Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware Bloodhound Exploit 196

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » January 29th, 2009, 12:45 am

Keep getting this odd Bloodhound exploit,

Please see attached hijackthis log file,

Not sure what I should do here,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:04 PM, on 1/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Users\Jamie\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: BDARemote.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7321 bytes

Any help would be greatly appreciated
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am
Advertisement
Register to Remove

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » January 31st, 2009, 2:26 pm

Hello Shadowfox4744, welcome to MWR
Please take note of the following before we begin the cleaning process:
  • The whole process will usually take at least a week complete, sometimes several weeks depending on the severity of the infection and how promptly you and me are able to reply, so please stay patient
  • Hang in there until I give you the 'All clean'. If you leave prematurely because your computer seems to be back to its old self, the risk of re-infection will be very high
  • Perform all actions in the order given
  • The instructions I give expect that you're using an account with administrator privileges and that the language of your operating system is English.
  • Dont be afraid to ask questions if something is unclear or you run into issues during cleaning steps
  • I recommend you read through each set of instructions before you actually perform them

The first thing you should do is to subscribe to this topic.
In the top left corner of your opening post there is a link called Subscribe topic. If you click it you will be subscribed to this thread and will receive instant email notification of new replies. For most people this works better than periodically checking back here to see if there's any new posts.

1) Move HiJackThis to its own folder
  • Your HiJackThis program is currently located directly on your desktop
  • Create a new folder C:\HJT or C:\Program Files\HJT
  • Move HiJackThis to the new folder

2) Download and run DDS by sUBs
  • Download DDS from one of the links below and save it to your desktop
    Link1 | Link2 | Link3
  • Double-click the file to run the tool
  • A black window will stay open while the tool runs
  • Wait for the scan to finish (this will only take a couple of minutes), and two logs to open in separate notepad documents
  • Include both these logs in your next reply

3) Download and run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop
  • Double click on RSIT.exe to run RSIT
  • Click Continue at the disclaimer screen to start the scanner
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Post the contents of both log.txt but just close info.txt

Logs I need:
    Both DDS logs
    RSIT log

Question:
    Have you done anything to try and solve this problem before posting here?
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » January 31st, 2009, 11:46 pm

I have used Malware Bytes and moved the hijackthis to my C: drive

See new Log,

gfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:37 PM, on 1/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GT5620
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6141 bytes

Thanks for the help thus far
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 1st, 2009, 8:41 am

You forgot step 2 and 3 of my previous post.
Please do them and post the logs.

If you've run Malwarebytes' before posting here, you probably have a log from the scan.
Post that log as well:
  • Press the windows key and the R key at the same time to open the Run dialog box
  • Type control folders and press enter
  • A control panel should now open.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Click OK
  • You should now be able to access this folder:
    C:\Users\<your username>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
  • Post all logs present there
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » February 1st, 2009, 9:42 am

MalwareBytes Logs

Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 6.0.6001 Service Pack 1

1/28/2009 11:49:57 PM
mbam-log-2009-01-28 (23-49-57).txt

Scan type: Quick Scan
Objects scanned: 48238
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 8
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99ba268b-4021-4739-9945-3c774217fe75} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6b5cfd66-1f55-4fc2-b5af-36b66e7cfe6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\247880 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Jamie\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Jamie\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Jamie\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Jamie\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 6.0.6001 Service Pack 1

1/29/2009 8:16:12 AM
mbam-log-2009-01-29 (08-16-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176136
Time elapsed: 2 hour(s), 50 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 6.0.6001 Service Pack 1

1/29/2009 10:36:30 PM
mbam-log-2009-01-29 (22-36-30).txt

Scan type: Quick Scan
Objects scanned: 48219
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 6.0.6001 Service Pack 1

1/30/2009 6:51:49 PM
mbam-log-2009-01-30 (18-51-49).txt

Scan type: Quick Scan
Objects scanned: 48135
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS Logs

DDS (Ver_09-01-07.01) - NTFSx86
Run by Jamie at 8:35:19.41 on Sun 02/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.922 [GMT -5:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jamie\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CMCService] "c:\program files\ati\catalyst media center\CMCService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\progra~1\netdog\netd.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jamie\appdata\roaming\mozilla\firefox\profiles\c44zs0fg.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=fi ... S:official
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2007-10-7 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2007-10-7 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2007-10-7 9088]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]

