Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo and possibly others


  • This topic is locked This topic is locked
11 replies to this topic

#1 Amy79

Amy79

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 09 January 2009 - 07:53 PM

I had multiple infections from a web page which happened on the 5th - the sagipsul.com pop-ups, frmwrk32.exe, real-av.org pop-ups, Virtumonde, Vundo, Malware.Trace and god knows what else. I tried Search and Destroy, Super Anti-spyware and Malwarebytes, which finally did the best job in getting rid of most of the problems.

But there's a couple remaining problems that won't go away. Malware.Trace and Vundo were found again by Malwarebytes. On Firefox, I'm still getting pop-ups from hxxp://70.38.98.32/red.php?lid=... and hxxp://82.98.235.113/dot.gif/?ver=...

Occasionally an ad page will manage to load, but mostly they are failed blank pages. It keeps turning off the option in Firefox to block pop-ups. Malware.Trace and Vundo were found again by Malwarebytes.
I use Adblock Plus on Firefox and also have Protowall IP blocker, so I can see when my computer tries sending packets to those IPs.


Here's my DDS log...


DDS (Version 1.1.0) - NTFSx86
Run by Amy at 16:01:40.32 on Fri 01/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1090 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Amy\LOCALS~1\Temp\clclean.0001
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
BHO: {1F05A15D-B65F-4709-BB8E-FB06AD3220A2} - No File
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\program files\imacros\imacros.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ProtoWall] c:\program files\bluetack\protowall\ProtoWall.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\WebshotsTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: imageshack.us\toolbar
Trusted Zone: pandasoftware.com\www
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: lthwqh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqQHyAr

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amy\applic~1\mozilla\firefox\profiles\icwubrst.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news?oe=UTF-8&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&tab=wn&scoring=d&hl=en&q=%22russell+crowe%22+-Scruggs+-@inbox.ru+-@ctortaal.cn&btnG=Search
FF - HiddenExtension: XUL Cache: {CEF91D7C-1E79-4C14-8BED-B1651A48D67D} - c:\windows\system32\config\systemprofile\local settings\application data\{cef91d7c-1e79-4c14-8bed-b1651a48d67d}\
FF - HiddenExtension: XUL Cache: {95274806-AF8E-4098-B862-1C57FD6291A6} - c:\documents and settings\amy\local settings\application data\{95274806-af8e-4098-b862-1c57fd6291a6}\

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-11 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-11 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-11 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-11 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-11 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-11 40488]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-1 23296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-11 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-11 144704]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-10-29 32000]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-11-11 31872]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-07 17:20 <DIR> --d----- c:\docume~1\amy\applic~1\Malwarebytes
2009-01-07 17:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 17:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 17:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 14:03 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 13:55 129,536 a------- c:\windows\system32\lthwqh.dll
2009-01-07 13:55 129,536 a------- c:\windows\system32\xgmsscvp.dll
2009-01-07 00:14 1,320,830 ---sh--- c:\windows\system32\carglxjr.ini
2009-01-07 00:11 129,536 a------- c:\windows\system32\lrfmjz.dll
2009-01-07 00:11 129,536 a------- c:\windows\system32\igxadcoi.dll
2009-01-06 01:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 01:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 01:41 <DIR> --d----- c:\docume~1\amy\applic~1\SUPERAntiSpyware.com
2009-01-06 01:40 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 00:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 23:31 1,306,349 ---sh--- c:\windows\system32\wgbsjjcm.ini
2009-01-05 23:21 1 a------- c:\windows\system32\uniq.tll
2009-01-05 22:32 734,978 a--sh--- c:\windows\system32\rAyHQqss.ini2
2009-01-05 22:29 95 a------- c:\windows\wininit.ini
2009-01-05 20:43 734,978 a--sh--- c:\windows\system32\rAyHQqss.ini
2009-01-02 23:07 <DIR> --d----- c:\program files\AudioConverter Studio

==================== Find3M ====================

2008-10-19 12:47 61,208 a------- c:\windows\system32\x264vfw-uninstall.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-02-02 16:45 87,608 a------- c:\docume~1\amy\applic~1\ezpinst.exe
2007-02-02 16:45 47,360 a------- c:\docume~1\amy\applic~1\pcouffin.sys
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-07-14 11:31 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-02-17 20:22 104 ---sh--- c:\windows\system32\BA3018150B.sys
2005-06-26 14:32 616,448 a--sh--- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--sh--- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2007-02-17 20:22 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2006-04-27 09:24 2,945,024 a--sh--- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--sh--- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 16:02:47.50 ===============

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 10 January 2009 - 10:50 AM

Hello Amy79 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Amy79

Amy79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 10 January 2009 - 04:50 PM

Combofix stopped working during the process. (I didn't click on it or anything!) But it rebooted OK. There was notice from SpybotS&D of a registry change. Something with the following info deleted after the reboot...

Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe
Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list


So there's no Combofix log. But here's the updated DDS log.
I should add that I just turned McAfee back on before running DDS - it was off for Combofix as it requested.



DDS (Version 1.1.0) - NTFSx86
Run by Amy at 13:43:30.34 on 2009-01-10
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1356 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\DOCUME~1\Amy\LOCALS~1\Temp\clclean.0001
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: {1F05A15D-B65F-4709-BB8E-FB06AD3220A2} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Adblock Pro: {f385c231-605b-4d8f-aca9-dbff765bbe17} - c:\program files\adblock pro\AdblockPro.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\program files\imacros\imacros.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ProtoWall] c:\program files\bluetack\protowall\ProtoWall.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\WebshotsTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Block This Image (ABP) - c:\program files\adblock pro\blockimg.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\adblock pro\AdblockPro.dll
Trusted Zone: imageshack.us\toolbar
Trusted Zone: pandasoftware.com\www
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amy\applic~1\mozilla\firefox\profiles\icwubrst.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news?oe=UTF-8&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&tab=wn&scoring=d&hl=en&q=%22russell+crowe%22+-Scruggs+-@inbox.ru+-@ctortaal.cn&btnG=Search
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-11 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-11 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-11 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-11 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-11 40488]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-1 23296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-11 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-11 144704]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-11 33832]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-11-11 31872]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-10 12:51 <DIR> a-dshr-- C:\cmdcons
2009-01-10 12:42 161,792 a------- c:\windows\SWREG.exe
2009-01-10 12:42 98,816 a------- c:\windows\sed.exe
2009-01-10 12:41 <DIR> --d----- C:\ComboFix
2009-01-10 12:41 388,608 a------- c:\windows\system32\CF8754.exe
2009-01-09 21:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-09 17:05 <DIR> --d----- c:\program files\Adblock Pro
2009-01-09 17:05 <DIR> --d----- c:\docume~1\amy\applic~1\Adblock Pro
2009-01-07 17:20 <DIR> --d----- c:\docume~1\amy\applic~1\Malwarebytes
2009-01-07 17:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 17:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 17:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 01:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 01:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 01:41 <DIR> --d----- c:\docume~1\amy\applic~1\SUPERAntiSpyware.com
2009-01-06 01:40 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 00:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 22:29 95 a------- c:\windows\wininit.ini

==================== Find3M ====================

2008-10-19 12:47 61,208 a------- c:\windows\system32\x264vfw-uninstall.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-02-02 16:45 87,608 a------- c:\docume~1\amy\applic~1\ezpinst.exe
2007-02-02 16:45 47,360 a------- c:\docume~1\amy\applic~1\pcouffin.sys
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-07-14 11:31 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-02-17 20:22 104 ---sh--- c:\windows\system32\BA3018150B.sys
2005-06-26 14:32 616,448 a--sh--- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--sh--- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2007-02-17 20:22 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2006-04-27 09:24 2,945,024 a--sh--- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--sh--- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 13:44:31.10 ===============

Edited by Amy79, 10 January 2009 - 04:51 PM.


#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 11 January 2009 - 06:27 AM

Hello Amy79,

Please delete your current ComboFix copy from your desktop,
and download the latest version.
That one should run to completion without any problems. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Amy79

Amy79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 11 January 2009 - 07:33 PM

Still didn't finish, but didn't have to reboot this time.

It completed stage 50 and then ended with this line...

' "C:\WINDOWS\system32\"' is not recognized as an internal or external command, operable program or batch file.

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 12 January 2009 - 05:36 AM

Hello Amy79,

Go to Start > Run and type (or copy/paste) : ComboFix /U and click OK.
This will uninstall ComboFix.

