Search Engine Redirecting me to suspicious sites


  • This topic is locked
25 replies to this topic

#1 Dirk Pro

Dirk Pro

  • Members
  • 93 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 04 January 2009 - 09:47 PM

I have been referred here by boopme. http://www.bleepingcomputer.com/forums/t/191948/search-engine-redirects/. My search engines (Google, Yahoo) are redirecting me to other suspicious sites. Here is the HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:33, on 1/4/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Accessories\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Accessories\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/fantasy
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230404567437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228448062703
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Accessories\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\ACCESS~1\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2140 bytes


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 11 January 2009 - 12:20 PM

Hello Dirk Pro.

Your HijackThis log looks extremely small. Have you been fixing anything with HijackThis?

Please follow the instructions in the Preparation Guide For Use Before Using HijackThis.

Post the log and attach the other one, once you are done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 11 January 2009 - 01:49 PM

Thank you for your reply, extremeboy. Yes, I sometimes look at HiJackThis to delete things that are unnecessary. Should I be doing that? Here is the DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 13:41:53.03 on Sun 01/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1505 [GMT -5:00]

AV: AVG 7.5.518 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Accessories\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/fantasy
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSMHelp = 01000000
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\access~1\window~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-8 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-8 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-8 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-8 10760]
R1 SASDIFSV;SASDIFSV;c:\program files\accessories\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\accessories\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\accessories\powerdvd\000.fcl [2006-11-2 13560]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\accessories\ad-aware\aawservice.exe [2008-9-10 611664]
R4 WinDefend;Windows Defender;c:\program files\accessories\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\access~1\avg7\avgupsvc.exe [2008-3-8 49664]
S3 SASENUM;SASENUM;c:\program files\accessories\superantispyware\SASENUM.SYS [2008-8-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-01-10 08:32 <DIR> --d----- C:\ComboFix
2009-01-04 16:57 <DIR> --d----- c:\windows\ERUNT
2009-01-03 20:17 1,092 a------- c:\windows\system32\tmp.reg
2009-01-03 20:17 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-01-03 20:17 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-01-03 20:17 135,168 a------- c:\windows\system32\swreg.exe
2009-01-03 20:17 82,944 a------- c:\windows\system32\IEDFix.exe
2009-01-03 20:17 79,360 a------- c:\windows\system32\swxcacls.exe
2009-01-03 20:17 53,248 a------- c:\windows\system32\Process.exe
2009-01-03 20:17 51,200 a------- c:\windows\system32\dumphive.exe
2009-01-03 20:17 25,600 a------- c:\windows\system32\WS2Fix.exe
2009-01-03 09:22 <DIR> a-dshr-- C:\cmdcons
2009-01-02 08:48 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-30 17:07 <DIR> --d----- c:\windows\system32\Adobe
2008-12-28 08:28 <DIR> --d----- C:\Piano Lessons
2008-12-27 18:19 <DIR> --d----- c:\temp\gta4
2008-12-27 14:21 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-27 13:44 <DIR> --d----- c:\windows\system32\xlive
2008-12-27 13:44 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:21 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 12:21 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 <DIR> --d----- C:\GTA IV

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 09:24 507,904 a------- c:\windows\system32\winlogon.exe
2008-12-29 13:30 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 13:29 202,448 a------- c:\windows\system32\PnkBstrB.exe
2008-12-27 13:46 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-04 22:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-02-01 03:39 113,664 a------- c:\windows\inf\hdaudio.sys
2008-03-07 23:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030720080308\index.dat

============= FINISH: 13:42:04.42 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 11 January 2009 - 02:43 PM

Hello.

Yes, I sometimes look at HiJackThis to delete things that are unnecessary. Should I be doing that? Here is the DDS log:

No.

Hijackthis warning

HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.
If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program.

I also see you ran ComboFix. Please post back with the ComboFix log.
It can be found at C:\Combofix.txt.

Also what problems do you still have? I will leave soon, so I will analyze your log once I get back.

With Regards,
Extremeboy

#5 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 11 January 2009 - 03:14 PM

Ok, I will refrain from using HiJackThis now. I am still having the redirects. Whenever I use Google or Yahoo, the links that are brought up are irrelevant. Also, in the bottom left-hand corner of my Mozilla window, it says "Waiting for 7.7.7.0". Do you think the computer is safe to use on the web (like logging onto bank sites, other things), or should the computer be turned on at all? Here's the log for ComboFix. Thanks for looking, and I will be waiting for your response.

ComboFix 09-01-01.02 - Administrator 2009-01-03 9:23:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1645 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated)
AV: AVG 7.5.518 *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe


.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 08:48 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2009-01-01 17:36 . 2009-01-01 17:36 <DIR> d-------- C:\VundoFix Backups
2009-01-01 15:01 . 2009-01-01 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2009-01-01 15:01 . 2009-01-01 15:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-01-01 15:01 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-12-30 17:07 . 2008-12-30 17:08 <DIR> d-------- c:\windows\system32\Adobe
2008-12-28 08:28 . 2009-01-01 09:38 <DIR> d-------- C:\Piano Lessons
2008-12-27 18:19 . 2008-12-27 18:19 <DIR> d-------- c:\temp\gta4
2008-12-27 14:21 . 2008-12-27 14:21 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-27 13:44 . 2008-12-27 13:44 <DIR> d-------- c:\windows\system32\xlive
2008-12-27 13:44 . 2008-12-27 14:00 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:22 . 2008-12-27 12:22 <DIR> d-------- c:\program files\MSBuild
2008-12-27 12:21 . 2008-12-27 14:11 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 12:21 . 2008-12-27 12:21 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 12:21 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 . 2008-12-27 12:26 <DIR> d-------- C:\GTA IV
2008-12-06 09:14 . 2008-12-06 09:14 <DIR> d-------- c:\program files\iTunes
2008-12-06 09:14 . 2008-12-06 09:14 <DIR> d-------- c:\program files\iPod
2008-12-06 09:14 . 2008-12-06 09:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-04 22:37 . 2008-12-04 22:37 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 01:35 . 2008-12-03 01:35 <DIR> d-------- c:\windows\Logs
2008-12-03 01:35 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-12-03 01:35 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-12-03 01:35 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-12-03 01:35 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-12-03 01:35 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-12-03 01:35 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-12-03 01:35 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-12-03 01:24 . 2008-12-03 01:36 <DIR> d-------- C:\Call of Duty 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 14:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-01 20:01 --------- d-----w c:\program files\Accessories
2009-01-01 02:39 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-30 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-29 18:35 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-29 18:30 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-27 17:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 02:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-12-06 14:13 --------- d-----w c:\program files\Apple Software Update
2008-12-05 03:37 --------- d-----w c:\program files\Java
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-03 06:04 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-12-03 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 02:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 07:12 --------- d-----w c:\program files\AGEIA Technologies
2008-12-02 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 05:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-02 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 04:13 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-30 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 04:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-26 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-16 20:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-16 18:46 --------- d-----w c:\program files\QuickTime
2008-11-16 18:46 --------- d-----w c:\program files\Bonjour
2008-11-16 18:45 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 13:24 --------- d-----w c:\program files\Veoh
2008-11-12 21:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-07 00:05 --------- d-----w c:\program files\Nick Jr. Arcade
2008-11-07 00:05 --------- d-----w c:\program files\La Casa de Dora
2008-02-01 08:39 113,664 ----a-w c:\windows\inf\hdaudio.sys
2008-03-08 04:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Accessories\SpySweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avginet.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Accessories\\Azureus\\Azureus.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Call of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Accessories\\LimeWire\\LimeWire.exe"=
"c:\\FreeStyle Street Basketball™\\FreeStyle.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh\\VeohClient.exe"=
"c:\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\FIFA 2006\\FIFAWC06.exe"=
"c:\\Madden NFL 08\\Updater.exe"=
"c:\\Madden NFL 08\\mainapp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Call of Duty 5\\CoDWaWmp.exe"=
"c:\\Call of Duty 5\\CoDWaW.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\GTA IV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\GTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\Accessories\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\Accessories\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\Accessories\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Accessories\SpySweeper\WRConsumerService.exe" [2009-01-01 1086840]
S2 WinDefend;Windows Defender;"c:\program files\Accessories\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 SASENUM;SASENUM;\??\c:\program files\Accessories\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\wrSpySweeper_LD2B5B4429B4842819D3AFB788C29C0F4.job
- c:\program files\Accessories\SpySweeper\SpySweeperUI.exe [2008-11-13 17:11]

2009-01-01 c:\windows\Tasks\wrSpySweeper_LD2B5B4429B4842819D3AFB788C29C0F4.job
- c:\program files\Accessories\SpySweeper\SpySweeperUI.exe [2008-11-13 17:11]

2009-01-01 c:\windows\Tasks\wrSpySweeper_LD2B5B4429B4842819D3AFB788C29C0F4.job
- a:\","c:\","d:\","e:\","f:\","g:\" []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sports.yahoo.com/fantasy
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 09:28:21
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\Accessories\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*NULL*]
"datasecu"=hex:02,f1,e8,da,9c,58,34,53,c9,57,6b,05,3b,58,13,17,3c,6f,6d,c1,50,\
bf,2e,df,4d,83,19,6d,03,85,94,13,ef,22,08,b8,ef,a1,5a,93,11,36,ae,cd,26,51,\
0c,7c,f9,9d,69,82,85,c0,c7,e5,85,3c,24,d4,59,52,26,44,3f,80,ec,df,e5,47,5e,\
0f,22,76,b0,df,d9,75,30,f4,29,8f,4c,a5,a6,14,20,57,34,bb,9b,43,38,45,49,be,\
75,d6,85,a1,17,7b,68,35,2d,e5,cb,c6,09,3d,ff,46,47,1e,4f,ea,1b,d2,53,a2,19,\
a2,5a,59,8f,8d,e4,6e,74,73,21,40,fd,4e,be,5f,45,fd,7a,77,5a,3d,5a,ca,79,7f,\
01,75,bb,e0,d4,be,25,97,41,fd,21,0e,e5,50,98,d2,16,ec,d9,2e,39,0f,78,c9,6f,\
7e,a4,c6,d1,98,05,af,b8,65,82,60,ea,b5,26,fa,52,6a,a0,6c,50,88,45,bc,c8,c6,\
24,be,04,21,db,71,e1,2e,20,ef,f2,b2,02,b5,b9,8e,22,ec,c3,25,f1,3a,db,55,07,\
74,6f,2a,9d,a7,07,44,c9,19,91,2c,30,6b,ef,17,4b,50,5d,73,bd,51,09,c6,b3,9b,\
f8,45,77,a6,ef,8b,5f,a8,f0,23,74,e8,2a,dc,74,1b,c5,01,3e,a2,05,48,6a,39,0b,\
67,62,fb,90,b2,e0,bf,ce,c8,8d,0a,57,f4,aa,eb,b4,b7,d1,42,94,27,f8,31,c7,47,\
36,2b,a1,a4,c9,3a,bd,24,c8,8c,be,c0,99,78,51,85,4c,4c,26,cd,77,f4,39,d2,e3,\
81,2e,8d,d8,62,9d,e9,18,ec,f3,66,52,71,b2,6d,b0,9d,55,91,19,74,21,6d,87,e4,\
91,ce,27,ee,dc,62,36,3b,d9,ca,e9,4e,e6,d4,1f,11,ab,e2,e8,00,77,45,e4,3c,d1,\
27,11,1f,5e,b6,c9,1f,e6,59,b7,17,07,df,da,0c,92,a1,8c,fd,8a,6b,1a,9d,23,9f,\
25,9d,67,5c,da,c6,32,99,06,18,4f,0f,0e,8e,bd,74,ba,80,bf,ba,1d,97,72,ea,02,\
40,67,3f,9f,1c,a7,cf,df,0b,85,be,0b,d1,50,4d,60,78,d0,a8,91,a3,50,eb,02,6f,\
5a,d8,53,36,5f,7a,e9,ca,94,84,ab,da,8d,02,35,3c,8e,ec,a6,9e,b7,c5,a7,58,34,\
68,02,24,57,7d,d0,4b,69,0a,b7,24,1a,95,44,d6,f9,ee,a9,bb,d5,b8,05,cf,a5,d2,\
89,4a,22,4d,93,f4,27,34,71,8c,eb,d9,0a,0a,9d,8f,1f,f7,9c,00,cf,e4,0d,f5,6b,\
ee,9f,04,42,78,dc,3e,e1,1c,d3,50,d9,78,42,65,1f,81,5e,fa,1c,b9,a5,3a,e5,8f,\
80,0e,0f,c8,58,b0,3b,ab,c9,3a,6b,ca,2a,f3,15,99,31,0b,39,d4,20,55,cc,f2,99,\
f0,4d,e6,84,90,3f,62,cc,82,c6,50,f7,cd,0f,31,5c,c9,9d,e8,05,60,4e,24,d0,c7,\
43,22,ba,5f,c3,38,10,e2,c9,be,45,90,aa,f4,24,e6,f3,5e,06,9e,cf,22,46,5e,45,\
34,c1,7c,27,3d,44,d5,c8,2b,03,7c,c7,8d,4a,59,2c,85,8a,3d,e5,27,9b,ee,df,56,\
a1,35,21,97,51,68,9f,74,33,5c,b5,cd,f0,b5,69,65,43,34,e3,d0,fc,43,04,a0,1b,\
ad,9f,cb,f1,5c,b3,a1,9a,fd,6b,57,95,c4,8e,4e,55,c5,b4,6e,0c,46,86,47,7b,2d,\
23,3f,74,69,a2,ff,3d,ab,0b,2e,10,de,70,ea,dd,78,c2,a1,3e,be,fd,77,3c,90,aa,\
ed,68,f5,02,a6,cf,32,b5,ef,45,25,a4,a1,2b,d1,74,4d,a2,46,36,cd,ec,a8,3a,b6,\
4b,64,26,3c,f8,16,70,95,2f,e6,a1,f0,19,b9,76,ab,11,6e,52,0d,8a,62,53,7d,67,\
89,ea,cc,23,90,70,2f,f1,f2,ce,b0,3c,2b,31,a2,51,a9,52,77,2a,1e,5e,46,5d,22,\
c5,21,3a,7a,f7,7f,19,aa,48,f1,80,d4,91,e9,35,20,de,c7,47,34,57,ac,f5,62,dc,\
ae,e5,78,e7,e6,a2,93,06,65,6f,4d,e3,39,12,3e,10,72,b1,b5,1d,bd,1d,9f,40,8e,\
84,c9,a9,23,30,f1,62,47,ec,b1,3f,50,86,b5,e8,02,42,48,cd,39,0e,72,87,e4,da,\
16,f6,84,8c,46,97,9f,f1,51,2b,43,f1,c1,ee,f8,e8,8b,27,b4,e8,74,f5,8e,27,1a,\
86,23,0b,d8,11,d2,d4,f7,49,40,be,3a,e7,f7,54,3c,0e,8d,2f,6a,dc,48,30,89,f8,\
7d,24,ec,f5,d1,a7,74,c7,a5,d8,d2,e1,d9,5b,ca,44,0c,3d,75,07,d4,64,d8,01,5a,\
5a,71,59,31,fa,3c,1e,11,96,a5,e6,47,de,6f,f1,05,08,d4,94,81,07,3a,68,8d,1a,\
71,69,5d,29,40,ca,3d,e1,b0,55,b5,e0,71,66,12,6b,e1,fe,8f,60,72,0d,6d,04,62,\
a2,c6,fd,1c,f9,a1,ef,9c,86,f7,6a,b3,5c,29,52,b2,a0,74,90,9f,41,8d,81,c5,ae,\
86,b0,eb,00,ed,00,2d,7c,40,b6,70,6d,61,4d,fc,2c,7a,e8,6e,dd,95,6e,d8,67,04,\
9b,02,ca,48,d0,8f,a2,27,37,c8,5e,89,a8,eb,79,22,e0,64,d8,f0,0e,0c,1f,d1,5d,\
61,50,7e,6d,8e,0c,07,9f,36,ba,78,cc,88,de,3e,94,50,e5,a0,33,95,c0,f1,e8,f7,\
26,1e,2e,30,c0,03,25,f8,c3,a5,a9,3c,0e,45,9f,47,44,71,ff,f6,b2,d0,4a,fc,ee,\
54,a7,52,8d,68,08,71,bd,dd,f2,79,5f,26,38,ac,2b,de,31,e5,85,29,a9,17,4d,92,\
dd,85,44,bf,3b,8c,f3,b8,49,a0,a4,04,64,9d,68,ef,63,92,73,9a,65,29,d1,df,81,\
a1,0b,97,5d,a2,e7,a7,7e,e9,62,b0,35,28,98,2b,df,ea,48,0d,59,23,c9,78,49,13,\
d3,72,ea,66,d5,71,be,fd,11,14,b5,b2,75,16,21,ae,47,86,3e,b6,ea,3c,f1,e4,a9,\
3b,9a,8d,0d,55,03,d9,a0,8e,be,9f,bc,bb,81,50,21,bc,ea,d7,f6,71,c6,b5,36,91,\
86,a4,91,50,8e,0c,35,8a,69,9a,e0,a7,95,7c,42,03,79,fb,30,9d,bc,9d,68,29,f8,\
c2,39,96,bd,34,32,ef,e7,00,c3,05,55,fe,86,41,9c,c4,9c,ae,fb,39,6e,af,d8,4b,\
39,37,42,3a,db,30,37,01,a1,26,44,e3,28,e1,b9,0a,cb,c3,40,cf,04,61,48,3f,56,\
49,12,c2,db,55,aa,cd,38,18,ac,49,0d,f5,2b,4c,e3,46,c1,5d,6e,6c,07,dc,48,cb,\
43,20,82,b9,99,df,88,09,c4,76,ed,7c,b8,27,02,b7,98,89,d5,24,93,13,7b,4f,f3,\
f1,a5,6d,3e,89,7e,8b,3a,8b,0c,18,ed,33,af,a4,72,c7,dc,54,93,d5,e8,41,58,e3,\
11,e3,66,5a,a5,06,d4,91,75,21,9b,5a,2a,4c,90,12,c3,e0,99,b8,af,9d,da,e1,11,\
14,d2,f6,09,aa,95,16,a0,14,a3,f2,14,07,22,a6,25,e2,71,44,8f,83,5c,f1,10,1d,\
b6,d8,22,ae,62,75,d6,80,a5,df,dd,21,ad,2c,ee,fe,8e,9b,25,65,4f,26,7b,74,1e,\
df,3d,3d,2e,76,ce,85,a2,cf,7c,f3,61,9c,32,4a,93,da,65,47,ba,48,6c,ad,59,43,\
54,e5,80,a3,95,e0,5d,99,7e,71,fd,4d,a6,4f,1a,65,e6,6b,35,26,f1,e7,05,43,3f,\
17,37,0f,69,50,02,f7,04,0e,a1,9e,8d,3c,41,b8,f6,e4,60,93,f9,88,fe,7b,74,eb,\
c7,80,ec,e1,ba,2c,30,20,70,1d,d8,9e,e9,d9,41,93,99,45,f4,ad,bb,96,5f,38,6d,\
f1,fc,df,3e,c8,4e,44,71,81,dd,97,2f,88,5a,67,cf,f1,36,64,a9,b8,0c,49,35,9b,\
d8,64,75,ba,6e,c2,0c,66,22,1a,5f,b5,a1,9d,20,68,65,bb,49,5c,3f,1b,ee,7a,06,\
93,e2,ea,d5,4b,43,c3,84,10,14,b2,8a,15,37,a2,c5,81,13,1b,f6,91,40,00,d6,af,\
77,43,18,1b,15,76,9f,f1,01,af,be,a3,d0,b9,41,b7,d0,d0,ca,ee,77,e7,c5,49,7f,\
e2,ac,f3,53,19,ee,7e,0e,5d,e7,9e,e5,65,a6,d8,80,6e,39,0c,a0,a9,8a,b8,29,3f,\
2e,ea,bd,af,2f,2c,07,52,b4,4d,90,50,cc,2c,5f,8b,c1,e6,80,07,93,f4,e7,65,90,\
9e,2c,48,04,ed,98,d7,04,3f,9d,d6,25,e9,3d,9f,fe,a3,f2,37,eb,d7,54,88,8f,1a,\
9f,ce,16,92,32,8c,d2,b4,d1,2e,b4,2e,2a,b6,6d,2a,af,fa,1b,2f,c5,0b,e4,21,c4,\
30,d8,92,e5,12,4a,83,a6,3b,fc,8e,e8,6e,b0,ef,ed,e5,bf,f5,44,0d,61,03,d8,12,\
8c,5e,7e,d4,12,a6,a0,2b,f4,ef,26,a2,ff,11,fc,48,63,f6,93,1a,a8,7f,65,b7,03,\
ff,5b,c9,2f,9f,8c,3f,7a,0a,84,11,98,f7,ed,ff,3b,0d,bf,6d,03,12,7a,08,93,b4,\
24,95,4d,1b,ce,46,32,f9,1a,ad,42,2d,49,3d,3b,13,cb,39,04,48,6b,b7,d5,f8,87,\
79,a3,90,c8,6d,5a,19,5a,cf,1a,20,ee,03,d1,f6,9b,b8,f5,f3,c9,dc,81,64,d1,54,\
3c,83,0d,13,d2,61,cf,59,20,79,bf,9f,21,ba,3e,ab,9b,5a,5c,7c,bb,88,63,1f,1b,\
03,df,3b,d7,c2,ba,8f,e3,f7,f3,e9,b6,32,43,23,6d,a0,4b,aa,76,7b,4c,56,de,a6,\
cf,6c,fe,9d,47,74,c2,c2,ab,28,ab,c0,21,65,54,82,f2,cc,ec,ef,a9,76,1b,69,ee,\
6e,1b,59,f6,76,0b
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*NULL*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Accessories\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\oodag.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Accessories\SpySweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2009-01-03 9:29:52 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-01-03 14:29:50

Pre-Run: 401,229,115,392 bytes free
Post-Run: 401,212,203,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

308 --- E O F --- 2008-12-02 05:05:30

#6 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 January 2009 - 05:02 PM

Hello.

Yup, you are really infected, including some embedded nulls and also the well-known "Fake sysaudio.sys search engine hijack", and one of your system files was also infected. Not good. That ComboFix log is from a while back; I need to see a new one. Let's run ComboFix again and see what's still there.

Regarding your question:

Do you think the computer is safe to use on the web (like logging onto bank sites, other things) or should the computer be turned on at all?

If it were mine, the best choice would be to format and reinstall. If you have another computer, it would be best if you could disable your internet connection and use a CD and CD burner to transfer the programs and tools we need from your clean machine to your infected one. Also, on your clean machine I would recommend you change all passwords if you do banking etc.

If you still want to remove it follow the instructions below.

Please delete the copy of Combofix.exe that is on your desktop.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see a prompt asking whether to install it. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

I won't be able to reply back until tomorrow, so see you tomorrow.

Post back with:
-Combofix log
-GMER log
-DDS/hijackthis log


With Regards,
Extremeboy

Edited by extremeboy, 11 January 2009 - 05:04 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#7 Dirk Pro
  • Topic Starter
  • Members
  • 93 posts

Posted 11 January 2009 - 06:09 PM

Yeah, I want to try to remove this and then reformatting will be the last option. Here is the ComboFix log:

ComboFix 09-01-10.03 - Administrator 2009-01-11 17:40:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1637 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG 7.5.518 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\msrdo20.dll
c:\windows\system32\Process.exe
c:\windows\system32\rdocurs.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wdmaud.sys
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-04 16:57 . 2009-01-04 16:57 <DIR> d-------- c:\windows\ERUNT
2009-01-02 08:48 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-30 17:07 . 2008-12-30 17:08 <DIR> d-------- c:\windows\system32\Adobe
2008-12-28 08:28 . 2009-01-05 16:25 <DIR> d-------- C:\Piano Lessons
2008-12-27 18:19 . 2008-12-27 18:19 <DIR> d-------- c:\temp\gta4
2008-12-27 14:21 . 2008-12-27 14:21 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-27 13:44 . 2008-12-27 13:44 <DIR> d-------- c:\windows\system32\xlive
2008-12-27 13:44 . 2008-12-27 14:00 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:22 . 2008-12-27 12:22 <DIR> d-------- c:\program files\MSBuild
2008-12-27 12:21 . 2008-12-27 14:11 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 12:21 . 2008-12-27 12:21 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 12:21 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 . 2008-12-27 12:26 <DIR> d-------- C:\GTA IV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 23:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 18:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 18:12 --------- d-----w c:\program files\Accessories
2009-01-03 14:24 507,904 ----a-w c:\windows\system32\winlogon.exe
2009-01-03 14:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-01 02:39 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-30 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-29 18:35 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-29 18:30 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 18:29 202,448 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-27 18:46 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-22 02:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-12-06 14:14 --------- d-----w c:\program files\iTunes
2008-12-06 14:14 --------- d-----w c:\program files\iPod
2008-12-06 14:14 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:13 --------- d-----w c:\program files\Apple Software Update
2008-12-05 03:37 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-05 03:37 --------- d-----w c:\program files\Java
2008-12-03 06:04 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-12-03 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 02:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 07:12 --------- d-----w c:\program files\AGEIA Technologies
2008-12-02 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 05:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-02 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 04:13 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-30 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 04:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-26 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-16 20:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-16 18:46 --------- d-----w c:\program files\QuickTime
2008-11-16 18:46 --------- d-----w c:\program files\Bonjour
2008-11-16 18:45 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 13:24 --------- d-----w c:\program files\Veoh
2008-11-12 18:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-28 22:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 22:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-02-01 08:39 113,664 ----a-w c:\windows\inf\hdaudio.sys
2008-03-08 04:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avginet.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Accessories\\Azureus\\Azureus.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Call of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Accessories\\LimeWire\\LimeWire.exe"=
"c:\\FreeStyle Street Basketball™\\FreeStyle.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh\\VeohClient.exe"=
"c:\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\FIFA 2006\\FIFAWC06.exe"=
"c:\\Madden NFL 08\\Updater.exe"=
"c:\\Madden NFL 08\\mainapp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Call of Duty 5\\CoDWaWmp.exe"=
"c:\\Call of Duty 5\\CoDWaW.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\GTA IV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\GTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\Accessories\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\Accessories\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\Accessories\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
S3 SASENUM;SASENUM;c:\program files\Accessories\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S4 WinDefend;Windows Defender;c:\program files\Accessories\Windows Defender\MsMpEng.exe [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5d5d3ec-f764-11dc-83a3-001d7dab2f55}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sports.yahoo.com/fantasy
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 17:41:59
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\Accessories\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:02,f1,e8,da,9c,58,34,53,c9,57,6b,05,3b,58,13,17,3c,6f,6d,c1,50,
bf,2e,df,4d,83,19,6d,03,85,94,13,ef,22,08,b8,ef,a1,5a,93,11,36,ae,cd,26,51,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
Completion time: 2009-01-11 17:42:35
ComboFix-quarantined-files.txt 2009-01-11 22:42:32
ComboFix2.txt 2009-01-03 14:29:53

Pre-Run: 404,393,963,520 bytes free
Post-Run: 404,387,758,080 bytes free

194 --- E O F --- 2008-12-02 05:05:30

#8 Dirk Pro
  • Topic Starter
  • Members
  • 93 posts

Posted 11 January 2009 - 06:10 PM

Here is the Gmer log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 17:55:35
Windows 5.1.2600 Service Pack 3, v.5657


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 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

---- EOF - GMER 1.0.14 ----



Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:56 PM, on 1/11/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Accessories\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Accessories\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/fantasy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230404567437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228448062703
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Accessories\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\ACCESS~1\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2445 bytes

#9 Dirk Pro
  • Topic Starter
  • Members
  • 93 posts

Posted 11 January 2009 - 06:12 PM

And here's the DDS log. I will see you tomorrow and thanks for your reply!:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 18:00:29.42 on Sun 01/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -5:00]

AV: AVG 7.5.518 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Accessories\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/fantasy
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSMHelp = 01000000
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\access~1\window~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-8 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-8 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-8 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-8 10760]
R1 SASDIFSV;SASDIFSV;c:\program files\accessories\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\accessories\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\accessories\powerdvd\000.fcl [2006-11-2 13560]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\accessories\ad-aware\aawservice.exe [2008-9-10 611664]
R4 WinDefend;Windows Defender;c:\program files\accessories\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\access~1\avg7\avgupsvc.exe [2008-3-8 49664]
S3 SASENUM;SASENUM;c:\program files\accessories\superantispyware\SASENUM.SYS [2008-8-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-01-11 17:48 345 a------- c:\windows\gmer.ini
2009-01-11 17:40 161,792 a------- c:\windows\SWREG.exe
2009-01-11 17:40 98,816 a------- c:\windows\sed.exe
2009-01-11 17:40 <DIR> --d----- C:\ComboFix
2009-01-04 16:57 <DIR> --d----- c:\windows\ERUNT
2009-01-03 09:22 <DIR> a-dshr-- C:\cmdcons
2009-01-02 08:48 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-30 17:07 <DIR> --d----- c:\windows\system32\Adobe
2008-12-28 08:28 <DIR> --d----- C:\Piano Lessons
2008-12-27 18:19 <DIR> --d----- c:\temp\gta4
2008-12-27 14:21 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-27 13:44 <DIR> --d----- c:\windows\system32\xlive
2008-12-27 13:44 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:21 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 12:21 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 <DIR> --d----- C:\GTA IV

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 09:24 507,904 a------- c:\windows\system32\winlogon.exe
2008-12-29 13:30 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 13:29 202,448 a------- c:\windows\system32\PnkBstrB.exe
2008-12-27 13:46 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-04 22:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-02-01 03:39 113,664 a------- c:\windows\inf\hdaudio.sys
2008-03-07 23:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030720080308\index.dat

============= FINISH: 18:00:34.46 ===============

#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 12 January 2009 - 04:12 PM

Hello.

Sorry that I couldn't respond earlier. There are a few programs I need to warn you about.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case Azureus Vuze and LimeWire 4.16.6). These programs allow users to share files between them, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along with the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove Programs. However, please refrain from using them until your computer has been declared clean.

Viewpoint Programs Warning
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but don't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Additional instructions on removing programs can be found here.


Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\wdmaud.sys

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=""
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    @Echo off

    REM Dump the drivers32 key and its subkeys to peek.txt, then open it in Notepad.
    reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >peek.txt
    start notepad peek.txt

    REM Delete this batch file. This must be the last line: cmd reads a batch file
    REM line by line, so nothing after the file is deleted would run.
    del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on look.bat, and a black DOS window will appear and then disappear. This is normal, please do not panic. Notepad will then open; please copy and paste the contents of peek.txt in your next reply.

Post back with:
-Combofix log
-Malwarebytes Anti-Malware log
-Peek.txt log
-New DDS/Hijackthis log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
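As an added example (not from this thread or from any of the tools it uses), here is a Python checker for the peek.txt listing that look.bat produces: it parses the reg query output and flags drivers32 values of the kind the CFScript above addressed, an alias pointing at a .sys file, a module loaded from outside system32, or an alias left empty. The sample listing is constructed; the aux2 = wdmaud.sys line mirrors the value and file the CFScript targets, and aux3/aux4 are made-up anomalies.

```python
# Added example, not part of the thread: a checker for the peek.txt output
# of "reg query HKLM\...\drivers32 /s" (the listing look.bat opens above).
# drivers32 maps multimedia aliases (wave, midi, aux, msacm.*, vidc.*) to
# user-mode codec modules; the CFScript removed a drivers32 value named aux2
# together with a wdmaud.sys in system32, so entries of that shape are what a
# reviewer wants surfaced. All sample input below is constructed.
import re

# Module types Windows normally registers under drivers32.
EXPECTED_EXTENSIONS = {".drv", ".dll", ".acm", ".ax"}

# reg.exe prints "name  TYPE  data"; reg.exe 3.0 on XP separates the columns
# with tabs or single spaces, later versions with four spaces.
VALUE_RE = re.compile(
    r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ|REG_DWORD|REG_MULTI_SZ|REG_BINARY)\s*(.*)$")
# A full path is only expected to name a module directly inside system32.
SYSTEM32_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\[^\\]+$")


def parse_reg_query(text):
    """Parse `reg query /s` output into (key, name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries.append((key, name, vtype, data.strip()))
    return entries


def module_findings(name, data):
    """Reasons a single REG_SZ drivers32 value deserves a look."""
    low = data.lower()
    if not low:
        # The CFScript set aux2 to "", which leaves an empty alias behind.
        return ["empty value (leftover alias; delete it)"]
    reasons = []
    dot = low.rfind(".")
    ext = low[dot:] if dot != -1 and "\\" not in low[dot:] else ""
    if ext == ".sys":
        reasons.append("points at a kernel driver (.sys); drivers32 holds user-mode codecs")
    elif ext not in EXPECTED_EXTENSIONS:
        reasons.append("unexpected module type %r" % (ext or "(none)"))
    if "\\" in low and not SYSTEM32_RE.match(low):
        reasons.append("full path outside system32")
    return reasons


def suspicious_entries(text):
    """Return [(key, name, data, reason), ...] for values worth reviewing."""
    out = []
    for key, name, vtype, data in parse_reg_query(text):
        if "drivers32" not in key.lower():
            continue
        if vtype != "REG_SZ":
            continue  # DWORD settings (MaxBandwidth, EnableMP3Codec) name no module
        for reason in module_findings(name, data):
            out.append((key, name, data, reason))
    return out


# Constructed peek.txt-style sample. The first lines follow the shape shown in
# the thread; aux2 mirrors the CFScript target, aux3 and aux4 are invented.
SAMPLE_PEEK = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper    REG_SZ    midimap.dll
msacm.l3acm    REG_SZ    C:\WINDOWS\system32\l3codeca.acm
wave    REG_SZ    wdmaud.drv
aux    REG_SZ    wdmaud.drv
aux2    REG_SZ    wdmaud.sys
aux3    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\snd.dll
aux4    REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP
wave    REG_SZ    rdpsnd.dll
MaxBandwidth    REG_DWORD    0x56b9
"""

if __name__ == "__main__":
    for key, name, data, reason in suspicious_entries(SAMPLE_PEEK):
        print(f"{name:<12} {(data or '<empty>'):<55} {reason}")
```

Run it against a real peek.txt by reading the file instead of SAMPLE_PEEK; every flagged alias is something to compare against the shipped codec list before deciding it is malicious.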

#11 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 12 January 2009 - 06:04 PM

Thanks again. Also, the MBAM quick scan took only 1 minute. Is this normal?

Here's the DDS Log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 18:00:17.95 on Mon 01/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1580 [GMT -5:00]

AV: AVG 7.5.518 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/fantasy
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSMHelp = 01000000
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\access~1\window~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-8 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-8 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-8 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-8 10760]
R1 SASDIFSV;SASDIFSV;c:\program files\accessories\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\accessories\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\accessories\powerdvd\000.fcl [2006-11-2 13560]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\accessories\ad-aware\aawservice.exe [2008-9-10 611664]
S3 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\access~1\avg7\avgupsvc.exe [2008-3-8 49664]
S3 SASENUM;SASENUM;c:\program files\accessories\superantispyware\SASENUM.SYS [2008-8-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S4 WinDefend;Windows Defender;c:\program files\accessories\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-01-12 17:49 <DIR> --d----- C:\ComboFix
2009-01-11 17:48 345 a------- c:\windows\gmer.ini
2009-01-11 17:40 161,792 a------- c:\windows\SWREG.exe
2009-01-11 17:40 98,816 a------- c:\windows\sed.exe
2009-01-04 16:57 <DIR> --d----- c:\windows\ERUNT
2009-01-03 09:22 <DIR> a-dshr-- C:\cmdcons
2008-12-30 17:07 <DIR> --d----- c:\windows\system32\Adobe
2008-12-28 08:28 <DIR> --d----- C:\Piano Lessons
2008-12-27 18:19 <DIR> --d----- c:\temp\gta4
2008-12-27 14:21 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-27 13:44 <DIR> --d----- c:\windows\system32\xlive
2008-12-27 13:44 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:21 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 12:21 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 <DIR> --d----- C:\GTA IV

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 09:24 507,904 a------- c:\windows\system32\winlogon.exe
2008-12-29 13:30 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 13:29 202,448 a------- c:\windows\system32\PnkBstrB.exe
2008-12-27 13:46 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-04 22:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-02-01 03:39 113,664 a------- c:\windows\inf\hdaudio.sys
2008-03-07 23:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030720080308\index.dat

============= FINISH: 18:00:22.09 ===============


Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:09 PM, on 1/12/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Accessories\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Accessories\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/fantasy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230404567437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228448062703
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Accessories\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\ACCESS~1\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2498 bytes

Here's the peek.txt


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
aux REG_SZ wdmaud.drv
VIDC.XFR1 REG_SZ xfcodec.dll
vidc.VP60 REG_SZ vp6vfw.dll
vidc.VP61 REG_SZ vp6vfw.dll
vidc.VP62 REG_SZ vp6vfw.dll
aux2 REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP
wave REG_SZ rdpsnd.dll
mixer REG_SZ rdpsnd.dll
MaxBandwidth REG_DWORD 0x56b9
wavemapper REG_SZ msacm32.drv
EnableMP3Codec REG_DWORD 0x1
midimapper REG_SZ midimap.dll

#12 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 12 January 2009 - 06:08 PM

Here's the ComboFix log:

ComboFix 09-01-11.04 - Administrator 2009-01-12 17:50:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1606 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG 7.5.518 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\wdmaud.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Agent.OMZ.Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 17:48 . 2009-01-11 17:51 345 --a------ c:\windows\gmer.ini
2009-01-04 16:57 . 2009-01-04 16:57 <DIR> d-------- c:\windows\ERUNT
2008-12-30 17:07 . 2008-12-30 17:08 <DIR> d-------- c:\windows\system32\Adobe
2008-12-28 08:28 . 2009-01-05 16:25 <DIR> d-------- C:\Piano Lessons
2008-12-27 18:19 . 2008-12-27 18:19 <DIR> d-------- c:\temp\gta4
2008-12-27 14:21 . 2008-12-27 14:21 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-27 13:44 . 2008-12-27 13:44 <DIR> d-------- c:\windows\system32\xlive
2008-12-27 13:44 . 2008-12-27 14:00 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-27 12:22 . 2008-12-27 12:22 <DIR> d-------- c:\program files\MSBuild
2008-12-27 12:21 . 2008-12-27 14:11 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 12:21 . 2008-12-27 12:21 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 12:21 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 12:20 . 2008-12-27 12:26 <DIR> d-------- C:\GTA IV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 23:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 18:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 18:12 --------- d-----w c:\program files\Accessories
2009-01-03 14:24 507,904 ----a-w c:\windows\system32\winlogon.exe
2009-01-03 14:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-01 02:39 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-30 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-29 18:35 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-29 18:30 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 18:29 202,448 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-27 18:46 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-22 02:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-12-06 14:14 --------- d-----w c:\program files\iTunes
2008-12-06 14:14 --------- d-----w c:\program files\iPod
2008-12-06 14:14 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:13 --------- d-----w c:\program files\Apple Software Update
2008-12-05 03:37 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-05 03:37 --------- d-----w c:\program files\Java
2008-12-03 06:04 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-12-03 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 02:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 07:12 --------- d-----w c:\program files\AGEIA Technologies
2008-12-02 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 05:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-02 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 04:13 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-30 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 04:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-26 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-16 20:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-16 18:46 --------- d-----w c:\program files\QuickTime
2008-11-16 18:46 --------- d-----w c:\program files\Bonjour
2008-11-16 18:45 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 13:24 --------- d-----w c:\program files\Veoh
2008-11-12 18:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-28 22:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 22:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-02-01 08:39 113,664 ----a-w c:\windows\inf\hdaudio.sys
2008-03-08 04:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_17.42.06.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 22:48:34 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2009-01-11 22:48:34 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2009-01-11 22:32:45 170,343 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-12 14:05:41 170,338 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avginet.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Accessories\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Accessories\\Azureus\\Azureus.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Call of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Accessories\\LimeWire\\LimeWire.exe"=
"c:\\FreeStyle Street Basketball™\\FreeStyle.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh\\VeohClient.exe"=
"c:\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\FIFA 2006\\FIFAWC06.exe"=
"c:\\Madden NFL 08\\Updater.exe"=
"c:\\Madden NFL 08\\mainapp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Call of Duty 5\\CoDWaWmp.exe"=
"c:\\Call of Duty 5\\CoDWaW.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\GTA IV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\GTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\Accessories\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\Accessories\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\Accessories\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
S3 SASENUM;SASENUM;c:\program files\Accessories\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S4 WinDefend;Windows Defender;c:\program files\Accessories\Windows Defender\MsMpEng.exe [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5d5d3ec-f764-11dc-83a3-001d7dab2f55}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sports.yahoo.com/fantasy
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 17:51:08
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\Accessories\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:02,f1,e8,da,9c,58,34,53,c9,57,6b,05,3b,58,13,17,3c,6f,6d,c1,50,
bf,2e,df,4d,83,19,6d,03,85,94,13,ef,22,08,b8,ef,a1,5a,93,11,36,ae,cd,26,51,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
Completion time: 2009-01-12 17:51:54
ComboFix-quarantined-files.txt 2009-01-12 22:51:52
ComboFix2.txt 2009-01-11 22:42:36
ComboFix3.txt 2009-01-03 14:29:53

Pre-Run: 404,361,687,040 bytes free
Post-Run: 404,347,502,592 bytes free

198 --- E O F --- 2008-12-02 05:05:30

#13 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 12 January 2009 - 06:10 PM

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3, v.5657

1/12/2009 5:55:50 PM
mbam-log-2009-01-12 (17-55-50).txt

Scan type: Quick Scan
Objects scanned: 53162
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Dirk Pro

Dirk Pro
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 12 January 2009 - 06:13 PM

Also, for the viewpoint, I can't seem to find the program. It is not shown under the "Add or Remove Programs." but yet it is still in my computer? Do you know why this is? Thanks for your time.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 PM

Posted 13 January 2009 - 04:37 PM

Hello.

Thanks again. Also, the MBAM quick scan took only 1 minute. Is this normal?

Well it depends, the quick scan should be fairly quick. Depending on how much you have on your computer the time may vary. For me it takes about 2-3 minutes.
I wouldn't say it's normal or not but it should be fine.

Also, for the viewpoint, I can't seem to find the program. It is not shown under the "Add or Remove Programs." but yet it is still in my computer? Do you know why this is? Thanks for your time.

Yes, I still see some entries related to it, we will remove that right now. Sometimes uninstallers do a very bad job of removing things..

How is your computer running right now?

We will remove that leftover service and run an online scan, I want to see something..

Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    Viewpoint Manager Service
    :files
    c:\program files\viewpoint
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
Note:If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-OTMoveIT log
-Kaspersky log
-How is your computer running?
-New OTViewIT logs


With Regards,
Extremeboy

Edit: Double post..

Edited by extremeboy, 13 January 2009 - 04:38 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



