I am pretty certain I have a rootkit virus. If I try to run any popular scanner or even an online scan, that program is interrupted and the application file is changed to a read-only file. This happens with HijackThis, Spybot Search & Destroy and online scans.
I ran DDS, ComboFix and RootkitRevealer; logs attached.
Thanks in advance for any assistance.
MJ
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:04:10.78 on Fri 09/18/2009
Internet Explorer: 8.0.6001.18702
============== Pseudo HJT Report ===============
uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4431.1036\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\urql8k3i.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\urql8k3i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\xircom
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\oobe
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\inetsrv
2009-09-17 23:48 <DIR> --d----- c:\program files\windows nt
2009-09-17 23:48 <DIR> --d----- c:\program files\msn gaming zone
2009-09-17 23:32 <DIR> a-dshr-- C:\cmdcons
2009-09-17 23:30 229,888 a------- c:\windows\PEV.exe
2009-09-17 23:30 161,792 a------- c:\windows\SWREG.exe
2009-09-17 23:30 98,816 a------- c:\windows\sed.exe
2009-09-17 23:02 731,136 a------- C:\avenger.exe
2009-09-17 22:38 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-17 22:22 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-17 22:19 3,550,592 a------- C:\procexp.exe
2009-09-17 21:46 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-17 21:28 224,056 a------- C:\Diskmon.exe
2009-09-17 21:28 9,519 a------- C:\DISKMON.HLP
2009-09-17 21:23 313,200 a------- C:\accesschk.exe
2009-09-17 20:57 4,382,720 a------- c:\windows\system32\ECBK
2009-09-17 20:52 334,720 a------- C:\RootkitRevealer.exe
2009-09-17 20:52 102,160 a------- C:\RootkitRevealer.chm
2009-09-17 20:35 4,382,720 a------- c:\windows\system32\MICGYRR
2009-09-17 18:25 4,378,624 a------- c:\windows\system32\SUFSQUX
2009-09-17 18:19 162,616 -------- C:\RegDelNull.exe
2009-09-17 18:15 4,378,624 a------- c:\windows\system32\DCIGJHYSF
2009-09-16 21:57 <DIR> --d----- C:\wmi
2009-09-16 21:28 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-16 21:28 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 21:28 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-16 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-16 21:26 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 21:00 <DIR> --d-h--- c:\windows\PIF
2009-09-16 20:40 <DIR> --d----- c:\program files\Safer Networking
2009-09-16 20:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-16 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-03 20:16 <DIR> --d----- C:\spm8
2009-08-22 09:28 512,000 a------- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 09:28 <DIR> --d----- c:\windows\system32\WunderPhoto Screensaver dir
==================== Find3M ====================
2009-09-07 17:49 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 17:49 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 17:49 25,248 a------- c:\windows\system32\lmimirr.dll
2009-09-07 17:49 11,552 a------- c:\windows\system32\lmimirr2.dll
2009-08-06 16:59 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 15:11 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-26 15:11 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:41 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:41 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:41 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:41 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:41 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:41 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 03:41 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:41 136,704 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:41 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:41 136,704 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-24 05:28 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
============= FINISH: 19:05:06.68 ===============
ComboFix log as follows:
ComboFix 09-09-17.04 - Owner 09/17/2009 23:37.1.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe
c:\documents and settings\Owner\Application Data\alot
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Owner\Application Data\alot\products\products.xml
c:\documents and settings\Owner\Application Data\alot\products\products.xml.backup
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\nclear.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\pcloud.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\2567_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbar.xml
c:\documents and settings\Owner\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml.backup
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\system32\drivers\rotscxqllxdqgk.sys
c:\windows\system32\rotscxcmyoxear.dll
c:\windows\system32\rotscxjnswrrva.dat
c:\windows\system32\rotscxlkdqvoas.dll
c:\windows\system32\systeminfo.dll
c:\windows\system32\uuddc32.dll
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\ntvdm.exe . . . is infected!!
c:\windows\system32\sc.exe . . . is infected!!
c:\windows\system32\wbem\wmiprvse.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\xircom
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\oobe
2009-09-18 04:02 . 2008-05-31 04:09 731136 ----a-w- C:\avenger.exe
2009-09-18 03:38 . 2009-09-18 03:38 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-18 03:36 . 2009-09-18 03:44 -------- d-----w- c:\windows\BDOSCAN8
2009-09-18 03:22 . 2009-09-18 03:35 -------- d-----w- c:\windows\system32\NtmsData
2009-09-18 03:19 . 2009-02-03 15:32 3550592 ----a-w- C:\procexp.exe
2009-09-18 02:46 . 2009-09-18 02:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-18 02:28 . 2006-11-01 18:06 224056 ----a-w- C:\Diskmon.exe
2009-09-18 02:23 . 2008-12-18 02:11 313200 ----a-w- C:\accesschk.exe
2009-09-18 01:52 . 2006-11-01 18:07 334720 ----a-w- C:\RootkitRevealer.exe
2009-09-17 23:19 . 2006-11-01 18:06 162616 ------w- C:\RegDelNull.exe
2009-09-17 02:57 . 2009-09-17 03:25 -------- d-----w- C:\wmi
2009-09-17 02:48 . 2009-09-17 02:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 02:26 . 2009-09-17 02:26 -------- d-----w- c:\program files\Trend Micro
2009-09-17 02:00 . 2009-09-18 04:13 -------- d--h--w- c:\windows\PIF
2009-09-17 01:40 . 2009-09-17 01:40 -------- d-----w- c:\program files\Safer Networking
2009-09-17 01:31 . 2009-09-17 02:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 01:31 . 2009-09-17 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 01:16 . 2009-09-04 01:16 -------- d-----w- C:\spm8
2009-08-22 14:28 . 2009-08-22 14:28 512000 ----a-w- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 14:28 . 2009-08-22 14:28 -------- d-----w- c:\windows\system32\WunderPhoto Screensaver dir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\program files\microsoft frontpage
2009-09-18 04:29 . 2009-07-30 22:47 256 ----a-w- c:\windows\system32\pool.bin
2009-09-18 04:22 . 2009-06-09 12:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-09-17 15:09 . 2009-06-09 12:50 -------- d-----w- c:\program files\LogMeIn
2009-09-13 14:10 . 2009-05-08 03:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-07 22:49 . 2009-06-09 12:50 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 22:49 . 2009-06-09 12:50 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-07 22:49 . 2008-10-17 01:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-07 22:49 . 2008-10-17 01:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-04 01:31 . 2009-05-31 02:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-08-14 20:36 . 2009-08-14 20:36 -------- d-----w- c:\program files\Auslogics
2009-08-14 02:44 . 2009-05-08 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-11 03:08 . 2009-08-11 03:08 0 ----a-w- c:\windows\nsreg.dat
2009-08-08 14:01 . 2009-05-10 12:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-08-08 14:01 . 2009-05-10 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-08-06 21:59 . 2009-08-06 21:59 4 --sh--r- c:\documents and settings\All Users\Application Data\sysqcl0.dat
2009-08-06 21:59 . 2009-08-06 21:59 -------- d-----w- c:\program files\plasq
2009-08-06 21:58 . 2009-08-06 21:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 20:44 . 2009-08-05 20:44 -------- d-----w- c:\program files\Microsoft
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 04:44 . 2009-08-02 04:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iTunes
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iPod
2009-08-02 04:40 . 2009-08-02 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-08-02 04:40 . 2009-05-08 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\Bonjour
2009-08-02 04:39 . 2009-05-08 01:36 -------- d-----w- c:\program files\QuickTime Alternative
2009-08-02 04:38 . 2009-08-02 04:38 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 04:38 . 2009-08-02 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-02 03:05 . 2009-05-08 02:08 124808 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 23:27 . 2009-07-29 02:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Roxio
2009-08-01 23:24 . 2009-07-29 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-01 23:21 . 2009-08-01 22:55 -------- d-----w- c:\program files\AnalogX
2009-08-01 23:20 . 2009-08-01 23:09 -------- d-----w- c:\program files\OCS Inventory NG
2009-08-01 22:59 . 2009-07-29 01:49 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\program files\Network Chemistry
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Ethereal
2009-08-01 22:42 . 2009-08-01 22:19 -------- d-----w- c:\program files\URLSnooper2
2009-08-01 22:31 . 2009-08-01 22:31 -------- d-----w- c:\program files\NetworkActiv Port Scanner 4.0
2009-08-01 22:20 . 2009-08-01 22:20 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- c:\documents and settings\Owner\Application Data\DonationCoder
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\program files\WinPcap
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-01 13:50 . 2009-05-08 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 00:25 . 2009-05-08 03:35 -------- d-----w- c:\program files\Vuze
2009-07-30 22:47 . 2009-07-30 22:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2009-07-29 02:28 . 2009-06-17 16:05 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-07-29 02:28 . 2009-07-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-07-29 02:14 . 2009-07-29 02:14 -------- d-----w- c:\program files\Research In Motion
2009-07-28 12:17 . 2009-07-28 12:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MathWorks
2009-07-27 23:01 . 2009-07-27 23:01 -------- d-----w- c:\program files\MATLAB
2009-07-24 12:09 . 2009-07-24 12:09 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-07-23 02:58 . 2009-07-23 02:56 -------- d-----w- c:\program files\Quicken WillMaker Plus 2009
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Quicken WillMaker
2009-07-23 02:34 . 2009-07-23 02:24 -------- d-----w- c:\program files\Quicken
2009-07-23 02:25 . 2009-06-10 22:23 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-07-23 02:25 . 2009-05-08 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 02:25 . 2009-05-08 02:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-23 02:25 . 2009-06-10 22:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Intuit
2009-07-23 02:23 . 2009-06-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2009-04-20 18:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:16 . 2009-08-02 04:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 17:16 . 2009-08-02 04:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-03 17:09 . 2009-04-20 18:19 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 20:11 . 2009-04-20 18:17 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:41 . 2009-04-20 18:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:41 . 2009-04-20 18:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:41 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:41 . 2009-04-20 18:18 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:41 . 2009-04-20 18:17 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 10:28 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
------- Sigcheck -------
[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . 6D9C6B855C7CF5F36392D194DF6BF553 . 98304 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-08 133104]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-24 203928]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-14 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-12-11 454656]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-14 68592]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-03-20 49152]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-05-13 143360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-04-20 128512]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2009-8-27 26784939]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-07 22:49 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\OCS Inventory NG\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R3 DKNBOHUKUXMFC;DKNBOHUKUXMFC;c:\docume~1\Owner\LOCALS~1\Temp\DKNBOHUKUXMFC.exe [x]
R3 NJUOF;NJUOF;c:\docume~1\Owner\LOCALS~1\Temp\NJUOF.exe [x]
R3 OSPOQRYU;OSPOQRYU;c:\docume~1\Owner\LOCALS~1\Temp\OSPOQRYU.exe [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-12-16 21144]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09]
2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09]
2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{A33E4BAC-2D8E-4B90-B140-A04B0D5E05B9}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 23:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1?$?????'d?|????.d?|` $??6$??????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="\"c:\program files\OCS Inventory NG\xampp\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\OCS Inventory NG\xampp\mysql\bin\my.cnf\" mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3079_x-ww_b811a94e\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-18 23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 04:55
Pre-Run: 136,236,929,024 bytes free
Post-Run: 136,154,484,736 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
410 --- E O F --- 2009-09-18 01:34
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:04:10.78 on Fri 09/18/2009
Internet Explorer: 8.0.6001.18702
============== Pseudo HJT Report ===============
uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4431.1036\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\urql8k3i.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\urql8k3i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\xircom
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\oobe
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\inetsrv
2009-09-17 23:48 <DIR> --d----- c:\program files\windows nt
2009-09-17 23:48 <DIR> --d----- c:\program files\msn gaming zone
2009-09-17 23:32 <DIR> a-dshr-- C:\cmdcons
2009-09-17 23:30 229,888 a------- c:\windows\PEV.exe
2009-09-17 23:30 161,792 a------- c:\windows\SWREG.exe
2009-09-17 23:30 98,816 a------- c:\windows\sed.exe
2009-09-17 23:02 731,136 a------- C:\avenger.exe
2009-09-17 22:38 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-17 22:22 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-17 22:19 3,550,592 a------- C:\procexp.exe
2009-09-17 21:46 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-17 21:28 224,056 a------- C:\Diskmon.exe
2009-09-17 21:28 9,519 a------- C:\DISKMON.HLP
2009-09-17 21:23 313,200 a------- C:\accesschk.exe
2009-09-17 20:57 4,382,720 a------- c:\windows\system32\ECBK
2009-09-17 20:52 334,720 a------- C:\RootkitRevealer.exe
2009-09-17 20:52 102,160 a------- C:\RootkitRevealer.chm
2009-09-17 20:35 4,382,720 a------- c:\windows\system32\MICGYRR
2009-09-17 18:25 4,378,624 a------- c:\windows\system32\SUFSQUX
2009-09-17 18:19 162,616 -------- C:\RegDelNull.exe
2009-09-17 18:15 4,378,624 a------- c:\windows\system32\DCIGJHYSF
2009-09-16 21:57 <DIR> --d----- C:\wmi
2009-09-16 21:28 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-16 21:28 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 21:28 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-16 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-16 21:26 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 21:00 <DIR> --d-h--- c:\windows\PIF
2009-09-16 20:40 <DIR> --d----- c:\program files\Safer Networking
2009-09-16 20:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-16 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-03 20:16 <DIR> --d----- C:\spm8
2009-08-22 09:28 512,000 a------- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 09:28 <DIR> --d----- c:\windows\system32\WunderPhoto Screensaver dir
==================== Find3M ====================
2009-09-07 17:49 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 17:49 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 17:49 25,248 a------- c:\windows\system32\lmimirr.dll
2009-09-07 17:49 11,552 a------- c:\windows\system32\lmimirr2.dll
2009-08-06 16:59 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 15:11 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-26 15:11 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:41 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:41 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:41 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:41 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:41 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:41 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 03:41 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:41 136,704 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:41 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:41 136,704 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-24 05:28 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
============= FINISH: 19:05:06.68 ===============
ComboFix log as follows:
ComboFix 09-09-17.04 - Owner 09/17/2009 23:37.1.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe
c:\documents and settings\Owner\Application Data\alot
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Owner\Application Data\alot\products\products.xml
c:\documents and settings\Owner\Application Data\alot\products\products.xml.backup
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\nclear.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\pcloud.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\2567_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbar.xml
c:\documents and settings\Owner\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml.backup
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\system32\drivers\rotscxqllxdqgk.sys
c:\windows\system32\rotscxcmyoxear.dll
c:\windows\system32\rotscxjnswrrva.dat
c:\windows\system32\rotscxlkdqvoas.dll
c:\windows\system32\systeminfo.dll
c:\windows\system32\uuddc32.dll
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\ntvdm.exe . . . is infected!!
c:\windows\system32\sc.exe . . . is infected!!
c:\windows\system32\wbem\wmiprvse.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\xircom
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\oobe
2009-09-18 04:02 . 2008-05-31 04:09 731136 ----a-w- C:\avenger.exe
2009-09-18 03:38 . 2009-09-18 03:38 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-18 03:36 . 2009-09-18 03:44 -------- d-----w- c:\windows\BDOSCAN8
2009-09-18 03:22 . 2009-09-18 03:35 -------- d-----w- c:\windows\system32\NtmsData
2009-09-18 03:19 . 2009-02-03 15:32 3550592 ----a-w- C:\procexp.exe
2009-09-18 02:46 . 2009-09-18 02:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-18 02:28 . 2006-11-01 18:06 224056 ----a-w- C:\Diskmon.exe
2009-09-18 02:23 . 2008-12-18 02:11 313200 ----a-w- C:\accesschk.exe
2009-09-18 01:52 . 2006-11-01 18:07 334720 ----a-w- C:\RootkitRevealer.exe
2009-09-17 23:19 . 2006-11-01 18:06 162616 ------w- C:\RegDelNull.exe
2009-09-17 02:57 . 2009-09-17 03:25 -------- d-----w- C:\wmi
2009-09-17 02:48 . 2009-09-17 02:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 02:26 . 2009-09-17 02:26 -------- d-----w- c:\program files\Trend Micro
2009-09-17 02:00 . 2009-09-18 04:13 -------- d--h--w- c:\windows\PIF
2009-09-17 01:40 . 2009-09-17 01:40 -------- d-----w- c:\program files\Safer Networking
2009-09-17 01:31 . 2009-09-17 02:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 01:31 . 2009-09-17 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 01:16 . 2009-09-04 01:16 -------- d-----w- C:\spm8
2009-08-22 14:28 . 2009-08-22 14:28 512000 ----a-w- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 14:28 . 2009-08-22 14:28 -------- d-----w- c:\windows\system32\WunderPhoto Screensaver dir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\program files\microsoft frontpage
2009-09-18 04:29 . 2009-07-30 22:47 256 ----a-w- c:\windows\system32\pool.bin
2009-09-18 04:22 . 2009-06-09 12:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-09-17 15:09 . 2009-06-09 12:50 -------- d-----w- c:\program files\LogMeIn
2009-09-13 14:10 . 2009-05-08 03:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-07 22:49 . 2009-06-09 12:50 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 22:49 . 2009-06-09 12:50 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-07 22:49 . 2008-10-17 01:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-07 22:49 . 2008-10-17 01:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-04 01:31 . 2009-05-31 02:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-08-14 20:36 . 2009-08-14 20:36 -------- d-----w- c:\program files\Auslogics
2009-08-14 02:44 . 2009-05-08 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-11 03:08 . 2009-08-11 03:08 0 ----a-w- c:\windows\nsreg.dat
2009-08-08 14:01 . 2009-05-10 12:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-08-08 14:01 . 2009-05-10 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-08-06 21:59 . 2009-08-06 21:59 4 --sh--r- c:\documents and settings\All Users\Application Data\sysqcl0.dat
2009-08-06 21:59 . 2009-08-06 21:59 -------- d-----w- c:\program files\plasq
2009-08-06 21:58 . 2009-08-06 21:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 20:44 . 2009-08-05 20:44 -------- d-----w- c:\program files\Microsoft
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 04:44 . 2009-08-02 04:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iTunes
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iPod
2009-08-02 04:40 . 2009-08-02 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-08-02 04:40 . 2009-05-08 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\Bonjour
2009-08-02 04:39 . 2009-05-08 01:36 -------- d-----w- c:\program files\QuickTime Alternative
2009-08-02 04:38 . 2009-08-02 04:38 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 04:38 . 2009-08-02 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-02 03:05 . 2009-05-08 02:08 124808 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 23:27 . 2009-07-29 02:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Roxio
2009-08-01 23:24 . 2009-07-29 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-01 23:21 . 2009-08-01 22:55 -------- d-----w- c:\program files\AnalogX
2009-08-01 23:20 . 2009-08-01 23:09 -------- d-----w- c:\program files\OCS Inventory NG
2009-08-01 22:59 . 2009-07-29 01:49 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\program files\Network Chemistry
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Ethereal
2009-08-01 22:42 . 2009-08-01 22:19 -------- d-----w- c:\program files\URLSnooper2
2009-08-01 22:31 . 2009-08-01 22:31 -------- d-----w- c:\program files\NetworkActiv Port Scanner 4.0
2009-08-01 22:20 . 2009-08-01 22:20 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- c:\documents and settings\Owner\Application Data\DonationCoder
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\program files\WinPcap
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-01 13:50 . 2009-05-08 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 00:25 . 2009-05-08 03:35 -------- d-----w- c:\program files\Vuze
2009-07-30 22:47 . 2009-07-30 22:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2009-07-29 02:28 . 2009-06-17 16:05 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-07-29 02:28 . 2009-07-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-07-29 02:14 . 2009-07-29 02:14 -------- d-----w- c:\program files\Research In Motion
2009-07-28 12:17 . 2009-07-28 12:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MathWorks
2009-07-27 23:01 . 2009-07-27 23:01 -------- d-----w- c:\program files\MATLAB
2009-07-24 12:09 . 2009-07-24 12:09 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-07-23 02:58 . 2009-07-23 02:56 -------- d-----w- c:\program files\Quicken WillMaker Plus 2009
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Quicken WillMaker
2009-07-23 02:34 . 2009-07-23 02:24 -------- d-----w- c:\program files\Quicken
2009-07-23 02:25 . 2009-06-10 22:23 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-07-23 02:25 . 2009-05-08 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 02:25 . 2009-05-08 02:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-23 02:25 . 2009-06-10 22:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Intuit
2009-07-23 02:23 . 2009-06-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2009-04-20 18:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:16 . 2009-08-02 04:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 17:16 . 2009-08-02 04:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-03 17:09 . 2009-04-20 18:19 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 20:11 . 2009-04-20 18:17 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:41 . 2009-04-20 18:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:41 . 2009-04-20 18:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:41 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:41 . 2009-04-20 18:18 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:41 . 2009-04-20 18:17 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 10:28 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
------- Sigcheck -------
[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . 6D9C6B855C7CF5F36392D194DF6BF553 . 98304 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-08 133104]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-24 203928]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-14 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-12-11 454656]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-14 68592]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-03-20 49152]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-05-13 143360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-04-20 128512]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2009-8-27 26784939]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-07 22:49 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\OCS Inventory NG\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R3 DKNBOHUKUXMFC;DKNBOHUKUXMFC;c:\docume~1\Owner\LOCALS~1\Temp\DKNBOHUKUXMFC.exe [x]
R3 NJUOF;NJUOF;c:\docume~1\Owner\LOCALS~1\Temp\NJUOF.exe [x]
R3 OSPOQRYU;OSPOQRYU;c:\docume~1\Owner\LOCALS~1\Temp\OSPOQRYU.exe [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-12-16 21144]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09]
2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09]
2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{A33E4BAC-2D8E-4B90-B140-A04B0D5E05B9}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 23:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1?$?????'d?|????.d?|` $??6$??????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="\"c:\program files\OCS Inventory NG\xampp\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\OCS Inventory NG\xampp\mysql\bin\my.cnf\" mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3079_x-ww_b811a94e\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-18 23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 04:55
Pre-Run: 136,236,929,024 bytes free
Post-Run: 136,154,484,736 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
410 --- E O F --- 2009-09-18 01:34
Attached File(s)
- Attach.txt (5.77K)
- DDS.txt (18.69K)
- log.txt (31.37K)
- ark.txt (45.21K)
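Added triage example; this is not code from the original post, from ComboFix or from BleepingComputer. The three `R3` services in the log above point to executables with random upper-case names under the user's Temp folder and carry the `[x]` marker (binary missing at scan time), which is the part of this log a responder reads first. The script parses ComboFix's `state name;description;path [tag]` service lines and scores each one; the sample input is the service block copied from the log above, and the weights (Temp path 2, missing binary 1, random name 1) and the flag threshold of 2 are this example's own assumptions, not ComboFix behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the service/driver lines copied verbatim from the
# ComboFix log in the post above (the R3/R4/S0/S2 block).
SAMPLE_LOG = r"""
R3 DKNBOHUKUXMFC;DKNBOHUKUXMFC;c:\docume~1\Owner\LOCALS~1\Temp\DKNBOHUKUXMFC.exe [x]
R3 NJUOF;NJUOF;c:\docume~1\Owner\LOCALS~1\Temp\NJUOF.exe [x]
R3 OSPOQRYU;OSPOQRYU;c:\docume~1\Owner\LOCALS~1\Temp\OSPOQRYU.exe [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-12-16 21144]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
"""

# One ComboFix service line: "<state> <name>;<description>;<image path> [<tag>]"
# where <tag> is "x" when the binary is missing, otherwise "<date> <size>".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>[^\[]*)\[(?P<tag>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    description: str
    path: str
    tag: str
    reasons: list = field(default_factory=list)  # (reason, weight) pairs

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.reasons)


def parse_service_lines(text: str) -> list:
    """Return a ServiceEntry for every line matching ComboFix's service format."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["state"], m["name"], m["desc"],
                                        m["path"].strip(), m["tag"].strip()))
    return entries


def score_entry(entry: ServiceEntry) -> ServiceEntry:
    """Attach weighted reasons; the weights are this example's own heuristic."""
    entry.reasons = []
    if "\\temp\\" in entry.path.lower():
        entry.reasons.append(("image lives under a Temp directory", 2))
    if entry.tag == "x":
        entry.reasons.append(("binary missing at scan time", 1))
    n = entry.name
    if n == entry.description and n.isalpha() and n.isupper() and len(n) >= 5:
        entry.reasons.append(("random-looking upper-case name, no real description", 1))
    return entry


def triage(entries, threshold: int = 2):
    """Return the entries whose combined score reaches the threshold, worst first."""
    scored = [score_entry(e) for e in entries]
    flagged = [e for e in scored if e.score >= threshold]
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(parse_service_lines(SAMPLE_LOG)):
        print(f"{e.state} {e.name} score={e.score}")
        for reason, w in e.reasons:
            print(f"    +{w} {reason}")
```

Note why a missing binary alone scores only 1: `LMIRfsClientNP` is also marked `[x]`, but it is LogMeIn's network provider (its DLL is listed under `winlogon.exe` in the same log next to the LogMeIn driver), so that marker on its own is weak evidence. The Temp-folder path plus a random-looking name is what separates the three `R3` entries from it.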