
Possible Root Kit Virus Infection Need Help Removing



#1 jaszd

Posted 06 March 2009 - 12:12 PM

Good morning!
I am new to this site and the forum....I am hoping someone can help me with my computer issues....the other personal issues I have are beyond help or medication!

I am running Windows XP Pro SP3 on a Dell system (optiplex 3800) that was my old work machine (prior to the company going bankrupt...my severance package I guess). It was a networked machine and I have had it at home as a home computer for a year now (no home network) and it has been operating fine until just recently. Started when I attempted to run a virus scan using Super Antispyware....system would give the Blue Screen of death telling me there was a page fault on a non paged area. I updated the BIOS and still the problems. I started to experience other operational problems with other software. Internet was no longer functional with either IE or Firefox. I started to look at Rootkit virus software and ran several programs and then came across Combofix. Things started to look up when I ran RegRun and it was identifying some of the .exe files that were infected. It supposedly fixed things and everything went back to normal....well for a few days. I now have an issue when I connect to the internet as the system will re-boot shortly after connecting. I ran a winsock fix that did nothing.....then tried replacing userinit.exe as it was an infected file.....that enabled me to now run Super Antispyware and not get a blue screen. The internet still causes the machine to re-boot so before I left the machine and kicked it this morning I ran Combofix and have the log as follows:

I am trying to think if I have missed any other things that I have attempted to do........I have followed some other advice to no avail....defrag!!!....checkdisk......numerous other spyware programs that have done nothing other than tell me the machine was fine. I think the virus came with a MCH piece of downloaded software for converting .avi files. Hope someone can help. I am using my work machine so my responses may be limited as the weekend is upon us.....any help would be so welcome and appreciated.


ComboFix 09-03-04.01 - SteveJ 2009-03-06 0:20:37.11 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.990.666 [GMT -5:00]
Running from: c:\documents and settings\stevej\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\stevej\userinit.exe
c:\windows\system32\drivers\ntndis.sys