=============== Created Last 30 ================

2009-01-31 15:39 <DIR> --d----- C:\Hijackthis
2009-01-28 23:45 <DIR> --d----- c:\users\jamie\appdata\roaming\Malwarebytes
2009-01-28 23:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 23:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 23:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-28 23:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 23:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-24 10:04 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-24 10:04 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-24 10:03 <DIR> --d----- c:\program files\iPod
2009-01-24 10:03 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03 <DIR> --d----- c:\program files\iTunes
2009-01-24 10:03 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03 <DIR> --d----- c:\program files\Bonjour
2009-01-24 10:02 <DIR> --d----- c:\programdata\Apple Computer
2009-01-24 09:59 <DIR> --d----- c:\programdata\Apple
2009-01-24 01:27 168,448 a------- c:\windows\system32\unrar.dll
2009-01-24 01:27 839,680 a------- c:\windows\system32\lameACM.acm
2009-01-24 01:27 118,784 a------- c:\windows\system32\ac3acm.acm
2009-01-24 01:27 414 a------- c:\windows\system32\lame_acm.xml
2009-01-24 01:27 795,648 a------- c:\windows\system32\xvidcore.dll
2009-01-24 01:27 217,088 a------- c:\windows\system32\yv12vfw.dll
2009-01-24 01:27 130,048 a------- c:\windows\system32\xvidvfw.dll
2009-01-24 01:26 684,032 a------- c:\windows\system32\divx.dll
2009-01-24 01:26 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-01-24 01:26 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-01-24 01:26 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-01-13 19:33 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-05 16:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-01-24 10:00 86,016 a------- c:\windows\inf\infstor.dat
2009-01-24 10:00 51,200 a------- c:\windows\inf\infpub.dat
2009-01-24 10:00 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-11-06 11:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-02 08:35 3,902,784 a------- c:\users\jamie\gosetup.exe
2008-10-12 03:29 174 a--sh--- c:\program files\desktop.ini
2008-10-12 03:09 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-27 05:32 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-08-27 05:32 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-08-27 05:32 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-20 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032020080321\index.dat
2008-03-23 06:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032320080324\index.dat
2008-03-23 06:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat

============= FINISH: 8:35:51.62 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/31/2007 3:50:27 AM
System Uptime: 1/24/2009 1:08:01 AM (199 hours ago)

Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Genuine Intel(R) CPU 2140 @ 1.60GHz | Socket 775 | 1600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 126.413 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.037 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP636: 1/22/2009 12:00:04 AM - Scheduled Checkpoint
RP637: 1/22/2009 10:35:43 PM - Windows Update
RP638: 1/24/2009 4:20:26 AM - Scheduled Checkpoint
RP639: 1/24/2009 10:00:15 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP640: 1/24/2009 10:03:16 AM - Installed iTunes
RP641: 1/25/2009 12:00:04 AM - Scheduled Checkpoint
RP642: 1/26/2009 12:00:03 AM - Scheduled Checkpoint
RP643: 1/26/2009 10:47:18 AM - Windows Update
RP644: 1/27/2009 12:00:04 AM - Scheduled Checkpoint
RP645: 1/28/2009 12:59:05 AM - Scheduled Checkpoint
RP646: 1/29/2009 3:12:02 AM - Scheduled Checkpoint
RP647: 1/29/2009 3:24:17 PM - Windows Update
RP648: 1/31/2009 1:59:45 AM - Scheduled Checkpoint
RP649: 2/1/2009 12:24:34 AM - Scheduled Checkpoint

==== Installed Programs ======================

Sansa Media Converter
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
Agere Systems PCI-SV92PP Soft Modem
AIM 6
Apple Mobile Device Support
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
AutoUpdate
BigFix
BitTorrent
Bonjour
Browser Address Error Redirector
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
Digital Media Reader
DivX Player
DivX Web Player
Dune 2000
Electronic Arts Game Updater
Gateway Connect
Gateway Game Console
Gateway Recovery Center Installer
Google Desktop
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 4.5.3 (Full)
LimeWire 4.18.8
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Need For Speed - Porsche Unleashed
NetDog
NVIDIA Drivers
Power2Go 5.0
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RealWorld Icon Editor
Rhapsody Player Engine
Sansa Media Converter
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Spare Backup
Symantec AntiVirus
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
USB Video Driver
Viewpoint Media Player
Westwood Shared Internet Components
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (04/27/2007 5.7.0427.0)
Windows Media Player Firefox Plugin
WinRAR archiver