Then download it again and run it.
This time it should complete.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Amy79

Amy79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 12 January 2009 - 10:34 PM

Ah, that worked.

Earlier McAfee updated itself and right away started zapping some Vundo files, so it might have finally caught up with what I had. I then updated and ran Malwarebytes again which also found some Vundo files and delted them. After rebooting, there were no more noticeable pop-up problems. So this Combofix log is from after that...



ComboFix 09-01-11.04 - Amy 2009-01-12 17:30:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1467 [GMT -8:00]
Running from: c:\documents and settings\Amy\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-09 21:59 . 2009-01-09 21:59 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 17:05 . 2009-01-09 17:05 <DIR> d-------- c:\program files\Adblock Pro
2009-01-09 17:05 . 2009-01-09 17:05 <DIR> d-------- c:\documents and settings\Amy\Application Data\Adblock Pro
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\documents and settings\Amy\Application Data\Malwarebytes
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 17:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 17:20 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:05 . 2009-01-07 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\documents and settings\Amy\Application Data\SUPERAntiSpyware.com
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 01:40 . 2009-01-06 01:40 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-06 01:24 . 2009-01-08 22:17 <DIR> d-------- c:\program files\Panda Security
2009-01-06 00:20 . 2009-01-06 00:20 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 22:29 . 2009-01-05 22:29 95 --a------ c:\windows\wininit.ini
2009-01-02 23:07 . 2009-01-02 23:07 <DIR> d-------- c:\program files\AudioConverter Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 01:10 --------- d-----w c:\program files\McAfee
2009-01-12 20:46 --------- d-----w c:\documents and settings\Amy\Application Data\uTorrent
2009-01-10 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 05:59 --------- d-----w c:\program files\Java
2009-01-09 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-09 06:24 --------- d-----w c:\program files\AVSMedia
2009-01-09 06:23 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-09 06:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-09 06:16 --------- d-----w c:\program files\Vstplugins
2009-01-09 06:16 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2009-01-07 21:53 --------- d-----w c:\program files\Google
2009-01-07 21:51 --------- d-----w c:\program files\Semagic
2009-01-06 06:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-06 00:23 --------- d-----w c:\program files\Avidemux 2.4
2008-12-14 20:48 --------- d-----w c:\documents and settings\Amy\Application Data\gtk-2.0
2008-12-09 19:54 --------- d-----w c:\program files\eMule++
2008-12-07 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2008-12-07 04:22 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-29 21:40 --------- d-----w c:\documents and settings\Amy\Application Data\SopCast
2008-11-21 13:42 --------- d-----w c:\program files\Replay Media Catcher
2007-02-03 00:45 87,608 ----a-w c:\documents and settings\Amy\Application Data\ezpinst.exe
2007-02-03 00:45 47,360 ----a-w c:\documents and settings\Amy\Application Data\pcouffin.sys
2005-05-14 00:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 18:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r c:\windows\x2.64.exe
2005-07-14 19:31 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2007-02-18 04:22 104 --sh--w c:\windows\system32\BA3018150B.sys
2005-06-26 22:32 616,448 --sha-w c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-w c:\windows\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2007-02-18 04:22 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys
2006-04-27 17:24 2,945,024 --sha-w c:\windows\system32\Smab.dll
2005-02-28 20:16 240,128 --sha-w c:\windows\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

2005-05-25 11:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-10 03:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2006-02-13 12:38 359808 7ce34770a87af430ad41e7e8afd39864 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 18:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2007-02-08 01:15 359808 8d8949936913b041c6a0e184fbf1030b c:\windows\system32\dllcache\TCPIP.SYS
2007-02-08 01:15 359808 8d8949936913b041c6a0e184fbf1030b c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ProtoWall"="c:\program files\Bluetack\ProtoWall\ProtoWall.exe" [2006-04-17 737280]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-14 155648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-17 184320]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\Amy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2005-12-22 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-19 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lthwqh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.mjpg"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.956\686\tabdec.dll
"VIDC.MFZ0"= MyFlashZip0.ax
"vidc.CDVC"= cdvccodc.dll
"VIDC.LAGS"= lagarith.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.x264"= x264vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
"c:\\files\\torrents\\old\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-01-01 23296]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R4 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-11-11 31872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{300E1A90-B51D-174A-0208-010407000508}]
c:\windows\system32\vmst32.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-13 c:\windows\Tasks\thoylfei.job
- c:\windows\system32\rundll32.exe [2004-08-10 03:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1F05A15D-B65F-4709-BB8E-FB06AD3220A2} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
Trusted Zone: toolbar.imageshack.us
Trusted Zone: www.pandasoftware.com