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RESTORE
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-05 23:44 . 2009-03-05 23:44 33,280 --a------ c:\windows\system32\1B.tm_
2009-03-05 22:04 . 2009-03-05 22:07 161,792 --a------ c:\windows\system32\EF.tmp
2009-03-05 22:04 . 2009-03-05 22:04 124 --a------ c:\windows\system32\EE.tmp
2009-03-05 22:01 . 2009-03-05 22:01 161,792 --a------ c:\windows\system32\ED.tmp
2009-03-05 22:01 . 2009-03-05 22:01 124 --a------ c:\windows\system32\EC.tmp
2009-03-05 21:50 . 2009-03-05 06:54 2,932,444 --a------ c:\documents and settings\stevej\ComboFix.exe
2009-03-05 21:44 . 2009-03-05 21:45 161,792 --a------ c:\windows\system32\EB.tmp
2009-03-05 21:44 . 2009-03-05 21:44 124 --a------ c:\windows\system32\EA.tmp
2009-03-05 21:41 . 2009-03-05 21:41 161,792 --a------ c:\windows\system32\E9.tmp
2009-03-05 21:41 . 2009-03-05 21:41 124 --a------ c:\windows\system32\E7.tmp
2009-03-05 21:38 . 2009-03-05 21:38 161,792 --a------ c:\windows\system32\E6.tmp
2009-03-05 21:38 . 2009-03-05 21:38 124 --a------ c:\windows\system32\E4.tmp
2009-03-05 21:36 . 2008-04-14 05:42 26,112 --a------ c:\windows\system32\userinit.ex_
2009-03-05 21:24 . 2009-03-05 21:24 25,601 --a------ c:\windows\system32\E8.tmp
2009-03-05 21:21 . 2009-03-05 21:23 161,792 --a------ c:\windows\system32\E3.tmp
2009-03-05 21:21 . 2009-03-05 21:21 124 --a------ c:\windows\system32\E2.tmp
2009-03-05 21:17 . 2009-03-05 21:17 25,601 --a------ c:\windows\system32\E5.tmp
2009-03-05 21:14 . 2009-03-05 21:17 161,792 --a------ c:\windows\system32\E0.tmp
2009-03-05 21:14 . 2009-03-05 21:14 124 --a------ c:\windows\system32\DF.tmp
2009-03-05 21:11 . 2009-03-05 21:11 25,601 --a------ c:\windows\system32\E1.tmp
2009-03-05 21:08 . 2009-03-05 21:11 161,792 --a------ c:\windows\system32\DE.tmp
2009-03-05 21:08 . 2009-03-05 21:08 124 --a------ c:\windows\system32\DC.tmp
2009-03-05 21:00 . 2009-03-05 21:00 24,577 --a------ c:\windows\system32\DD.tmp
2009-03-05 20:57 . 2009-03-05 21:00 162,304 --a------ c:\windows\system32\DB.tmp
2009-03-05 20:57 . 2009-03-05 20:57 124 --a------ c:\windows\system32\D9.tmp
2009-03-05 20:54 . 2009-03-05 20:54 24,577 --a------ c:\windows\system32\DA.tmp
2009-03-05 20:52 . 2009-03-05 20:54 162,304 --a------ c:\windows\system32\D8.tmp
2009-03-05 20:52 . 2009-03-05 20:52 124 --a------ c:\windows\system32\D6.tmp
2009-03-05 20:49 . 2009-03-05 20:49 162,304 --a------ c:\windows\system32\D5.tmp
2009-03-05 20:49 . 2009-03-05 20:49 24,577 --a------ c:\windows\system32\D7.tmp
2009-03-05 20:49 . 2009-03-05 20:49 124 --a------ c:\windows\system32\D3.tmp
2009-03-05 20:46 . 2009-03-05 20:46 162,304 --a------ c:\windows\system32\D2.tmp
2009-03-05 20:46 . 2009-03-05 20:46 24,577 --a------ c:\windows\system32\D4.tmp
2009-03-05 20:46 . 2009-03-05 20:46 124 --a------ c:\windows\system32\D0.tmp
2009-03-05 20:44 . 2009-03-05 20:44 24,577 --a------ c:\windows\system32\D1.tmp
2009-03-05 20:41 . 2009-03-05 20:44 162,304 --a------ c:\windows\system32\CF.tmp
2009-03-05 20:41 . 2009-03-05 20:41 124 --a------ c:\windows\system32\CD.tmp
2009-03-05 20:38 . 2009-03-05 20:38 24,577 --a------ c:\windows\system32\CE.tmp
2009-03-05 20:35 . 2009-03-05 20:38 162,304 --a------ c:\windows\system32\CB.tmp
2009-03-05 20:35 . 2009-03-05 20:35 124 --a------ c:\windows\system32\CA.tmp
2009-03-05 20:32 . 2009-03-05 20:32 24,577 --a------ c:\windows\system32\CC.tmp
2009-03-05 20:29 . 2009-03-05 20:32 162,304 --a------ c:\windows\system32\C9.tmp
2009-03-05 20:29 . 2009-03-05 20:29 124 --a------ c:\windows\system32\C7.tmp
2009-03-05 20:21 . 2009-03-05 20:21 11,293 --a------ c:\windows\system32\C8.tmp
2009-03-05 20:21 . 2009-03-05 20:21 124 --a------ c:\windows\system32\C6.tmp
2009-03-05 20:10 . 2009-03-05 20:12 162,304 --a------ c:\windows\system32\C4.tmp
2009-03-05 20:10 . 2009-03-05 20:10 124 --a------ c:\windows\system32\C0.tmp
2009-03-05 20:07 . 2009-03-05 20:07 24,577 --a------ c:\windows\system32\C1.tmp
2009-03-05 20:04 . 2009-03-05 20:06 162,304 --a------ c:\windows\system32\BE.tmp
2009-03-05 20:04 . 2009-03-05 20:04 124 --a------ c:\windows\system32\E.tmp
2009-03-05 20:01 . 2009-03-05 20:01 24,577 --a------ c:\windows\system32\BC.tmp
2009-03-05 19:58 . 2009-03-05 20:01 162,304 --a------ c:\windows\system32\C.tmp
2009-03-05 19:58 . 2009-03-05 19:58 124 --a------ c:\windows\system32\5.tmp
2009-03-05 19:52 . 2009-03-05 19:52 124 --a------ c:\windows\system32\8.tmp
2009-03-05 07:33 . 2009-03-05 07:33 161,792 --a------ c:\windows\system32\BF.tmp
2009-03-05 07:33 . 2009-03-05 07:33 124 --a------ c:\windows\system32\BA.tmp
2009-03-05 07:30 . 2009-03-05 07:30 161,792 --a------ c:\windows\system32\BD.tmp
2009-03-05 07:30 . 2009-03-05 07:30 124 --a------ c:\windows\system32\B8.tmp
2009-03-05 07:27 . 2009-03-05 07:27 161,792 --a------ c:\windows\system32\BB.tmp
2009-03-05 07:27 . 2009-03-05 07:27 124 --a------ c:\windows\system32\B6.tmp
2009-03-05 07:24 . 2009-03-05 07:24 161,792 --a------ c:\windows\system32\B9.tmp
2009-03-05 07:24 . 2009-03-05 07:24 124 --a------ c:\windows\system32\B4.tmp
2009-03-05 07:22 . 2009-03-05 07:22 161,792 --a------ c:\windows\system32\B7.tmp
2009-03-05 07:22 . 2009-03-05 07:22 124 --a------ c:\windows\system32\B2.tmp
2009-03-05 07:19 . 2009-03-05 07:19 161,792 --a------ c:\windows\system32\B5.tmp
2009-03-05 07:19 . 2009-03-05 07:19 124 --a------ c:\windows\system32\B0.tmp
2009-03-05 07:16 . 2009-03-05 07:16 161,792 --a------ c:\windows\system32\B3.tmp
2009-03-05 07:16 . 2009-03-05 07:16 124 --a------ c:\windows\system32\AE.tmp
2009-03-05 07:11 . 2009-03-05 07:13 161,792 --a------ c:\windows\system32\B1.tmp
2009-03-05 07:11 . 2009-03-05 07:11 124 --a------ c:\windows\system32\AC.tmp
2009-03-05 07:05 . 2009-03-05 07:08 161,792 --a------ c:\windows\system32\AF.tmp
2009-03-05 07:05 . 2009-03-05 07:05 124 --a------ c:\windows\system32\AB.tmp
2009-03-05 07:02 . 2009-03-05 07:02 162,304 --a------ c:\windows\system32\AD.tmp
2009-03-05 07:01 . 2009-03-05 07:01 124 --a------ c:\windows\system32\A8.tmp
2009-03-05 06:58 . 2009-03-05 06:58 162,304 --a------ c:\windows\system32\AA.tmp
2009-03-05 06:58 . 2009-03-05 06:58 25,601 --a------ c:\windows\system32\A9.tmp
