
Virtumonde W/rootkit ... I Think


  • This topic is locked
23 replies to this topic

#1 Gabisonfire

Posted 10 April 2008 - 12:07 PM

Hi!
I was infected by Virtumonde and I ran Spybot S&D, Ad-Aware and NOD32 but couldn't fix it. Also tried VundoFix in safe mode and also in normal mode. Seemed to clean it but it came back again. Also tried VirtumundoBeGone in normal and safe mode. Seemed to fix it but it's still here. Did all that again and the logs were telling me it was gone. Everything is fine, but one thing keeps bugging me in the HijackThis log:

O4 - HKLM\..\Run: [BMeba3747b] Rundll32.exe "C:\WINDOWS\system32\ebjuprfo.dll",s
I believe this is it... Had HijackThis fix this, but every time I reboot it comes back there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:46 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Stardock\MyColors\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Torrents\AnyDVD.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\DesktopGadgets\Montreal Canadiens Weather\Montreal Canadiens Weather.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\AnyTrial.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Apps&Junk\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: isoHunt Toolbar - {a6e4a4eb-d169-4e99-8988-250fcbafe767} - C:\Program Files\isoHunt\tbiso1.dll
O2 - BHO: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O3 - Toolbar: isoHunt Toolbar - {a6e4a4eb-d169-4e99-8988-250fcbafe767} - C:\Program Files\isoHunt\tbiso1.dll
O3 - Toolbar: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G520] C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMeba3747b] Rundll32.exe "C:\WINDOWS\system32\ebjuprfo.dll",s
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnyDVD] D:\Torrents\AnyDVD.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Montreal Canadiens Weather.lnk = C:\Program Files\Stardock\DesktopGadgets\Montreal Canadiens Weather\Montreal Canadiens Weather.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: BugSoft AnyTrial (AnyTrial) - Dr.Pc Putte Corp ;) - C:\WINDOWS\AnyTrial.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe (file missing)
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8755 bytes

Thank you. Really appreciated.
Gabisonfire - Habs all the way!


#2 Rahina (Security Helper)

Posted 11 April 2008 - 06:18 AM

Hello!

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

___________________
  • Open HijackThis
  • Click Config
  • Click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found Here.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#3 Gabisonfire (Topic Starter)

Posted 11 April 2008 - 12:01 PM

Here they are!
Thank you!

Attached Files



#4 Rahina (Security Helper)

Posted 11 April 2008 - 03:29 PM

You don't have the Windows Recovery Console installed. Whilst it may not be needed at this time, current infections tend to patch a lot of critical system files now; these often result in multiple problems and sometimes they can cause unbootable machines. Having the Windows Recovery Console installed on your machine will help you and me in case something goes wrong while we are in the process of cleaning your machine.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

#5 Gabisonfire (Topic Starter)

Posted 11 April 2008 - 08:14 PM

Here you go again.
Thank you! It is really appreciated.

Attached Files



#6 Rahina (Security Helper)

Posted 12 April 2008 - 09:24 AM

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Temporarily disable Real-Time Protection:

Spybot S&D (TeaTimer)
  • 1. Run Spybot-S&D in Advanced Mode.
  • 2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • 3. On the left hand side, click on Tools.
  • 4. Then click on the Resident icon in the list.
  • 5. Uncheck "Resident TeaTimer" and OK any prompts.
  • 6. Restart your computer.
Ad-Aware 2007 Service
  • 1. On your desktop, click Start -> Run and type services.msc in the open box.
  • 2. Click OK or hit Enter.
  • 3. Scroll down the list of services and double-click "Ad-Aware 2007 Service".
  • 4. In the service properties window that opens, click the "STOP" button.
  • 5. Under Startup Type, use the pull-down menu and select "Disabled" from the list of options.
  • 6. Click OK.
  • 7. Exit the Services Control Manager.
Open Notepad and copy/paste the text in the quote box below into it (please make sure you copy everything in the code box):

File::
C:\WINDOWS\system32\ebjuprfo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeba3747b"=-


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

_____________

Did you set these policies?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

_____________

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update", then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware, reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


#7 Gabisonfire (Topic Starter)

Posted 13 April 2008 - 02:52 AM

Hi!
So i did all you posted, here are the logs.

I ran AVG twice, which is why there are 2 logs, and btw, the link for AVG you provided is dead :thumbsup:.
Also a bmp of an error I get every time I boot. Also the ComboFix log generated with the script.
And I don't understand the quote about the policies... anyway, no, I didn't set them!

Thank you again! :blink:

Attached Files



#8 Rahina (Security Helper)

Posted 13 April 2008 - 09:12 AM

the link for avg you provided is dead

I'm sorry for that.

What a bummer, there was something I did not add to my previous CFScript, and that is why it did not work.

Open Notepad and copy/paste the text in the quote box below into it (please make sure you copy everything in the code box):

File::
C:\WINDOWS\system32\ebjuprfo.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeba3747b"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"=-
"NoSMMyPictures"=-

Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

____________________

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Turn off the real-time scanner of any existing antivirus program while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
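To tie the O4 line from post #1 to the CFScript in this post, here is an added example (not BleepingComputer's, ComboFix's or the helper's own code): it parses O4 Run entries from a HijackThis log, flags the Vundo-style rundll32 loader using heuristics assumed from this thread's log (random lowercase DLL name in system32, one-letter export, a "BM" plus hex value name), and writes a CFScript with both the File:: and the Registry:: headers, the header that the first script in post #6 left out. The sample log lines are constructed.

```python
"""Triage HijackThis O4 (Run key) entries for the Vundo/Virtumonde loader pattern
seen in this thread and emit a ComboFix CFScript that removes the flagged DLL
and its Run value.  Added example; the scoring rules are assumptions drawn from
the posted log, not ComboFix or HijackThis logic."""
import re
from dataclasses import dataclass

# Constructed sample: four O4 lines in HijackThis v2 format (shape copied from
# the log in post #1; BMeba3747b is the entry the poster asked about).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BMeba3747b] Rundll32.exe "C:\WINDOWS\system32\ebjuprfo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis abbreviates the Run keys; these are the full paths CFScript needs.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# rundll32 [path\]name.dll,Export   (the DLL path may be quoted)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.I)


@dataclass
class O4Entry:
    hive: str            # HKLM or HKCU
    name: str            # value name shown in [...]
    command: str         # the command line
    dll_path: str = ""   # DLL loaded through rundll32, if any
    export: str = ""     # export name after the comma
    reasons: tuple = ()  # heuristics that fired


def parse_o4(log_text):
    """Return an O4Entry for every O4 Run line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = O4Entry(*m.groups())
        r = RUNDLL_RE.match(entry.command)
        if r:
            entry.dll_path, entry.export = r.group(1), r.group(2)
        entries.append(entry)
    return entries


def score_entry(entry):
    """Count the Vundo-style indicators (assumed from this thread's log):
    rundll32 loading a system32 DLL named with random lowercase letters,
    a one-letter export, and a 'BM' + 8-hex-digit value name."""
    reasons = []
    if entry.dll_path:
        base = entry.dll_path.rsplit("\\", 1)[-1][:-4]   # strip dir and ".dll"
        if "\\system32\\" in entry.dll_path.lower() and re.fullmatch(r"[a-z]{6,10}", base):
            reasons.append("random-looking lowercase DLL name in system32")
        if len(entry.export) <= 1:
            reasons.append("one-letter (or empty) export name")
    if re.fullmatch(r"BM[0-9a-f]{8}", entry.name):
        reasons.append("value name 'BM' + 8 hex digits")
    entry.reasons = tuple(reasons)
    return len(reasons)


def find_suspicious(log_text, threshold=2):
    """Entries that trip at least `threshold` indicators."""
    return [e for e in parse_o4(log_text) if score_entry(e) >= threshold]


def build_cfscript(findings, policy_values=()):
    """Emit a CFScript in the layout of post #8: a File:: section listing the
    DLLs and a Registry:: section deleting the Run values ("name"=-).
    policy_values are extra (key, value) pairs to delete, such as the
    Explorer NoSMMyDocs / NoSMMyPictures policies queried in post #6."""
    lines = ["File::"] + sorted({f.dll_path for f in findings if f.dll_path})
    lines += ["", "Registry::"]
    by_key = {}
    for f in findings:
        by_key.setdefault(RUN_KEYS[f.hive], []).append(f.name)
    for key, value in policy_values:
        by_key.setdefault(key, []).append(value)
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{v}"=-' for v in values]
    return "\n".join(lines) + "\n"


def cfscript_is_well_formed(script):
    """Every [HKEY_...] block must sit under a Registry:: header; the script in
    post #6 failed this check, which is why the value was not removed."""
    section = None
    for line in script.splitlines():
        if line.endswith("::"):
            section = line
        elif line.startswith("[HKEY_") and section != "Registry::":
            return False
    return True


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_HJT_LOG)
    for h in hits:
        print(f"[{h.name}] {h.dll_path} -> {'; '.join(h.reasons)}")
    print(build_cfscript(hits))
```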

#9 Gabisonfire (Topic Starter)

Posted 14 April 2008 - 06:48 AM

Here's the log, unfortunately, the scan gets stuck at 68%. Tried many times and it gets stuck at this point.

Attached Files



#10 Rahina (Security Helper)

Posted 14 April 2008 - 08:04 AM

Hi!

Delete this folder:

D:\Apps&Junk\Nero 7.8.5.0 Ultra Incl Keygen

Perform an online scan with Internet Explorer with Panda Active Scan

1. Click Scan your PC and a 'pop up' window will appear. *Ensure that your pop-up blocker doesn't block it.
2. Click Scan Now.
3. Enter your e-mail address and click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.

Begin the scan by selecting My Computer.

* If it finds any malware, it will offer you a report.
* Click on See report. Then click Save report.

Post the contents of the report in your next reply.

* You needn't remain online while it's doing the scan, but you have to reconnect after it has finished to see the report.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

#11 Gabisonfire (Topic Starter)

Posted 14 April 2008 - 04:12 PM

We're having problems again ;)
I get an update error.
Maybe I can scan with my nod32?
Thank you!

Attached Files



#12 Rahina (Security Helper)

Posted 15 April 2008 - 07:23 AM

Maybe I can scan with my nod32?


Please do it (full system scan).

Let me know the results: paste the scan results here, or upload them as a txt file.

#13 Gabisonfire (Topic Starter)

Posted 16 April 2008 - 12:27 PM

Here's the nod32 log :thumbsup:

Scan Log
Version of virus signature database: 3031 (20080416)
Date: 4/16/2008 Time: 1:14:23 PM
Scanned disks, folders and files: C:\;D:\;F:\
C:\pagefile.sys - error opening [4]
C:\Documents and Settings\Administrator\ntuser.dat - error opening [4]
C:\Documents and Settings\Administrator\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {53C999ED-A5A6-4345-9C6E-98E43A43BB0E} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {6610ADD5-F885-418D-8287-C734B7DB1F18} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {919D9F1E-38EA-411F-ADD5-6C7A2D5CD377} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {A5C2746D-49AE-43C9-AAC9-B1B7FB866E90} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {B5CE10ED-890E-4667-A039-98843D0F06F4} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {B696AF5C-AD09-488A-A157-F62D4FB1384D} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {BF07A2EB-DBE8-4664-AD4F-B78CE219C3CF} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {C5F1D439-7437-4BDE-BA9E-C7E40FA02B25} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {CCA0F716-3899-49C3-BF06-5071474F56DA} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {CFA4B4AC-D028-4578-AB29-49C1D9B2820B} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {F6ACD4DD-E2E8-4E8B-BD5E-E8AA5F7CB371} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {F79034E7-9F3B-4A94-8717-BF0542B27FBE} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP {FA77C979-330C-4008-A2BE-9EAD9A58C341} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-11-2008 - 01-47-48.SBU ZIP backup.db - error - password-protected file
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{51CB442D-66DF-49CD-ABED-38BD41A80EFB}\Microsoft\Outlook Express\Inbox.dbx DBX - is OK (internal scanning not performed)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\Documents and Settings\Administrator\Local Settings\Temp\GLB4EB.tmp WISE WISE0132.DLL - archive damaged
C:\Documents and Settings\Administrator\Local Settings\Temp\GLBA4.tmp WISE WISE0132.DLL - archive damaged
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommonDialogs.zip ZIP sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommonDialogs.zip ZIP sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip ZIP qjlkxvbe.dll - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip ZIP sbRecovery.ini - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\Documents and Settings\NetworkService\ntuser.dat - error opening [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\DrvSetup\RES\EULA\EC_French.txt MIME - is OK (internal scanning not performed)
C:\DrvSetup\RES\EULA\EC_Italian.txt MIME - is OK (internal scanning not performed)
C:\DrvSetup\RES\EULA\EC_Portuguese.txt MIME - is OK (internal scanning not performed)
C:\DrvSetup\RES\EULA\EC_Spanish.txt MIME - is OK (internal scanning not performed)
C:\DrvSetup\RES\EULA\US_Spanish.TXT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB PROCESS_LIBRARY.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB HIRING_REQUISITION_CUSTOMIZED.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB HARDWARE_TRACKER.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB HIRING_REQUISITION.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB CUSTOMER_SUPPORT.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB TRACK_ISSUES.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB STATUS_REPORT.FDT MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab CAB POLICIES.FDT MIME - is OK (internal scanning not performed)
C:\Program Files\Audacity\audacity-1.2-help.htb ZIP audacity.hhp MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip ZIP lib/deploy/ffjcext.zip ZIP {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}/chrome.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip ZIP lib/resources.jar ZIP com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip ZIP lib/resources.jar ZIP com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip ZIP lib/resources.jar ZIP javax/xml/bind/Messages.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\Getting Started.mht MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_05\lib\resources.jar ZIP com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_05\lib\resources.jar ZIP com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_05\lib\resources.jar ZIP javax/xml/bind/Messages.properties MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_05\lib\deploy\ffjcext.zip ZIP {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}/chrome.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\browser.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\comm.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome.manifest MIME - is OK (internal scanning not performed)
C:\Program Files\Nero\Nero 7\Core\CDI\CDI_VCD.CFG MIME - is OK (internal scanning not performed)
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img GZIP - archive damaged
C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe NSIS - bad archive
C:\WINDOWS\S62611C8E.tmp - error opening [4]
C:\WINDOWS\SoftwareDistribution\EventCache\{3FEDD006-7E94-4211-BDD9-228D80E59F33}.bin - error opening [4]
C:\WINDOWS\system32\mmf.sys - error opening [4]
C:\WINDOWS\system32\config\DEFAULT - error opening [4]
C:\WINDOWS\system32\config\default.LOG - error opening [4]
C:\WINDOWS\system32\config\SAM - error opening [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening [4]
C:\WINDOWS\system32\config\SECURITY - error opening [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening [4]
C:\WINDOWS\system32\config\SOFTWARE - error opening [4]
C:\WINDOWS\system32\config\software.LOG - error opening [4]
C:\WINDOWS\system32\config\SYSTEM - error opening [4]
C:\WINDOWS\system32\config\system.LOG - error opening [4]
D:\gabishere.rar RAR gabishere\counter-strike\cstrike\maps\x-mas_tree.txt MIME - is OK (internal scanning not performed)
D:\gabishere.rar RAR gabishere\counter-strike\cstrike\maps\xmas_nipperhouse.txt MIME - is OK (internal scanning not performed)
D:\Apps&Junk\AnyDVD.&.AnyDVD.HD.v6.3.1.5.FiNAL + HD & BlueRay Support.rar RAR AnyDVD.&.AnyDVD.HD.v6.3.1.5.FiNAL + HD & BlueRay Support\SetupAnyDVD6315.exe NSIS - bad archive
D:\Apps&Junk\M6A00mux.exe ZIP DrvSetup/RES/EULA/EC_French.txt MIME - is OK (internal scanning not performed)
D:\Apps&Junk\M6A00mux.exe ZIP DrvSetup/RES/EULA/EC_Italian.txt MIME - is OK (internal scanning not performed)
D:\Apps&Junk\M6A00mux.exe ZIP DrvSetup/RES/EULA/EC_Portuguese.txt MIME - is OK (internal scanning not performed)
D:\Apps&Junk\M6A00mux.exe ZIP DrvSetup/RES/EULA/EC_Spanish.txt MIME - is OK (internal scanning not performed)
D:\Apps&Junk\M6A00mux.exe ZIP DrvSetup/RES/EULA/US_Spanish.TXT MIME - is OK (internal scanning not performed)
D:\Apps&Junk\Flash_FXP With Crack-Serial\Flash_FXP-Patch.exe RAR Patch.exe - probably a variant of Win32/Hupigon trojan
D:\Apps&Junk\SWAT 4 - Special Edition DVD [vertigo173]\SWAT4.part01.rar RAR SWAT 4 - Special Edition DVD.iso - next archive volume not found
D:\RIPS\AnyDVD & AnyDVD HD 6.3.1.2 FINAL with HD-BluRay\SetupAnyDVD6312.exe NSIS - bad archive
D:\Torrents\AnyDVD HD 6.3.0.3 setup.exe NSIS - bad archive
D:\Torrents\SlySoft AnyDVD HD 6.3.0.3.zip ZIP SlySoft AnyDVD HD 6.3.0.3/AnyDVD HD 6.3.0.3 setup.exe NSIS - bad archive
D:\TxtFiles\Admission Network.mht MIME - is OK (internal scanning not performed)
Number of scanned objects: 218802
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 1:25:38 PM Total scanning time: 675 sec (00:11:15)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
Gabisonfire - Habs all the way!
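The scan log above ends with one detection and a long tail of objects NOD32 could not inspect. As an added example (not code from the thread, from ESET or from the helper), the Python below splits each scan line into the object, its enclosing archive and the verdict, then groups the "password-protected file" errors by the archive that holds them. The line format and verdict strings are taken from the log; the class names, the `SAMPLE_LOG` subset and the summary layout are this example's own assumptions.

```python
"""Triage an ESET NOD32 scan log of the kind posted above.

Added example, not part of the original thread and not ESET's code. It
splits each scan line into the object scanned, the archive containing it
and the scanner's verdict, then groups "password-protected file" errors by
their top-level container, which is what shows the unscanned objects to be
quarantine archives rather than live files.
"""
import re
from collections import Counter

# Constructed subset of the log lines above (the real log has ~218,802 objects).
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-09-2008 - 05-51-06.SBU ZIP {C052B8F0-5CF9-47A4-A39E-F176027F4E2D} - error - password-protected file
C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-09-2008 - 05-51-06.SBU ZIP backup.db - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip ZIP qjlkxvbe.dll - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening [4]
C:\WINDOWS\system32\config\SAM - error opening [4]
C:\DrvSetup\RES\EULA\EC_French.txt MIME - is OK (internal scanning not performed)
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img GZIP - archive damaged
C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe NSIS - bad archive
D:\Apps&Junk\Flash_FXP With Crack-Serial\Flash_FXP-Patch.exe RAR Patch.exe - probably a variant of Win32/Hupigon trojan
D:\Apps&Junk\SWAT 4 - Special Edition DVD [vertigo173]\SWAT4.part01.rar RAR SWAT 4 - Special Edition DVD.iso - next archive volume not found
"""

# "<subject> - <status>": the subject itself may contain " - " (the
# SUPERAntiSpyware quarantine names do), so anchor on the known verdicts.
STATUS_RE = re.compile(
    r"^(?P<subject>.+?) - (?P<status>"
    r"error - password-protected file"
    r"|error opening \[\d+\]"
    r"|archive damaged"
    r"|bad archive"
    r"|next archive volume not found"
    r"|is OK \([^)]*\)"
    r"|(?:probably )?a variant of .+"
    r")$"
)
# Archive-type tokens NOD32 prints between a container and its member.
CONTAINER_RE = re.compile(r" (?:ZIP|RAR|CAB|NSIS|WISE|GZIP|MIME|DBX)(?: |$)")


def classify(status):
    """Map a verdict string to a coarse class a helper can act on."""
    if status.startswith("error - password-protected"):
        return "encrypted"    # scanner could not look inside the archive
    if status.startswith("error opening"):
        return "locked"       # note [4]: in use; normal for live registry hives
    if status in ("archive damaged", "bad archive") or status.startswith("next archive volume"):
        return "unreadable"   # truncated or non-standard archive, not a verdict
    if status.startswith("is OK"):
        return "clean"
    return "detection"        # anything else is a named threat


def parse_log(text):
    """Turn scan lines into records; totals and notes lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not re.match(r"^[A-Za-z]:\\", line):
            continue
        m = STATUS_RE.match(line)
        if m:
            subject, status = m.group("subject"), m.group("status")
        else:
            subject, _, status = line.rpartition(" - ")  # verdict text we don't know
        records.append({
            "path": CONTAINER_RE.split(subject)[0],   # outermost file on disk
            "subject": subject,
            "status": status,
            "class": classify(status),
        })
    return records


def summarize(records):
    """Counts per class, the named detections, and the containers left unscanned."""
    counts = Counter(r["class"] for r in records)
    detections = [(r["subject"], r["status"]) for r in records if r["class"] == "detection"]
    encrypted = sorted({r["path"] for r in records if r["class"] == "encrypted"})
    return {"counts": dict(counts), "detections": detections, "encrypted_containers": encrypted}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for cls, n in summary["counts"].items():
        print(f"{cls:>10}: {n}")
    for path in summary["encrypted_containers"]:
        print("unscanned container:", path)
    for subject, status in summary["detections"]:
        print("DETECTION:", status, "<-", subject)
```

Grouping by container is the point: every encrypted object collapses to a handful of quarantine archives, which is what the reply below asks to empty, since a scanner cannot vouch for what it cannot open and quarantines are password-protected precisely so their contents stay inert. The `error opening [4]` hits on NTUSER.DAT, SAM, SECURITY, SOFTWARE and SYSTEM are the live registry hives and are expected on any running system; the one real verdict in this log is the Hupigon detection inside the Flash_FXP patch archive.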

#14 Rahina
Security Helper

Posted 17 April 2008 - 04:34 PM

Hello there!

Please open SUPERAntiSpyware's quarantine and empty it.

Also empty Spybot's Recovery.

Post a new ComboFix log.

#15 Gabisonfire (Topic Starter)

Posted 17 April 2008 - 09:43 PM

Hey!
They were deleted and here's the log as you asked!

ComboFix 08-04-11.5 - Administrator 2008-04-17 22:39:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2729 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! <----- That's a lie ;) I installed it as you asked and actually used it yesterday, I think.
.

((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-15 06:16 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-04-15 06:05 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\ntoskrnl.exe
2008-04-15 06:05 . 2002-12-31 08:00 623,104 --a------ C:\WINDOWS\system32\ntfs.sys
2008-04-15 05:58 . 2002-12-31 08:00 623,104 --a------ C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-15 05:58 . 2002-12-31 08:00 623,104 --a------ C:\WINDOWS\NTFS.SYS
2008-04-15 03:55 . 2008-04-15 03:55 51 --a------ C:\WINDOWS\wb.ini
2008-04-15 03:41 . 2008-04-15 03:41 <DIR> d-------- C:\Program Files\Mgtweak
2008-04-15 03:41 . 2008-04-16 13:31 1,665 --a------ C:\WINDOWS\mgreg.ini
2008-04-15 03:41 . 2008-04-15 03:26 56 --a------ C:\WINDOWS\mgwin.ini
2008-04-15 03:26 . 2008-04-15 03:27 122 --a------ C:\WINDOWS\_vmtxp.ini
2008-04-15 01:50 . 2008-04-15 02:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HLSW
2008-04-13 00:09 . 2008-04-13 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-10 12:54 . 2008-04-10 12:54 <DIR> d-------- C:\Program Files\Java
2008-04-10 12:54 . 2008-04-10 12:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-10 12:54 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 05:55 . 2008-04-09 05:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 05:53 . 2008-04-09 05:53 16,384 --ahs---- C:\Thumbs.db
2008-04-09 05:53 . 2008-04-16 05:43 14,848 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-09 05:39 . 2008-04-09 06:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 05:39 . 2008-04-09 05:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 05:39 . 2008-04-09 05:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-09 02:17 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-09 02:17 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-09 02:16 . 2008-04-09 02:16 <DIR> d-------- C:\Program Files\ESET
2008-04-08 13:30 . 2008-04-08 13:30 <DIR> d-------- C:\Program Files\Illustrate
2008-04-08 13:30 . 2008-04-08 13:30 131,072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-04-08 11:39 . 2008-04-08 23:07 414 --ahs---- C:\WINDOWS\system32\hjarmces.ini
2008-03-27 22:33 . 2008-03-27 22:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-27 22:33 . 2008-03-27 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-19 06:19 . 2008-03-19 06:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MilkShape 3D 1.x.x
2008-03-18 22:19 . 2008-03-18 22:19 268 --ah----- C:\sqmdata00.sqm
2008-03-18 22:19 . 2008-03-18 22:19 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-11-21 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-11-21 01:30 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-20 05:27 --------- d-----w C:\Program Files\LimeWire
2008-04-15 07:55 --------- d-----w C:\Program Files\Common Files\Stardock
2008-04-15 07:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-15 06:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 06:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 05:12 --------- d-----w C:\Program Files\MagicISO
2008-04-13 05:12 --------- d-----w C:\Program Files\LG PC Suite 2
2008-04-13 05:12 --------- d-----w C:\Program Files\LClock
2008-04-13 05:12 --------- d-----w C:\Program Files\FairUse Wizard 2
2008-04-13 05:12 --------- d-----w C:\Program Files\ArtCine NFO Creator 2.0
2008-04-09 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-09 09:00 --------- d-----w C:\Program Files\SpeedFan
2008-04-09 05:16 --------- d-----w C:\Program Files\PowerISO
2008-04-09 05:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-07 20:27 63,248 ----a-w C:\WINDOWS\system32\sc.exe
2008-04-07 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-04-03 20:18 --------- d-----w C:\Program Files\LogMeIn
2008-04-01 19:48 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 21:40 --------- d-----w C:\Program Files\uTorrent
2008-03-16 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-15 05:16 --------- d-----w C:\Program Files\isoHunt
2008-03-13 19:45 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-13 19:45 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-13 19:20 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-10 04:01 --------- d-----w C:\Program Files\eMule
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-22 01:35 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-20 15:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 15:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 15:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 06:20 --------- d-----w C:\Program Files\Mininova
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-12 18:01 15,872 --sha-w C:\WINDOWS\AnyTrial.exe
2008-02-04 10:12 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-02-04 10:12 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-01-18 15:35 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2007-08-20 06:47 357 ----a-w C:\Documents and Settings\Administrator\.cb_layout.bin
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]
2008-03-15 01:16 1470488 --a------ C:\Program Files\isoHunt\tbiso1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f592709f-ff4a-4862-b659-4afabda56312}]
2008-02-14 15:54 1555480 --a------ C:\Program Files\Mininova\tbMini.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A6E4A4EB-D169-4E99-8988-250FCBAFE767}"= "C:\Program Files\isoHunt\tbiso1.dll" [2008-03-15 01:16 1470488]
"{F592709F-FF4A-4862-B659-4AFABDA56312}"= "C:\Program Files\Mininova\tbMini.dll" [2008-02-14 15:54 1555480]

[HKEY_CLASSES_ROOT\clsid\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]

[HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A6E4A4EB-D169-4E99-8988-250FCBAFE767}"= C:\Program Files\isoHunt\tbiso1.dll [2008-03-15 01:16 1470488]

[HKEY_CLASSES_ROOT\clsid\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 12:00 15360]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40 86960]
"AnyDVD"="D:\Torrents\AnyDVD.exe" [2007-12-21 05:34 1649600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 12:27 65536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-02-02 15:23 7774208]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 10:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 12:23 1953792]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 14:49 1423360]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 15:38 16384512 C:\WINDOWS\RTHDCPL.exe]
"D-Link AirPlus XtremeG DWL-G520"="C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-21 15:43 1327104]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-02-02 15:23 81920]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Montreal Canadiens Weather.lnk - C:\Program Files\Stardock\DesktopGadgets\Montreal Canadiens Weather\Montreal Canadiens Weather.exe [2008-04-15 03:55:17 882864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-15 12:54:50 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoStartMenuMyMusic"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\MyColors\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sports Interactive\\NHL Eastside Hockey Manager 2007\\ehm2007.exe"=
"C:\\Program Files\\BearShare\\Bearshare.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27015:TCP"= 27015:TCP:Half-life

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 AnyTrial;BugSoft AnyTrial;C:\WINDOWS\AnyTrial.exe [2008-02-12 14:01]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-09-13 16:29]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14:56]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2006-10-16 01:58]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" []
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 10:12]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys []
S3 ATICXTUN;ATI TV Wonder 200 Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys []
S3 ATICXXBR;ATI TV Wonder 200 A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys []
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-02-15 14:14]
S4 SessionLauncher;SessionLauncher;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E888}]
D:\Torrents\AnyDVD leftover killer 1.3.exe -M
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 22:40:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-04-17 22:40:55
ComboFix-quarantined-files.txt 2008-04-18 02:40:51
Pre-Run: 57,952,030,720 bytes free
Post-Run: 57,932,619,776 bytes free
.
2008-04-09 17:26:02 --- E O F ---
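The ComboFix log above is clean as far as catchme is concerned (no hidden files, processes or autostarts), so what is left to read is the "Reg Loading Points" section: where things start from, and which protections are switched off. As an added example (not ComboFix's code and not from the thread), the Python below re-reads that section and flags what a helper looks at first: autostarts and services running from outside the usual program directories, Security Center and firewall settings that have been turned off, and the registry locations (AppInit_DLLs, Active Setup Installed Components, AutoRun mount points) that malware of this period used for persistence. Every hit is a review item, not a verdict: here the AnyDVD entries point at the user's own D:\Torrents folder, and the log itself shows the Stardock WindowBlinds winlogon notify entry alongside `AppInit_DLLs`. The rule names, severities and the C:\WINDOWS / C:\Program Files allow-list are assumptions of this example, as is the `SAMPLE_LOG` subset.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example, not ComboFix's code. Every hit is a review item, not a
verdict; rule names, severities and the allow-listed roots are assumptions.
"""
import ntpath
import re

# Constructed subset of the ComboFix lines posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 12:00 15360]
"AnyDVD"="D:\Torrents\AnyDVD.exe" [2007-12-21 05:34 1649600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 AnyTrial;BugSoft AnyTrial;C:\WINDOWS\AnyTrial.exe [2008-02-12 14:01]
S4 SessionLauncher;SessionLauncher;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - SETUP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E888}]
D:\Torrents\AnyDVD leftover killer 1.3.exe -M
"""

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")   # assumed trusted roots
HEADER_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]+)")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def reg_value(line):
    """(name, value) from a ComboFix value line; bare names like "nwiz.exe" are resolved via the [...] note."""
    m = VALUE_RE.match(line)
    if not m:
        return None
    name, raw = m.group("name"), m.group("value").strip()
    if raw.startswith('"'):
        value, _, rest = raw[1:].partition('"')
        if ":\\" not in value:
            found = re.search(r"([A-Za-z]:\\[^\]]+)\]", rest)
            value = found.group(1) if found else value
    else:
        value = re.sub(r"\s*\[.*\]$", "", raw)
    return name, value.strip()


def reg_int(raw):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0])


def in_system_dirs(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(text):
    """Return (severity, rule, detail) tuples for the entries worth a second look."""
    findings, key, key_tail, want_stubpath = [], "", "", False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        header = HEADER_RE.match(line)
        if header:
            key, key_tail = header.group("key").lower(), header.group("key").rsplit("\\", 1)[-1]
            want_stubpath = "active setup\\installed components\\" in key
            if want_stubpath and not GUID_RE.match(key_tail):   # real keys here are GUIDs
                findings.append(("high", "active_setup_bad_guid", key_tail))
            continue
        if want_stubpath:   # line after the key is the StubPath, run once per user at logon
            if not in_system_dirs(line):
                findings.append(("high", "active_setup_outside_system_dirs", line))
            want_stubpath = False
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            path = svc.group("path").strip()
            if "\\temp\\" in path.lower() or ntpath.dirname(path).lower() == "c:\\windows":
                findings.append(("medium", "service_unusual_path", f"{svc.group('name')} -> {path}"))
            continue
        if "mountpoints2" in key and "\\shell\\autorun\\command" in line.lower():
            findings.append(("medium", "autorun_mountpoint", f"drive {key_tail}: {line}"))
            continue
        kv = reg_value(line)
        if not kv:
            continue
        name, value = kv
        if key.endswith("\\run") and not in_system_dirs(value):
            findings.append(("high", "run_outside_system_dirs", f"{name} -> {value}"))
        elif name.lower() == "appinit_dlls" and value:   # loaded into every process that links user32
            findings.append(("medium", "appinit_dlls_set", value))
        elif name.lower() == "antivirusdisablenotify" and reg_int(value) == 1:
            findings.append(("medium", "security_center_notify_disabled", f"{name}={value}"))
        elif name.lower() == "enablefirewall" and reg_int(value) == 0:
            findings.append(("medium", "firewall_disabled", key))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Two of the hits deserve a word. The Active Setup key `{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E888}` is not a GUID at all (V, M, Q, R, N, U, F and L are not hex digits), so it was written by hand rather than registered by an installer; whether that is the "AnyDVD leftover killer" doing what its name says or something else is exactly the sort of question to put to the helper rather than decide from the log alone. `EnableFirewall = 0` and `AntiVirusDisableNotify = 1` do not indicate infection, but a machine that has just been fighting Virtumonde should have both turned back on before it is declared clean.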