Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
DO NOT RUN ComboFix unless requested to.
Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Post #1 (New Member; Group: Members; Posts: 1; Joined: 18-September 09; Member No.: 379,611)
I ran DDS, ComboFix and RootkitRevealer; logs attached. Thanks in advance for any assistance. MJ

```text
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:04:10.78 on Fri 09/18/2009
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4431.1036\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\urql8k3i.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\urql8k3i.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-09-17 23:48 <DIR> --d----- c:\windows\system32\xircom
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\oobe
2009-09-17 23:48 <DIR> --d----- c:\windows\system32\inetsrv
2009-09-17 23:48 <DIR> --d----- c:\program files\windows nt
2009-09-17 23:48 <DIR> --d----- c:\program files\msn gaming zone
2009-09-17 23:32 <DIR> a-dshr-- C:\cmdcons
2009-09-17 23:30 229,888 a------- c:\windows\PEV.exe
2009-09-17 23:30 161,792 a------- c:\windows\SWREG.exe
2009-09-17 23:30 98,816 a------- c:\windows\sed.exe
2009-09-17 23:02 731,136 a------- C:\avenger.exe
2009-09-17 22:38 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-17 22:22 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-17 22:19 3,550,592 a------- C:\procexp.exe
2009-09-17 21:46 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-17 21:28 224,056 a------- C:\Diskmon.exe
2009-09-17 21:28 9,519 a------- C:\DISKMON.HLP
2009-09-17 21:23 313,200 a------- C:\accesschk.exe
2009-09-17 20:57 4,382,720 a------- c:\windows\system32\ECBK
2009-09-17 20:52 334,720 a------- C:\RootkitRevealer.exe
2009-09-17 20:52 102,160 a------- C:\RootkitRevealer.chm
2009-09-17 20:35 4,382,720 a------- c:\windows\system32\MICGYRR
2009-09-17 18:25 4,378,624 a------- c:\windows\system32\SUFSQUX
2009-09-17 18:19 162,616 -------- C:\RegDelNull.exe
2009-09-17 18:15 4,378,624 a------- c:\windows\system32\DCIGJHYSF
2009-09-16 21:57 <DIR> --d----- C:\wmi
2009-09-16 21:28 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-16 21:28 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 21:28 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-16 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-16 21:26 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 21:00 <DIR> --d-h--- c:\windows\PIF
2009-09-16 20:40 <DIR> --d----- c:\program files\Safer Networking
2009-09-16 20:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-16 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-03 20:16 <DIR> --d----- C:\spm8
2009-08-22 09:28 512,000 a------- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 09:28 <DIR> --d----- c:\windows\system32\WunderPhoto Screensaver dir

==================== Find3M ====================

2009-09-07 17:49 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 17:49 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 17:49 25,248 a------- c:\windows\system32\lmimirr.dll
2009-09-07 17:49 11,552 a------- c:\windows\system32\lmimirr2.dll
2009-08-06 16:59 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 15:11 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-26 15:11 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:41 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:41 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:41 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:41 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:41 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:41 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 03:41 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:41 136,704 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:41 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:41 136,704 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-24 05:28 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys

============= FINISH: 19:05:06.68 ===============
```

ComboFix log as follows:

```text
ComboFix 09-09-17.04 - Owner 09/17/2009 23:37.1.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe
c:\documents and settings\Owner\Application Data\alot
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Owner\Application Data\alot\products\products.xml
c:\documents and settings\Owner\Application Data\alot\products\products.xml.backup
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_1795_default_1795_alot_configure.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_1011_alot_maps_tools.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2284_alot_map_travel.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_1870_mrkt_traffic.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\nclear.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\pcloud.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\2567_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\default_1423_alot_mrkt_globe.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbar.xml
c:\documents and settings\Owner\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml.backup
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\system32\drivers\rotscxqllxdqgk.sys
c:\windows\system32\rotscxcmyoxear.dll
c:\windows\system32\rotscxjnswrrva.dat
c:\windows\system32\rotscxlkdqvoas.dll
c:\windows\system32\systeminfo.dll
c:\windows\system32\uuddc32.dll

c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\ntvdm.exe . . . is infected!!
c:\windows\system32\sc.exe . . . is infected!!