2009-03-05 06:58 . 2009-03-05 06:58 124 --a------ c:\windows\system32\A3.tmp
2009-03-05 06:53 . 2009-03-05 06:55 162,304 --a------ c:\windows\system32\A7.tmp
2009-03-05 06:53 . 2009-03-05 06:53 25,601 --a------ c:\windows\system32\A5.tmp
2009-03-05 06:53 . 2009-03-05 06:53 124 --a------ c:\windows\system32\9D.tmp
2009-03-05 06:51 . 2009-03-05 06:51 162,304 --a------ c:\windows\system32\A1.tmp
2009-03-05 06:51 . 2009-03-05 06:51 25,601 --a------ c:\windows\system32\A0.tmp
2009-03-05 06:50 . 2009-03-05 06:51 124 --a------ c:\windows\system32\9C.tmp
2009-03-05 06:45 . 2009-03-05 06:47 162,304 --a------ c:\windows\system32\9F.tmp
2009-03-05 06:45 . 2009-03-05 06:45 25,601 --a------ c:\windows\system32\9E.tmp
2009-03-04 20:53 . 2009-03-04 20:56 162,304 --a------ c:\windows\system32\9B.tmp
2009-03-04 20:53 . 2009-03-04 20:53 24,577 --a------ c:\windows\system32\9A.tmp
2009-03-04 20:53 . 2009-03-04 20:53 84 --a------ c:\windows\system32\98.tmp
2009-03-04 20:45 . 2009-03-04 20:45 24,577 --a------ c:\windows\system32\8A.tmp
2009-03-04 20:40 . 2009-03-04 20:43 162,304 --a------ c:\windows\system32\F.tmp
2009-03-04 20:28 . 2009-03-04 20:30 113,533 --a------ c:\windows\system32\D.tmp
2009-03-04 20:28 . 2009-03-04 20:28 84 --a------ c:\windows\system32\B.tmp
2009-03-04 20:23 . 2009-03-04 20:26 162,304 --a------ c:\windows\system32\A.tmp
2009-03-04 20:23 . 2009-03-04 20:23 84 --a------ c:\windows\system32\3.tmp
2009-03-04 20:09 . 2009-03-04 20:09 84 --a------ c:\windows\system32\7.tmp
2009-03-04 20:04 . 2009-03-04 20:04 84 --a------ c:\windows\system32\4.tmp
2009-03-04 05:55 . 2009-03-05 23:44 136,128 --a------ c:\windows\system32\drivers\ethkhwmj.sys
2009-03-04 05:52 . 2009-03-04 05:52 <DIR> d-------- c:\documents and settings\stevej\Application Data\comidle
2009-03-04 05:52 . 2009-03-04 05:52 2,560 --a------ c:\windows\system32\SVSHOST.del
2009-03-04 05:52 . 2009-03-04 05:52 128 --a------ c:\windows\system32\81.tmp
2009-02-28 16:40 . 2009-03-05 22:36 <DIR> d-------- c:\program files\Any Video Converter
2009-02-28 16:40 . 2009-03-05 22:36 <DIR> d-------- c:\documents and settings\stevej\Application Data\Any Video Converter
2009-02-28 15:32 . 2009-02-28 15:42 <DIR> d-------- c:\documents and settings\stevej\Application Data\gtk-2.0
2009-02-25 06:55 . 2009-02-25 06:55 35,840 --a------ c:\windows\system32\RS32NET.del
2009-02-25 06:50 . 2009-02-25 06:50 30,848 --a------ c:\windows\system32\drivers\TAWQKQRAX.SYS.del
2009-02-24 23:41 . 2009-03-02 01:55 <DIR> d-------- c:\documents and settings\stevej\Application Data\avidemux
2009-02-23 02:55 . 2009-02-23 02:56 37,888 --a------ c:\windows\system32\96.tmp
2009-02-23 02:55 . 2009-02-23 02:55 168 --a------ c:\windows\system32\91.tmp
2009-02-23 02:44 . 2009-02-23 02:44 168 --a------ c:\windows\system32\86.tmp
2009-02-23 01:48 . 2009-02-23 01:48 37,376 --a------ c:\windows\system32\99.tmp
2009-02-23 01:48 . 2009-02-23 01:48 168 --a------ c:\windows\system32\95.tmp
2009-02-23 01:13 . 2009-02-23 01:13 67,585 --a------ c:\windows\system32\8D.tmp
2009-02-23 01:13 . 2009-02-23 01:14 37,376 --a------ c:\windows\system32\8F.tmp
2009-02-23 01:13 . 2009-02-23 01:13 24,577 --a------ c:\windows\system32\8C.tmp
2009-02-23 01:13 . 2009-02-23 01:13 168 --a------ c:\windows\system32\8B.tmp
2009-02-23 00:56 . 2009-02-23 00:56 168 --a------ c:\windows\system32\84.tmp
2009-02-23 00:41 . 2009-02-23 00:41 168 --a------ c:\windows\system32\83.tmp
2009-02-23 00:37 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-02-22 23:40 . 2009-02-22 23:40 <DIR> d-------- c:\program files\Uniblue
2009-02-22 23:40 . 2009-02-22 23:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-22 23:26 . 2009-02-22 23:26 67,585 --a------ c:\windows\system32\81.del
2009-02-22 23:20 . 2009-02-22 23:20 <DIR> dr-hs---- C:\desktop.ini
2009-02-22 23:20 . 2009-02-22 23:20 <DIR> dr-hs---- C:\comment.htt
2009-02-22 22:44 . 2009-02-22 22:45 36,864 --a------ c:\windows\system32\82.tmp
2009-02-22 22:44 . 2009-02-22 22:44 24,577 --a------ c:\windows\system32\7E.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 04:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-06 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 12:36 --------- d-----w c:\program files\Google
2009-03-02 06:35 --------- d-----w c:\documents and settings\stevej\Application Data\uTorrent
2009-02-26 01:29 --------- d-----w c:\program files\WinRAR 3.80 Beta 1
2009-02-22 21:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 01:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-20 12:25 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-20 12:25 --------- d-----w c:\documents and settings\stevej\Application Data\SUPERAntiSpyware.com
2009-02-20 12:24 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-20 01:42 --------- d-----w c:\program files\SpywareBlaster
2009-02-20 01:15 --------- d-----w c:\program files\Common Files\Motive
2009-02-19 04:17 --------- d-----w c:\program files\CCleaner
2009-02-19 01:18 --------- d-----w c:\program files\Gabest
2009-02-18 18:54 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-16 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-16 21:41 --------- d-----w c:\documents and settings\stevej\Application Data\Vso
2009-02-16 17:08 --------- d-----w c:\documents and settings\stevej\Application Data\DVD Flick
2009-02-01 00:53 --------- d-----w c:\documents and settings\stevej\Application Data\LimeWire
2008-06-03 23:11 61,768 -c--a-w c:\documents and settings\stevej\Application Data\GDIPFONTCACHEV1.DAT
2008-03-31 08:43 605,098 -c--a-w c:\program files\Nero 8 Keygen.exe
2008-03-15 03:49 47,360 -c--a-w c:\documents and settings\stevej\Application Data\pcouffin.sys
2007-03-14 12:34 29,224 -c--a-w c:\documents and settings\mattb.THE\Application Data\GDIPFONTCACHEV1.DAT
2008-11-17 17:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111720081118\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 31232 b413aaec5240a8ac2d9d6bff838b6d8e c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31744 f4778d5c9ef8c7abcf9141ac578a7511 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31232 bcbfaa0e6ebe44e800b2ba4116e9aec1 c:\windows\system32\svchost.exe