==== Event Viewer Messages From Past Week ========

1/31/2009 12:02:04 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

==== End Of File ===========================


FINAL RSIT LOG

Logfile of random's system information tool 1.05 (written by random/random)
Run by Jamie at 2009-02-01 08:23:23
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 129 GB (44%) free of 295 GB
Total RAM: 2047 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:29 AM, on 2/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\notepad.exe
C:\Users\Jamie\Desktop\RSIT.exe
C:\Hijackthis\Jamie.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5551 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{8E1FEF2E-16C9-4AD6-82FA-067F5A579824}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-04-23 4435968]
"CMCService"=C:\Program Files\ATI\Catalyst Media Center\CMCService.exe [2007-08-02 172032]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-10-18 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-10-18 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-10-18 133656]
"MSConfig"=C:\Windows\system32\msconfig.exe [2008-01-19 227840]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-11-28 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-11-28 7757824]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-11-28 81920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= []
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
c:\program files\Bigfix\bigfix.exe [2006-11-16 2348584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Users\Jamie\Program Files\BitTorrent_DNA\dna.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-31 240640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2006-11-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
C:\Program Files\Spare Backup\SpareBackup.exe [2007-07-13 5252936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-11-15 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
C:\PROGRA~1\Sandisk\Common\Bin\WINCIN~1.EXE [2006-09-26 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-10-18 200704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-02-01 08:23:23 ----D---- C:\rsit
2009-01-31 15:39:20 ----D---- C:\Hijackthis
2009-01-28 23:45:44 ----D---- C:\Users\Jamie\AppData\Roaming\Malwarebytes
2009-01-28 23:45:36 ----D---- C:\ProgramData\Malwarebytes
2009-01-28 23:45:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-24 10:04:40 ----D---- C:\Users\Jamie\AppData\Roaming\Apple Computer
2009-01-24 10:04:09 ----A---- C:\Windows\system32\GEARAspi.dll
2009-01-24 10:04:08 ----DC---- C:\Windows\system32\DRVSTORE
2009-01-24 10:03:51 ----D---- C:\Program Files\iPod
2009-01-24 10:03:49 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03:49 ----D---- C:\Program Files\iTunes
2009-01-24 10:03:04 ----D---- C:\Program Files\Bonjour
2009-01-24 10:02:20 ----D---- C:\Program Files\QuickTime
2009-01-24 10:02:18 ----D---- C:\ProgramData\Apple Computer
2009-01-24 10:00:56 ----D---- C:\Program Files\Apple Software Update
2009-01-24 10:00:40 ----D---- C:\Windows\LastGood
2009-01-24 09:59:54 ----D---- C:\ProgramData\Apple
2009-01-24 09:59:54 ----D---- C:\Program Files\Common Files\Apple
2009-01-24 01:27:03 ----A---- C:\Windows\system32\unrar.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\yv12vfw.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\xvidvfw.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\xvidcore.dll
2009-01-24 01:26:58 ----A---- C:\Windows\system32\divx.dll
2009-01-24 01:26:57 ----A---- C:\Windows\system32\ff_vfw.dll.manifest
2009-01-24 01:26:57 ----A---- C:\Windows\system32\ff_vfw.dll
2009-01-24 01:26:56 ----D---- C:\Program Files\K-Lite Codec Pack

======List of files/folders modified in the last 1 months======

2009-02-01 08:23:29 ----D---- C:\Windows\Temp
2009-02-01 08:23:29 ----D---- C:\Windows\Prefetch
2009-02-01 00:24:47 ----SHD---- C:\System Volume Information
2009-01-31 22:48:13 ----D---- C:\Windows\System32
2009-01-31 11:56:42 ----HD---- C:\Windows\inf
2009-01-31 11:56:42 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-31 02:00:03 ----D---- C:\Windows\system32\catroot2
2009-01-28 23:45:40 ----D---- C:\Windows\system32\drivers
2009-01-28 23:45:36 ----RD---- C:\Program Files
2009-01-28 23:45:36 ----HD---- C:\ProgramData
2009-01-24 10:04:45 ----SHD---- C:\Windows\Installer
2009-01-24 10:04:45 ----SHD---- C:\Config.Msi
2009-01-24 10:04:09 ----D---- C:\Windows\system32\catroot
2009-01-24 10:01:54 ----D---- C:\Windows
2009-01-24 10:01:00 ----D---- C:\Windows\system32\Tasks
2009-01-24 09:59:54 ----D---- C:\Program Files\Common Files
2009-01-24 01:27:23 ----D---- C:\Program Files\Mozilla Firefox
2009-01-24 01:24:06 ----D---- C:\Program Files\Combined Community Codec Pack
2009-01-24 01:23:44 ----D---- C:\Program Files\DivX
2009-01-22 05:53:53 ----D---- C:\Users\Jamie\AppData\Roaming\BitTorrent
2009-01-18 14:08:58 ----D---- C:\Windows\Minidump
2009-01-17 11:38:17 ----D---- C:\Program Files\BitTorrent
2009-01-14 18:38:07 ----D---- C:\ProgramData\Microsoft Help
2009-01-14 03:10:18 ----D---- C:\Windows\winsxs
2009-01-14 03:02:32 ----D---- C:\Program Files\Windows Mail
2009-01-09 20:35:28 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-09-04 371248]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2006-10-26 185744]
R2 MCSTRM;MCSTRM; C:\Windows\system32\drivers\MCSTRM.sys [2007-10-11 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-10-05 1161152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-04-23 1769952]
R3 Iviaspi;IVI ASPI Shell; C:\Windows\system32\drivers\iviaspi.sys [2005-09-20 10368]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090131.003\NAVENG.SYS [2008-11-12 89104]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090131.003\NAVEX15.SYS [2008-11-12 876112]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-11-28 4455616]
R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2007-11-13 51200]
R3 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2008-06-08 109744]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2006-10-26 26384]
R3 USB28xxBGA;ATI TV Wonder 600 USB 2.0; C:\Windows\system32\DRIVERS\emBDA.sys [2007-05-16 459520]
R3 USB28xxOEM;USB 28xx OEM Filter; C:\Windows\system32\DRIVERS\emOEM.sys [2007-05-16 39808]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture; C:\Windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3); C:\Windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar; C:\Windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys [2005-08-17 58352]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys [2005-08-17 8272]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys [2005-08-17 93872]
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM); C:\Windows\system32\DRIVERS\sscdserd.sys [2005-08-17 73696]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2006-10-05 9216]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe [2007-08-02 262239]
R2 CyberLink Media Library Service;CyberLink Media Library Service; C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe [2007-08-02 1073152]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S2 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe [2007-08-02 110685]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
S4 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe [2007-08-31 81408]

-----------------EOF-----------------

Thanks for all your help let me know if you need anything else,
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 1st, 2009, 10:05 am

P2P warning
You have BitTorrent and LimeWire installed on your computer. This is a peer-to-peer program used to share files between computers.
There are several issues related to this:
  • P2P programs are notorious for being bundled with unwanted adware/spyware programs
  • Poorly configured P2P programs can share more files than you want them too, including personal files
  • Since its impossible to establish the source of which you are copying files from, you will always be at a certan risk every time you download a file. Malware written to spesifically spread through P2P networks are becoming an increasing problem and may be the source of your current infection. Even if you can trust the P2P program itself, you can never trust the sources you download from.

