
Email issue

Discussion in 'Virus & Other Malware Removal' started by Solride, Nov 4, 2011.

  1. Solride

    Solride Thread Starter

    Joined:
    Nov 4, 2011
    Messages:
    4
    This computer has begun to randomly open Outlook and send emails with embedded links, mostly to craigslist. We do not use Outlook, and use gmail exclusively for all email traffic. As stated in the post "Everyone Must Read This!", following are the requested logs.

    Hijack This Logfile:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:16:51 PM, on 11/4/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLoginAuth
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {0DCC5F01-8F28-4024-8B40-5124D5FA9B51} - C:\Users\Fran\AppData\Local\NetworkAdmin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Classes Update] rundll32 "C:\Users\Fran\AppData\Local\Apple Computer\AppleUpdate\Appleup.DLL",DllRegisterServer
    O4 - HKCU\..\Run: [lpc] rundll32.exe "C:\Users\Fran\AppData\Roaming\Remote\makj69.dll", RegisterDll
    O4 - HKCU\..\Run: [WinmailReader Update] rundll32 "C:\Users\Fran\AppData\Local\Google\GoogleUpdate\Googleup.DLL",DllRegisterServer
    O4 - HKCU\..\Run: [Blizzard Update] rundll32 "C:\Users\Fran\AppData\Local\VirtualStore\VirtualStoreUpdate\VirtualStoreup.DLL",DllRegisterServer
    O4 - HKCU\..\Run: [GoogleVerifierVerifier] rundll32.exe "C:\ProgramData\GoogleVerifierVerifier.dll",DllRegisterServer
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 6298 bytes

    DDS Text File:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_21
    Run by Fran at 17:21:12 on 2011-11-04
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3327.1720 [GMT -5:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://www.google.com/accounts/ServiceLoginAuth
    uInternet Settings,ProxyOverride = *.local
    BHO: {0dcc5f01-8f28-4024-8b40-5124d5fa9b51} - c:\users\fran\appdata\local\NetworkAdmin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [AdobeBridge]
    uRun: [Classes Update] rundll32 "c:\users\fran\appdata\local\apple computer\appleupdate\Appleup.DLL",DllRegisterServer
    uRun: [lpc] rundll32.exe "c:\users\fran\appdata\roaming\remote\makj69.dll", RegisterDll
    uRun: [WinmailReader Update] rundll32 "c:\users\fran\appdata\local\google\googleupdate\Googleup.DLL",DllRegisterServer
    uRun: [Blizzard Update] rundll32 "c:\users\fran\appdata\local\virtualstore\virtualstoreupdate\VirtualStoreup.DLL",DllRegisterServer
    uRun: [GoogleVerifierVerifier] rundll32.exe "c:\programdata\GoogleVerifierVerifier.dll",DllRegisterServer
    mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\fran\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{4BA36685-F63E-49DB-AB65-7551CF9707B9} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{81ADE03E-BD20-49CD-A32F-4799B1E8BCF2} : DhcpNameServer = 192.168.1.1
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
    FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
    FF - component: c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
    FF - component: c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\users\fran\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\fran\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Aquatint Slate: {526fd696-27a0-11dc-8314-0800200c9a66} - %profile%\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: FireFTP button: {9BAE5926-8513-417d-8E47-774955A7C60D} - %profile%\extensions\{9BAE5926-8513-417d-8E47-774955A7C60D}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: HootSuite Hootlet: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Virtus Search Opt-in: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: XUL Cache: {fe585319-f8fc-4492-a5f5-9967008e63e3} - %profile%\extensions\{fe585319-f8fc-4492-a5f5-9967008e63e3}
    FF - Ext: XUL Cache: {ae0aeda9-cdb2-4be4-a59a-b94156c83739} - %profile%\extensions\{ae0aeda9-cdb2-4be4-a59a-b94156c83739}
    FF - Ext: XUL Cache: {bca0bd8a-92d7-4a72-b49e-c3fd6e0f47bb} - %profile%\extensions\{bca0bd8a-92d7-4a72-b49e-c3fd6e0f47bb}
    FF - Ext: Move Media Player: [email protected] - c:\users\fran\appdata\roaming\Move Networks
    .
    ---- FIREFOX POLICIES ----
    user_pref(security.warn_viewing_mixed,false);
    user_pref(security.warn_viewing_mixed.show_once,false);
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    user_pref(security.warn_submit_insecure,false);
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.http.accept-encoding -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-24 172032]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-15 1067008]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-11 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-11 136176]
    S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2001-4-1 36013]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-6 52224]
    S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-25 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-11-04 22:16:23 388096 ----a-r- c:\users\fran\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-04 22:16:23 -------- d-----w- c:\program files\Trend Micro
    2011-11-04 11:56:43 98816 ----a-w- c:\programdata\GoogleVerifierVerifier.dll
    2011-11-04 11:56:41 268288 ----a-w- c:\users\fran\appdata\local\NetworkAdmin.dll
    2011-11-04 11:03:59 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c27106d4-d2ff-4879-b557-63242ef4c9b3}\offreg.dll
    2011-11-04 11:03:58 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c27106d4-d2ff-4879-b557-63242ef4c9b3}\mpengine.dll
    2011-11-03 17:39:20 264704 ----a-w- c:\users\fran\appdata\local\InternetWin32.dll
    2011-11-02 19:16:32 -------- d-----w- c:\users\fran\appdata\roaming\Remote
    2011-10-25 23:22:46 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
    2011-10-11 19:08:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-11 19:08:59 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll
    .
    ==================== Find3M ====================
    .
    2011-11-04 20:29:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-06 02:28:37 2334720 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-27 04:26:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-08-17 04:24:12 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-08-17 04:19:27 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2011-08-11 13:02:52 152576 ----a-w- c:\windows\system32\msclmd.dll
    2009-12-20 06:45:43 1794456 ----a-w- c:\program files\MoveMediaPlayerWin_071701000002.exe
    .
    ============= FINISH: 17:21:40.28 ===============