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\icwubrst.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 17:36:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-5423089-1823181601-2363028086-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2530D6D2-10FE-6F7C-2B12-67868A80DBD7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajgllclfdbclfkoph"=hex:64,61,69,65,63,67,66,61,00,50
"iaffllbcfhfhickojl"=hex:6b,61,69,65,69,67,63,66,68,65,61,63,63,6c,6b,61,65,6b,
6f,64,61,6e,00,00
"halffldfoapeijmn"=hex:6a,61,6a,65,6a,66,64,67,68,6f,64,6b,6a,6f,61,68,63,62,
6b,63,00,fd
"eanfljajpe"=hex:61,62,67,66,69,6c,65,6f,63,6f,69,65,6b,6c,6f,66,70,70,61,6f,
63,6f,64,6a,68,6c,6f,61,61,69,6d,64,63,6f,00,00
"cakgfl"=hex:6f,61,66,65,70,6b,70,66,62,6a,64,6d,67,6b,69,6a,62,6c,6e,63,69,66,
68,6c,65,67,6b,64,6b,65,00,00

[HKEY_USERS\S-1-5-21-5423089-1823181601-2363028086-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A18DD88-E40B-DF2A-0DE6-6DEBC773B6B7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacnoinmodgopadidm"=hex:69,61,6c,69,70,6b,70,69,6f,6f,6c,61,63,6d,63,66,6a,63,
00,00
"hammalnfbhfmkbam"=hex:69,61,6c,69,70,6b,70,69,6f,6f,6c,61,63,6d,63,66,6a,63,
00,00
"hagoijnnaoojngbd"=hex:6b,61,6c,70,69,6d,6e,65,70,65,6d,65,70,6b,69,67,6b,6e,
63,70,68,62,00,00
"hagoijnnlpbiedgh"=hex:70,62,6c,6f,65,61,69,62,62,68,6e,70,66,69,6a,64,6f,70,
6d,63,62,69,61,6a,65,6b,69,65,70,69,6c,70,63,69,6f,6b,67,6d,64,64,62,6c,61,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:63,9f,12,b2,7b,ab,02,aa,ff,c5,32,0f,4b,eb,83,fb,b5,4d,c1,5c,3d,
fd,c9,fb,c3,65,53,13,99,74,3c,4e,d9,0a,89,c6,2c,8e,cf,d6,58,6d,22,9a,16,c9,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:63,9f,12,b2,7b,ab,02,aa,ff,c5,32,0f,4b,eb,83,fb,b5,4d,c1,5c,3d,
fd,c9,fb,c3,65,53,13,99,74,3c,4e,d9,0a,89,c6,2c,8e,cf,d6,58,6d,22,9a,16,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\sdpasvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\docume~1\Amy\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-12 17:41:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 01:41:31

Pre-Run: 7,683,764,224 bytes free
Post-Run: 7,585,009,664 bytes free

311 --- E O F --- 2007-06-22 09:35:58

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 13 January 2009 - 04:54 AM

Hello Amy79,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
c:\windows\system32\vmst32.exe
c:\windows\Tasks\thoylfei.job
RegNull::
[HKEY_USERS\S-1-5-21-5423089-1823181601-2363028086-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2530D6D2-10FE-6F7C-2B12-67868A80DBD7}*]
[HKEY_USERS\S-1-5-21-5423089-1823181601-2363028086-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A18DD88-E40B-DF2A-0DE6-6DEBC773B6B7}*]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{300E1A90-B51D-174A-0208-010407000508}]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 Amy79

Amy79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 13 January 2009 - 04:01 PM

OK, here is the Combofix log from the script...