By MWR policy I am forced to ask that you uninstall this program if you wish me to further help you with your malware issues.
For more info, read MWR policy on P2P programs

To uninstall the program, go to Add/Remove Programs and uninstall the following:
BitTorrent
LimeWire 4.18.8

If you chose to proceede, do the below:

Post new DDS logs the same way you did last time.

Question:
You say you 'keep getting this odd Bloodhound exploit'.
Can you elaborate a bit on that?
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » February 2nd, 2009, 2:33 am

It keeps popping up like every so often for repeated times in Symantec under my temporary internet files, C:\Users\Jamie\AppData\Local\Temp\DWHD73D.tmp for example is one of them,

Here is my new DDS logs, I have removed BitTorrent and Limewire from the computer,
While I was scanning with DDS the symantec was auto protecting against this Bloodhound Exploit 196 as an example was noted above,

Hope you can help, As always Thank You!

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/31/2007 3:50:27 AM
System Uptime: 2/2/2009 1:15:12 AM (0 hours ago)

Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Genuine Intel(R) CPU 2140 @ 1.60GHz | Socket 775 | 1600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 127.122 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.037 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Sansa Media Converter
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
Agere Systems PCI-SV92PP Soft Modem
AIM 6
Apple Mobile Device Support
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
AutoUpdate
BigFix
Bonjour
Browser Address Error Redirector
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
Digital Media Reader
DivX Player
DivX Web Player
Dune 2000
Electronic Arts Game Updater
Gateway Connect
Gateway Game Console
Gateway Recovery Center Installer
Google Desktop
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 4.5.3 (Full)
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Need For Speed - Porsche Unleashed
NetDog
NVIDIA Drivers
Power2Go 5.0
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RealWorld Icon Editor
Rhapsody Player Engine
Sansa Media Converter
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Spare Backup
Symantec AntiVirus
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
USB Video Driver
Viewpoint Media Player
Westwood Shared Internet Components
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (04/27/2007 5.7.0427.0)
Windows Media Player Firefox Plugin
WinRAR archiver

==== End Of File ===========================


s
DDS (Ver_09-01-07.01) - NTFSx86
Run by Jamie at 1:28:18.94 on Mon 02/02/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.863 [GMT -5:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jamie\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CMCService] "c:\program files\ati\catalyst media center\CMCService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\progra~1\netdog\netd.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jamie\appdata\roaming\mozilla\firefox\profiles\c44zs0fg.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=fi ... S:official
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2007-10-7 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2007-10-7 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2007-10-7 9088]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]

=============== Created Last 30 ================

2009-01-31 15:39 <DIR> --d----- C:\Hijackthis
2009-01-28 23:45 <DIR> --d----- c:\users\jamie\appdata\roaming\Malwarebytes
2009-01-28 23:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 23:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 23:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-28 23:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 23:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-24 10:04 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-24 10:04 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-24 10:03 <DIR> --d----- c:\program files\iPod
2009-01-24 10:03 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03 <DIR> --d----- c:\program files\iTunes
2009-01-24 10:03 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03 <DIR> --d----- c:\program files\Bonjour
2009-01-24 10:02 <DIR> --d----- c:\programdata\Apple Computer
2009-01-24 09:59 <DIR> --d----- c:\programdata\Apple
2009-01-24 01:27 168,448 a------- c:\windows\system32\unrar.dll
2009-01-24 01:27 839,680 a------- c:\windows\system32\lameACM.acm
2009-01-24 01:27 118,784 a------- c:\windows\system32\ac3acm.acm
2009-01-24 01:27 414 a------- c:\windows\system32\lame_acm.xml
2009-01-24 01:27 795,648 a------- c:\windows\system32\xvidcore.dll
2009-01-24 01:27 217,088 a------- c:\windows\system32\yv12vfw.dll
2009-01-24 01:27 130,048 a------- c:\windows\system32\xvidvfw.dll
2009-01-24 01:26 684,032 a------- c:\windows\system32\divx.dll
2009-01-24 01:26 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-01-24 01:26 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-01-24 01:26 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-01-13 19:33 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-05 16:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-01-24 10:00 86,016 a------- c:\windows\inf\infstor.dat
2009-01-24 10:00 51,200 a------- c:\windows\inf\infpub.dat
2009-01-24 10:00 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-11-06 11:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-02 08:35 3,902,784 a------- c:\users\jamie\gosetup.exe
2008-10-12 03:29 174 a--sh--- c:\program files\desktop.ini
2008-10-12 03:09 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-27 05:32 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-08-27 05:32 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-08-27 05:32 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-20 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032020080321\index.dat
2008-03-23 06:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032320080324\index.dat
2008-03-23 06:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat

============= FINISH: 1:29:02.75 ===============
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 2nd, 2009, 3:30 pm

Hi,
just dropping in to let you know that I'll be back in 48hrs or so
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 5th, 2009, 4:13 pm

Sorry about the delay, hope you're still with us

1) Disable Windows Defender
You need to temporarily disable windows defender as it may interfere with the tools we are going to use.
  • Open Windows Defender
  • Select Tools and then General Settings
  • Scroll down, and under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save
Note:
We'll re-enable Windows Defender after we're done cleaning your computer.