2004-08-04 06:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-18 13:54 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-18 13:54 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 19:12 1051136 a1ce5b9be7dd29a0ef6ed733f5945c95 c:\windows\explorer.exe
2007-06-13 06:26 1050112 8b7ef2a1dc648675412aac4e5435335c c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 e07960001ed4a47d734af36e003e1760 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 19:12 1051136 b26865b751c333586612ba75cedbd69a c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 06:00 32256 e52dd9fe33ae9bbfa2504a19ba02ac3a c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32768 0ab6cc170121a90464b86915f0b0a900 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32256 ce17a3e6ea64af08fe14689dbb1879d0 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 74752 29fa7f3cb6f087113f5882ed069fcd88 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 74752 d9fa755329815e37b8d77ff348153342 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 19:12 74752 265fc76c903d37ee51006f08575c4a6e c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 75264 0519f5ebcc0f3d17da1dcfa82b8aca8f c:\windows\system32\spoolsv.exe

2004-08-04 06:00 41472 e1e8fe85056eadacde70f156c3606e91 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43520 ac9a9e3e9a9e258b20b076e5e0759a5c c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 b1cd655fcee72ff58d43adda0b1a3db2 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-04-30 864256]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"comidle"="c:\documents and settings\stevej\Application Data\comidle\comidle.exe" [2009-03-04 56832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-02-18 20:41 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3105748248-1265112455-2581138496-1115\Scripts\Logon\0\0]
"Script"=Logon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a--c--- 2008-07-10 08:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-06-24 15:06 1840424 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-07-10 09:51 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-08-18 17:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"SolidWorks Licensing Service"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\vbuzzer\\VBuzzer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-01-04 3456]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-21 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 55024]
S1 ethkhwmj;ethkhwmj;c:\windows\system32\drivers\ethkhwmj.sys [2009-03-04 136128]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-08-25 16512]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [2007-01-17 114944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-02-22 34760]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2007-01-17 11520]
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-03-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 03:20]