ComboFix 09-01-11.04 - Amy 2009-01-13 2:19:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1465 [GMT -8:00]
Running from: c:\documents and settings\Amy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\vmst32.exe
c:\windows\Tasks\thoylfei.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\thoylfei.job

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-09 21:59 . 2009-01-09 21:59 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 17:05 . 2009-01-09 17:05 <DIR> d-------- c:\program files\Adblock Pro
2009-01-09 17:05 . 2009-01-09 17:05 <DIR> d-------- c:\documents and settings\Amy\Application Data\Adblock Pro
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\documents and settings\Amy\Application Data\Malwarebytes
2009-01-07 17:20 . 2009-01-07 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 17:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 17:20 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:05 . 2009-01-07 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\documents and settings\Amy\Application Data\SUPERAntiSpyware.com
2009-01-06 01:41 . 2009-01-06 01:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 01:40 . 2009-01-06 01:40 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-06 01:24 . 2009-01-08 22:17 <DIR> d-------- c:\program files\Panda Security
2009-01-06 00:20 . 2009-01-06 00:20 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 22:29 . 2009-01-05 22:29 95 --a------ c:\windows\wininit.ini
2009-01-02 23:07 . 2009-01-02 23:07 <DIR> d-------- c:\program files\AudioConverter Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 10:15 --------- d-----w c:\documents and settings\Amy\Application Data\uTorrent
2009-01-13 01:10 --------- d-----w c:\program files\McAfee
2009-01-10 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 05:59 --------- d-----w c:\program files\Java
2009-01-09 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-09 06:24 --------- d-----w c:\program files\AVSMedia
2009-01-09 06:23 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-09 06:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-09 06:16 --------- d-----w c:\program files\Vstplugins
2009-01-09 06:16 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2009-01-07 21:53 --------- d-----w c:\program files\Google
2009-01-07 21:51 --------- d-----w c:\program files\Semagic
2009-01-06 06:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-06 00:23 --------- d-----w c:\program files\Avidemux 2.4
2008-12-14 20:48 --------- d-----w c:\documents and settings\Amy\Application Data\gtk-2.0
2008-12-09 19:54 --------- d-----w c:\program files\eMule++
2008-12-07 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2008-12-07 04:22 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-29 21:40 --------- d-----w c:\documents and settings\Amy\Application Data\SopCast
2008-11-21 13:42 --------- d-----w c:\program files\Replay Media Catcher
2008-10-19 20:47 61,208 ----a-w c:\windows\system32\x264vfw-uninstall.exe
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2007-02-03 00:45 87,608 ----a-w c:\documents and settings\Amy\Application Data\ezpinst.exe
2007-02-03 00:45 47,360 ----a-w c:\documents and settings\Amy\Application Data\pcouffin.sys
2005-05-14 00:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 18:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r c:\windows\x2.64.exe
2005-07-14 19:31 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2007-02-18 04:22 104 --sh--w c:\windows\system32\BA3018150B.sys
2005-06-26 22:32 616,448 --sha-w c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-w c:\windows\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2007-02-18 04:22 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys
2006-04-27 17:24 2,945,024 --sha-w c:\windows\system32\Smab.dll
2005-02-28 20:16 240,128 --sha-w c:\windows\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

2005-05-25 11:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-10 03:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2006-02-13 12:38 359808 7ce34770a87af430ad41e7e8afd39864 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 18:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2007-02-08 01:15 359808 8d8949936913b041c6a0e184fbf1030b c:\windows\system32\dllcache\TCPIP.SYS
2007-02-08 01:15 359808 8d8949936913b041c6a0e184fbf1030b c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2009-01-12_17.40.22.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-13 01:17:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-13 05:45:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-13 01:17:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-13 05:45:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-13 01:17:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-13 05:45:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ProtoWall"="c:\program files\Bluetack\ProtoWall\ProtoWall.exe" [2006-04-17 737280]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-14 155648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-17 184320]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\Amy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2005-12-22 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-19 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.mjpg"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.956\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.956\686\tabdec.dll
"VIDC.MFZ0"= MyFlashZip0.ax
"vidc.CDVC"= cdvccodc.dll
"VIDC.LAGS"= lagarith.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.x264"= x264vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\files\\torrents\\utorrent.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
"c:\\files\\torrents\\old\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\files\\torrents\\utorrentold.exe"=
"c:\\Program Files\\eMule++\\emule.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Amy\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrentnew\\uTorrent.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-01-01 23296]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R4 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-11-11 31872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
Trusted Zone: toolbar.imageshack.us
Trusted Zone: www.pandasoftware.com

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\icwubrst.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 02:21:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:63,9f,12,b2,7b,ab,02,aa,ff,c5,32,0f,4b,eb,83,fb,b5,4d,c1,5c,3d,
fd,c9,fb,c3,65,53,13,99,74,3c,4e,d9,0a,89,c6,2c,8e,cf,d6,58,6d,22,9a,16,c9,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:63,9f,12,b2,7b,ab,02,aa,ff,c5,32,0f,4b,eb,83,fb,b5,4d,c1,5c,3d,
fd,c9,fb,c3,65,53,13,99,74,3c,4e,d9,0a,89,c6,2c,8e,cf,d6,58,6d,22,9a,16,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-13 2:24:11
ComboFix-quarantined-files.txt 2009-01-13 10:23:38
ComboFix2.txt 2009-01-13 01:41:38

Pre-Run: 7,550,410,752 bytes free
Post-Run: 7,538,180,096 bytes free

283 --- E O F --- 2007-06-22 09:35:58







And the current DDS...


DDS (Version 1.1.0) - NTFSx86
Run by Amy at 12:31:47.53 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1504 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Amy\LOCALS~1\Temp\clclean.0001
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Adblock Pro: {f385c231-605b-4d8f-aca9-dbff765bbe17} - c:\program files\adblock pro\AdblockPro.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\program files\imacros\imacros.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ProtoWall] c:\program files\bluetack\protowall\ProtoWall.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\WebshotsTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Block This Image (ABP) - c:\program files\adblock pro\blockimg.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\adblock pro\AdblockPro.dll
Trusted Zone: imageshack.us\toolbar
Trusted Zone: pandasoftware.com\www
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amy\applic~1\mozilla\firefox\profiles\icwubrst.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-11 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-11 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-11 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-11 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-11 40488]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-1 23296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-11 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-11 144704]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-11 33832]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-11-11 31872]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-13 02:18 <DIR> --d----- C:\ComboFix
2009-01-12 17:29 161,792 a------- c:\windows\SWREG.exe
2009-01-12 17:29 98,816 a------- c:\windows\sed.exe
2009-01-10 12:51 <DIR> a-dshr-- C:\cmdcons
2009-01-09 21:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-09 17:05 <DIR> --d----- c:\program files\Adblock Pro
2009-01-09 17:05 <DIR> --d----- c:\docume~1\amy\applic~1\Adblock Pro
2009-01-07 17:20 <DIR> --d----- c:\docume~1\amy\applic~1\Malwarebytes
2009-01-07 17:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 17:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 17:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 01:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 01:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 01:41 <DIR> --d----- c:\docume~1\amy\applic~1\SUPERAntiSpyware.com
2009-01-06 01:40 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 01:24 <DIR> --d----- c:\program files\Panda Security
2009-01-06 00:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 22:29 95 a------- c:\windows\wininit.ini
2009-01-02 23:07 <DIR> --d----- c:\program files\AudioConverter Studio

==================== Find3M ====================

2008-10-19 12:47 61,208 a------- c:\windows\system32\x264vfw-uninstall.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-02-02 16:45 87,608 a------- c:\docume~1\amy\applic~1\ezpinst.exe
2007-02-02 16:45 47,360 a------- c:\docume~1\amy\applic~1\pcouffin.sys
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-07-14 11:31 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-02-17 20:22 104 ---sh--- c:\windows\system32\BA3018150B.sys
2005-06-26 14:32 616,448 a--sh--- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--sh--- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2007-02-17 20:22 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2006-04-27 09:24 2,945,024 a--sh--- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--sh--- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 12:32:47.18 ===============

Edited by Amy79, 13 January 2009 - 04:02 PM.


#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 13 January 2009 - 05:28 PM

Looking good now, Amy79 :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

No more problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#11 Amy79

Amy79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 13 January 2009 - 07:43 PM

Thanks so much for your help! Everything seems to be OK.

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:41 PM

Posted 14 January 2009 - 09:59 AM

Glad we could help, Amy79 :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users