2) Download and run GMER
  • Download gmer.zip by GMER from here and extract it to a folder on your desktop
  • Double click on gmer.exe to launch the program
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning, click the Rootkit/Malware tab and then Scan
  • Once the scan has finished, click copy
  • Create a new notepad document on your desktop, name it "gmerrk.txt", open it, insert the GMER log by right-clicking in the document and chosing Paste, and then save the document
  • This log must be included in your next reply
  • Back in GMER, click on the >>> tab to bring up additional tabs
  • Click on the Autostart tab and then click Scan
  • Once the scan has finished, click copy, start a new reply here, right click and select "paste" to copy the log.
  • Also remember to copy the content of "gmerrk.txt" into the reply

Have you seen any other signs of malware, other than the symantec alerts?
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » February 5th, 2009, 11:56 pm

Thanks again,

Good Luck finding where the issue is,

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-05 22:50:14
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT 85A47BD0 ZwAlertResumeThread
SSDT 85A47C90 ZwAlertThread
SSDT 85A8D338 ZwAllocateVirtualMemory
SSDT 85A8CAF0 ZwConnectPort
SSDT 85AD2980 ZwCreateMutant
SSDT 859F93E8 ZwCreateThread
SSDT 85A4AAF8 ZwFreeVirtualMemory
SSDT 85AD2A40 ZwImpersonateAnonymousToken
SSDT 85A47B10 ZwImpersonateThread
SSDT 85A468C0 ZwMapViewOfSection
SSDT 85AD28C0 ZwOpenEvent
SSDT 85AD24B0 ZwOpenProcessToken
SSDT 85A8F2A0 ZwOpenThreadToken
SSDT 85A4A698 ZwResumeThread
SSDT 85A45F48 ZwSetContextThread
SSDT 85AD2D88 ZwSetInformationProcess
SSDT 85A45E88 ZwSetInformationThread
SSDT 85A559D0 ZwSuspendProcess
SSDT 85A8D998 ZwSuspendThread
SSDT 85A579C8 ZwTerminateProcess
SSDT 85A5E980 ZwTerminateThread
SSDT 85A5CB60 ZwUnmapViewOfSection
SSDT 85A4A720 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81EC5914 8 Bytes [ D0, 7B, A4, 85, 90, 7C, A4, ... ]
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EC5928 4 Bytes [ 38, D3, A8, 85 ]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81EC59B8 4 Bytes [ F0, CA, A8, 85 ]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81EC59EC 4 Bytes [ 80, 29, AD, 85 ]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EC5A18 4 Bytes CALL 9771F9B0
.text ...

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0xFC 0x45 0xBA 0x8E ...

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2009-02-05 22:54:35
Windows 6.0.6001 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\Windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName = igfxdev.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AgereModemAudio@ = C:\Windows\system32\agrsmsvc.exe
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
ccEvtMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
ccSetMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
CLCapSvc@ = "C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe" iles\ATI\Catalyst Media Center\Kernel\TV\CapSetup HLP ?w??h? ?
CLSched@ = "C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe" a C e n t e r \ K e r n e l \ T V \ C L C a p S v c . e x e
CyberLink Media Library Service@ = "C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe"
DefWatch@ = "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
slsvc@ = %SystemRoot%\system32\SLsvc.exe
Symantec AntiVirus@ = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
Viewpoint Manager Service@ = "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
WMPNetworkSvc@ = "%ProgramFiles%\Windows Media Player\wmpnetwk.exe"
WSearch@ = %systemroot%\system32\SearchIndexer.exe /Embedding