c:\windows\system32\wbem\wmiprvse.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\xircom
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\windows\system32\oobe
2009-09-18 04:02 . 2008-05-31 04:09 731136 ----a-w- C:\avenger.exe
2009-09-18 03:38 . 2009-09-18 03:38 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-18 03:36 . 2009-09-18 03:44 -------- d-----w- c:\windows\BDOSCAN8
2009-09-18 03:22 . 2009-09-18 03:35 -------- d-----w- c:\windows\system32\NtmsData
2009-09-18 03:19 . 2009-02-03 15:32 3550592 ----a-w- C:\procexp.exe
2009-09-18 02:46 . 2009-09-18 02:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-18 02:28 . 2006-11-01 18:06 224056 ----a-w- C:\Diskmon.exe
2009-09-18 02:23 . 2008-12-18 02:11 313200 ----a-w- C:\accesschk.exe
2009-09-18 01:52 . 2006-11-01 18:07 334720 ----a-w- C:\RootkitRevealer.exe
2009-09-17 23:19 . 2006-11-01 18:06 162616 ------w- C:\RegDelNull.exe
2009-09-17 02:57 . 2009-09-17 03:25 -------- d-----w- C:\wmi
2009-09-17 02:48 . 2009-09-17 02:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:28 . 2009-09-17 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 02:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 02:26 . 2009-09-17 02:26 -------- d-----w- c:\program files\Trend Micro
2009-09-17 02:00 . 2009-09-18 04:13 -------- d--h--w- c:\windows\PIF
2009-09-17 01:40 . 2009-09-17 01:40 -------- d-----w- c:\program files\Safer Networking
2009-09-17 01:31 . 2009-09-17 02:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 01:31 . 2009-09-17 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 01:16 . 2009-09-04 01:16 -------- d-----w- C:\spm8
2009-08-22 14:28 . 2009-08-22 14:28 512000 ----a-w- c:\windows\system32\WunderPhoto Screensaver.scr
2009-08-22 14:28 . 2009-08-22 14:28 -------- d-----w- c:\windows\system32\WunderPhoto Screensaver dir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 04:48 . 2009-09-18 04:48 -------- d-----w- c:\program files\microsoft frontpage
2009-09-18 04:29 . 2009-07-30 22:47 256 ----a-w- c:\windows\system32\pool.bin
2009-09-18 04:22 . 2009-06-09 12:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-09-17 15:09 . 2009-06-09 12:50 -------- d-----w- c:\program files\LogMeIn
2009-09-13 14:10 . 2009-05-08 03:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-07 22:49 . 2009-06-09 12:50 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 22:49 . 2009-06-09 12:50 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-07 22:49 . 2008-10-17 01:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-07 22:49 . 2008-10-17 01:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-04 01:31 . 2009-05-31 02:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-08-14 20:36 . 2009-08-14 20:36 -------- d-----w- c:\program files\Auslogics
2009-08-14 02:44 . 2009-05-08 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-11 03:08 . 2009-08-11 03:08 0 ----a-w- c:\windows\nsreg.dat
2009-08-08 14:01 . 2009-05-10 12:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-08-08 14:01 . 2009-05-10 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-08-06 21:59 . 2009-08-06 21:59 4 --sh--r- c:\documents and settings\All Users\Application Data\sysqcl0.dat
2009-08-06 21:59 . 2009-08-06 21:59 -------- d-----w- c:\program files\plasq
2009-08-06 21:58 . 2009-08-06 21:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 20:44 . 2009-08-05 20:44 -------- d-----w- c:\program files\Microsoft
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 04:44 . 2009-08-02 04:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iTunes
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\iPod
2009-08-02 04:40 . 2009-08-02 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-08-02 04:40 . 2009-05-08 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 04:40 . 2009-08-02 04:40 -------- d-----w- c:\program files\Bonjour
2009-08-02 04:39 . 2009-05-08 01:36 -------- d-----w- c:\program files\QuickTime Alternative
2009-08-02 04:38 . 2009-08-02 04:38 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 04:38 . 2009-08-02 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-02 03:05 . 2009-05-08 02:08 124808 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 23:27 . 2009-07-29 02:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Roxio
2009-08-01 23:24 . 2009-07-29 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-01 23:24 . 2009-08-01 23:24 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-01 23:21 . 2009-08-01 22:55 -------- d-----w- c:\program files\AnalogX
2009-08-01 23:20 . 2009-08-01 23:09 -------- d-----w- c:\program files\OCS Inventory NG
2009-08-01 22:59 . 2009-07-29 01:49 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\program files\Network Chemistry
2009-08-01 22:50 . 2009-08-01 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Ethereal
2009-08-01 22:42 . 2009-08-01 22:19 -------- d-----w- c:\program files\URLSnooper2
2009-08-01 22:31 . 2009-08-01 22:31 -------- d-----w- c:\program files\NetworkActiv Port Scanner 4.0
2009-08-01 22:20 . 2009-08-01 22:20 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- c:\documents and settings\Owner\Application Data\DonationCoder
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\program files\WinPcap
2009-08-01 22:19 . 2009-08-01 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-01 13:50 . 2009-05-08 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 00:25 . 2009-05-08 03:35 -------- d-----w- c:\program files\Vuze
2009-07-30 22:47 .