    ARK text file:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-04 19:05:48
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3750640AS rev.3.AAE
    Running: kednhipe.exe; Driver: C:\Users\Fran\AppData\Local\Temp\kxldypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 82E3F349 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E78D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9181C000, 0x2CB104, 0xE8000020]
    ? C:\Users\Fran\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] ntdll.dll!LdrLoadDll 76EB22B8 5 Bytes JMP 00DD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] kernel32.dll!CreateProcessW 76D7204D 5 Bytes JMP 10022CEE C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] kernel32.dll!CreateProcessAsUserW 76DA59AF 5 Bytes JMP 10022D8F C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] kernel32.dll!ResumeThread 76DB16D7 5 Bytes JMP 10022ED1 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] WS2_32.dll!closesocket 75333918 5 Bytes JMP 10022923 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] WS2_32.dll!WSASocketW 75333CD3 7 Bytes JMP 1002280A C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] WS2_32.dll!connect 75336BDD 5 Bytes JMP 10022848 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] WS2_32.dll!getpeername 75337147 5 Bytes JMP 1002293F C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] WS2_32.dll!WSAConnect 7533CC3F 5 Bytes JMP 100228B0 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!PeekMessageW 764C634A 5 Bytes JMP 10022BC8 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!TranslateMessage 764C64C7 5 Bytes JMP 037D5E50 C:\Users\Fran\AppData\Roaming\Remote\makj69.dll (Secunia)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!GetMessageW 764CCDE8 5 Bytes JMP 10022B16 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!TrackPopupMenu 764D2228 5 Bytes JMP 10022C75 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!GetClipboardData 764D2BA7 5 Bytes JMP 037D5B90 C:\Users\Fran\AppData\Roaming\Remote\makj69.dll (Secunia)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2696] USER32.dll!TrackPopupMenuEx 764E4832 5 Bytes JMP 10022CB3 C:\ProgramData\GoogleVerifierVerifier.dll (EQoS Snapin extension/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3764] USER32.dll!TrackPopupMenu 764D2228 5 Bytes JMP 60247D29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Fran\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1YS9XNV\xml[1].htm 63 bytes

    ---- EOF - GMER 1.0.15 ----


    Thank you for your help in this matter.
     