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Windows Defender%ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/ = %ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/
@RtHDVCplRtHDVCpl.exe = RtHDVCpl.exe
@CMCService"C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" = "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
@IgfxTrayC:\Windows\system32\igfxtray.exe = C:\Windows\system32\igfxtray.exe
@HotKeysCmdsC:\Windows\system32\hkcmd.exe = C:\Windows\system32\hkcmd.exe
@PersistenceC:\Windows\system32\igfxpers.exe = C:\Windows\system32\igfxpers.exe
@MSConfig"C:\Windows\system32\msconfig.exe" /auto = "C:\Windows\system32\msconfig.exe" /auto
@ccApp"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
@vptrayC:\PROGRA~1\SYMANT~1\VPTray.exe = C:\PROGRA~1\SYMANT~1\VPTray.exe
@NvSvcRUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart = RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
@NvCplDaemonRUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
@NvMediaCenterRUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Aim6 /*file not found*/ = /*file not found*/
@ehTray.exeC:\Windows\ehome\ehTray.exe = C:\Windows\ehome\ehTray.exe
@SidebarC:\Program Files\Windows Sidebar\sidebar.exe /autoRun /*file not found*/ = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun /*file not found*/
@WMPNSCFGC:\Program Files\Windows Media Player\WMPNSCFG.exe = C:\Program Files\Windows Media Player\WMPNSCFG.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll
@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll
@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{00020d75-0000-0000-c000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\Windows\system32\extmgr.dll = C:\Windows\system32\extmgr.dll
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll
@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =
@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll
@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/
@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll
@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/
@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll
@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll
@{15D633E2-AD00-465b-9EC7-F56B7CDF8E27} /*Tablet PC Input Panel*/%CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/ = %CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/
@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll
@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/
@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll
@{7dda204b-2097-47c9-8323-c40bb840ae44} /*XPS document*/(null) =
@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{E46D104B-FE72-4396-A6F4-E984F3FCC057} /*Spare Backup Shell*/C:\Program Files\Spare Backup\SpareShellExtension.dll = C:\Program Files\Spare Backup\SpareShellExtension.dll
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*SampleView*/C:\Windows\System32\ShellvRTF.dll = C:\Windows\System32\ShellvRTF.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Context Menu Shell Extension*/(null) =
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 DragDrop Shell Extension*/(null) =
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Context Menu Shell Extension*/(null) =
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Property Sheet Shell Extension*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll
@{8BEEE74D-455E-4616-A97A-F6E86C317F32} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{8BEEE74D-455E-4616-A97A-F6E86C317F32} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
Spare Backup Shell@{E46D104B-FE72-4396-A6F4-E984F3FCC057} = C:\Program Files\Spare Backup\SpareShellExtension.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{8BEEE74D-455E-4616-A97A-F6E86C317F32} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
Spare Backup Shell@{E46D104B-FE72-4396-A6F4-E984F3FCC057} = C:\Program Files\Spare Backup\SpareShellExtension.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\Windows\system32\Ribbons.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local PageC:\Windows\system32\blank.htm = C:\Windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\Windows\System32\msvidctl.dll
its@CLSID = %SystemRoot%\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = %SystemRoot%\System32\itss.dll
tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19CD283F-B1B1-447E-8BAF-81E615E0C315} /*Local Area Connection*/ >>>
@IPAddress =
@NameServer =
@DefaultGateway =
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll
000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll
000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll
000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll
000000000007@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000008@PackedCatalogItem = C:\PROGRA~1\NetDog\netd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010@PackedCatalogItem = C:\PROGRA~1\NetDog\netd.dll

---- EOF - GMER 1.0.14 ----
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 6th, 2009, 4:35 pm

1) Download and run CCleaner
  • Download CCleaner from here
  • Install and launch CCleaner
  • Click the Options button and select Advanced
  • Uncheck the option "Only delete files in Windows Temp folders older than 48 hours"
  • Click the Cleaner button
  • If you wish to avoid being logged out of all websites you're currently logged into, make sure Cookies are unchecked for the web browser(s) you use. Internet Explorer is located under the Windows tab, other browsers are located under the Applications tab
  • Click the Run Cleaner button at the bottom right of the window
  • Click Yes at the prompt and let the cleaner finish
Note:
If there are more than one user account on this computer, run CCleaner using this procedure on all other user accounts as well

If you temporarily disable Symantec Antivirus before the next two steps, the scans will complete faster.

2) Download and Run Malwarebytes Anti-Malware
  • Download Malwarebytes' Anti-Malware and install the program
  • At the end, make sure a checkmark is placed next to:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
  • Click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, click Check for updates
  • Click select Perform quick scan, then click Scan to start scanning
  • When the scan is complete, click OK, then Show Results to view the results
  • Make sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Include this log in your next reply
Note:
If you for some reason lose the log, it can be retrieved manually from this location:
C:\Users\<your username>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logsmbam-log-date (time).txt
You must enable the viewing of hidden files to access that AppData folder
(Start -> Run -> control folders -> View -> Show hidden files and folders)

3) Run ESET's online scanner
  • Launch Internet Explorer by right-clicking on it and chosing Run as administrator and then go here:
    http://www.eset.com/onlinescan/
  • Put a checkmark next to Yes, I accept the Terms of Use and click the Start button
  • When prompted about installing ActiveX, allow it and click Install
    The interface will load
  • Click Start
    The scanner will initialize and update itself
  • Once the scanner has loaded, leave both check boxes unchecked and click the Scan button
    Your computer will be scanned, this can take a while to complete
  • When the scan has finished, close Internet Explorer
  • A log will be located here
    C:\Program Files\EsetOnlineScanner\log.txt
  • Include this log in your next reply
Note:
If you get an error message saying that ESET Online Scan needs administration rights, you will need to temporarily disable User Account Control
(Start -> Control Panel -> User Accounts and Family Safety -> User accounts -> Turn User Account Control on or off)

Remember to enable Symantec AV again after this step if you disabled it.

4) Get new RSIT log
  • Double click on RSIT.exe (on your desktop) to run RSIT
  • Click Continue at the disclaimer screen to start the scanner
  • When the scan finishes a log will open. Include this log in your next reply

Logs I need:
    MBAM log
    ESET log
    RSIT log
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » February 7th, 2009, 9:52 am

Thanks again,

Any luck thus far?

Malwarebytes' Anti-Malware 1.33
Database version: 1704
Windows 6.0.6001 Service Pack 1

2/7/2009 12:43:37 AM
mbam-log-2009-02-07 (00-43-37).txt

Scan type: Quick Scan
Objects scanned: 47547
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Online Scanner
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3836 (20090207)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=102bb39c20e6f1418d1bf018f384d66d
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2009-02-07 07:32:28
# local_time=2009-02-07 02:32:28 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=544038
# found=0
# scan_time=5822


RSIT

Logfile of random's system information tool 1.05 (written by random/random)
Run by Jamie at 2009-02-07 08:47:19
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 139 GB (47%) free of 295 GB
Total RAM: 2047 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:28 AM, on 2/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Jamie\Desktop\RSIT.exe
C:\Hijackthis\Jamie.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5419 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{8E1FEF2E-16C9-4AD6-82FA-067F5A579824}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-04-23 4435968]
"CMCService"=C:\Program Files\ATI\Catalyst Media Center\CMCService.exe [2007-08-02 172032]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-10-18 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-10-18 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-10-18 133656]
"MSConfig"=C:\Windows\system32\msconfig.exe [2008-01-19 227840]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-11-28 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-11-28 7757824]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-11-28 81920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= []
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
c:\program files\Bigfix\bigfix.exe [2006-11-16 2348584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Users\Jamie\Program Files\BitTorrent_DNA\dna.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-31 240640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2006-11-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
C:\Program Files\Spare Backup\SpareBackup.exe [2007-07-13 5252936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-11-15 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
C:\PROGRA~1\Sandisk\Common\Bin\WINCIN~1.EXE [2006-09-26 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-10-18 200704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-02-07 00:52:05 ----D---- C:\Program Files\EsetOnlineScanner
2009-02-07 00:35:19 ----D---- C:\Program Files\CCleaner
2009-02-05 21:52:48 ----A---- C:\Windows\gmer.ini
2009-02-05 21:52:41 ----A---- C:\Windows\gmer_uninstall.cmd
2009-02-05 21:52:41 ----A---- C:\Windows\gmer.dll
2009-02-05 21:52:40 ----A---- C:\Windows\gmer.exe
2009-02-01 08:23:23 ----D---- C:\rsit
2009-01-31 15:39:20 ----D---- C:\Hijackthis
2009-01-28 23:45:44 ----D---- C:\Users\Jamie\AppData\Roaming\Malwarebytes
2009-01-28 23:45:36 ----D---- C:\ProgramData\Malwarebytes
2009-01-28 23:45:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-24 10:04:40 ----D---- C:\Users\Jamie\AppData\Roaming\Apple Computer
2009-01-24 10:04:09 ----A---- C:\Windows\system32\GEARAspi.dll
2009-01-24 10:04:08 ----DC---- C:\Windows\system32\DRVSTORE
2009-01-24 10:03:51 ----D---- C:\Program Files\iPod
2009-01-24 10:03:49 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 10:03:49 ----D---- C:\Program Files\iTunes
2009-01-24 10:03:04 ----D---- C:\Program Files\Bonjour
2009-01-24 10:02:20 ----D---- C:\Program Files\QuickTime
2009-01-24 10:02:18 ----D---- C:\ProgramData\Apple Computer
2009-01-24 10:00:56 ----D---- C:\Program Files\Apple Software Update
2009-01-24 09:59:54 ----D---- C:\ProgramData\Apple
2009-01-24 09:59:54 ----D---- C:\Program Files\Common Files\Apple
2009-01-24 01:27:03 ----A---- C:\Windows\system32\unrar.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\yv12vfw.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\xvidvfw.dll
2009-01-24 01:27:00 ----A---- C:\Windows\system32\xvidcore.dll
2009-01-24 01:26:58 ----A---- C:\Windows\system32\divx.dll
2009-01-24 01:26:57 ----A---- C:\Windows\system32\ff_vfw.dll.manifest
2009-01-24 01:26:57 ----A---- C:\Windows\system32\ff_vfw.dll
2009-01-24 01:26:56 ----D---- C:\Program Files\K-Lite Codec Pack

