
Malware.Unruy (aka Downloader-BZH) Infection on Windows XP


Post by kstubbs » August 15th, 2010, 10:19 pm

In late June, Spyware Doctor started repeatedly finding and cleaning Malware.Unruy, initially in C:\System Volume Information\Microsoft\services.exe, then in C:\Documents and Settings\Keith\Local Settings\temp\loader.exe and C:\System Volume Information\Microsoft\smss.exe.

A week earlier, Spyware Doctor had reported quarantining and cleaning Email-Worm.Zhelatin infection in C:\Documents and Settings\KEITH\Local Settings\TEMP\SMSS.EXE. I'm not sure if that is part of my current problem, but I mention it because the file smss.exe is involved. I also noticed an anomaly I've seen reported elsewhere -- mysterious clicking and wav sound volume repeatedly & mysteriously turned down to zero.

On July 2, Cox Security Suite (powered by McAfee) started detecting and repairing Downloader-BZH, which I think is the same as Malware.Unruy, in C:\System Volume Information\Microsoft\smss.exe and/or C:\System Volume Information\Microsoft\services.exe after every reboot. It took me a while to realize I still had a problem, since I don't reboot often and both Spyware Doctor & McAfee returned clean scans.

Things don't seem to be getting worse, but I'd like to eradicate the root cause of the repeated infection.

==========
hijackthis.log
==========


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:06:48, on 8/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 17451 bytes

===========
uninstall_lst.txt
===========


32 Bit HP CIO Components Installer
7-Zip 4.32
ABBYY FineReader 6.0 Sprint
AbcNavigator 2.0
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 3.0
Adobe Photoshop Elements 5.0
Adobe Reader 9.3.3
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
APC PowerChute Personal Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
BK ReplaceEm 2.0
Bonjour
Browser Defender 2.0.6.15
Canon Camera Access Library
Canon Camera Support Core Library
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon EOS 5D WIA Driver
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.7
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carbonite Online Backup Setup
Corel Paint Shop Pro X
Corel Photo Album 6
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
DellSupport
Digital Content Portal
Documents To Go
EarthLink setup files
Easy Thumbnails (Remove only)
EducateU
ELIcon
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON Perfection V500 Photo Scanner Driver Update
EPSON Perfection V500P User's Guide
EPSON Scan
EPSON Scan Assistant
ESPNMotion
Exact Audio Copy 0.99pb5
Exact Audio Copy v0.9 beta 4
FastStone Image Viewer 3.6
GemMaster Mystic
Get High Speed Internet!
Google AFE
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript 8.70
High Definition Audio Driver Package - KB835221
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Imaging Device Functions 7.0
HP Officejet Pro 8500 A909 Series
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Product Assistant
HP Solution Center 7.0
HP Update
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Quick Resume Technology Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Legacy 7.4
Legacy Charting 7.4
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
McAfee SecurityCenter
McAfee Uninstaller
MCU
MD Simple Burner 2.0.05
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Robocopy GUI
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.6.3)
Mp3tag v2.35
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
NetZeroInstallers
Norton Ghost 10.0
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Otto
Palm
Palm-DB-Tools 0.3.6
pdfsam
PDFTK Builder 3.5.3
Photo Story 3 for Windows
Pilot-DB 1.1.3
PowerDVD 5.5
QuickTime
RealPlayer
RON Tool Banners4u
Scribus 1.3.3.13
Seagate Manager Installer
Seagate Manager Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 3.4
Sony Sound Forge Audio Studio 8.0a
Sound Blaster X-Fi
Spyware Doctor 7.0
Transit USB 1.0.2.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wise-FTP
Xenu's Link Sleuth
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
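The detections above have a common shape: files named like core Windows binaries (smss.exe, services.exe) sitting in C:\System Volume Information\Microsoft\, plus a loader.exe in a Temp folder. As an added example that is not part of this thread and not code from HijackThis or PC Tools, the script below reads the "Running processes" block and the O4/O23 lines of a HijackThis log and flags exactly those patterns: a core-binary name outside the Windows system directory, anything executing from System Volume Information, and anything launched from a Temp directory. The sample log is constructed from lines in the post plus one invented O23 entry (the "Fake Services" line) standing in for a service pointing at the dropped services.exe; the allow-list of system directories and the set of core names are assumptions for this example.

```python
"""Triage a HijackThis log for system-binary look-alikes in odd locations.

Added example, not code from the thread or from HijackThis. Reads the
'Running processes' block and O4/O23 entries and flags executables whose
name matches a core Windows binary but whose directory is not the Windows
system directory, plus anything under System Volume Information or a Temp
directory. The allow-list below is coarse and is an assumption of this example.
"""
import re
from pathlib import PureWindowsPath

# Names malware commonly borrows; the real ones live in %SystemRoot%\System32
# (explorer.exe lives in %SystemRoot%). Assumed list, not from the page.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Pulls the first drive-letter path ending in .exe out of an O4/O23 line,
# whether or not it is quoted; trailing arguments are ignored.
_EXE_RE = re.compile(r'"?([a-zA-Z]:\\[^"\n]*?\.exe)"?', re.IGNORECASE)


def extract_paths(log_text):
    """Yield (section, path) for each executable path found in the log."""
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            section = "process"
            continue
        if section == "process":
            if not line:            # blank line ends the process block
                section = None
                continue
            yield ("process", line)
            continue
        m = re.match(r"^(O4|O23) - ", line)
        if m:
            hit = _EXE_RE.search(line)
            if hit:
                yield (m.group(1), hit.group(1))


def classify(path):
    """Return a reason string if the path looks suspicious, otherwise None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    parts = [c.lower() for c in p.parent.parts]
    if "system volume information" in parts:
        return "executable inside System Volume Information"
    if "temp" in parts or "tmp" in parts:
        return "executable launched from a Temp directory"
    if name in CORE_NAMES and parent not in SYSTEM_DIRS:
        return f"{name} outside the Windows system directory"
    return None


def triage(log_text):
    """Return a sorted list of (section, path, reason) for suspicious entries."""
    findings = set()
    for section, path in extract_paths(log_text):
        reason = classify(path)
        if reason:
            findings.add((section, path, reason))
    return sorted(findings)


# Constructed sample: real lines from the post plus one invented O23 entry.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\System Volume Information\Microsoft\smss.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [loader] "C:\Documents and Settings\Keith\Local Settings\temp\loader.exe"
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Fake Services (svcfake) - Unknown owner - C:\System Volume Information\Microsoft\services.exe
"""

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {path}: {reason}")
```

Run against the sample it reports three entries: the smss.exe process and the services.exe service under System Volume Information, and the loader.exe Run key in the Temp folder; the genuine smss.exe, services.exe and Explorer.EXE under C:\WINDOWS pass. A path check like this only narrows the list for a human reviewer; it says nothing about what the flagged file does, and a real answer still needs a file submission or a scan with a tool the helper chooses.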

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Post by melboy » August 17th, 2010, 8:56 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


==========================================================


DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Disable any script blocker, and then double click dds.scr to run the tool. A command window will appear; this is normal.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.



HD Partition Check

Please download Preformat by Noviciate and save to your desktop.

  • Unzip Preformat.zip and in the resulting folder double click Preformat.vbs (Zip/UnZip Tutorial)
  • Once completed, you will be prompted, click OK.
  • A text file will be created in the same folder named Preformat.txt
  • Please copy & paste the contents of Preformat.txt in your next reply



MBRCheck

Download MBRCheck by a_d_13 from here

  • Double click MBRCheck.exe
  • A black command type window will open
  • After a short while, a text file will appear on your desktop named MBRCheck_Date_Time.txt
  • Press 'N' on your keyboard, then press 'Enter'
  • Press 'Enter' again and the window will close.
  • Copy/paste the contents of MBRCheck_Date_Time.txt in your next reply



Gmer

Download GMER Rootkit Scanner from here.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
    Image
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If GMER crashes or keeps resulting in BSoDs, uncheck Devices on the right side before scanning.
-- If you continue to encounter problems, try running GMER in safe mode.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.




In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. MBRCheck
  4. Preformat.txt
  5. GMER log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
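
A small triage helper for the DDS.txt log requested above, added here as an example; it is not code from this thread, from the DDS tool or from MalwareRemoval.com. It reads the "Running Processes" section of a DDS log and flags two things a helper looks for first: a process that reuses the name of a core Windows binary (smss.exe, services.exe, svchost.exe, ...) but runs from outside that binary's home directory, and any process started from a directory where nothing legitimate runs at boot (Temp folders, System Volume Information). The binary list, the suspect-directory list, the 8.3 short-name map and the DDS_SAMPLE text are all my assumptions, constructed to imitate the DDS layout rather than taken from the posted log.

```python
"""Triage the "Running Processes" section of a DDS.txt log.

Added example, not code from this thread, from DDS or from MalwareRemoval.com.
Checks each listed image path for (1) a core Windows binary name running from
outside that binary's home directory and (2) a start location where nothing
legitimate runs at boot. DDS_SAMPLE is constructed, not the posted log.
"""
import re
from dataclasses import dataclass

# Assumed list of core Windows XP binaries and their directory on a clean system.
# The same name in any other directory is a masquerade worth a closer look.
SYSTEM_BINARIES = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Directory fragments from which no legitimate process should be running.
SUSPECT_DIRS = ("\\system volume information\\", "\\local settings\\temp\\", "\\windows\\temp\\")

# 8.3 short names DDS leaves in some paths, expanded so directory matching works.
SHORT_NAMES = {"docume~1": "documents and settings", "locals~1": "local settings",
               "progra~1": "program files"}

# A process line: drive-rooted path, optionally followed by arguments that
# start with '-' or '/' (DDS prints e.g. "svchost -k netsvcs").
PROCESS_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?:\s+[-/].*)?$")


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: tuple


def normalise(path):
    """Lower-case a path and expand known 8.3 short names."""
    return "\\".join(SHORT_NAMES.get(p, p) for p in path.lower().split("\\"))


def parse_running_processes(log_text):
    """Return the image paths listed under the DDS 'Running Processes' header."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("===="):        # every DDS section header looks like this
            in_section = "Running Processes" in line
        elif in_section and line:
            match = PROCESS_LINE.match(line)
            if match:
                paths.append(match.group("path"))
    return paths


def triage(paths):
    """Apply both checks; one Finding per flagged path, in log order."""
    findings = []
    for path in paths:
        norm = normalise(path)
        directory, _, name = norm.rpartition("\\")
        if "." not in name:                 # DDS sometimes drops the .exe extension
            name += ".exe"
        reasons = []
        expected = SYSTEM_BINARIES.get(name)
        if expected is not None and directory != expected:
            reasons.append(f"{name} runs from {directory}, expected {expected}")
        if any(frag in norm for frag in SUSPECT_DIRS):
            reasons.append("started from a directory no legitimate process runs from")
        if reasons:
            findings.append(Finding(path, tuple(reasons)))
    return findings


def triage_log(log_text):
    return triage(parse_running_processes(log_text))


# Constructed sample in the DDS layout (not the log posted in the thread).
DDS_SAMPLE = """\
DDS (Ver_10-03-17.01) - NTFSx86

============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
C:\\System Volume Information\\Microsoft\\smss.exe
C:\\System Volume Information\\Microsoft\\services.exe
C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\loader.exe
C:\\Documents and Settings\\User\\Desktop\\dds.scr

============== Pseudo HJT Report ===============
uStart Page = about:blank
"""

if __name__ == "__main__":
    for finding in triage_log(DDS_SAMPLE):
        print(finding.path, "->", "; ".join(finding.reasons))
```

Run it against a real DDS.txt by passing the file's contents to triage_log(); a flagged path is a lead to investigate, not a verdict, since legitimate installers occasionally run from Temp.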

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 18th, 2010, 10:09 pm

Melboy,

Thanks for responding so quickly. I ran the tools as you requested. I had to run GMER in safe mode; hope that's ok.

kstubbs

==========
dds.txt
==========


DDS (Ver_10-03-17.01) - NTFSx86
Run by Keith at 15:32:18.71 on Wed 08/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.445 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Keith\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\m-audi~1.lnk - c:\program files\m-audio transit usb\TUSBTask.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Hosts: 192.168.1.104 HP0017A42A901C

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\y0qka3c9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\keith\application data\mozilla\firefox\profiles\y0qka3c9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 218592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-20 112592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-27 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-27 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-6 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-6 1142224]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-15 822424]
R2 Transit USBInstallerService;Transit USB Installer;c:\program files\m-audio transit usb\install\TUSBInst.exe [2006-4-25 49152]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-27 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2006-4-25 41216]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2006-4-25 16512]
S3 mbr;mbr;\??\c:\docume~1\keith\locals~1\temp\mbr.sys --> c:\docume~1\keith\locals~1\temp\mbr.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-27 34248]

=============== Created Last 30 ================

2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-29 16:55:09 0 d-----w- c:\windows\hpojp8500a909
2010-07-29 16:54:07 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-07-29 16:53:31 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-07-29 16:53:31 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-07-29 16:53:31 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-07-29 16:53:31 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-07-29 16:53:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-07-29 16:44:26 131461 ----a-w- c:\windows\hpwins22.dat
2010-07-29 16:44:26 1075 ------w- c:\windows\hpwmdl22.dat

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-25 00:06:52 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-06-08 00:21:02 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-05-02 21:35:06 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-05-02 21:35:06 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-05-02 21:35:06 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:34:41.26 ===============

==========
attach.txt
==========



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/17/2006 5:01:08 PM
System Uptime: 8/18/2010 1:30:25 PM (2 hours ago)

Motherboard: Dell Inc. | | 0YC523
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 170 GiB total, 3.845 GiB free.
D: is FIXED (NTFS) - 58 GiB total, 58.117 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 7.568 GiB free.
H: is FIXED (NTFS) - 932 GiB total, 471.829 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\IMAGE\0001
Manufacturer: HP
Name: 8500 A909g,192.168.1.104
PNP Device ID: ROOT\IMAGE\0001
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet Pro 8500 A909g
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet Pro 8500 A909g
PNP Device ID: ROOT\PRINTER\0000
Service:

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\PRINTER\0001
Manufacturer: HP
Name: Officejet Pro 8500 A909g
PNP Device ID: ROOT\PRINTER\0001
Service:

==== System Restore Points ===================

RP473: 7/11/2010 4:14:09 PM - System Checkpoint
RP474: 7/11/2010 5:35:28 PM - System Checkpoint
RP475: 7/12/2010 6:07:36 PM - Installed HiJackThis
RP476: 7/13/2010 6:15:06 PM - System Checkpoint
RP477: 7/13/2010 6:35:15 PM - Software Distribution Service 3.0
RP478: 7/15/2010 6:40:15 PM - System Checkpoint
RP479: 7/16/2010 6:42:02 PM - System Checkpoint
RP480: 7/17/2010 6:43:07 PM - System Checkpoint
RP481: 7/24/2010 8:41:17 PM - System Checkpoint
RP482: 7/26/2010 2:20:30 AM - System Checkpoint
RP483: 7/27/2010 2:58:08 AM - System Checkpoint
RP484: 7/28/2010 3:57:57 AM - System Checkpoint
RP485: 7/29/2010 4:58:09 AM - System Checkpoint
RP486: 7/30/2010 5:32:02 AM - System Checkpoint
RP487: 7/31/2010 6:00:56 AM - System Checkpoint
RP488: 8/8/2010 5:30:47 PM - System Checkpoint
RP489: 8/8/2010 8:48:12 PM - Software Distribution Service 3.0
RP490: 8/10/2010 12:36:13 AM - System Checkpoint
RP491: 8/11/2010 3:16:19 AM - System Checkpoint
RP492: 8/11/2010 12:56:31 PM - Software Distribution Service 3.0
RP493: 8/11/2010 1:39:02 PM - Installed Java(TM) 6 Update 21
RP494: 8/12/2010 6:21:19 PM - System Checkpoint
RP495: 8/13/2010 6:36:44 PM - System Checkpoint
RP496: 8/15/2010 12:36:52 AM - System Checkpoint
RP497: 8/16/2010 1:47:05 AM - System Checkpoint
RP498: 8/17/2010 1:58:37 AM - System Checkpoint
RP499: 8/17/2010 4:51:02 PM - Installed QuickTime

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7-Zip 4.32
7500_7600_7700_Help
8500A909_BasicWeb
8500A909_Help_BasicWeb
ABBYY FineReader 6.0 Sprint
AbcNavigator 2.0
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 3.0
Adobe Photoshop Elements 5.0
Adobe Reader 9.3.3
Adobe Reader for Palm OS, 3.05
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
APC PowerChute Personal Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
BK ReplaceEm 2.0
Bonjour
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
Browser Defender 2.0.6.15
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon EOS 5D WIA Driver
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.7
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carbonite Online Backup Setup
Corel Paint Shop Pro X
Corel Photo Album 6
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell System Restore
DellSupport
Destinations
DeviceManagementQFolder
Digital Content Portal
DocProc
DocProcQFolder
Documents To Go
EarthLink setup files
Easy Thumbnails (Remove only)
EducateU
ELIcon
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON Perfection V500 Photo Scanner Driver Update
EPSON Perfection V500P User's Guide
EPSON Scan
EPSON Scan Assistant
ESPNMotion
eSupportQFolder
Exact Audio Copy 0.99pb5
Exact Audio Copy v0.9 beta 4
FastStone Image Viewer 3.6
GemMaster Mystic
Get High Speed Internet!
Google AFE
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript 8.70
High Definition Audio Driver Package - KB835221
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Imaging Device Functions 7.0
HP Officejet Pro 8500 A909 Series
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
HPSystemDiagnostics
InstantShareDevicesMFC
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
L7600
Learn2 Player (Uninstall Only)
Legacy 7.4
Legacy Charting 7.4
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
McAfee SecurityCenter
McAfee Uninstaller
MCU
MD Simple Burner 2.0.05
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Robocopy GUI
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.6.3)
Mp3tag v2.35
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
Network
NetZeroInstallers
Norton Ghost 10.0
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Otto
Palm
Palm-DB-Tools 0.3.6
PanoStandAlone
pdfsam
PDFTK Builder 3.5.3
Photo Story 3 for Windows
Pilot-DB 1.1.3
PowerDVD 5.5
ProductContext
QFolder
QuickTime
RealPlayer
RON Tool Banners4u
Scan
ScannerCopy
Scribus 1.3.3.13
Seagate Manager Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SolutionCenter
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 3.4
Sony Sound Forge Audio Studio 8.0a
Sound Blaster X-Fi
Spyware Doctor 7.0
Status
Toolbox
Transit USB 1.0.2.2
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wise-FTP
Xenu's Link Sleuth

==== End Of File ===========================

==========
MBRcheck
==========


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x008000fc

Kernel Drivers (total 154):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7A12000 \WINDOWS\system32\KDCOM.DLL
0xF7922000 \WINDOWS\system32\BOOTVID.dll
0xF73F1000 fltmgr.sys
0xF73C3000 ACPI.sys
0xF7A14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73B2000 pci.sys
0xF7512000 isapnp.sys
0xF7926000 compbatt.sys
0xF792A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7ADA000 pciide.sys
0xF7792000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7522000 MountMgr.sys
0xF7393000 ftdisk.sys
0xF7A16000 dmload.sys
0xF736D000 dmio.sys
0xF779A000 PartMgr.sys
0xF7532000 VolSnap.sys
0xF7355000 atapi.sys
0xF7280000 iastor.sys
0xF7542000 disk.sys
0xF7552000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF726E000 sr.sys
0xF7235000 PCTCore.sys
0xF7220000 drvmcdb.sys
0xF77A2000 PxHelp20.sys
0xF720A000 SymSnap.sys
0xF71F3000 KSecDD.sys
0xF7166000 Ntfs.sys
0xF7139000 NDIS.sys
0xF711F000 Mup.sys
0xF7612000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF56D8000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF56C4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5699000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF788A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5675000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7892000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF5609000 \SystemRoot\system32\drivers\ctaud2k.sys
0xF55E5000 \SystemRoot\system32\drivers\portcls.sys
0xF7622000 \SystemRoot\system32\drivers\drmk.sys
0xF55C2000 \SystemRoot\system32\drivers\ks.sys
0xF5590000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF789A000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xF7632000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF5469000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF53D4000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF78A2000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF78AA000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A9A000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF7642000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7652000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF78B2000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7662000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A9C000 \SystemRoot\system32\DRIVERS\ELacpi.sys
0xF7B57000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF616E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79FE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF53BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF615E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF614E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78BA000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF53AC000 \SystemRoot\system32\DRIVERS\psched.sys
0xF613E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78CA000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF78D2000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF537C000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF612E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78DA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78E2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AA0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF531E000 \SystemRoot\system32\DRIVERS\update.sys
0xF70F7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF70DB000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF610E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF5A05000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AA8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEE8E7000 \SystemRoot\system32\drivers\ha20x2k.sys
0xEE8BA000 \SystemRoot\system32\drivers\emupia2k.sys
0xEE893000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xEE7F7000 \SystemRoot\system32\drivers\ctac32k.sys
0xF2F31000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7A42000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF64FF000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A44000 \SystemRoot\System32\Drivers\Beep.SYS
0xEB53F000 \SystemRoot\system32\drivers\ssrtln.sys
0xF6835000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF682D000 \SystemRoot\System32\drivers\vga.sys
0xF7A46000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A48000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF6825000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF681D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEE176000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEC64A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEC5F1000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEE09D000 \SystemRoot\System32\Drivers\Mpfp.sys
0xEB769000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF5D9B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF65D7000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xEB741000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEB71F000 \SystemRoot\System32\drivers\afd.sys
0xF65C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF65A7000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xEB8EB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEB87B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEB848000 \SystemRoot\system32\drivers\mfehidk.sys
0xF6597000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7A4C000 \SystemRoot\System32\DRIVERS\ELmou.sys
0xF7A4E000 \SystemRoot\System32\DRIVERS\ELmon.sys
0xF7A50000 \SystemRoot\System32\DRIVERS\ELkbd.sys
0xF70AA000 \SystemRoot\System32\DRIVERS\ELhid.sys
0xBA0F5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA220000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA344000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA210000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA340000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA095000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB9759000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA07D000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9E49000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B2C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF5A75000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7BD6000 \SystemRoot\system32\dla\tfsndres.sys
0xB82CB000 \SystemRoot\system32\dla\tfsnifs.sys
0xEDD7C000 \SystemRoot\system32\dla\tfsnopio.sys
0xF5E4D000 \SystemRoot\system32\dla\tfsnpool.sys
0xF782A000 \SystemRoot\system32\dla\tfsnboio.sys
0xF5A35000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7C0F000 \SystemRoot\system32\dla\tfsndrct.sys
0xB82B2000 \SystemRoot\system32\dla\tfsnudf.sys
0xB8299000 \SystemRoot\system32\dla\tfsnudfa.sys
0xED3CC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB7A34000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7712000 \SystemRoot\system32\drivers\sysaudio.sys
0xB78C1000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A8E000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xB7588000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7441000 \SystemRoot\system32\DRIVERS\srv.sys
0xB9E11000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xF77CA000 \SystemRoot\system32\drivers\mfebopk.sys
0xB6783000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF7912000 \??\C:\Program Files\Spyware Doctor\PCTSDInj32.sys
0xF2E9D000 \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
0xB6ACD000 \SystemRoot\system32\drivers\mfesmfk.sys
0xB315B000 \SystemRoot\system32\drivers\kmixer.sys
0xB56E5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xED0BC000 \SystemRoot\system32\DRIVERS\serscan.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 96):
0 System Idle Process
4 System
748 C:\WINDOWS\system32\smss.exe
800 C:\WINDOWS\system32\csrss.exe
824 C:\WINDOWS\system32\winlogon.exe
880 C:\WINDOWS\system32\services.exe
892 C:\WINDOWS\system32\lsass.exe
1124 C:\WINDOWS\system32\svchost.exe
1228 C:\WINDOWS\system32\svchost.exe
1324 C:\WINDOWS\system32\svchost.exe
1452 C:\WINDOWS\system32\svchost.exe
1604 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1700 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1836 C:\WINDOWS\system32\spoolsv.exe
2032 C:\WINDOWS\system32\svchost.exe
240 C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
272 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
300 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
316 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
380 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
396 C:\Program Files\Bonjour\mDNSResponder.exe
456 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
604 C:\WINDOWS\system32\CTSVCCDA.EXE
720 C:\WINDOWS\ehome\ehrecvr.exe
732 C:\WINDOWS\ehome\ehSched.exe
148 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
1284 C:\WINDOWS\system32\gearsec.exe
1540 C:\WINDOWS\system32\svchost.exe
1632 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
1576 C:\Program Files\Java\jre6\bin\jqs.exe
1900 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
2112 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2176 C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
2208 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
2248 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
2360 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2412 C:\Program Files\McAfee\MPF\MpfSrv.exe
2444 C:\WINDOWS\system32\svchost.exe
2592 C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
2604 C:\WINDOWS\explorer.exe
2620 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
2740 C:\WINDOWS\system32\nvsvc32.exe
2792 C:\WINDOWS\system32\svchost.exe
2876 C:\Program Files\Spyware Doctor\pctsAuxs.exe
2960 C:\Program Files\Spyware Doctor\pctsSvc.exe
3296 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
3476 C:\WINDOWS\system32\svchost.exe
3488 C:\Program Files\Spyware Doctor\pctsTray.exe
3728 C:\WINDOWS\ehome\ehtray.exe
3756 C:\WINDOWS\CTHELPER.EXE
3848 C:\WINDOWS\system32\svchost.exe
3876 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3904 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
3920 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
4056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
4068 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
4088 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
484 C:\WINDOWS\system32\dla\tfswctrl.exe
512 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
532 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
540 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
548 C:\Program Files\Norton Ghost\Agent\GhostTray.exe
596 C:\PROGRA~1\Sony\SONICS~1\SSAAD.exe
600 C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
2168 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
2660 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
2576 C:\Program Files\iTunes\iTunesHelper.exe
2868 C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
3156 C:\WINDOWS\system32\CTXFISPI.EXE
3224 C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
3324 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3820 C:\WINDOWS\system32\ctfmon.exe
3872 C:\WINDOWS\ehome\mcrdsvc.exe
3892 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3944 C:\Program Files\DellSupport\DSAgnt.exe
4036 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
4308 C:\Program Files\Canon\CAL\CALMAIN.exe
4460 C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
4500 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
4608 C:\Program Files\Palm\Hotsync.exe
4636 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
4672 C:\Program Files\M-Audio Transit USB\TUSBTask.exe
4928 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
3336 C:\WINDOWS\system32\dllhost.exe
4156 C:\WINDOWS\ehome\ehmsas.exe
4792 C:\Program Files\iPod\bin\iPodService.exe
5564 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
5792 C:\WINDOWS\system32\alg.exe
4392 C:\WINDOWS\system32\svchost.exe
1988 C:\Program Files\Mozilla Firefox\firefox.exe
4676 C:\WINDOWS\system32\wbem\wmiprvse.exe
1844 C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
5060 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
5668 C:\PROGRA~1\McAfee\MSC\mcupdui.exe
1040 C:\Program Files\McAfee\VirusScan\mcinsupd.exe
4976 C:\Documents and Settings\Keith\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002a`7f77de00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: „
PhysicalDrive1 Model Number: SeagateFreeAgentDesktop, Rev: 100D
PhysicalDrive2 Model Number: SeagateFreeAgent, Rev: 102F

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 6E87A0CEBCF1BA90DAC78A4BB02EB595A128C67E
465 GB \\.\PhysicalDrive1 RE: Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 6E87A0CEBCF1BA90DAC78A4BB02EB595A128C67E
931 GB \\.\PhysicalDrive2 RE: Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 6E87A0CEBCF1BA90DAC78A4BB02EB595A128C67E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

==========
preformat.txt
==========



Partition ID: Disk #0, Partition #0
Size: 47.03 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 169.95 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #2
Size: 58.19 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #3
Size: 4.64 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #2, Partition #0
Size: 931.51 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #1, Partition #0
Size: 465.76 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A03
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

==========
GMER.txt (run in safe mode)
==========


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-18 21:45:02
Windows 5.1.2600 Service Pack 3
Running: wunc0d6g.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\fxddapow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7593112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF75722D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF75724C8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7593900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7593BB4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7591E12]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7594020]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF75933D2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7571F44]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 172 804E49CC 2 Bytes [00, 39] {ADD [ECX], BH}
.text ntoskrnl.exe!ZwYieldExecution + 17A 804E49D4 2 Bytes [B4, 3B] {MOV AH, 0x3b}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spyware Doctor\pctsSvc.exe[780] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1516] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \Fat F64AED20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- EOF - GMER 1.0.15 ----
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 19th, 2010, 8:15 am

Hi


Risk Advice - MBR

Unfortunately you have an infected Master Boot Record (MBR)

Some Dell computers have a non-standard customised MBR that allows you to press a key on startup and restore your computer to its factory delivered condition from a hidden partition. That option is no longer available to you due to the infection.

Any attempted fix of this infection will result in the PC receiving a standard Windows XP MBR, not the custom Dell MBR. Whilst this will fix the infection, it will not fix the ability to restore your computer to its factory delivered condition.

It may be possible to restore the original Dell MBR, either prior to or after fixing the infection, but I would recommend that you contact Dell themselves for support with this.

If you would like to proceed with attempting to fix this infection I need you to recognise this does not come without risk. The MBR is a critical component of your PC - as the name suggests it is critical to booting the PC. If anything were to go wrong with the fix, it could result in your computer no longer being able to boot up. Whilst an unbootable computer may be fixable, it can be a lengthy and complicated procedure.

If you understand the risk involved and would like to attempt to fix this infection, I would urge you to first ensure you have backed up any important data, and then continue with the instructions below. If you have any questions - Please ask them first.


==================


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
    How to disable McAfee:

    • Please open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.

      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)

    • Next, select never for "When to re-enable real time scanning"
    • and click OK.
    Further info on disabling and re-enabling McAfee, see here

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning:
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 19th, 2010, 10:18 am

Melboy,

I have 2 questions.

1) I have a Dell Reinstallation DVD that came with the PC (Windows XP Media Center Edition 2005 w. Update Rollup). It says it's for reinstallation of the OS on a Dell PC. Could that help with the MBR?

2) It appears my two external drives (G & H) have the same MBR infection. That's where I've got my data backed up, but does that help me? Can I clean the MBR infection from the external drives? Can I connect them to another PC without spreading the infection?

kstubbs
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 19th, 2010, 2:38 pm

Hi

kstubbs wrote: I have a Dell Reinstallation DVD that came with the PC (Windows XP Media Center Edition 2005 w. Update Rollup). It says it's for reinstallation of the OS on a Dell PC. Could that help with the MBR?
To my knowledge re-installing the OS using the supplied Dell CD doesn't re-write the Dell custom MBR. That would be something for Dell support to confirm though.

As you do have the disk it does give you an additional resource for repairing your computer, whether that be repairing the OS or reinstalling the OS.

kstubbs wrote: It appears my two external drives (G & H) have the same MBR infection. That's where I've got my data backed up, but does that help me? Can I clean the MBR infection from the external drives? Can I connect them to another PC without spreading the infection?

That's not so much of a problem as although the boot code is that of the infection, you don't actually boot from those drives. So long as they are connected when combofix runs, Combofix will attempt to fix the MBRs of the external drives as well.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 19th, 2010, 7:01 pm

That's not so much of a problem as although the boot code is that of the infection, you don't actually boot from those drives. So long as they are connected when combofix runs, Combofix will attempt to fix the MBRs of the external drives as well.


Is there a risk that running combofix could cause the loss of the data I've backed up on the external disks, or is the risk solely to the boot record? If there is a risk, would it be better to try combofix first with only one of the two external disks powered up?
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 20th, 2010, 2:57 am

Hi

The original MBRs on all three devices were gone the moment you became infected. The infection replaced them with its own malicious MBR & the malware writers certainly don't care what effect this has on your machine.

Whilst there can be no cast iron guarantees with any malware removal procedure, the prospect of your data becoming inaccessible on those drives is unlikely. They would both need to be attached on combofix's initial run to be fixed by combofix.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
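The point melboy makes above, that the bootkit replaces only the boot code while the partition table (and so the data on the external drives) stays intact, and the kind of comparison a tool like MBRCheck performs against a known-good MBR, as an added example in Python (my code, not ComboFix's or MBRCheck's; every sector byte, partition entry and the baseline hash below is constructed for the demo):

```python
"""
Minimal MBR integrity check (constructed demo, not the code of any tool in
the thread). The first 512-byte sector is split into the 440-byte boot-code
region, the 4 x 16-byte partition table at offset 446 and the 0x55AA
signature at bytes 510-511. A bootkit like the one ComboFix reported keeps
the partition table and swaps the boot code, so hashing the code region and
comparing it with a baseline taken while the disk was clean reveals the
change even on a data-only drive that is never booted from.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, LBA count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from constructed parts (demo helper)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, lba_len) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        # CHS fields are left zeroed; only the LBA fields matter here
        struct.pack_into(ENTRY_FMT, sector, off, status, b"\0\0\0", ptype,
                         b"\0\0\0", lba_start, lba_len)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_partitions(sector: bytes):
    """Decode the non-empty entries of the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_len = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "lba_len": lba_len})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Compare one sector with a known-good baseline and return the findings."""
    partitions = parse_partitions(sector)
    findings = {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
        "bootable_count": sum(1 for p in partitions if p["bootable"]),
        "boot_code_sha256": boot_code_hash(sector),
    }
    findings["boot_code_matches_baseline"] = findings["boot_code_sha256"] == baseline_sha256
    problems = []
    if not findings["signature_ok"]:
        problems.append("missing 0x55AA signature")
    if not findings["boot_code_matches_baseline"]:
        problems.append("boot code differs from baseline")
    if findings["bootable_count"] > 1:
        problems.append("more than one active partition")
    findings["verdict"] = "OK" if not problems else "; ".join(problems)
    return findings


# Constructed sample data. The "clean" boot code begins with the first bytes of
# a standard XP MBR (xor ax,ax / mov ss,ax / mov sp,7c00h) padded with NOPs;
# the "infected" code is an arbitrary different byte string, not real malware.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
ALTERED_BOOT_CODE = bytes.fromhex("ebfe") + b"\xcc" * (BOOT_CODE_LEN - 2)
INTERNAL_PARTITIONS = [(0x00, 0xDE, 63, 80262),          # utility partition, inactive
                       (0x80, 0x07, 80325, 312416685)]   # NTFS, active (Windows)
EXTERNAL_PARTITIONS = [(0x00, 0x07, 63, 976768002)]      # data drive, nothing active

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, INTERNAL_PARTITIONS)
INFECTED_MBR = build_mbr(ALTERED_BOOT_CODE, INTERNAL_PARTITIONS)
EXTERNAL_MBR = build_mbr(ALTERED_BOOT_CODE, EXTERNAL_PARTITIONS)
BASELINE_SHA256 = boot_code_hash(CLEAN_MBR)  # recorded while the disk was clean

if __name__ == "__main__":
    for name, mbr in (("clean disk", CLEAN_MBR), ("infected disk", INFECTED_MBR),
                      ("external data drive", EXTERNAL_MBR)):
        print(f"{name}: {check_mbr(mbr, BASELINE_SHA256)['verdict']}")
```

The external drive is flagged although it has no active partition and its partition table is untouched, which is the situation the thread describes for drives G and H.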

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 21st, 2010, 1:29 pm

Melboy,

I ran combofix per the instructions. Here's the log.

=======================================

ComboFix 10-08-20.01 - Keith 08/21/2010 12:55:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT -4:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\Keith\Recent\Thumbs.db
c:\system volume information\Microsoft
c:\system volume information\Microsoft\smss.exe
c:\windows\system32\Thumbs.db
H:\Autorun.inf

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-16 02:05 . 2010-08-16 02:05 388096 ----a-r- c:\documents and settings\Keith\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-09 16:07 . 2010-08-09 16:07 -------- d-----w- c:\documents and settings\Keith\Local Settings\Application Data\HP
2010-08-08 23:39 . 2010-08-08 23:39 503808 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2213f077-n\msvcp71.dll
2010-08-08 23:39 . 2010-08-08 23:39 499712 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2213f077-n\jmc.dll
2010-08-08 23:39 . 2010-08-08 23:39 348160 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2213f077-n\msvcr71.dll
2010-08-08 23:39 . 2010-08-08 23:39 61440 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1498dc4c-n\decora-sse.dll
2010-08-08 23:39 . 2010-08-08 23:39 12800 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1498dc4c-n\decora-d3d.dll
2010-07-29 16:55 . 2010-07-29 16:55 -------- d-----w- c:\windows\hpojp8500a909
2010-07-29 16:54 . 2010-07-29 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-29 16:54 . 2008-08-12 14:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-07-29 16:54 . 2008-08-12 14:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
2010-07-29 16:53 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-07-29 16:53 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-07-29 16:53 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-07-29 16:53 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-07-29 16:53 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-07-29 16:44 . 2010-07-29 16:55 131461 ----a-w- c:\windows\hpwins22.dat
2010-07-29 16:44 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 16:53 . 2008-12-03 21:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-21 16:22 . 2008-12-04 00:43 -------- d-----w- c:\program files\Spyware Doctor
2010-08-18 19:05 . 2007-11-03 02:49 102 ----a-w- c:\documents and settings\Keith\Application Data\Microsoft Robocopy GUI\Config\rcscript.bat
2010-08-17 20:53 . 2006-04-03 15:53 -------- d-----w- c:\program files\QuickTime
2010-08-15 16:06 . 2006-04-07 03:04 -------- d-----w- c:\program files\Palm
2010-08-11 17:40 . 2006-02-15 08:59 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 17:39 . 2006-02-15 08:59 -------- d-----w- c:\program files\Java
2010-08-11 17:30 . 2010-07-18 11:38 98160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-09 22:05 . 2009-02-27 00:32 -------- d-----w- c:\documents and settings\Keith\Application Data\ZoomBrowser EX
2010-08-08 20:49 . 2006-03-13 16:51 -------- d-----w- c:\program files\Legacy
2010-07-29 16:27 . 2010-01-27 14:22 -------- d-----w- c:\program files\McAfee
2010-07-25 00:06 . 2010-01-20 16:22 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-17 09:00 . 2010-06-23 03:27 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 19:18 . 2010-01-27 14:23 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-12 22:07 . 2010-07-12 22:07 -------- d-----w- c:\program files\Trend Micro
2010-06-30 12:31 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-25 09:33 . 2006-05-03 04:14 -------- d-----w- c:\program files\XenuLinkSleuth
2010-06-24 12:22 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2005-08-16 10:18 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 03:28 . 2010-06-23 03:28 503808 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18354cd3-n\msvcp71.dll
2010-06-23 03:28 . 2010-06-23 03:28 499712 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18354cd3-n\jmc.dll
2010-06-23 03:28 . 2010-06-23 03:28 348160 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18354cd3-n\msvcr71.dll
2010-06-23 03:28 . 2010-06-23 03:28 61440 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5369119f-n\decora-sse.dll
2010-06-23 03:28 . 2010-06-23 03:28 12800 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5369119f-n\decora-d3d.dll
2010-06-21 15:27 . 2006-02-15 08:37 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2005-08-16 10:18 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-08-16 10:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2005-08-16 10:18 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 00:21 . 2010-01-20 16:22 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-05-25 03:39 . 2010-05-25 03:39 503808 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a18762-n\msvcp71.dll
2010-05-25 03:39 . 2010-05-25 03:39 499712 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a18762-n\jmc.dll
2010-05-25 03:39 . 2010-05-25 03:39 348160 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a18762-n\msvcr71.dll
2010-05-23 21:50 . 2010-06-12 22:05 73216 ----a-w- c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"CTHelper"="CTHELPER.EXE" [2005-09-20 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-11 19968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-08-17 1531904]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-2-27 221295]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-4-6 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
M-Audio Transit USB Control Panel Launcher.lnk - c:\program files\M-Audio Transit USB\TUSBTask.exe [2003-4-28 61440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/29/2009 10:06 PM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/20/2010 12:22 PM 112592]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/27/2010 10:25 AM 93320]
R2 Transit USBInstallerService;Transit USB Installer;c:\program files\M-Audio Transit USB\Install\TUSBInst.exe [4/25/2006 4:23 PM 49152]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 1:59 PM 135664]
S3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [4/25/2006 4:23 PM 41216]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [4/25/2006 4:23 PM 16512]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/6/2010 4:01 PM 366840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 17:59]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 17:59]

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-27 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-27 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-ctxdfsqhypkelyfp - c:\windows\system32\ctxdfsqhypkelyfp.exe
AddRemove-EPSON Scanner - c:\program files\epson\escndv\setup\setup.exe
AddRemove-HijackThis - c:\docume~1\Keith\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,ec,e4,a7,b8,d9,ed,4d,bd,27,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,ec,e4,a7,b8,d9,ed,4d,bd,27,27,\
.
Completion time: 2010-08-21 13:12:09
ComboFix-quarantined-files.txt 2010-08-21 17:12
ComboFix2.txt 2008-12-16 15:43

Pre-Run: 9,309,396,992 bytes free
Post-Run: 9,582,280,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 99D51143166D727D52C4202162B6E3D0
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 21st, 2010, 5:33 pm

Hi

Well done! That looks to have got it. :thumbright:

MBRCheck

You should still have this on your desktop.

  • Double click MBRCheck.exe
  • A black command type window will open
  • After a short while, a text file will appear on your desktop named MBRCheck_Date_Time.txt
  • press 'N' on your keyboard, then press 'enter'
  • Click enter again on your keyboard and the window will close.
  • Copy/paste the contents of MBRCheck_Date_Time.txt in your next reply



Java Runtime
Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.

  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

  • Java(TM) 6 Update 21 << Leave the current version installed



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable McAfee as previously instructed.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable McAfee




In your next reply:
  1. MBRcheck log
  2. MBAM log
  3. ESET online scan log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 22nd, 2010, 8:55 pm

Melboy,

Here's the new batch of logs you requested.

I think the SpywareGuard registry key that MBAM found is left over from a prior malware infection I had in December 2008.

I let MBAM fix all three items it found, but I have a question about one of them. Removing the FirewallDisableNotify registry entry appears to activate the Microsoft firewall, which I had disabled because I'm using the McAfee firewall. Should I leave both firewalls on?

==============
MBRcheck log
==============


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x008000fc

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7A12000 \WINDOWS\system32\KDCOM.DLL
0xF7922000 \WINDOWS\system32\BOOTVID.dll
0xF73F1000 fltmgr.sys
0xF73C3000 ACPI.sys
0xF7A14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73B2000 pci.sys
0xF7512000 isapnp.sys
0xF7926000 compbatt.sys
0xF792A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7ADA000 pciide.sys
0xF7792000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7522000 MountMgr.sys
0xF7393000 ftdisk.sys
0xF7A16000 dmload.sys
0xF736D000 dmio.sys
0xF779A000 PartMgr.sys
0xF7532000 VolSnap.sys
0xF7355000 atapi.sys
0xF7280000 iastor.sys
0xF7542000 disk.sys
0xF7552000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF726E000 sr.sys
0xF7235000 PCTCore.sys
0xF7220000 drvmcdb.sys
0xF77A2000 PxHelp20.sys
0xF720A000 SymSnap.sys
0xF71F3000 KSecDD.sys
0xF7166000 Ntfs.sys
0xF7139000 NDIS.sys
0xF711F000 Mup.sys
0xF7612000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF56D8000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF56C4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5699000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF7872000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5675000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF787A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF5609000 \SystemRoot\system32\drivers\ctaud2k.sys
0xF55E5000 \SystemRoot\system32\drivers\portcls.sys
0xF7622000 \SystemRoot\system32\drivers\drmk.sys
0xF55C2000 \SystemRoot\system32\drivers\ks.sys
0xF5590000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF7882000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xF7632000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF5469000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF53D4000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF788A000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF7892000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A78000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF7642000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7652000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF789A000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7662000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A7A000 \SystemRoot\system32\DRIVERS\ELacpi.sys
0xF7C37000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF616E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79E2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF53BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF615E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF614E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78A2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF53AC000 \SystemRoot\system32\DRIVERS\psched.sys
0xF613E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78AA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78B2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF78BA000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF537C000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF612E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78CA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF531E000 \SystemRoot\system32\DRIVERS\update.sys
0xF79FA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF70F7000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF610E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF5A05000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A84000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEE8E7000 \SystemRoot\system32\drivers\ha20x2k.sys
0xEE8BA000 \SystemRoot\system32\drivers\emupia2k.sys
0xEE893000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xEE7F7000 \SystemRoot\system32\drivers\ctac32k.sys
0xF2F31000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7A1E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF6500000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A20000 \SystemRoot\System32\Drivers\Beep.SYS
0xEB53F000 \SystemRoot\system32\drivers\ssrtln.sys
0xF6835000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF682D000 \SystemRoot\System32\drivers\vga.sys
0xF7A22000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A24000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF6825000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF681D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEE176000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEC64A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEC5F1000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEC5CA000 \SystemRoot\System32\Drivers\Mpfp.sys
0xEB50F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF5D9B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF65D7000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xEB028000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEB006000 \SystemRoot\System32\drivers\afd.sys
0xF65C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF65A7000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xEB4E4000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEB450000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEB41D000 \SystemRoot\system32\drivers\mfehidk.sys
0xF6597000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7A28000 \SystemRoot\System32\DRIVERS\ELmou.sys
0xF7A2A000 \SystemRoot\System32\DRIVERS\ELmon.sys
0xF7A2C000 \SystemRoot\System32\DRIVERS\ELkbd.sys
0xF70D7000 \SystemRoot\System32\DRIVERS\ELhid.sys
0xBA0F5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA220000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA338000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA210000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA334000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA32C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB976D000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA079000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA0D5000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BDA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF6330000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7BD3000 \SystemRoot\system32\dla\tfsndres.sys
0xB82DF000 \SystemRoot\system32\dla\tfsnifs.sys
0xF2F45000 \SystemRoot\system32\dla\tfsnopio.sys
0xF5C6F000 \SystemRoot\system32\dla\tfsnpool.sys
0xF67ED000 \SystemRoot\system32\dla\tfsnboio.sys
0xF6320000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7BE6000 \SystemRoot\system32\dla\tfsndrct.sys
0xB82C6000 \SystemRoot\system32\dla\tfsnudf.sys
0xB82AD000 \SystemRoot\system32\dla\tfsnudfa.sys
0xED56B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB7A48000 \SystemRoot\system32\drivers\wdmaud.sys
0xF76A2000 \SystemRoot\system32\drivers\sysaudio.sys
0xB78D5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A5E000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xB759C000 \SystemRoot\System32\Drivers\HTTP.sys
0xB751D000 \SystemRoot\system32\DRIVERS\srv.sys
0xB987C000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xEB57F000 \SystemRoot\system32\drivers\mfebopk.sys
0xB5F08000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB9E41000 \??\C:\DOCUME~1\Keith\LOCALS~1\Temp\catchme.sys
0xF7AC6000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF780A000 \??\C:\DOCUME~1\Keith\LOCALS~1\Temp\mbr.sys
0xB64ED000 \SystemRoot\system32\drivers\mfesmfk.sys
0xEE10C000 \??\C:\Program Files\Spyware Doctor\PCTSDInj32.sys
0xEDCF5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xF669D000 \SystemRoot\system32\DRIVERS\serscan.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 61):
0 System Idle Process
4 System
744 C:\WINDOWS\system32\smss.exe
796 C:\WINDOWS\system32\csrss.exe
820 C:\WINDOWS\system32\winlogon.exe
876 C:\WINDOWS\system32\services.exe
888 C:\WINDOWS\system32\lsass.exe
1088 C:\WINDOWS\system32\svchost.exe
1172 C:\WINDOWS\system32\svchost.exe
1268 C:\WINDOWS\system32\svchost.exe
1468 C:\WINDOWS\system32\svchost.exe
1544 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1572 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1780 C:\WINDOWS\system32\spoolsv.exe
1956 C:\WINDOWS\system32\svchost.exe
172 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
240 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
292 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
304 C:\Program Files\Bonjour\mDNSResponder.exe
332 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
524 C:\WINDOWS\system32\CTSVCCDA.EXE
544 C:\WINDOWS\ehome\ehrecvr.exe
560 C:\WINDOWS\ehome\ehSched.exe
612 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
1216 C:\WINDOWS\system32\gearsec.exe
1420 C:\WINDOWS\system32\svchost.exe
1432 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
1492 C:\Program Files\Java\jre6\bin\jqs.exe
1596 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
1612 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2068 C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
2100 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
2120 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
2256 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2296 C:\Program Files\McAfee\MPF\MpfSrv.exe
2332 C:\WINDOWS\system32\svchost.exe
2412 C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
2424 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
2528 C:\WINDOWS\system32\nvsvc32.exe
2548 C:\WINDOWS\system32\svchost.exe
2676 C:\WINDOWS\system32\svchost.exe
2740 C:\WINDOWS\system32\svchost.exe
2836 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2888 C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
3076 C:\WINDOWS\ehome\mcrdsvc.exe
3220 C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
3460 C:\Program Files\Canon\CAL\CALMAIN.exe
2672 C:\WINDOWS\system32\dllhost.exe
2940 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
3368 C:\WINDOWS\system32\alg.exe
2780 C:\WINDOWS\system32\svchost.exe
3972 C:\WINDOWS\explorer.exe
3900 C:\WINDOWS\system32\ctfmon.exe
3980 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
1024 C:\Program Files\Spyware Doctor\pctsAuxs.exe
3728 C:\Program Files\Spyware Doctor\pctsSvc.exe
1860 C:\Program Files\Spyware Doctor\pctsTray.exe
3212 C:\Program Files\Mozilla Firefox\firefox.exe
4408 C:\Program Files\iPod\bin\iPodService.exe
576 C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
5276 C:\Documents and Settings\Keith\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002a`7f77de00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ƒ¸
PhysicalDrive1 Model Number: SeagateFreeAgentDesktop, Rev: 100D
PhysicalDrive2 Model Number: SeagateFreeAgent, Rev: 102F

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

==============
MBAM log
==============


Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4462

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/22/2010 3:15:38 PM
mbam-log-2010-08-22 (15-15-38).txt

Scan type: Quick scan
Objects scanned: 149332
Time elapsed: 14 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\conf.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

==============
ESET online scan log
==============


C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BV trojan
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
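The MBRCheck log above prints, for each volume, the physical drive and byte offset it lives at, and for each drive a SHA1 and a label for the boot code. The following is an added example (not MBRCheck's own code, not part of this thread) that parses a 512-byte MBR the same way a checker would: it computes each partition's byte offset from its LBA start, hashes the bootstrap code region, and looks the hash up in a known-good table. It assumes, and this is an assumption rather than something the log states, that MBRCheck's SHA1 covers only the bootstrap code (bytes 0..439) and not the disk signature or partition table, which is what would make three drives with different partition tables report one hash. The sample sector is constructed; its two partition starts reuse the C: and D: offsets from the log, and the known-good hash is the one the log labels "Windows XP MBR code".

```python
"""Parse a 512-byte MBR sector, map partitions to byte offsets and hash the
bootstrap code.  Added example; not MBRCheck's own code.  Assumption: the
SHA1 a checker prints covers only bytes 0..439 (bootstrap code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440              # bytes 0..439   bootstrap code
DISK_SIG_OFF = 440               # bytes 440..443 NT disk signature
PART_TABLE_OFF = 446             # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511

# The one hash the log above labels "Windows XP MBR code".  Anything else is
# "unknown", which means "inspect", not "infected": OEM and other OS loaders
# have their own hashes.
KNOWN_MBR_CODE = {
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code",
}


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    code_sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                   # 0x07 = NTFS
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,     # the "at offset" value in the log
        })
    return {"code_sha1": code_sha1, "disk_signature": disk_sig,
            "partitions": partitions}


def classify(sector: bytes, known: dict = KNOWN_MBR_CODE) -> str:
    """Label the bootstrap code by its hash."""
    return known.get(parse_mbr(sector)["code_sha1"], "unknown MBR code")


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (on Windows this needs Administrator)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sector for testing, not a dump of the poster's disk.  The
    two partition starts reuse the C: and D: byte offsets from the log."""
    c_start = 0x02F10C00 // SECTOR                 # 96390
    d_start = 0x2A7F77DE00 // SECTOR               # 356498415
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(BOOT_CODE_LEN, b"\x90")
    table = (_entry(0x80, 0x07, c_start, d_start - c_start)
             + _entry(0x00, 0x07, d_start, 131_898_753)
             + _entry(0, 0, 0, 0) + _entry(0, 0, 0, 0))
    sector = (code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
              + table + BOOT_SIGNATURE)
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print(classify(mbr), info["code_sha1"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} "
              f"at offset 0x{p['byte_offset']:016X}, {p['sectors']} sectors")
```

Run against a real drive with read_mbr() from an elevated prompt; the constructed sector hashes to something outside the known table on purpose, so the script reports "unknown MBR code" for it, which is the outcome that should make you look at the code bytes rather than assume a bootkit.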

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 23rd, 2010, 5:42 pm

Hi

kstubbs wrote: Removing the FirewallDisableNotify registry entry appears to activate the Microsoft firewall, which I had disabled because I'm using the McAfee firewall. Should I leave both firewalls on?


That shouldn't have enabled the Windows firewall. If the Windows firewall is enabled please turn it off.

FirewallDisableNotify is relative to Windows Security Center alerts. It was set to Disable firewall alerts, which will have been set by McAfee, as it has its own mechanism for reporting if the firewall is active or not. The setting is now Display firewall alerts. If the firewall reporting to Security Center (in your case McAfee) is turned off, you would receive a warning from Windows Security Center informing you of this.

McAfee may well change the setting again. If it does and is detected in further Malwarebytes scans you can safely highlight the item and click ignore.



Update Adobe Reader

Your Adobe Reader is out of date.
Outdated versions may have vulnerabilities that malware can use to infect your system.
  • Using the internal updater update the software to the current increment 9.3.4
    • Open Adobe Reader go to > Help > Check for updates and allow the updater to check.
    • Click to download and install any necessary updates.


=================================


Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If not, then please continue with the instructions below.



Uninstall Combofix
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    Image
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


You can delete both MBRCheck and its associated logfiles along with Preformat.vbs and Preformat.zip files and folders.


============================================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a hosts file. A simple explanation of what a hosts file does is HERE, and for more information regarding hosts files read HERE.


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
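The MBAM line above (Disabled.SecurityCenter, "Bad: (1) Good: (0)") and melboy's explanation of it concern the notification switches under the Security Center key: a value of 1 tells Windows not to raise the corresponding alert. Below is an added example (not code from this thread, from Malwarebytes or from McAfee) that parses the text `reg query` prints and lists every suppressed alert. It goes a little beyond the single FirewallDisableNotify value in the log: it also checks the AntiVirus and Updates notify switches and the *Override values, which live in the same key and are set the same way. Whether a hit is malware or a legitimate suite switching off Windows' own alerts, as McAfee does here, is for the analyst to decide; the script only surfaces the state. The sample `reg query` output is constructed; the key paths are real, the `collect()` helper only works on Windows.

```python
"""List suppressed Windows Security Center alerts from `reg query` output.
Added example, not from the thread or from Malwarebytes.  Sample input is
constructed to mirror the MBAM finding above (FirewallDisableNotify = 1)."""
import re
import subprocess
import sys

SECURITY_CENTER_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Security Center",
    r"HKCU\SOFTWARE\Microsoft\Security Center",
)
# value name -> meaning when the REG_DWORD is 1
WATCHED = {
    "FirewallDisableNotify": "firewall alerts suppressed",
    "AntiVirusDisableNotify": "antivirus alerts suppressed",
    "UpdatesDisableNotify": "Automatic Updates alerts suppressed",
    "FirewallOverride": "firewall state overridden",
    "AntiVirusOverride": "antivirus state overridden",
}
# one `reg query` value line: "    Name    REG_TYPE    data"
# (value names containing spaces are not handled; none of the watched ones do)
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Turn `reg query` output into {key_path: {value_name: data}}.
    REG_DWORD data ("0x1") is converted to int; everything else stays str."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # unindented line = key path
            current = line.strip()
            result[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, rtype, raw = m.groups()
            result[current][name] = int(raw, 16) if rtype == "REG_DWORD" else raw
    return result


def findings(parsed: dict) -> list:
    """Return (key_path, value_name, meaning) for each watched value set to 1."""
    out = []
    for key, values in parsed.items():
        for name, meaning in WATCHED.items():
            if values.get(name) == 1:
                out.append((key, name, meaning))
    return out


def collect() -> dict:
    """Live check on Windows: query both hives with reg.exe (no admin needed
    for reading) and parse the combined output."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reg.exe is Windows-only; feed saved output to parse_reg_query")
    text = ""
    for key in SECURITY_CENTER_KEYS:
        proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        text += proc.stdout + "\n"
    return parse_reg_query(text)


# Constructed sample output; only FirewallDisableNotify is set, as in the log.
SAMPLE = """
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Security Center
    FirewallDisableNotify    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center
    AntiVirusOverride    REG_DWORD    0x0
    FirewallOverride    REG_DWORD    0x0
    FirstRunDisabled    REG_DWORD    0x1
"""

if __name__ == "__main__":
    parsed = collect() if sys.platform.startswith("win") else parse_reg_query(SAMPLE)
    for key, name, meaning in findings(parsed):
        print(f"{key}\\{name} = 1  ->  {meaning}")
```

On the machine in this thread the output would be the one FirewallDisableNotify line; FirstRunDisabled is deliberately not in the watched set because it only records that the first-run wizard was dismissed.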

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby kstubbs » August 23rd, 2010, 8:02 pm

Melboy,

Thanks for all your quick & efficient help. My PC appears to be back to normal.

I was mistaken about the Windows firewall. I misread the MS Security Center screen, which was telling me the McAfee firewall was on, not the Windows one.

I have automatic update checking on for Adobe Reader. The 9.3.4 update came in while we were working on the cleanup & I didn't want to apply the change in the middle of the fix.

One suggestion for your general post-problem cleanup instructions: ComboFix wanted me to shut down McAfee before it would complete the uninstall. I'm not sure why it needs that, but perhaps you should add an instruction to disable antivirus software before initiating the uninstall.

FYI, when I put in the MVPS hosts file per your suggestion, Spyware Doctor removed 46 of the entries which it considered "bad sites", apparently not noticing the 127.0.0.1 addresses the sites were set to.
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
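The last point in the post above, a scanner objecting to block-list entries that only map names to 127.0.0.1, is worth separating from the hosts-file pattern that actually matters in a cleanup: an entry that maps a security vendor's update domain to some other address. Below is an added example (not code from this thread, from Spyware Doctor or from the MVPS project) that parses hosts-file lines and sorts them into loopback or 0.0.0.0 "block" entries, plain redirects, and redirects of sensitive names. The sample file and the 203.0.113.7 address (TEST-NET-3, reserved for documentation) are constructed, and the list of sensitive domain suffixes is an illustrative assumption, not a standard list.

```python
"""Triage hosts-file entries: blocks vs. redirects vs. likely hijacks.
Added example, not from the thread, Spyware Doctor or MVPS.  Sample hosts
content and the sensitive-suffix list are constructed for illustration."""
import ipaddress

# Addresses that only block a name (nothing listens there for the victim).
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Names a redirect away from is alarming (assumed, illustrative list).
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com",
                      "malwarebytes.org", "eset.com", "pctools.com")


def _is_sensitive(name: str) -> bool:
    """Exact or dotted-suffix match, so 'notmicrosoft.com' does not match."""
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def parse_hosts(text: str) -> list:
    """Yield (lineno, address, hostname) for every resolvable mapping.
    Comments are stripped; malformed addresses are skipped as the resolver
    would skip them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def triage(text: str) -> dict:
    """Split entries into blocks (benign block-list style), redirects, and
    hijacks (redirects of sensitive names).  localhost itself is ignored."""
    blocks, redirects, hijacks = [], [], []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" and addr in BLACKHOLE:
            continue
        if addr in BLACKHOLE:
            blocks.append(name)
        elif _is_sensitive(name):
            hijacks.append((lineno, name, str(addr)))
        else:
            redirects.append((lineno, name, str(addr)))
    return {"blocks": blocks, "redirects": redirects, "hijacks": hijacks}


# Constructed sample: three MVPS-style blocks, then a hijack pattern.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# MVPS-style block entries (constructed)
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.badsite.example
127.0.0.1 tracker.example
# redirects to an outside address (constructed, TEST-NET-3)
203.0.113.7 www.mcafee.com
203.0.113.7 update.microsoft.com
203.0.113.7 www.example.org
"""

if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS)
    print(f"{len(result['blocks'])} block entries (benign block-list style)")
    for lineno, name, addr in result["hijacks"]:
        print(f"line {lineno}: {name} -> {addr}  <-- security-vendor name redirected")
    for lineno, name, addr in result["redirects"]:
        print(f"line {lineno}: {name} -> {addr}  (redirect, review)")
```

To run it on a real system, read C:\WINDOWS\system32\drivers\etc\hosts and pass the text to triage(); the 46 entries the scanner objected to in the post above would all land in "blocks", and only the last category is the one worth acting on.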

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby melboy » August 24th, 2010, 12:40 pm

You're welcome and thanks for the suggestion. :)
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Malware.Unruy (aka Downloader-BZH) Infection on Windows

Unread postby Dakeyras » August 24th, 2010, 1:03 pm

As it appears this issue has been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra