On my wife's user, I did notice a secondary network connection came up in addition to my wireless (no RJ-45 was connected). I disabled it... then I realized "VIRUS!"
Logged onto my user in safe mode and I ran dds.
dds.txt
.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 10.1.0
Run by charles at 11:42:22 on 2012-01-01
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2038.1687 [GMT -6:00]
.
AV: Doctor Web Anti-Virus *Enabled/Updated* {6CC6AE29-BD86-6306-5444-113FA6A626D8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Doctor Web Anti-Virus *Enabled/Updated* {D7A74FCD-9BBC-6C88-6EF4-2A4DDD216C65}
FW: Dr.Web Firewall *Enabled* {54FD2F0C-F7E9-625E-7F1B-B80A587561A3}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WRShell.BHO: {255215e2-87dc-4819-8724-d0b4c94dbef5} - c:\program files\webresearch\WRShell.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: WRShell.ToolBand: {8f0f47b1-7d4b-4834-a981-91e2a3dce069} - c:\program files\webresearch\WRShell.dll
TB: WRShell.EditBand: {5338df6c-3b3b-4e38-8b31-7b99986627b2} - c:\program files\webresearch\WRShell.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SkinClock] c:\program files\clock tray skins\ClockTraySkins.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Cm102Sound] RunDll32 cm102.cpl,CMICtrlWnd
mRun: [SpIDerMail] "c:\program files\drweb\spiderml.exe" -autorun
mRun: [Dr.Web Firewall] "c:\program files\drweb\frwl_notify.exe"
mRun: [SpIDerAgent] "c:\program files\drweb\SpIDerAgent.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [adm_tray.exe] c:\program files\acronis\drivemonitor\adm_tray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\charles\appdata\roaming\micros~1\windows\startm~1\programs\startup\captur~1.lnk - c:\program files\capturewiz\pro\CaptureWiz.exe
StartupFolder: c:\users\charles\appdata\roaming\microsoft\windows\start menu\programs\startup\odrive.bat
StartupFolder: c:\users\charles\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: WebResearch: Save Link Address As... - c:\progra~1\webres~1\wrshell.dll/#110
IE: WebResearch: Save Page Area (Frame) - c:\progra~1\webres~1\wrshell.dll/#102
IE: WebResearch: Save Page Area (Frame) As... - c:\progra~1\webres~1\wrshell.dll/#106
IE: WebResearch: Save Picture - c:\progra~1\webres~1\wrshell.dll/#101
IE: WebResearch: Save Picture As... - c:\progra~1\webres~1\wrshell.dll/#108
IE: WebResearch: Save Selected Targets As... - c:\progra~1\webres~1\wrshell.dll/#111
IE: WebResearch: Save Selection - c:\progra~1\webres~1\wrshell.dll/#104
IE: WebResearch: Save Selection As... - c:\progra~1\webres~1\wrshell.dll/#109
IE: WebResearch: Save Target - c:\progra~1\webres~1\wrshell.dll/#103
IE: WebResearch: Save Target As... - c:\progra~1\webres~1\wrshell.dll/#107
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
LSP: c:\program files\drweb\drwebsp.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.254
TCP: Interfaces\{12121B48-7C6E-4A78-A74B-243A0A7A7BD4} : DhcpNameServer = 129.107.31.80 129.107.62.80 129.107.45.80
TCP: Interfaces\{1AA66C24-F5AD-4973-875D-B23365C7DEFE} : DhcpNameServer = 192.168.2.254
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\charles\appdata\roaming\mozilla\firefox\profiles\1z9lwc1b.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\users\charles\appdata\roaming\mozilla\firefox\profiles\1z9lwc1b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: Copy Link URL: copylinkurl@bluelightdev.com - %profile%\extensions\copylinkurl@bluelightdev.com
FF - Ext: WorldIP: {f36c6cd1-da73-491d-b290-8fc9115bfa55} - %profile%\extensions\{f36c6cd1-da73-491d-b290-8fc9115bfa55}
FF - Ext: Zotero OpenOffice.org Integration: zoteroOpenOfficeIntegration@zotero.org - %profile%\extensions\zoteroOpenOfficeIntegration@zotero.org
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
.
============= SERVICES / DRIVERS ===============
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2011-1-1 149272]
R0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [2011-1-1 111896]
R1 DRWEBAF;DrWEB Firewall Application Filter;c:\windows\system32\drivers\drwebaf.sys [2011-1-1 84728]
R3 DrWebPF;DrWeb Packet Filter Driver;c:\windows\system32\drivers\drwebpf.sys [2011-1-1 72568]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-8-15 116016]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\clock tray skins\timeserv.exe [2011-9-22 415744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DMDefragService;Performance Toolkit Disk Defrag Service;c:\program files\pc tools utilities\tools\defrag\DMDefragSrv.exe [2010-12-5 1034208]
S2 DMRepairService;Performance Toolkit Disk Repair Service;c:\program files\pc tools utilities\tools\repair\DMRepairSrv.exe [2010-12-5 1021920]
S2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\common files\doctor web\scanning engine\dwengine.exe [2010-6-21 1844056]
S2 DrWebFWSvc;Dr.Web Firewall Application Filter;c:\program files\drweb\frwl_svc.exe [2011-1-1 2267120]
S2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 135664]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-9-19 14976]
S2 XWNTSERV;XWP_Services;c:\windows\system32\XWNTSERV.EXE [2011-9-20 205952]
S2 XwpNTrdr;XwpNTrdr;c:\windows\system32\drivers\XWPFSW2K.SYS [2011-9-20 177918]
S2 XwpXSetSrvProNFS;XwpXSetSrvProNFS service;c:\users\public\program files\lab-nc\pronfs\xsetsrv.exe [2011-1-18 106496]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2011-9-21 68096]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-12-3 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 135664]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2010-12-17 1499648]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-8-15 104752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-24 10:59:31 111896 ----a-w- c:\windows\system32\drivers\spiderg3.sys
2011-11-24 10:59:28 149272 ----a-w- c:\windows\system32\drivers\dwprot.sys
2011-10-31 17:47:25 544656 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 11:43:40.42 ===============