======List of files/folders modified in the last 1 months======

2009-02-07 08:47:25 ----D---- C:\Windows\Temp
2009-02-07 01:03:08 ----D---- C:\Windows\Prefetch
2009-02-07 00:52:05 ----RD---- C:\Program Files
2009-02-07 00:52:03 ----SD---- C:\Windows\Downloaded Program Files
2009-02-07 00:52:03 ----D---- C:\Windows\System32
2009-02-07 00:38:18 ----D---- C:\Windows\Debug
2009-02-07 00:38:18 ----D---- C:\Windows
2009-02-07 00:13:21 ----SHD---- C:\System Volume Information
2009-02-05 21:52:41 ----D---- C:\Windows\system32\drivers
2009-02-05 21:50:29 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-02-05 21:50:28 ----HD---- C:\Windows\inf
2009-02-04 23:45:04 ----RD---- C:\Users
2009-02-02 01:15:31 ----SHD---- C:\Config.Msi
2009-01-31 02:00:03 ----D---- C:\Windows\system32\catroot2
2009-01-28 23:45:36 ----HD---- C:\ProgramData
2009-01-24 10:04:45 ----SHD---- C:\Windows\Installer
2009-01-24 10:04:09 ----D---- C:\Windows\system32\catroot
2009-01-24 10:01:00 ----D---- C:\Windows\system32\Tasks
2009-01-24 09:59:54 ----D---- C:\Program Files\Common Files
2009-01-24 01:27:23 ----D---- C:\Program Files\Mozilla Firefox
2009-01-24 01:23:44 ----D---- C:\Program Files\DivX
2009-01-18 14:08:58 ----D---- C:\Windows\Minidump
2009-01-17 11:38:17 ----D---- C:\Program Files\BitTorrent
2009-01-14 18:38:07 ----D---- C:\ProgramData\Microsoft Help
2009-01-14 03:10:18 ----D---- C:\Windows\winsxs
2009-01-14 03:02:32 ----D---- C:\Program Files\Windows Mail
2009-01-09 20:35:28 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-09-04 371248]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2006-10-26 185744]
R2 MCSTRM;MCSTRM; C:\Windows\system32\drivers\MCSTRM.sys [2007-10-11 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-10-05 1161152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-04-23 1769952]
R3 Iviaspi;IVI ASPI Shell; C:\Windows\system32\drivers\iviaspi.sys [2005-09-20 10368]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090206.007\NAVENG.SYS [2008-11-12 89104]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090206.007\NAVEX15.SYS [2008-11-12 876112]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-11-28 4455616]
R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2007-11-13 51200]
R3 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2008-06-08 109744]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2006-10-26 26384]
R3 USB28xxBGA;ATI TV Wonder 600 USB 2.0; C:\Windows\system32\DRIVERS\emBDA.sys [2007-05-16 459520]
R3 USB28xxOEM;USB 28xx OEM Filter; C:\Windows\system32\DRIVERS\emOEM.sys [2007-05-16 39808]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture; C:\Windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3); C:\Windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar; C:\Windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 gmer;gmer; C:\Windows\System32\DRIVERS\gmer.sys [2009-02-05 85969]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys [2005-08-17 58352]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys [2005-08-17 8272]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys [2005-08-17 93872]
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM); C:\Windows\system32\DRIVERS\sscdserd.sys [2005-08-17 73696]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2006-10-05 9216]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe [2007-08-02 262239]
R2 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe [2007-08-02 110685]
R2 CyberLink Media Library Service;CyberLink Media Library Service; C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe [2007-08-02 1073152]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
S4 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe [2007-08-31 81408]

-----------------EOF-----------------
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 7th, 2009, 6:58 pm

Any luck thus far?
You're logs are clean, and I strongly doubt that your machine is infected.

Im certan that the detection alerts you are experiencing is related to an error in Symantec AntiVirus.
These DWH****.tmp files are actually created by Symantec itself during the update process that runs periodically.
So basically, the detection engine is detecting the files created by the update engine as infected.

Here are some threads where people are complaining about the same problem with Symantec AntiVirus:
http://www.bleepingcomputer.com/forums/topic152802.html
https://forums.symantec.com/syment/boar ... ing&page=1
https://forums.symantec.com/syment/boar ... ead.id=228

I've done some research on this, and it seems that the only way to solve this problem is to either replace Symantec AntiVirus with something else, or to call their support line and convince them to send you a tool that supposedly solves this problem called "SymDelTemp.exe".
You could also start a thread on the Symantec forum and ask if anybody there has a solution to this problem, that doesn't involve any of the above.
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Malware Bloodhound Exploit 196

Unread postby Shadowfox4744 » February 8th, 2009, 3:04 am

Thank you SOOO much I really appreciate you taking the time to look at my machine,

It's reassuring to know that it's ok,

I'll take a look at the links you provided and hopefully Symantec can get me that fix,

THANKS!!! :-)
Shadowfox4744
Active Member
 
Posts: 8
Joined: January 29th, 2009, 12:40 am

Re: Malware Bloodhound Exploit 196

Unread postby Sharagoz » February 8th, 2009, 2:02 pm

You're welcome!

There's one more step to do.

Cleaning up after the removal procedures
  • 1) Uninstall through Add/Remove Programs
    • Uninstall the below programs unless you want to keep some of them for future usage:
      CCleaner
      Malwarebytes' Anti-Malware
      ESET Online Scanner
  • 2) Uninstall GMER
    • Right-click on the file below and chose Run as administrator
      C:\Windows\gmer_uninstall.cmd
    • This will uninstall GMER
  • 3) Other deletions
    • You can delete the files and folders below
      DDS (on your desktop)
      RSIT.exe (on your desktop)
      C:\rsit (folder)

You can also enable Windows Defender again now, using a similar procedure as when you disabled it (see this post)
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware