I was desperate to remove a virus from my computer that makes Google refer me to either "bestwebsearch.com" or "samebleepasiteverwas.com", and YouTube doesn't work, nor do photo sharing sites. I came to this site and read one of the forums; it said to use ComboFix, so I used it, later realizing that the instructions were not to use it unless a certified professional tells you to. But anyway, I used it, and the virus is still here. Here's my log.
ComboFix 09-06-07.07 - Omid 06/08/2009 17:34.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.2047 [GMT -5:00]
Running from: c:\users\Omid\Downloads\Desktop\XifObmoc.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\IEToolbar
c:\program files\IEToolbar\Ant.com Toolbar\ant.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Omid\AppData\Roaming\020000003cf80d3e600C.manifest
c:\users\Omid\AppData\Roaming\020000003cf80d3e600O.manifest
c:\users\Omid\AppData\Roaming\020000003cf80d3e600P.manifest
c:\users\Omid\AppData\Roaming\020000003cf80d3e600S.manifest
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\SystemService32
c:\windows\system32\SystemService32\165.crack.zip
c:\windows\system32\SystemService32\165.crack.zip.kwd
c:\windows\system32\SystemService32\166.keygen.zip
c:\windows\system32\SystemService32\166.keygen.zip.kwd
c:\windows\system32\SystemService32\167.serial.zip
c:\windows\system32\SystemService32\167.serial.zip.kwd
c:\windows\system32\SystemService32\168.setup.zip
c:\windows\system32\SystemService32\168.setup.zip.kwd
c:\windows\system32\SystemService32\169.music.au
c:\windows\system32\SystemService32\169.music.au.kwd
c:\windows\system32\SystemService32\170.music.mp3
c:\windows\system32\SystemService32\170.music.mp3.kwd
c:\windows\system32\SystemService32\171.music2.au
c:\windows\system32\SystemService32\171.music2.au.kwd
c:\windows\system32\SystemService32\172.music.snd
c:\windows\system32\SystemService32\172.music.snd.kwd
D:\Desktop.ini
----- BITS: Possible infected sites -----
hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.
2009-06-08 22:31 . 2009-06-08 22:42 -------- d-s---w- \XifObmoc
2009-06-08 21:59 . 2009-06-08 22:15 -------- d-sh--w- \Config.Msi
2009-06-08 21:17 . 2009-06-08 22:37 -------- d---a-w- \Qoobox
2009-06-08 21:16 . 2009-06-08 21:17 -------- d-----w- c:\programdata\fssg
2009-06-08 19:11 . 2009-06-08 19:13 -------- d-----w- c:\programdata\f-secure
2009-06-08 19:01 . 2009-06-08 19:01 -------- d-----w- c:\program files\Microsoft
2009-06-08 18:59 . 2009-06-08 18:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-08 18:10 . 2009-06-08 22:20 117760 ----a-w- c:\users\Omid\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 17:08 . 2009-06-08 22:15 2951069696 --sha-w- \hiberfil.sys
2009-05-22 21:25 . 2009-06-08 22:39 143360 ----a-w- c:\windows\system32\dmvdsitf32.dll
2009-05-22 21:25 . 2009-05-22 21:25 1372 ----a-w- c:\windows\system32\H9dqOCzxnATrR.vbs
2009-05-21 09:07 . 2009-05-21 09:07 738120 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-15 21:06 . 2009-05-15 21:06 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 22:40 . 2008-12-11 01:26 -------- d-----w- c:\users\Omid\AppData\Roaming\DNA
2009-06-08 22:19 . 2008-12-11 01:26 -------- d-----w- c:\program files\DNA
2009-06-08 22:19 . 2008-11-29 01:31 41952 ----a-w- c:\programdata\nvModes.dat
2009-06-08 22:15 . 2009-06-08 17:08 2951069696 --sha-w- \hiberfil.sys
2009-06-08 22:15 . 2008-11-03 22:38 3264942080 --sha-w- \pagefile.sys
2009-06-08 22:15 . 2008-08-04 16:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-08 22:11 . 2008-08-04 16:43 -------- d-----w- c:\programdata\Symantec
2009-06-08 20:33 . 2009-02-11 03:00 -------- d-----w- c:\program files\SpiralFrog
2009-06-08 18:58 . 2008-08-04 18:49 -------- d-----w- c:\program files\Java
2009-06-08 17:10 . 2009-01-05 01:02 -------- d-----w- c:\programdata\WSC Guard
2009-06-08 17:03 . 2008-11-03 22:38 88439423 ----a-w- c:\windows\DUMP1b3d.tmp
2009-05-24 14:00 . 2008-12-11 01:27 -------- d-----w- c:\users\Omid\AppData\Roaming\BitTorrent
2009-05-24 14:00 . 2008-12-02 02:38 -------- d-----w- c:\users\Omid\AppData\Roaming\FrostWire
2009-04-26 05:36 . 2009-04-26 05:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-04-26 05:35 . 2009-04-26 05:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-04-26 05:35 . 2009-04-26 05:35 -------- d-----w- c:\users\Omid\AppData\Roaming\SUPERAntiSpyware.com
2009-04-26 05:33 . 2009-04-26 05:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-23 23:37 . 2009-04-23 23:37 -------- d-----w- c:\users\Omid\AppData\Roaming\acccore
2009-04-11 21:23 . 2009-04-11 21:23 -------- d-----w- c:\users\Omid\AppData\Roaming\Template
2009-03-17 02:16 . 2009-03-17 02:16 48271 ----a-w- c:\windows\system32\cubdaeewwltuthnb.exe
2008-08-04 15:03 . 2008-08-04 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 04:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
2008-11-27 01:40 253048 ----a-w- c:\program files\My.Freeze.com Toolbar\NetAssistant.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-11 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-08 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
c:\users\Omid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Linksys Wireless Guard.lnk - c:\program files\Linksys Wireless Guard\WscGuard.exe [2004-4-18 872526]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{053E5549-ECD5-4FE4-8DB9-641DFB10CF77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{C1BAABB6-21B7-49B7-91E1-E455B4B6BC44}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{CE417CC2-006D-44BC-B33A-291B02416FCB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{360E3640-FB26-4DEF-8288-8B53B8EBB28A}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C55EE582-4D18-4465-B67C-01CCBFDC83AC}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{261E301A-F759-4EFF-AD4E-D0D01E301A38}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{54340200-B830-4D55-84AD-13CF90EA14A9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7E21CF18-CB99-48CE-B661-B62AE4F6C563}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{1D736C70-99D3-4F05-B76D-7B7641DF6E49}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Omid\\Documents\\BitTorrent\\bittorrent.exe"= c:\users\Omid\Documents\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [8/4/2008 1:43 PM 361808]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/28/2008 4:59 PM 24652]
R2 WSCNetManager;Linksys Wireless Guard Network Manager Service;c:\program files\Linksys Wireless Guard\WscNetMgrSvc.exe [4/18/2004 10:57 AM 663635]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/4/2008 12:15 PM 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [5/9/2008 2:17 PM 43040]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-06-04 c:\windows\Tasks\HPCeeScheduleForOmid.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-04 03:03]
2009-06-08 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2008-12-22 20:10]
2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{387F34B8-CC5E-486A-8EEC-EA497EC32F61}.job
- c:\windows\system32\msfeedssync.exe [2009-04-06 11:31]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-bxdbjkeyzyzsl - c:\windows\system32\edsgkxzxzl.dll
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 17:41
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(796)
c:\windows\System32\dmvdsitf32.dll
- - - - - - - > 'lsass.exe'(588)
c:\windows\System32\dmvdsitf32.dll
.
Completion time: 2009-06-08 17:44
ComboFix-quarantined-files.txt 2009-06-08 22:44
Pre-Run: 30,859,603,968 bytes free
Post-Run: 30,898,688,000 bytes free
I'm no expert, so I was wondering if someone could help me get rid of this virus.
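A triage script for the log above, added here as an example; it is not part of the original post and is not ComboFix's or BleepingComputer's code. It parses three things a ComboFix log already contains (the numeric policy flags under each registry key header, the "Files Created" entries, and the per-process DLL list) and correlates them: a DLL that was created inside the scan window and is also loaded into winlogon.exe or lsass.exe is flagged, as are UAC, Windows Firewall and Security Center monitoring being switched off. The sample input is an excerpt copied from the posted log; the choice of winlogon.exe and lsass.exe as "sensitive" processes and the list of script/executable extensions are the example's own assumptions, and the script makes no verdict about what the flagged files are.

```python
"""Triage a ComboFix-style log for the findings a responder checks first.
Added example for this thread, not ComboFix's or BleepingComputer's code; it makes
no malware verdict, it only surfaces lines worth a closer look. Assumptions marked inline."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted above, trimmed to the ones the
# parser handles (policy flags under [keys], 'Files Created' entries, DLLs per process).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
2009-06-08 18:59 . 2009-06-08 18:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-22 21:25 . 2009-06-08 22:39 143360 ----a-w- c:\windows\system32\dmvdsitf32.dll
2009-05-22 21:25 . 2009-05-22 21:25 1372 ----a-w- c:\windows\system32\H9dqOCzxnATrR.vbs
2009-03-17 02:16 . 2009-03-17 02:16 48271 ----a-w- c:\windows\system32\cubdaeewwltuthnb.exe
- - - - - - - > 'winlogon.exe'(796)
c:\windows\System32\dmvdsitf32.dll
- - - - - - - > 'lsass.exe'(588)
c:\windows\System32\dmvdsitf32.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
SETTING_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")

SENSITIVE_PROCS = {"winlogon.exe", "lsass.exe"}  # assumption: should not load freshly created DLLs
SYSTEM32 = "c:\\windows\\system32\\"
EXEC_EXTS = (".exe", ".vbs", ".bat", ".cmd")  # assumption: what counts as script/executable


def reg_value(raw):
    """Normalise ComboFix value renderings: '0 (0x0)' -> 0, 'dword:00000001' -> 1."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0])


def parse_settings(text):
    """Return (key, name, int value) for every numeric setting under a [key] header."""
    key, out = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if m and key:
            try:
                out.append((key, m.group(1), reg_value(m.group(2))))
            except ValueError:
                pass  # string values (paths, driver names) are not policy flags
    return out


def parse_loaded_dlls(text):
    """Map process name -> DLL paths from a 'DLLs Loaded Under Running Processes' block."""
    loaded, proc = defaultdict(list), None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc = m.group(1)
        elif proc and line.strip() not in ("", "."):
            loaded[proc].append(line.strip().lower())
        else:
            proc = None  # a blank line or '.' ends the block
    return dict(loaded)


def parse_created_files(text):
    """Return lower-cased paths of file (not directory) entries in 'Files Created' lines."""
    return [m.group(3).strip().lower()
            for m in map(FILE_RE.match, text.splitlines())
            if m and not m.group(2).startswith("d")]


def triage(text):
    """Return (kind, detail) findings: weakened security policy plus correlated file evidence."""
    findings = []
    for key, name, value in parse_settings(text):
        if name == "EnableLUA" and value == 0:
            findings.append(("uac_disabled", key))
        elif name == "EnableFirewall" and value == 0:
            findings.append(("firewall_disabled", key.rsplit("\\", 1)[-1]))
        elif name == "DisableMonitoring" and value == 1:
            findings.append(("security_center_monitoring_disabled", key))
    created = set(parse_created_files(text))
    # A DLL both created in the scan window and loaded into winlogon/lsass is the
    # strongest lead in the log: the two sections are meant to be read together.
    for proc, dlls in parse_loaded_dlls(text).items():
        if proc.lower() in SENSITIVE_PROCS:
            for dll in dlls:
                if dll in created:
                    findings.append(("recent_dll_in_sensitive_process", f"{proc}: {dll}"))
    for path in sorted(created):
        if path.startswith(SYSTEM32) and path.endswith(EXEC_EXTS):
            findings.append(("recent_script_or_exe_in_system32", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:40s} {detail}")
```

On the excerpt it reports UAC off (EnableLUA=0), Windows Firewall off on every profile, Security Center monitoring suppressed, dmvdsitf32.dll (created 2009-05-22) loaded into both winlogon.exe and lsass.exe, and two freshly created script/executable files in system32; deploytk.dll is listed in the same window but is not flagged because nothing else in the log ties it to a sensitive process. Those are the items to hand to whoever continues the cleanup, in that order.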