```
2009-07-30 22:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion 2009-07-29 02:28 . 2009-06-17 16:05 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield 2009-07-29 02:28 . 2009-07-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic 2009-07-29 02:14 . 2009-07-29 02:14 -------- d-----w- c:\program files\Research In Motion 2009-07-28 12:17 . 2009-07-28 12:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MathWorks 2009-07-27 23:01 . 2009-07-27 23:01 -------- d-----w- c:\program files\MATLAB 2009-07-24 12:09 . 2009-07-24 12:09 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss 2009-07-23 02:58 . 2009-07-23 02:56 -------- d-----w- c:\program files\Quicken WillMaker Plus 2009 2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Quicken WillMaker 2009-07-23 02:34 . 2009-07-23 02:24 -------- d-----w- c:\program files\Quicken 2009-07-23 02:25 . 2009-06-10 22:23 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0 2009-07-23 02:25 . 2009-05-08 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-07-23 02:25 . 2009-05-08 02:03 -------- d-----w- c:\program files\Common Files\InstallShield 2009-07-23 02:25 . 2009-06-10 22:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Intuit 2009-07-23 02:23 . 2009-06-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit 2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 04:43 . 2009-04-20 18:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-09 17:16 . 2009-08-02 04:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-07-09 17:16 . 2009-08-02 04:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-07-03 17:09 . 2009-04-20 18:19 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-26 20:11 . 
2009-04-20 18:17 730112 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:41 . 2009-04-20 18:18 56832 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:41 . 2009-04-20 18:18 147456 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:41 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:41 . 2009-04-20 18:18 136704 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-25 08:41 . 2009-04-20 18:17 301568 ----a-w- c:\windows\system32\kerberos.dll 2009-06-24 10:28 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys . ------- Sigcheck ------- [-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys [-] 2008-04-14 . 6D9C6B855C7CF5F36392D194DF6BF553 . 98304 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe c:\windows\system32\wscntfy.exe ... is missing !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2009-06-27 03:02 77824 ----a-w- c:\documents and 
settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-08 133104] "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-24 203928] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-14 39408] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632] "AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-12-11 454656] "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-14 68592] "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648] "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256] "LogMeIn GUI"="c:\program 
files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960] "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-03-20 49152] "VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-05-13 143360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-04-20 128512] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2009-8-27 26784939] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "MaxRecentDocs"= 18 (0x12) "NoSMConfigurePrograms"= 1 (0x1) "NoRecentDocsNetHood"= 1 (0x1) "MemCheckBoxInRunDlg"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-07 22:49 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= 
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Vuze\\Azureus.exe"= "c:\\Program Files\\Opera\\opera.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\OCS Inventory NG\\xampp\\apache\\bin\\apache.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5353:TCP"= 5353:TCP:Adobe CSI CS4 R3 DKNBOHUKUXMFC;DKNBOHUKUXMFC;c:\docume~1\Owner\LOCALS~1\Temp\DKNBOHUKUXMFC.exe [x] R3 NJUOF;NJUOF;c:\docume~1\Owner\LOCALS~1\Temp\NJUOF.exe [x] R3 OSPOQRYU;OSPOQRYU;c:\docume~1\Owner\LOCALS~1\Temp\OSPOQRYU.exe [x] R4 LMIRfsClientNP;LMIRfsClientNP; [x] S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-12-16 21144] S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856] S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704] S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808] --- Other Services/Drivers In Memory --- *Deregistered* - uphcleanhlp . 
Contents of the 'Scheduled Tasks' folder 2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003Core.job - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09] 2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1801674531-842925246-1003UA.job - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-08 02:09] 2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{A33E4BAC-2D8E-4B90-B140-A04B0D5E05B9}.job - c:\windows\system32\msfeedssync.exe [2009-04-20 18:22] . . ------- Supplementary Scan ------- . uStart Page = hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1251001917&.rand=c2via7vubeq8h uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\ FF - prefs.js: browser.startup.homepage - hxxp://us.mc308.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253148704&.rand=ebj0rffduv18k|http://www.google.com/search?q=www.safer-networking.org&source=DNS&lr=&rlz= FF - plugin: c:\documents and 
settings\Owner\Application Data\Mozilla\Firefox\Profiles\urql8k3i.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-17 23:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1?$?????'d?|????.d?|` $??6$?????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql] "ImagePath"="\"c:\program files\OCS Inventory NG\xampp\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\OCS Inventory NG\xampp\mysql\bin\my.cnf\" mysql" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(740) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll - - - - - - - > 'explorer.exe'(1492) c:\windows\system32\WININET.dll c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3079_x-ww_b811a94e\MSVCR80.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\ramaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe c:\program files\UPHClean\uphclean.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . 
Completion time: 2009-09-18 23:55 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-18 04:55 Pre-Run: 136,236,929,024 bytes free Post-Run: 136,154,484,736 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [spybotsd] timeout.old=30 410 --- E O F --- 2009-09-18 01:34
Attached File(s): Attach.txt (5.77k), DDS.txt (18.69k), log.txt (31.37k), ark.txt (45.21k)
Post #2 by _temp_ (Group: Malware Response Instructor, Posts: 13,118, Joined: 25-January 08, From: At home, Member No.: 186,120)
Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to we assume it has been abandoned and it is closed.

Regards,
_temp_
Post #3 by _temp_ (Group: Malware Response Instructor, Posts: 13,118, Joined: 25-January 08, From: At home, Member No.: 186,120)
Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a PM. Please include the address of this thread in your request. This applies only to the original topic starter. Everyone else please start a new topic.

With Regards,
_temp_