
Infected Computer, need some help

Discussion in 'Virus & Other Malware Removal' started by 801current, Dec 20, 2011.

  1. 801current

    801current Thread Starter

    Joined:
    Dec 20, 2011
    Messages:
    7
    I got the Microsoft Security Center 2012 virus about a week ago. The fraud program was popping up telling me I had other viruses, wanting me to pay for their service to take them off. The virus wouldn't let me open the internet or any program without pestering me with the service and telling me that they were infected.

    I went onto another user account, which didn't seem to be infected. Do user accounts get infected? Or why does the virus seem to only show on one user account? I googled "Microsoft Security Center 2012 removal" and found forums/how-tos telling me to fix the registry, which I was scared to do; I didn't want to mess things up even more.

    I looked for an alternative and I found a video here: http://www.youtube.com/watch?v=IXd402v4OkM which told me how to get rid of the virus without me having to manually mess with the registry. On the non-infected user I ran http://tigzy.geekstogo.com/Tools/RogueKiller.exe (report below):

    RogueKiller V6.2.0 [12/12/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: brad [Admin rights]
    Mode: Remove -- Date : 12/12/2011 17:22:15
    ¤¤¤ Bad processes: 1 ¤¤¤
    [SUSP PATH] tmt.exe -- C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe -> KILLED [TermProc]
    ¤¤¤ Registry Entries: 5 ¤¤¤
    [HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
    [HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
    [HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files\internet explorer\iexplore.exe")
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    ¤¤¤ Infection : Rogue.AntiSpy-AH|ZeroAccess ¤¤¤
    [ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
    ¤¤¤ HOSTS File: ¤¤¤

    ¤¤¤ MBR Check: ¤¤¤
    --- User ---
    [MBR] 9ca1fbc295489a30a992b81f63e6aa25
    [BSP] dfe4c0bfa859120fb83a6a1aa43abcee : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 49 Mo
    1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 96390 | Size: 156724 Mo
    2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 306198900 | Size: 3224 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    Running this stopped the virus from blocking my internet on the other user. I went to that user and ran it a second time to make sure it wasn't going to bounce back, so here is the report from the 'infected user':

    RogueKiller V6.2.0 [12/12/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: Preston [Admin rights]
    Mode: Remove -- Date : 12/12/2011 17:22:53
    ¤¤¤ Bad processes: 1 ¤¤¤
    [WINDOW : XP Internet Security 2012] tmt.exe -- C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe -> KILLED [TermProc]
    ¤¤¤ Registry Entries: 3 ¤¤¤
    [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe" -a "%1" %*) -> REPLACED ("%1" %*)
    [FILEASSO] HKCR\[...].exe : (v8) -> REPLACED (exefile)
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe" -a "C:\Program Files\internet explorer\iexplore.exe") -> REPLACED ("C:\Program Files\internet explorer\iexplore.exe")
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    ¤¤¤ Infection : Rogue.AntiSpy-AH|ZeroAccess ¤¤¤
    [ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
    ¤¤¤ HOSTS File: ¤¤¤

    ¤¤¤ MBR Check: ¤¤¤
    --- User ---
    [MBR] 9ca1fbc295489a30a992b81f63e6aa25
    [BSP] dfe4c0bfa859120fb83a6a1aa43abcee : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 49 Mo
    1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 96390 | Size: 156724 Mo
    2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 306198900 | Size: 3224 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    After this I ran a HijackThis scan and 'fixed' the file that the YouTube video above said to fix:

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    After this process the virus disappeared. I didn't see any visible evidence anywhere, but I just searched through Program Files for anything saying Microsoft 2012.

    I reactivated my Windows Firewall, which was turned off by the MSC 2012.

    Next step in the video was to download Malwarebytes', which I did, but it asked me to purchase a product key or use the free trial version. I figured it was going to be like every other security program and wouldn't fix my computer without me paying the fee. I asked the video poster and he replied that everything he did was free, but I had already uninstalled Malwarebytes' and begun searching for an alternative. I scanned with Microsoft Security Essentials and found no infection.

    I heard it's not good to have two security programs on the same OS or they fight each other. Is this true, and should I use Malwarebytes' over MSE?

    After that I was reading a site that said I still needed to fix my registry, so I ran this script from the site, copying and pasting it into Notepad and saving it as some file type to edit the registry. Here's the Notepad file, copied and pasted below; I found it on a website saying that you could do this instead of manually changing the registry.


    Windows Registry Editor Version 5.00
    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\secfile]
    [-HKEY_CLASSES_ROOT\secfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"


    I went back to using the computer like normal because the virus had disappeared and it was functioning properly. I went about two weeks with no problems; in between I looked up other ways to delete the virus's leftovers and have gone into C:\Documents and Settings\Preston\Local Settings\Application Data and deleted some of the files not in folders that matched descriptions of suspicious files that the virus supposedly puts there. The description was a file with three random letters; I deleted it.

    Everything was working fine until yesterday, when the virus popped up again and I just quickly went into Task Manager and ended a process that I thought was connected to the activity of the virus (I would close the virus and the activity would go to 0, then when it popped up it would boost up) so I could access the internet.

    I can't remember the name of the process I ended, but I think I went back into C:\Documents and Settings\[Infected User Name]\Local Settings\Application Data and found a file matching the description of what they had said was the virus file, and it matched the name of the process I ended in Task Manager, so I just deleted it. Right then the virus disappeared.

    After that I reran the registry 'fix' script again, as well as going into HijackThis and fixing for a second time:

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    After doing this, which took only a few minutes, it seemed to go back to normal and the virus disappeared again. But then the computer started acting slow; shortcuts to things like Internet Explorer, email programs, etc. started asking me to choose the proper program to open them every time I would click them.

    On the original infected account the dead shortcut problem went away after I chose the program that is supposed to open. But on the other user, the user I was on to access the internet while I was infected the first time, the internet shortcut was dead and wouldn't repair for a while; eventually it started working.

    The email program on the account is currently dead; it asks me to choose a program every time I try opening it, and nothing works to repair the shortcut. I can still access programs, but I have to choose it from a list every time. I have tried making new shortcuts but they are dead too; when it asks to choose a program there is a box that says "choose this program every time", but it is grayed out and won't let me check it. Sites have said to change the registry, but Run: regedit.exe: OK still asks what program I want to use to run it.

    I have looked up causes for dead shortcuts. I think that it might not be recognizing the EXE file extension; when I look under My Computer | Folder Options | File Types there isn't an EXE extension on the list, and help sites say it should be there and be connected to Application. On the account where things work there isn't one either, but things are still working and I can run regedit.exe, but on the other nothing works and I can't run that or add the EXE file extension... I click New: type: .exe, Advanced: Application; after clicking OK it won't let me apply the change.

    So I'll get to running the scans and post them in a few. Hopefully some of that made sense; I will be happy to clear anything up.

    Also, when using the internet, random extra windows pop up linking to random sites like pogo.com. The sites it links to aren't sites I use, or that anyone who uses the computer has been to. Also, sometimes it will override the links I click from Google and send me elsewhere, like to a shopping site, etc.
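Added example for readers of this thread; it is not code from the poster, from Tech Support Guy, or from the RogueKiller project. It is a small Python parser for the RogueKiller v6 report format pasted above, with a constructed sample built from the lines of the two reports in this post. The point worth drawing out of those reports is the [FILEASSO] entries: the .exe handler under HKCU\Software\Classes and the Internet Explorer start-menu command had both been rewritten to run tmt.exe first, with the real program passed as an argument, so every program launch went through the rogue. That is also why the association has to be repaired as well as the file removed: an .exe handler that still points at a launcher which no longer exists produces exactly the "choose a program" prompts described later in the post. The parser lists the launcher that was inserted in front of the handlers, the Security Center notification values the rogue had switched off, and the locked-file rootkit indicator, so a pasted report can be triaged quickly.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: lines taken from the RogueKiller v6.2.0 reports pasted in this thread,
# merged into one report (the counts in the section headers are adjusted to match).
SAMPLE_REPORT = r"""¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] tmt.exe -- C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 7 ¤¤¤
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe" -a "%1" %*) -> REPLACED ("%1" %*)
[FILEASSO] HKCR\[...].exe : (v8) -> REPLACED (exefile)
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe" -a "C:\Program Files\internet explorer\iexplore.exe") -> REPLACED ("C:\Program Files\internet explorer\iexplore.exe")
¤¤¤ Infection : Rogue.AntiSpy-AH|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
"""

# Line shapes observed in the v6 report format (assumed stable only for these categories).
PROCESS_RE = re.compile(r"^\[(?P<cat>[^\]]+)\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<action>\w+)")
REGISTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\] (?P<target>.+?) \((?P<before>.*)\) -> REPLACED \((?P<after>.*)\)$")
INFECTION_RE = re.compile(r"^¤¤¤ Infection : (?P<names>.+?) ¤¤¤$")
LOCKED_RE = re.compile(r"^\[ZeroAccess\] \(LOCKED\) (?P<path>.+?) present!$")
QUOTED_RE = re.compile(r'"([^"]+)"')


@dataclass
class RegistryFinding:
    category: str   # HJ, FILEASSO, ...
    target: str     # key path plus value name, as the tool prints it
    before: str     # value the tool found
    after: str      # value it wrote back


@dataclass
class Report:
    killed_processes: List[str] = field(default_factory=list)
    registry: List[RegistryFinding] = field(default_factory=list)
    infections: List[str] = field(default_factory=list)
    locked_paths: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Parse the report line by line; lines in unknown shapes are ignored."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PROCESS_RE.match(line)):
            if m.group("action") == "KILLED":
                rep.killed_processes.append(m.group("path"))
        elif (m := REGISTRY_RE.match(line)):
            rep.registry.append(RegistryFinding(
                m.group("cat"), m.group("target").rstrip(" :"),
                m.group("before"), m.group("after")))
        elif (m := INFECTION_RE.match(line)):
            rep.infections.extend(n.strip() for n in m.group("names").split("|"))
        elif (m := LOCKED_RE.match(line)):
            rep.locked_paths.append(m.group("path"))
    return rep


def _executable(command: str) -> str:
    """First quoted token of a shell\\open\\command value: the program that actually runs."""
    m = QUOTED_RE.search(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(rep: Report) -> Dict[str, List[str]]:
    """Reduce a parsed report to the findings a responder acts on first."""
    launchers: List[str] = []      # programs wedged in front of a legitimate handler
    notifications: List[str] = []  # Security Center warnings the rogue had disabled
    for f in rep.registry:
        if f.category == "FILEASSO" and "shell\\open\\command" in f.target:
            # A clean .exe handler runs "%1" itself; if the program that ran before the
            # repair differs from the one after it, the 'before' program was the hijack.
            found, expected = _executable(f.before), _executable(f.after)
            if found != expected and found not in launchers:
                launchers.append(found)
        elif f.category == "HJ" and f.before == "1":
            value_name = f.target.rsplit(" : ", 1)[-1]
            if value_name.endswith("DisableNotify"):
                notifications.append(value_name)
    return {
        "killed_processes": rep.killed_processes,
        "exe_hijack_launchers": launchers,
        "disabled_notifications": notifications,
        "infections": rep.infections,
        "locked_paths": rep.locked_paths,
    }


if __name__ == "__main__":
    for key, values in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

Run it as-is to see the triage of the constructed sample; to use it on a real report, read the file into `parse_report` instead of `SAMPLE_REPORT`. The handler comparison deliberately looks only at the first quoted program in each command, because that is the one Windows executes; the path that follows `-a` is the legitimate target being passed along, not the thing to flag.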
     
  2. 801current (Thread Starter)
    These scans are being done on the user that was originally infected, but not the user that is having the most trouble currently. Please let me know whether or not it matters what user I scan on. All the changes I have made previously have been done from the user that I have scanned below.

    HijackThis scan results

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:06 PM, on 12/20/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [InstallIQUpdater] "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; BRI/1)" -"http://bcs.worthpublishers.com/myer...000|14000|15000|16000|17000|18000|19000|99000|"
    O4 - HKUS\S-1-5-21-4139520878-3972465413-1066383556-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'brad')
    O4 - HKUS\S-1-5-21-4139520878-3972465413-1066383556-1006\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'brad')
    O4 - HKUS\S-1-5-21-4139520878-3972465413-1066383556-1006\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent (User 'brad')
    O4 - HKUS\S-1-5-21-4139520878-3972465413-1066383556-1006\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'brad')
    O4 - HKUS\S-1-5-21-4139520878-3972465413-1066383556-1011\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'UpdatusUser')
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {517BE9E4-0B43-4B36-95BA-AE0611546427} (Image Uploader Control) - http://www.epropertysites.com/ImageUploader7.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {CB166B52-6741-412A-AF4C-FE59A35F5001} (UploadWizard.VirtualTour) - http://www.tourfactory.com/Inventory/UploadWizard/UploadWizard.CAB
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    --
    End of file - 10925 bytes

    Have fixed twice under someone else's instruction:

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     
  3. 801current (Thread Starter)
    DDS Scan Results

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Preston at 12:22:31 on 2011-12-20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.314 [GMT -7:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\ping.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.youtube.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows
    live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
    5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3;
    OfficeLivePatch.0.0; BRI/1)"
    -"http://bcs.worthpublishers.com/myer...&n=00020&o=|00510|00520|00530|00540|00550|005
    60|00570|00580|00590|00600|00610|00620|00630|00640|00650|00660|00010|00020|00030|00040|00050|00060|00070|00080|00090|00180|00100|00110|00120|00
    130|00140|00150|00160|00170|00190|00200|00000|01000|02000|03000|04000|05000|06000|07000|08000|09000|10000|11000|12000|13000|14000|15000|16000|1
    7000|18000|19000|99000|"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows
    live\writer\WriterBrowserExtension.dll
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    LSP: mswsock.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
    hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {517BE9E4-0B43-4B36-95BA-AE0611546427} - hxxp://www.epropertysites.com/ImageUploader7.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} -
    hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CB166B52-6741-412A-AF4C-FE59A35F5001} - hxxp://www.tourfactory.com/Inventory/UploadWizard/UploadWizard.CAB
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    TCP: Interfaces\{FEB0E536-A87D-4169-A43B-3A702F9A0182} : DhcpNameServer = 75.75.76.76 75.75.75.75
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop
    search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-12-12 218592]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
    R1 MpKsl52e2da12;MpKsl52e2da12;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition
    updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\MpKsl52e2da12.sys [2011-12-20 29904]
    R1 MpKsl834c0982;MpKsl834c0982;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition
    updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\MpKsl834c0982.sys [2011-12-19 29904]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-12-12 112592]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-7 54752]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-12 2214504]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
    S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
    S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    S1 MpKsl019276b5;MpKsl019276b5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{638efc77-1d77-42fa-b64a-07a5abde1138}\mpksl019276b5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{638efc77-1d77-42fa-b64a-07a5abde1138}\MpKsl019276b5.sys [?]
    S1 MpKsl0815864b;MpKsl0815864b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f27fb579-0b60-4807-80d4-811495678b3a}\mpksl0815864b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f27fb579-0b60-4807-80d4-811495678b3a}\MpKsl0815864b.sys [?]
    S1 MpKsl0de7269a;MpKsl0de7269a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b9929e8b-3a83-4244-8300-07b80f1c67b3}\mpksl0de7269a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b9929e8b-3a83-4244-8300-07b80f1c67b3}\MpKsl0de7269a.sys [?]
    S1 MpKsl107d5203;MpKsl107d5203;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c97f7c5-e375-482e-bb43-27085ac176b8}\mpksl107d5203.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c97f7c5-e375-482e-bb43-27085ac176b8}\MpKsl107d5203.sys [?]
    S1 MpKsl18ce3617;MpKsl18ce3617;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8a7d0b49-d798-49bf-bfab-be234ebf51ed}\mpksl18ce3617.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8a7d0b49-d798-49bf-bfab-be234ebf51ed}\MpKsl18ce3617.sys [?]
    S1 MpKsl1bffd36f;MpKsl1bffd36f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{85a55e5f-15af-420c-b72f-fb17410f4ce5}\mpksl1bffd36f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{85a55e5f-15af-420c-b72f-fb17410f4ce5}\MpKsl1bffd36f.sys [?]
    S1 MpKsl24bbccef;MpKsl24bbccef;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{997a5d40-d9c7-43a0-8679-a34adfad2aaa}\mpksl24bbccef.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{997a5d40-d9c7-43a0-8679-a34adfad2aaa}\MpKsl24bbccef.sys [?]
    S1 MpKsl2c51d959;MpKsl2c51d959;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23d01f0f-659e-4bd6-821c-07a343e31100}\mpksl2c51d959.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23d01f0f-659e-4bd6-821c-07a343e31100}\MpKsl2c51d959.sys [?]
    S1 MpKsl33a4e3db;MpKsl33a4e3db;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12016a07-cbd7-41b3-a279-8714e160377c}\mpksl33a4e3db.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12016a07-cbd7-41b3-a279-8714e160377c}\MpKsl33a4e3db.sys [?]
    S1 MpKsl342c39a2;MpKsl342c39a2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23d01f0f-659e-4bd6-821c-07a343e31100}\mpksl342c39a2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23d01f0f-659e-4bd6-821c-07a343e31100}\MpKsl342c39a2.sys [?]
    S1 MpKsl387f6740;MpKsl387f6740;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e868d69-65a8-48f4-87e4-ae44a85e1e47}\mpksl387f6740.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e868d69-65a8-48f4-87e4-ae44a85e1e47}\MpKsl387f6740.sys [?]
    S1 MpKsl4860fc3f;MpKsl4860fc3f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55bbd28b-2173-41f5-8e32-d918bf02e99d}\mpksl4860fc3f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55bbd28b-2173-41f5-8e32-d918bf02e99d}\MpKsl4860fc3f.sys [?]
    S1 MpKsl49e98ee3;MpKsl49e98ee3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1361ab20-b8e8-416d-9148-6f9d0f5154d3}\mpksl49e98ee3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1361ab20-b8e8-416d-9148-6f9d0f5154d3}\MpKsl49e98ee3.sys [?]
    S1 MpKsl53ed16bd;MpKsl53ed16bd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{01e67826-f0f6-4d6c-b632-1df71e846f9a}\mpksl53ed16bd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{01e67826-f0f6-4d6c-b632-1df71e846f9a}\MpKsl53ed16bd.sys [?]
    S1 MpKsl5fac6b35;MpKsl5fac6b35;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\mpksl5fac6b35.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\MpKsl5fac6b35.sys [?]
    S1 MpKsl6378608b;MpKsl6378608b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{638efc77-1d77-42fa-b64a-07a5abde1138}\mpksl6378608b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{638efc77-1d77-42fa-b64a-07a5abde1138}\MpKsl6378608b.sys [?]
    S1 MpKsl6d3060a4;MpKsl6d3060a4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8717dd65-521f-4fae-9a88-ad8250341f75}\mpksl6d3060a4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8717dd65-521f-4fae-9a88-ad8250341f75}\MpKsl6d3060a4.sys [?]
    S1 MpKsl91b28cbe;MpKsl91b28cbe;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\mpksl91b28cbe.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\MpKsl91b28cbe.sys [?]
    S1 MpKsl9b9a3b60;MpKsl9b9a3b60;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{113564cb-3d38-4cb7-a95d-dbd2a2379ce9}\mpksl9b9a3b60.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{113564cb-3d38-4cb7-a95d-dbd2a2379ce9}\MpKsl9b9a3b60.sys [?]
    S1 MpKsl9e2de4f2;MpKsl9e2de4f2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9db9f77-88b7-4b72-97e5-315840c63cde}\mpksl9e2de4f2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9db9f77-88b7-4b72-97e5-315840c63cde}\MpKsl9e2de4f2.sys [?]
    S1 MpKsl9fc69680;MpKsl9fc69680;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a7c6292f-2930-4189-8fa4-aa13311d09ed}\mpksl9fc69680.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a7c6292f-2930-4189-8fa4-aa13311d09ed}\MpKsl9fc69680.sys [?]
    S1 MpKslb65d7177;MpKslb65d7177;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\mpkslb65d7177.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\MpKslb65d7177.sys [?]
    S1 MpKslbf38ec5e;MpKslbf38ec5e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5dabbd6-1d4c-4619-aa77-4989ad895b56}\mpkslbf38ec5e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5dabbd6-1d4c-4619-aa77-4989ad895b56}\MpKslbf38ec5e.sys [?]
    S1 MpKslc4c6118b;MpKslc4c6118b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5dabbd6-1d4c-4619-aa77-4989ad895b56}\mpkslc4c6118b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5dabbd6-1d4c-4619-aa77-4989ad895b56}\MpKslc4c6118b.sys [?]
    S1 MpKslce158488;MpKslce158488;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\mpkslce158488.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\MpKslce158488.sys [?]
    S1 MpKsld34fc450;MpKsld34fc450;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eecb8d13-bbdf-415b-a4a9-8957a2568766}\mpksld34fc450.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eecb8d13-bbdf-415b-a4a9-8957a2568766}\MpKsld34fc450.sys [?]
    S1 MpKsld9ff6604;MpKsld9ff6604;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{39053f78-2e75-4bd7-9715-8e1367595fb8}\mpksld9ff6604.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{39053f78-2e75-4bd7-9715-8e1367595fb8}\MpKsld9ff6604.sys [?]
    S1 MpKsle4cea228;MpKsle4cea228;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fe083e24-e4de-482e-a49d-0c9f73f1b7c0}\mpksle4cea228.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fe083e24-e4de-482e-a49d-0c9f73f1b7c0}\MpKsle4cea228.sys [?]
    S1 MpKsleaac359a;MpKsleaac359a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e098858b-0ea4-4a7c-856f-5edc6ee22b89}\mpksleaac359a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e098858b-0ea4-4a7c-856f-5edc6ee22b89}\MpKsleaac359a.sys [?]
    S1 MpKsleccaa415;MpKsleccaa415;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a43725d-8ff6-4977-89d9-703a16b99a13}\mpksleccaa415.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a43725d-8ff6-4977-89d9-703a16b99a13}\MpKsleccaa415.sys [?]
    S1 MpKslf53d4542;MpKslf53d4542;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\mpkslf53d4542.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{55266810-a689-4fd5-abe8-67659fae15ec}\MpKslf53d4542.sys [?]
    S1 MpKslf93309e3;MpKslf93309e3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c8f7aea5-3256-411b-83bc-a596b4b2771f}\mpkslf93309e3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c8f7aea5-3256-411b-83bc-a596b4b2771f}\MpKslf93309e3.sys [?]
    S1 MpKslff5f967a;MpKslff5f967a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{baea95d7-0f4e-4ff7-a1c4-2961add4ef83}\mpkslff5f967a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{baea95d7-0f4e-4ff7-a1c4-2961add4ef83}\MpKslff5f967a.sys [?]
    S3 CEUSBAUD;DigiTech RP500 USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [2011-1-14 17920]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-8-6 50704]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-12-12 366840]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-12-12 1142224]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
    .
    =============== Created Last 30 ================
    .
    2011-12-20 15:02:13 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\MpKsl52e2da12.sys
    2011-12-20 04:20:44 -------- d-----w- c:\program files\iTunes
    2011-12-20 04:14:16 -------- d-----w- c:\program files\Bonjour
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-12-20 04:12:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2011-12-19 16:03:07 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc4.tmp
    2011-12-19 15:58:59 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\MpKsl834c0982.sys
    2011-12-19 15:58:55 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\offreg.dll
    2011-12-18 15:00:59 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7b25c004-ee0a-4d19-9a8a-e1adb33b83f8}\mpengine.dll
    2011-12-13 00:22:00 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2011-12-12 23:49:56 -------- d-----w- c:\documents and settings\preston\local settings\application data\Threat Expert
    2011-12-12 23:28:27 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-12-12 23:28:25 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-12-12 23:28:22 165840 ----a-w- c:\windows\PCTBDRes.dll
    2011-12-12 23:28:22 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2011-12-12 23:22:00 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-12-12 23:21:46 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-12-12 23:21:46 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-12-12 23:21:24 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-12-12 23:20:06 -------- d-----w- c:\program files\Spyware Doctor
    2011-12-12 23:20:06 -------- d-----w- c:\program files\common files\PC Tools
    2011-12-12 23:20:06 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2011-12-12 23:17:10 -------- d-----w- c:\documents and settings\preston\application data\Windows Search
    .
    ==================== Find3M ====================
    .
    2011-12-05 16:09:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 21:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 21:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 12:26:56.28 ===============
     
  4. 801current

    801current Thread Starter

    Joined:
    Dec 20, 2011
    Messages:
    7
    attached should be the DDS attach.txt
     
  5. 801current

    801current Thread Starter

    Joined:
    Dec 20, 2011
    Messages:
    7
    The scan said it found modifications from rootkit activity.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-20 22:30:22
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.3.AD
    Running: Gmer.exe; Driver: C:\DOCUME~1\Preston\LOCALS~1\Temp\uxtyapob.sys
    .text ...
    ---- Files - GMER 1.0.15 ----
    File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS020F7.log 131072 bytes
    ---- User code sections - GMER 1.0.15 ----
    .text C:\WINDOWS\System32\ping.exe[3216] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00BD000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[324] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\System32\ping.exe[3216] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\System32\ping.exe[3216] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\System32\ping.exe[3216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0066000A
    .text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C8000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02A1000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0376000A
    .text C:\WINDOWS\System32\ping.exe[3216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0067000A
    .text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C9000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02A2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0377000A
    .text C:\WINDOWS\System32\ping.exe[3216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0065000C
    .text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C5000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02A0000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0375000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 04394D20 C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 04394EA0 C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\System32\ping.exe[3216] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\System32\ping.exe[3216] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\System32\ping.exe[3216] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00C0000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 043944A0 C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[824] USER32.dll!TrackPopupMenuEx 7E46CF62 5 Bytes JMP 04394600 C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Toolbar/Conduit Ltd.)
    ---- Kernel code sections - GMER 1.0.15 ----
    .text afd.sys EB0DB000 125 Bytes [0D, EB, 6A, 00, FF, 73, 0C, ...]
    .text afd.sys EB0DB07F 4 Bytes CALL EB0E1BD4 \SystemRoot\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
    .text afd.sys EB0DB085 61 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
    .text afd.sys EB0DB0C3 41 Bytes [83, C8, FF, 83, C1, 40, 87, ...]
    .text afd.sys EB0DB0ED 45 Bytes [43, 18, 8B, 78, 0C, 66, 81, ...]
    ---- Modules - GMER 1.0.15 ----
    Module (noname) (*** hidden *** ) EB0FC000-EB116000 (106496 bytes)
    ---- Devices - GMER 1.0.15 ----
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
    ---- Kernel code sections - GMER 1.0.15 ----
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF4F503A0, 0x88C445, 0xE8000020]
    ? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification
    ---- System - GMER 1.0.15 ----
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7289112]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF72682D6]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF72684C8]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7289900]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7289BB4]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7287E12]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF728A020]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF72893D2]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7267F44]
    ---- Files - GMER 1.0.15 ----
    File C:\Documents and Settings\NetworkService\Cookies\SYQAPFT6.txt 505 bytes
    File C:\Documents and Settings\NetworkService\Cookies\OC8KDI2L.txt 114 bytes
    File C:\Documents and Settings\NetworkService\Cookies\OK9AAAFS.txt 2127 bytes
    File C:\Documents and Settings\NetworkService\Cookies\OSJB5HZU.txt 7931 bytes
    File C:\Documents and Settings\NetworkService\Cookies\GBJP019A.txt 76 bytes
    File C:\Documents and Settings\NetworkService\Cookies\QLL19ZO8.txt 496 bytes
    File C:\Documents and Settings\NetworkService\Cookies\R1OW5HF5.txt 889 bytes
    File C:\Documents and Settings\NetworkService\Cookies\9VH7ZDCF.txt 85 bytes
    File C:\Documents and Settings\NetworkService\Cookies\HNXBDR6B.txt 624 bytes
    File C:\Documents and Settings\NetworkService\Cookies\I6PV4D5N.txt 562 bytes
    File C:\Documents and Settings\NetworkService\Cookies\LEHO9LOI.txt 1251 bytes
    File C:\Documents and Settings\NetworkService\Cookies\TTRGD0CF.txt 613 bytes
    File C:\Documents and Settings\NetworkService\Cookies\YHFCB5EN.txt 461 bytes
    File C:\Documents and Settings\NetworkService\Cookies\YMZ2DYGW.txt 603 bytes
    File C:\Documents and Settings\NetworkService\Cookies\YS0K8MH4.txt 3528 bytes
    File C:\Documents and Settings\NetworkService\Cookies\YSO69H11.txt 322 bytes
    File C:\Documents and Settings\NetworkService\Cookies\7XBTV395.txt 689 bytes
    File C:\Documents and Settings\NetworkService\Cookies\1H47RI6G.txt 1316 bytes
    File C:\Documents and Settings\NetworkService\Cookies\BQBN3ZEZ.txt 595 bytes
    File C:\Documents and Settings\NetworkService\Cookies\BSETXMA6.txt 3787 bytes
    File C:\Documents and Settings\NetworkService\Cookies\C0SDBHZW.txt 530 bytes
    File C:\Documents and Settings\NetworkService\Cookies\C83ZMP9X.txt 216 bytes
    File C:\Documents and Settings\NetworkService\Cookies\C8Q633O0.txt 116 bytes
    File C:\Documents and Settings\NetworkService\Cookies\EC3HKTTF.txt 1642 bytes
    File C:\Documents and Settings\NetworkService\Cookies\GQNVDROA.txt 1134 bytes
    File C:\Documents and Settings\NetworkService\Cookies\RVMU39JB.txt 13098 bytes
    File C:\Documents and Settings\NetworkService\Cookies\VXN28Z94.txt 738 bytes
    File C:\Documents and Settings\NetworkService\Cookies\5GG9TSDQ.txt 114 bytes
    File C:\Documents and Settings\NetworkService\Cookies\ZFUO6VCT.txt 1540 bytes
    File C:\Documents and Settings\NetworkService\Cookies\8TXYRLBB.txt 384 bytes
    File C:\Documents and Settings\NetworkService\Cookies\92NW9VIC.txt 127 bytes
    File C:\Documents and Settings\NetworkService\Cookies\78EQNZXM.txt 1082 bytes
    File C:\Documents and Settings\NetworkService\Cookies\P3QWNYFK.txt 408 bytes
    File C:\Documents and Settings\NetworkService\Cookies\PFW0MS2A.txt 352 bytes
    File C:\Documents and Settings\NetworkService\Cookies\JCOKDHVN.txt 80 bytes
    File C:\Documents and Settings\NetworkService\Cookies\K8K8OG1Z.txt 5071 bytes
    File C:\Documents and Settings\NetworkService\Cookies\KQEL5O8M.txt 4433 bytes
    File C:\Documents and Settings\NetworkService\Cookies\APXOBAG9.txt 968 bytes
    File C:\Documents and Settings\NetworkService\Cookies\AY33FUMT.txt 90 bytes
    File C:\Documents and Settings\NetworkService\Cookies\2QP4XJKX.txt 1202 bytes
    File C:\Documents and Settings\NetworkService\Cookies\0UOE4PXE.txt 689 bytes
    File C:\Documents and Settings\NetworkService\Cookies\171LBCJ4.txt 5247 bytes
    File C:\Documents and Settings\NetworkService\Cookies\WMRDHELH.txt 493 bytes
    File C:\Documents and Settings\NetworkService\Cookies\NUFOUKTQ.txt 489 bytes
    File C:\Documents and Settings\NetworkService\Cookies\4WXXD9GD.txt 147 bytes
    File C:\Documents and Settings\NetworkService\Cookies\50FBQZFD.txt 69 bytes
    File C:\Documents and Settings\NetworkService\Cookies\Y76FYKCG.txt 805 bytes
    File C:\Documents and Settings\NetworkService\Cookies\YAMNX5XZ.txt 784 bytes
    File C:\Documents and Settings\NetworkService\Cookies\U9M83IKF.txt 448 bytes
    File C:\Documents and Settings\NetworkService\Cookies\UCVTEJ9Q.txt 4769 bytes
    File C:\Documents and Settings\NetworkService\Cookies\VELUZDSP.txt 584 bytes
    File C:\Documents and Settings\NetworkService\Cookies\VG1ETIGQ.txt 5064 bytes
    File C:\Documents and Settings\NetworkService\Cookies\9EEIPBMV.txt 393 bytes
    File C:\Documents and Settings\NetworkService\Cookies\NROB4JUR.txt 259 bytes
    File C:\Documents and Settings\NetworkService\Cookies\ELIXHUXA.txt 146 bytes
    File C:\Documents and Settings\NetworkService\Cookies\EWOH2BQJ.txt 583 bytes
    File C:\Documents and Settings\NetworkService\Cookies\EWOWD8WT.txt 1750 bytes
    File C:\Documents and Settings\NetworkService\Cookies\F00HVNAC.txt 444 bytes
    File C:\Documents and Settings\NetworkService\Cookies\Z5D810A8.txt 83 bytes
    File C:\Documents and Settings\NetworkService\Cookies\ZBV9V172.txt 146 bytes
    File C:\Documents and Settings\NetworkService\Cookies\3DRTFD6B.txt 1475 bytes
    File C:\Documents and Settings\NetworkService\Cookies\H3RYITA5.txt 98 bytes
    File C:\Documents and Settings\NetworkService\Cookies\HCKOJ4FQ.txt 4265 bytes
    File C:\Documents and Settings\NetworkService\Cookies\TEO73Z3K.txt 459 bytes
    File C:\Documents and Settings\NetworkService\Cookies\6RUQCXOH.txt 1533 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539 0 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\bckfg.tmp 794 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\cfg.ini 199 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\keywords 210 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\L\iahonoel 138496 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\lsflt7.ver 5175 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 1536 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 224768 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 11264 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 12800 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 97792 bytes
    File C:\WINDOWS\$NtUninstallKB41618$\59131336 0 bytes
    ---- EOF - GMER 1.0.15 ----


    So that's it. Please let me know of anything you find. Thanks very much.
     
  6. 801current

    801current Thread Starter

    Joined:
    Dec 20, 2011
    Messages:
    7
    I know I should have waited for a response, but reading other forums it seems like most of the time the first step is to run Malwarebytes', so I downloaded it, ran a scan and removed everything it found. Some of what it found could not be removed; I will post the logs below:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org
    Database version: 911122204
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    12/22/2011 5:42:51 PM
    mbam-log-2011-12-22 (17-42-40).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 363621
    Time elapsed: 4 hour(s), 40 minute(s), 42 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 16
    Memory Processes Infected:
    c:\WINDOWS\Temp\_ex-68.exe (Trojan.Dropper) -> 1784 -> No action taken.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Dropper) -> Value: MozillaAgent -> No action taken.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Preston\Local Settings\Application Data\nex.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1721\A0358694.exe (Rootkit.0Access) -> No action taken.
    c:\WINDOWS\Temp\sghj0.022405596812481998.exe (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\sghj0.22962962412655796.exe (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\kna0.8290757845294371.exe (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\kna0.3589791442642576.exe (Rogue.FakeHDD) -> No action taken.
    c:\WINDOWS\Temp\kna0.4211750804960196.exe (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\2B5.tmp (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\5689.sys (Heuristics.Shuriken) -> No action taken.
    c:\WINDOWS\Temp\kna0.5995280383734601.exe (Trojan.FakeAlert) -> No action taken.
    c:\WINDOWS\Temp\sghj0.688626487894241.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\sghj0.1142323685686254.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\sghj0.2763980578467776.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\sghj0.4086884550225285.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\sghj0.10423266013247323.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\sghj0.33917607469357636.exe (Exploit.Drop.6) -> No action taken.
    c:\WINDOWS\Temp\_ex-68.exe (Trojan.Dropper) -> No action taken.

    protection-log-2011-12-12

    17:27:59 Preston MESSAGE Protection started successfully
    17:28:04 Preston MESSAGE IP Protection started successfully
    17:29:04 Preston MESSAGE IP Protection stopped
    18:02:17 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:02:17 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:02:41 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:02:41 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:06:34 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:06:52 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:07:19 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:07:21 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:07:38 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:27:53 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:27:54 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:28:12 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:28:14 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:28:50 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
    18:28:50 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\tmt.exe Trojan.ExeShell.Gen ALLOW
    18:28:50 Preston DETECTION C:\Documents and Settings\Preston\Local Settings\Application Data\ebx.exe Trojan.ExeShell.Gen ALLOW
     
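    The two tool outputs in this thread, the GMER file listing ending at the "EOF - GMER" line above and the Malwarebytes log in this post, are the raw material a helper triages by hand. The script below is an added example, written for this page and not part of the thread or of either tool; it parses a Malwarebytes log into structured findings, lists the items whose outcome is "No action taken" (the ones to reconcile with what the poster says was removed), extracts the "Good:" data for every hijacked registry data item so the values that have to be written back are listed explicitly, and scans GMER "File" lines for the $NtUninstallKB…$\<digits> directory layout with an "@" marker and "U"/"L" subdirectories that the listing above shows. The sample inputs are taken from the logs on this page, except for one constructed "Quarantined and deleted successfully" line added to show the contrast; the @/U/L heuristic is an assumption keyed on that layout, not a signature from either tool.

```python
"""Triage helpers for a Malwarebytes (MBAM) scan log and a GMER file listing.
Added example for this thread; not code from MBAM, GMER or the poster."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # e.g. "Registry Data Items"
    target: str    # file path or registry path as printed by MBAM
    threat: str    # MBAM detection name, e.g. "Trojan.FakeAlert"
    outcome: str   # trailing "-> ..." text, e.g. "No action taken"
    bad: str = ""  # only for Registry Data Items
    good: str = "" # only for Registry Data Items


SECTION_RE = re.compile(r"^(.+?) Infected:$")          # bare header, no count
ITEM_RE = re.compile(r"^(.*?) \(([\w.]+)\) -> (.*)$")   # "<target> (<threat>) -> ..."
DATA_RE = re.compile(r"^Bad: \((.*)\) Good: \((.*)\) -> (.*)$")


def parse_mbam_log(text):
    """Turn the per-section item lines of an MBAM log into Finding objects."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue
        target, threat, rest = m.groups()
        bad = good = ""
        d = DATA_RE.match(rest)
        if d:
            bad, good, rest = d.groups()
        outcome = rest.rsplit(" -> ", 1)[-1].rstrip(".")
        findings.append(Finding(section, target, threat, outcome, bad, good))
    return findings


def pending(findings):
    """Items the log says were left in place."""
    return [f for f in findings if f.outcome == "No action taken"]


def registry_restorations(findings):
    """(key, value_name, good_data) for every hijacked registry data item."""
    out = []
    for f in findings:
        if f.section != "Registry Data Items":
            continue
        key, _, name = f.target.rpartition("\\")
        out.append((key, "" if name == "(default)" else name, f.good))
    return out


GMER_FILE_RE = re.compile(r"^\s*File (.+?) (\d+) bytes$")
ZA_DIR_RE = re.compile(r"^(.*\\\$NtUninstallKB\d+\$\\\d+)(?:\\(.*))?$", re.IGNORECASE)


def zeroaccess_dirs(gmer_text):
    """$NtUninstallKB…$\\<digits> directories holding an '@' file plus a 'U' or 'L'
    subdirectory (assumed heuristic, based on the layout in the listing above)."""
    entries = {}
    for line in gmer_text.splitlines():
        m = GMER_FILE_RE.match(line)
        if not m:
            continue
        z = ZA_DIR_RE.match(m.group(1))
        if z:
            base, rel = z.group(1), z.group(2) or ""
            entries.setdefault(base, set()).add(rel.split("\\")[0])
    return sorted(b for b, names in entries.items()
                  if "@" in names and names & {"U", "L"})


# Constructed sample: lines copied from the MBAM log in this post, plus one
# invented "Quarantined" line so both outcomes are exercised.
MBAM_LOG = r"""
Memory Processes Infected: 1
Memory Processes Infected:
c:\WINDOWS\Temp\_ex-68.exe (Trojan.Dropper) -> 1784 -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Dropper) -> Value: MozillaAgent -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Preston\Local Settings\Application Data\nex.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\Temp\5689.sys (Heuristics.Shuriken) -> No action taken.
c:\WINDOWS\Temp\_ex-68.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Constructed sample: "File" lines copied from the GMER listing above.
GMER_LISTING = r"""
File C:\Documents and Settings\NetworkService\Cookies\8TXYRLBB.txt 384 bytes
File C:\WINDOWS\$NtUninstallKB41618$\2467377539 0 bytes
File C:\WINDOWS\$NtUninstallKB41618$\2467377539\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41618$\2467377539\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB41618$\2467377539\L\iahonoel 138496 bytes
File C:\WINDOWS\$NtUninstallKB41618$\2467377539\U\[email protected] 1536 bytes
File C:\WINDOWS\$NtUninstallKB41618$\59131336 0 bytes
"""

if __name__ == "__main__":
    found = parse_mbam_log(MBAM_LOG)
    for f in pending(found):
        print(f"LEFT IN PLACE [{f.section}] {f.threat}: {f.target}")
    for key, name, good in registry_restorations(found):
        print(f"RESTORE {key} -> {name or '(default)'} = {good}")
    for d in zeroaccess_dirs(GMER_LISTING):
        print(f"SUSPECT DIR {d}")
```

    Run it as-is to see the five items the sample leaves pending, the two registry values to restore, and the one $NtUninstallKB41618$ subdirectory that carries the @/U/L layout; swap in a full saved log for either constant to triage a real case.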
  7. 801current

    801current Thread Starter

    Joined:
    Dec 20, 2011
    Messages:
    7
    I just downloaded and ran ComboFix; after running that I lost the internet connection on the computer. Other forums said to rerun ComboFix and restart the computer to repair the connection. I did that and had no luck. I tried repairing the connection and got messages saying that the IP address cannot be renewed, something to do with the security center not being enabled. I looked into the security center and it says "not monitored" under firewall, and will not let me enable it. I have done multiple reboots as well as disabling security programs and trying to repair. I have tried unplugging the network connection, which is a cable, and plugging it back in. I have saved both logs from ComboFix.

    If you want me to post them, let me know. I can put them on a flash drive and carry them to this clean computer. One worry is that the virus could move to this clean computer; let me know whether that is possible.

    Anyway... I won't do anything else with the computer.
     
Short URL to this thread: https://techguy.org/1032123