  2. Solride

    Solride Thread Starter

    Joined:
    Nov 4, 2011
    Messages:
    4
    Bump. Three days. Sorry if I seem impatient.
     
  3. Blade81

    Blade81 Malware Specialist

    Joined:
    Oct 27, 2006
    Messages:
    924
    Hi,

    If help is still needed, post fresh DDS logs, please.
     
  4. Solride

    Solride Thread Starter

    Joined:
    Nov 4, 2011
    Messages:
    4
    Fresh DDS and attach.

    Thank you.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_21
    Run by Fran at 19:21:55 on 2011-11-14
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3327.1601 [GMT -6:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://www.google.com/accounts/ServiceLoginAuth
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [AdobeBridge]
    mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\fran\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{4BA36685-F63E-49DB-AB65-7551CF9707B9} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{81ADE03E-BD20-49CD-A32F-4799B1E8BCF2} : DhcpNameServer = 192.168.1.1
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
    FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
    FF - component: c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
    FF - component: c:\users\fran\appdata\roaming\mozilla\firefox\profiles\oc5i4vmz.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\users\fran\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\fran\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Aquatint Slate: {526fd696-27a0-11dc-8314-0800200c9a66} - %profile%\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: FireFTP button: {9BAE5926-8513-417d-8E47-774955A7C60D} - %profile%\extensions\{9BAE5926-8513-417d-8E47-774955A7C60D}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: HootSuite Hootlet: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Virtus Search Opt-in: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: XUL Cache: {fe585319-f8fc-4492-a5f5-9967008e63e3} - %profile%\extensions\{fe585319-f8fc-4492-a5f5-9967008e63e3}
    FF - Ext: XUL Cache: {ae0aeda9-cdb2-4be4-a59a-b94156c83739} - %profile%\extensions\{ae0aeda9-cdb2-4be4-a59a-b94156c83739}
    FF - Ext: XUL Cache: {bca0bd8a-92d7-4a72-b49e-c3fd6e0f47bb} - %profile%\extensions\{bca0bd8a-92d7-4a72-b49e-c3fd6e0f47bb}
    FF - Ext: Move Media Player: [email protected] - c:\users\fran\appdata\roaming\Move Networks
    .
    ---- FIREFOX POLICIES ----
    user_pref(security.warn_viewing_mixed,false);
    user_pref(security.warn_viewing_mixed.show_once,false);
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    user_pref(security.warn_submit_insecure,false);
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.http.accept-encoding -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-24 172032]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-15 1067008]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-11 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-11 136176]
    S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2001-4-1 36013]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-6 52224]
    S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-25 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-11-11 07:23:26 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{80ca9b82-6e1b-4dc5-a818-e10d556f061b}\offreg.dll
    2011-11-11 07:23:25 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{80ca9b82-6e1b-4dc5-a818-e10d556f061b}\mpengine.dll
    2011-11-09 12:46:05 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 12:46:02 708608 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-09 12:46:00 2341888 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 22:16:23 388096 ----a-r- c:\users\fran\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-04 22:16:23 -------- d-----w- c:\program files\Trend Micro
    2011-11-02 19:16:32 -------- d-----w- c:\users\fran\appdata\roaming\Remote
    2011-10-25 23:22:46 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
    .
    ==================== Find3M ====================
    .
    2011-11-04 20:29:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-27 04:26:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-08-17 04:24:12 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-08-17 04:19:27 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2009-12-20 06:45:43 1794456 ----a-w- c:\program files\MoveMediaPlayerWin_071701000002.exe
    .
    ============= FINISH: 19:22:21.88 ===============

  5. Blade81

    Blade81 Malware Specialist

    Joined:
    Oct 27, 2006
    Messages:
    924
    Hi


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
     
  6. Solride

    Solride Thread Starter

    Joined:
    Nov 4, 2011
    Messages:
    4
    Thank you for your reply. I will follow these steps next week. My wife, whose computer is the issue here, is right in the middle of a big project and does not want me to do anything that may lose data until the project is complete.
     
  7. Blade81

    Blade81 Malware Specialist

    Joined:
    Oct 27, 2006
    Messages:
    924
    Ok, shall wait for the reply next week then.
     
Short URL to this thread: https://techguy.org/1025494