2009-03-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 03:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-dbxsfxky.exe - c:\windows\dbxsfxky.exe
HKU-Default-Run-fpodrztw.exe - c:\windows\fpodrztw.exe
HKU-Default-Run-dbxyyloz.exe - c:\windows\dbxyyloz.exe
HKU-Default-Run-rvhtimnz.exe - c:\windows\rvhtimnz.exe
HKU-Default-Run-fpruryzg.exe - c:\windows\fpruryzg.exe
HKU-Default-Run-fprahebp.exe - c:\windows\fprahebp.exe
HKU-Default-Run-jrfuvsyk.exe - c:\windows\jrfuvsyk.exe
HKU-Default-Run-lfzmicdf.exe - c:\windows\lfzmicdf.exe
HKU-Default-Run-hdlvoaiv.exe - c:\windows\hdlvoaiv.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mStart Page = hxxp://ca.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Vbuzzer RSS list - c:\program files\vbuzzer\addurl.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\ic2007pp.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
FF - ProfilePath - c:\documents and settings\stevej\Application Data\Mozilla\Firefox\Profiles\l8l5urdd.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\documents and settings\stevej\Application Data\Mozilla\Firefox\Profiles\l8l5urdd.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 06:51:09
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4201895857-2897844100-554060356-1117\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-03-06 6:55:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 11:55:47
ComboFix2.txt 2009-03-05 22:22:41
ComboFix3.txt 2009-02-27 00:00:24
ComboFix4.txt 2009-02-26 22:44:11
ComboFix5.txt 2009-03-06 05:20:18

Pre-Run: 3,092,172,800 bytes free
Post-Run: 3,090,558,976 bytes free

374


Any help resolving this mess would be greatly appreciated.
Thanks,
Jake



#2 garmanma


Posted 06 March 2009 - 01:56 PM

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum.
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.
The BC Staff
Mark