Rootkit backdoor infection DDS log


This topic is locked
26 replies to this topic

#1 RobiSuicide

  • Members
  • 42 posts

Posted 11 March 2009 - 10:46 AM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Parent at 8:42:03.93 on Wed 03/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.426 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Parent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fptb-msgr
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\parent\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182892836953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: psnsxw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parent\applic~1\mozilla\firefox\profiles\a5uwtev9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\parent\application data\mozilla\firefox\profiles\a5uwtev9.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-23 298264]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-12 603904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 36608]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S0 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-3-10 34760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-7-17 35072]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\71.tmp --> c:\windows\system32\71.tmp [?]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]

=============== Created Last 30 ================

2009-03-10 11:08 <DIR> --d----- c:\program files\Sophos
2009-03-10 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-10 11:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-10 11:06 <DIR> --d----- c:\docume~1\parent\applic~1\SUPERAntiSpyware.com
2009-03-10 01:37 <DIR> --d----- C:\RootkitNO
2009-03-10 01:37 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-03-10 01:37 32,480 a------- c:\windows\system32\Partizan.exe
2009-03-10 01:36 2 a--shrot c:\windows\winstart.bat
2009-03-10 01:36 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 01:36 <DIR> --d----- c:\program files\UnHackMe
2009-03-07 22:33 <DIR> --d----- c:\docume~1\parent\applic~1\id Software
2009-03-07 22:31 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-07 22:31 22,328 a------- c:\docume~1\parent\applic~1\PnkBstrK.sys
2009-03-07 22:30 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-07 22:30 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-07 22:30 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-07 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-03-04 20:42 <DIR> --d----- c:\docume~1\parent\applic~1\MySpace
2009-03-04 20:42 <DIR> --d----- c:\program files\MySpace
2009-02-24 13:19 <DIR> --d----- c:\program files\uTorrent
2009-02-24 13:19 <DIR> --d----- c:\docume~1\parent\applic~1\uTorrent
2009-02-22 21:03 480 a------- c:\windows\system32\tversity.cookies
2009-02-22 20:23 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-02-22 20:23 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-02-22 20:23 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-22 20:23 <DIR> --d----- c:\program files\ffdshow
2009-02-22 20:22 <DIR> --d----- c:\program files\TVersity Codec Pack
2009-02-22 20:20 <DIR> --d----- c:\program files\TVersity
2009-02-19 21:13 <DIR> --d----- c:\documents and settings\parent\Tracing
2009-02-19 20:15 <DIR> --d----- c:\program files\Microsoft
2009-02-19 20:15 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-19 20:12 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-17 16:38 <DIR> --d----- c:\docume~1\parent\applic~1\Unity
2009-02-17 16:35 <DIR> --d----- c:\program files\Unity
2009-02-12 18:36 240 a------- c:\windows\myClean.bat

==================== Find3M ====================

2009-03-10 01:50 93,420 a------- c:\windows\system32\drivers\50B0607C.SYS.del
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-01 12:09 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-01 12:09 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-01 12:08 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-25 11:05 4,096 a------- c:\windows\d3dx.dat
2009-01-12 03:38 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-01-12 03:38 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-01-03 02:04 29,480 a------- c:\windows\system32\msxml3a.dll
2009-01-02 15:37 87,608 a------- c:\docume~1\parent\applic~1\inst.exe
2009-01-02 15:37 47,360 a------- c:\docume~1\parent\applic~1\pcouffin.sys
2008-12-15 23:55 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-12-13 21:33 109,750 a------- c:\windows\hpoins11.dat
2008-12-11 20:03 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 8:42:29.43 ===============


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 March 2009 - 07:28 PM

Hello.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 RobiSuicide

  • Topic Starter
  • Members
  • 42 posts

Posted 20 March 2009 - 10:23 PM

Sadly, I don't have a boot disk, so I can't reinstall and reformat. I tried Windows backup recovery and it would restart, do its thing, and then say it couldn't restore. Also, I can't start up Windows Updates; it says access denied in the services. This was probably caused by the infection. So I really don't know what to do.

Edited by extremeboy, 21 March 2009 - 07:38 AM.
Remove Unnecessary quotes.


#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 21 March 2009 - 07:39 AM

Hello.

I believe you don't want to format then? If so, let's continue. Doing a system restore usually won't work with infections like this.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#5 RobiSuicide

  • Topic Starter
  • Members
  • 42 posts

Posted 21 March 2009 - 11:48 PM

Yeah, reformatting the drive isn't really an option since I don't have the boot disks. Here's the log. Also, let me list the things going on with the computer.
  • Windows Updates is disabled; I can't enable it, access denied.
  • Google links redirect to other pages, so I just copy and paste the links instead.
  • Roadrunner said that I sent them spam from my Roadrunner email (which I didn't know I had) when I started up my Firefox browser a while back. They said they would disable my internet if it kept happening; I had to click a link to turn it back on.
  • Everything else is pretty much fine though; I'm not really having problems with the computer itself.

ComboFix 09-03-19.02 - Parent 2009-03-21 21:35:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.459 [GMT -7:00]
Running from: c:\documents and settings\Parent\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Parent\Application Data\inst.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-19 23:00 . 2009-03-19 23:00 <DIR> d-------- c:\program files\Logitech
2009-03-19 23:00 . 2009-03-19 23:00 0 --a------ C:\Debug.QC6
2009-03-19 18:19 . 2009-03-19 18:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-16 23:31 . 2009-03-16 23:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-14 22:45 . 2009-03-14 22:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\MediaMall
2009-03-10 11:08 . 2009-03-10 11:08 <DIR> d-------- c:\program files\Sophos
2009-03-10 11:06 . 2009-03-16 23:31 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-10 11:06 . 2009-03-10 11:06 <DIR> d-------- c:\documents and settings\Parent\Application Data\SUPERAntiSpyware.com
2009-03-10 01:37 . 2009-03-11 19:37 <DIR> d-------- C:\RootkitNO
2009-03-10 01:37 . 2009-03-10 01:37 34,760 --a------ c:\windows\system32\drivers\Partizan.sys
2009-03-10 01:37 . 2009-03-10 01:37 32,480 --a------ c:\windows\system32\Partizan.exe
2009-03-10 01:36 . 2009-03-10 01:37 <DIR> d-------- c:\program files\UnHackMe
2009-03-10 01:36 . 2008-12-22 15:56 12,752 --a------ c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 01:36 . 2009-03-10 01:36 (2) -rahs-ot- c:\windows\winstart.bat
2009-03-07 22:33 . 2009-03-07 22:33 <DIR> d-------- c:\documents and settings\Parent\Application Data\id Software
2009-03-07 22:31 . 2009-03-07 22:31 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-07 22:31 . 2009-03-07 22:31 22,328 --a------ c:\documents and settings\Parent\Application Data\PnkBstrK.sys
2009-03-07 22:30 . 2009-03-07 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-03-07 22:30 . 2009-03-07 22:30 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-07 22:30 . 2009-03-07 22:31 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-07 22:30 . 2009-03-07 22:30 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-05 10:19 . 2009-03-05 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-04 20:42 . 2009-03-05 10:18 <DIR> d-------- c:\program files\MySpace
2009-03-04 20:42 . 2009-03-04 20:42 <DIR> d-------- c:\documents and settings\Parent\Application Data\MySpace
2009-02-24 13:19 . 2009-02-24 13:19 <DIR> d-------- c:\program files\uTorrent
2009-02-24 13:19 . 2009-03-04 11:43 <DIR> d-------- c:\documents and settings\Parent\Application Data\uTorrent
2009-02-22 21:03 . 2009-03-19 04:04 480 --a------ c:\windows\system32\tversity.cookies
2009-02-22 20:23 . 2009-02-22 20:23 <DIR> d-------- c:\program files\ffdshow
2009-02-22 20:23 . 2007-12-24 14:47 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-02-22 20:23 . 2007-11-29 13:52 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-22 20:22 . 2009-02-22 20:24 <DIR> d-------- c:\program files\TVersity Codec Pack
2009-02-22 20:20 . 2009-02-22 20:20 <DIR> d-------- c:\program files\TVersity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 22:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-20 01:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-20 01:18 --------- d-----w c:\program files\Java
2009-03-10 18:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-09 00:06 --------- d-----w c:\documents and settings\Parent\Application Data\LimeWire
2009-03-05 17:22 --------- d-----w c:\program files\Common Files\Adobe
2009-03-05 17:18 --------- d-----w c:\program files\Yahoo!
2009-03-05 01:11 --------- d-----w c:\documents and settings\Parent\Application Data\Vso
2009-03-03 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-24 20:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 20:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2009-02-20 03:15 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-20 03:15 --------- d-----w c:\program files\Windows Live
2009-02-20 03:15 --------- d-----w c:\program files\Microsoft
2009-02-20 03:12 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-17 23:38 --------- d-----w c:\documents and settings\Parent\Application Data\Unity
2009-02-17 23:35 --------- d-----w c:\program files\Unity
2009-02-12 01:13 --------- d-----w c:\program files\FriendBlasterPro
2009-02-11 21:07 --------- d-----w c:\program files\My Friends Manager
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-02-08 15:49 --------- d-----w c:\program files\THQ
2009-02-07 20:45 --------- d-----w c:\documents and settings\Parent\Application Data\PlayFirst
2009-02-07 20:45 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 02:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-02 15:41 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-02 00:34 --------- d-----w c:\program files\coolpro2
2009-02-01 19:09 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-01 19:09 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-01 19:08 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-25 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-01-25 00:17 --------- d-----w c:\documents and settings\Parent\Application Data\panoramik
2009-01-24 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\DivoGames
2009-01-24 21:39 --------- d-----w c:\documents and settings\Parent\Application Data\Alawar
2009-01-24 21:12 --------- d-----w c:\documents and settings\Parent\Application Data\iWin
2009-01-23 17:01 --------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-01-23 16:33 --------- d-----w c:\documents and settings\Parent\Application Data\ITTNord
2009-01-12 10:38 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-12 10:38 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-01-03 09:04 29,480 ----a-w c:\windows\system32\msxml3a.dll
2009-01-02 22:37 47,360 ----a-w c:\documents and settings\Parent\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-16 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-20 159744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 180269]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]

c:\documents and settings\Parent\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-07-17 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 12:09 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 298264]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-12 603904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 36608]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-03-10 34760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-07-17 35072]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 13:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-msgr
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
FF - ProfilePath - c:\documents and settings\Parent\Application Data\Mozilla\Firefox\Profiles\a5uwtev9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Parent\Application Data\Mozilla\Firefox\Profiles\a5uwtev9.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 21:36:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-21 21:38:39
ComboFix-quarantined-files.txt 2009-03-22 04:38:06

Pre-Run: 36,592,775,168 bytes free
Post-Run: 37,563,490,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

242 --- E O F --- 2009-01-14 11:03:39

Edited by extremeboy, 22 March 2009 - 04:50 PM.
Remove Unnecessary Quotes


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:27 AM

Posted 22 March 2009 - 05:14 PM

Hello.

Okay. Let's see what we can do. A few things you need to be warned about first.

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case Limewire, BitLord and UTorrent). These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

See if using services.msc can start Windows Update. If it doesn't, please show me the error message that you get when you try to enable/start it.

1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.




Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\winstart.bat
    REGNULL:
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
    Folder::
    c:\windows\system32\tversity.cookies
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "5353:TCP"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: dragging CFScript onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Question: Where do you get redirected? When using IE, FF or both? Is there any specific site you get redirected to?

----------------
Post back with:
-Combofix log
-MBAM log
-Is Windows Update working now?
-Answer to my question


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
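As an added example that is not part of extremeboy's post, nor of ComboFix or any other tool named in this thread, the cmd batch script below performs the services.msc steps from the post above from the command line with sc.exe and reg.exe. Before changing anything it prints the details that explain why a service refuses to start: the binary path and, for svchost-hosted services, the ServiceDll value (a missing file there produces a "file not found" error), plus the service's own security descriptor (a stripped DACL produces "Access is denied" even for an administrator). The short service names wuauserv, BITS and Eventlog are assumed to correspond to the display names Automatic Updates, Background Intelligent Transfer Service and Event Log used in the steps.

```batch
@echo off
rem Added example, not code from the thread or from any tool it mentions.
rem Inspect the three services named in the services.msc steps, then apply
rem the startup types those steps ask for. Service names are assumed from
rem the display names: Automatic Updates = wuauserv, BITS = BITS,
rem Event Log = Eventlog. Run from an administrator command prompt.

for %%S in (wuauserv BITS Eventlog) do (
    echo ===== %%S =====
    rem Current run state of the service.
    sc query %%S | findstr /C:"STATE"
    rem Startup type and the binary the Service Control Manager will launch.
    sc qc %%S | findstr /C:"START_TYPE" /C:"BINARY_PATH_NAME"
    rem For svchost-hosted services the real code is the ServiceDll value;
    rem "Error 2: The system cannot find the file specified" usually means
    rem this DLL (or the binary above) is missing from disk.
    reg query HKLM\SYSTEM\CurrentControlSet\Services\%%S\Parameters /v ServiceDll 2>nul
    rem "Access is denied" for an administrator points at the service's own
    rem security descriptor rather than at the logged-on account.
    sc sdshow %%S
    echo.
)

rem Once the paths and descriptors look sane, set the startup types from the
rem steps above (note the mandatory space after "start=") and start them.
sc config wuauserv start= auto
sc config BITS start= demand
sc config Eventlog start= auto
sc start wuauserv
sc start BITS
rem Confirm the result; any failure here is what should be posted back.
sc query wuauserv | findstr /C:"STATE"
sc query BITS | findstr /C:"STATE"
```

The loop prints its findings before the config lines run, so if sc qc shows a binary path that no longer exists, or sc sdshow shows a descriptor with no access granted to administrators, that output can be posted as-is instead of a generic "access denied" report.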

#7 RobiSuicide

RobiSuicide
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 22 March 2009 - 09:31 PM

For the services

Automatic updates: I can't put it on manual or automatic, it says access denied. (Yes, I'm logged in as the administrator for the computer, so it's not that)
BITS: It's set to manual however I can't start it, it says Error 2: The system cannot find the file specified.
Event Log: Enabled and working

So no it's not working.

Your Question

As for the redirecting from Google, it'll show an IP address, then a random ad site. If I click the cached link under the link of the search, it'll let me go to the page, and it usually shows this: 74.125.47.132
I also get a lot of area connect/yellow page redirects from Google. It never happens if I type in something like yahoo in Google and go to Yahoo's main page from there, yet it will happen sometimes if I look up a question on Google, go to a Yahoo Answers page, and get redirected.

Here's the log from the ComboFix script:

ComboFix 09-03-22.01 - Parent 2009-03-22 19:14:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.487 [GMT -7:00]
Running from: c:\documents and settings\Parent\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Parent\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tversity.cookies\
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-22 12:36 . 2009-03-22 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-22 12:06 . 2009-03-22 12:06 <DIR> d-------- c:\program files\Nick Arcade
2009-03-19 23:00 . 2009-03-19 23:00 <DIR> d-------- c:\program files\Logitech
2009-03-19 23:00 . 2009-03-19 23:00 0 --a------ C:\Debug.QC6
2009-03-19 18:19 . 2009-03-19 18:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-16 23:31 . 2009-03-16 23:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-14 22:45 . 2009-03-14 22:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\MediaMall
2009-03-10 11:08 . 2009-03-10 11:08 <DIR> d-------- c:\program files\Sophos
2009-03-10 11:06 . 2009-03-16 23:31 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-10 11:06 . 2009-03-10 11:06 <DIR> d-------- c:\documents and settings\Parent\Application Data\SUPERAntiSpyware.com
2009-03-10 01:37 . 2009-03-11 19:37 <DIR> d-------- C:\RootkitNO
2009-03-10 01:37 . 2009-03-10 01:37 34,760 --a------ c:\windows\system32\drivers\Partizan.sys
2009-03-10 01:37 . 2009-03-10 01:37 32,480 --a------ c:\windows\system32\Partizan.exe
2009-03-10 01:36 . 2009-03-10 01:37 <DIR> d-------- c:\program files\UnHackMe
2009-03-10 01:36 . 2008-12-22 15:56 12,752 --a------ c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-07 22:33 . 2009-03-07 22:33 <DIR> d-------- c:\documents and settings\Parent\Application Data\id Software
2009-03-07 22:31 . 2009-03-07 22:31 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-07 22:31 . 2009-03-07 22:31 22,328 --a------ c:\documents and settings\Parent\Application Data\PnkBstrK.sys
2009-03-07 22:30 . 2009-03-07 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-03-07 22:30 . 2009-03-07 22:30 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-07 22:30 . 2009-03-07 22:31 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-07 22:30 . 2009-03-07 22:30 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-05 10:19 . 2009-03-05 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-04 20:42 . 2009-03-05 10:18 <DIR> d-------- c:\program files\MySpace
2009-03-04 20:42 . 2009-03-04 20:42 <DIR> d-------- c:\documents and settings\Parent\Application Data\MySpace
2009-02-24 13:19 . 2009-02-24 13:19 <DIR> d-------- c:\program files\uTorrent
2009-02-24 13:19 . 2009-03-04 11:43 <DIR> d-------- c:\documents and settings\Parent\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 19:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-22 19:06 --------- d-----w c:\program files\Yahoo!
2009-03-20 01:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-20 01:18 --------- d-----w c:\program files\Java
2009-03-10 18:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-09 00:06 --------- d-----w c:\documents and settings\Parent\Application Data\LimeWire
2009-03-05 17:22 --------- d-----w c:\program files\Common Files\Adobe
2009-03-05 01:11 --------- d-----w c:\documents and settings\Parent\Application Data\Vso
2009-03-03 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-24 20:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 20:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-23 03:24 --------- d-----w c:\program files\TVersity Codec Pack
2009-02-23 03:23 --------- d-----w c:\program files\ffdshow
2009-02-23 03:20 --------- d-----w c:\program files\TVersity
2009-02-21 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2009-02-20 03:15 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-20 03:15 --------- d-----w c:\program files\Windows Live
2009-02-20 03:15 --------- d-----w c:\program files\Microsoft
2009-02-20 03:12 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-17 23:38 --------- d-----w c:\documents and settings\Parent\Application Data\Unity
2009-02-17 23:35 --------- d-----w c:\program files\Unity
2009-02-12 01:13 --------- d-----w c:\program files\FriendBlasterPro
2009-02-11 21:07 --------- d-----w c:\program files\My Friends Manager
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-02-08 15:49 --------- d-----w c:\program files\THQ
2009-02-07 20:45 --------- d-----w c:\documents and settings\Parent\Application Data\PlayFirst
2009-02-07 20:45 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 02:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-02 15:41 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-02 00:34 --------- d-----w c:\program files\coolpro2
2009-02-01 19:09 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-01 19:09 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-01 19:08 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-25 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-01-25 00:17 --------- d-----w c:\documents and settings\Parent\Application Data\panoramik
2009-01-24 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\DivoGames
2009-01-24 21:39 --------- d-----w c:\documents and settings\Parent\Application Data\Alawar
2009-01-24 21:12 --------- d-----w c:\documents and settings\Parent\Application Data\iWin
2009-01-23 17:01 --------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-01-23 16:33 --------- d-----w c:\documents and settings\Parent\Application Data\ITTNord
2009-01-12 10:38 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-12 10:38 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-01-03 09:04 29,480 ----a-w c:\windows\system32\msxml3a.dll
2009-01-02 22:37 47,360 ----a-w c:\documents and settings\Parent\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_21.37.11.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-23 02:08:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-16 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-20 159744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 180269]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]

c:\documents and settings\Parent\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-07-17 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 12:09 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 298264]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-12 603904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 36608]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-03-10 34760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-07-17 35072]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 13:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-msgr
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
FF - ProfilePath - c:\documents and settings\Parent\Application Data\Mozilla\Firefox\Profiles\a5uwtev9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Parent\Application Data\Mozilla\Firefox\Profiles\a5uwtev9.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 19:16:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-22 19:18:25
ComboFix-quarantined-files.txt 2009-03-23 02:17:50
ComboFix2.txt 2009-03-22 04:38:41

Pre-Run: 37,505,220,608 bytes free
Post-Run: 37,495,734,272 bytes free

237 --- E O F --- 2009-01-14 11:03:39




MBAM Scan

Malwarebytes' Anti-Malware 1.34
Database version: 1887
Windows 5.1.2600 Service Pack 2

3/22/2009 7:27:03 PM
mbam-log-2009-03-22 (19-27-03).txt

Scan type: Quick Scan
Objects scanned: 71082
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by extremeboy, 23 March 2009 - 12:01 PM.
Remove Unnecessary Quotes


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:27 AM

Posted 23 March 2009 - 12:06 PM

Hello.

Is it in FF, IE or both?

That IP address you mentioned belongs to Google, so that should be fine.

I will look into the Windows Update problem as well as the Google redirect once I get back. In the meantime run this tool and see if it finds anything and removes anything for you. Reboot your computer afterwards and post back with the log as well as a pair of new DDS logs.

Run GooredFix using Option2 (Removal)

Please download GooredFix and save it to your Desktop.
Alternative Download Mirror #2

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Please double-click Goored.exe on your Desktop to run it.
  • A window will appear; please select 2. (Fix Goored) by typing 2 and pressing Enter.
  • Type Y at the prompt and press Enter. The removal process will begin.
  • A log will open with the file after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop (Goored.txt)

With Regards,
extremeboy

#9 RobiSuicide

RobiSuicide
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 23 March 2009 - 12:19 PM

I'm not really sure if it does it in both, considering I mainly use Firefox. I just tried typing a few different searches in Google, and it didn't redirect me. I don't know if it's just Firefox though, because usually it's random and doesn't happen every time.

Here's the Goored log.

GooredFix v1.92 by jpshortstuff
Log created at 10:14 on 23/03/2009 running Option #2 (Parent)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{B8622AF0-3ACB-4DDB-8E65-EEF560FDE2FC}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

DDS Log


DDS (Ver_09-03-16.01) - NTFSx86
Run by Parent at 10:15:30.92 on Mon 03/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.445 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Parent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fptb-msgr
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\parent\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182892836953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parent\applic~1\mozilla\firefox\profiles\a5uwtev9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\parent\application data\mozilla\firefox\profiles\a5uwtev9.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-23 298264]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-12 603904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 36608]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S0 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-3-10 34760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-7-17 35072]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]

=============== Created Last 30 ================

2009-03-22 12:06 <DIR> --d----- c:\program files\Nick Arcade
2009-03-21 21:33 <DIR> a-dshr-- C:\cmdcons
2009-03-21 21:32 161,792 a------- c:\windows\SWREG.exe
2009-03-21 21:32 98,816 a------- c:\windows\sed.exe
2009-03-19 23:00 0 a------- C:\Debug.QC6
2009-03-19 18:19 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-17 20:10 <DIR> --d----- c:\windows\pss
2009-03-16 23:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-14 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MediaMall
2009-03-10 11:08 <DIR> --d----- c:\program files\Sophos
2009-03-10 11:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-10 11:06 <DIR> --d----- c:\docume~1\parent\applic~1\SUPERAntiSpyware.com
2009-03-10 01:37 <DIR> --d----- C:\RootkitNO
2009-03-10 01:37 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-03-10 01:37 32,480 a------- c:\windows\system32\Partizan.exe
2009-03-10 01:36 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 01:36 <DIR> --d----- c:\program files\UnHackMe
2009-03-07 22:33 <DIR> --d----- c:\docume~1\parent\applic~1\id Software
2009-03-07 22:31 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-07 22:31 22,328 a------- c:\docume~1\parent\applic~1\PnkBstrK.sys
2009-03-07 22:30 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-07 22:30 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-07 22:30 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-07 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-03-04 20:42 <DIR> --d----- c:\docume~1\parent\applic~1\MySpace
2009-03-04 20:42 <DIR> --d----- c:\program files\MySpace
2009-02-24 13:19 <DIR> --d----- c:\program files\uTorrent
2009-02-24 13:19 <DIR> --d----- c:\docume~1\parent\applic~1\uTorrent
2009-02-22 21:03 480 a------- c:\windows\system32\tversity.cookies
2009-02-22 20:23 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-02-22 20:23 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-22 20:23 <DIR> --d----- c:\program files\ffdshow
2009-02-22 20:22 <DIR> --d----- c:\program files\TVersity Codec Pack
2009-02-22 20:20 <DIR> --d----- c:\program files\TVersity

==================== Find3M ====================

2009-03-19 18:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-01 12:09 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-01 12:09 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-01 12:08 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-25 11:05 4,096 a------- c:\windows\d3dx.dat
2009-01-12 03:38 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-01-12 03:38 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-01-03 02:04 29,480 a------- c:\windows\system32\msxml3a.dll
2009-01-02 15:37 47,360 a------- c:\docume~1\parent\applic~1\pcouffin.sys

============= FINISH: 10:15:53.62 ===============


#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 23 March 2009 - 02:48 PM

Hello.

Next time don't quote everything I said; if there is a specific part you wish to quote, then that's fine, but quoting everything is unnecessary. This time let's see if we can take care of those problems you have.

Please run the following tool.

Download and run DelDomains

Please download Deldomains and save it to your desktop.
  • Right-click DelDomains.inf and select: Install.
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Now, please manually remove the following older version of Java and remove the following file manually:

Java 2 Runtime Environment, SE v1.4.2_07 <- This program
c:\windows\system32\tversity.cookies <-This file

Now, let's checkup on that Windows Update problem.

Download and Run RegSearch
We need to do a registry search.

Please download RegSearch and save it to your desktop.
  • Extract the folder regsearch onto your desktop
  • Double-click on regsearch folder and then find regsearch.exe and double click it
  • A Security Window will open please select Run.
  • The Registry Search window will appear please make sure under the Search everything is checked.
  • At the top of the Regsearch where it says: "Enter Search string (case independent) and click Ok..." please input:

wuauserv
  • After inputting the name, please click Ok.
  • It will begin searching, once it is finished notepad will open with the log.
  • Please post the contents of that log in your next reply.
Post back with a:
-New DDS log only
-RegSearch log
(The contents of the log will NOT be empty)

With Regards,
extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#11 RobiSuicide

  • Topic Starter

  • Members
  • 42 posts

Posted 23 March 2009 - 08:24 PM

DDS Log


DDS (Ver_09-03-16.01) - NTFSx86
Run by Parent at 18:24:28.12 on Mon 03/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.367 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Parent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fptb-msgr
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\parent\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182892836953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parent\applic~1\mozilla\firefox\profiles\a5uwtev9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\parent\application data\mozilla\firefox\profiles\a5uwtev9.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-23 298264]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-12 603904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 36608]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S0 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-3-10 34760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-7-17 35072]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]

=============== Created Last 30 ================

2009-03-22 12:06 <DIR> --d----- c:\program files\Nick Arcade
2009-03-21 21:33 <DIR> a-dshr-- C:\cmdcons
2009-03-21 21:32 161,792 a------- c:\windows\SWREG.exe
2009-03-21 21:32 98,816 a------- c:\windows\sed.exe
2009-03-19 23:00 0 a------- C:\Debug.QC6
2009-03-19 18:19 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-17 20:10 <DIR> --d----- c:\windows\pss
2009-03-16 23:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-14 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MediaMall
2009-03-10 11:08 <DIR> --d----- c:\program files\Sophos
2009-03-10 11:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-10 11:06 <DIR> --d----- c:\docume~1\parent\applic~1\SUPERAntiSpyware.com
2009-03-10 01:37 <DIR> --d----- C:\RootkitNO
2009-03-10 01:37 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-03-10 01:37 32,480 a------- c:\windows\system32\Partizan.exe
2009-03-10 01:36 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 01:36 <DIR> --d----- c:\program files\UnHackMe
2009-03-07 22:33 <DIR> --d----- c:\docume~1\parent\applic~1\id Software
2009-03-07 22:31 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-07 22:31 22,328 a------- c:\docume~1\parent\applic~1\PnkBstrK.sys
2009-03-07 22:30 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-07 22:30 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-07 22:30 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-07 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-03-04 20:42 <DIR> --d----- c:\docume~1\parent\applic~1\MySpace
2009-03-04 20:42 <DIR> --d----- c:\program files\MySpace
2009-02-24 13:19 <DIR> --d----- c:\program files\uTorrent
2009-02-24 13:19 <DIR> --d----- c:\docume~1\parent\applic~1\uTorrent
2009-02-22 20:23 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-02-22 20:23 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-22 20:23 <DIR> --d----- c:\program files\ffdshow
2009-02-22 20:22 <DIR> --d----- c:\program files\TVersity Codec Pack
2009-02-22 20:20 <DIR> --d----- c:\program files\TVersity

==================== Find3M ====================

2009-03-19 18:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-01 12:09 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-01 12:09 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-01 12:08 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-25 11:05 4,096 a------- c:\windows\d3dx.dat
2009-01-12 03:38 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-01-12 03:38 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-01-03 02:04 29,480 a------- c:\windows\system32\msxml3a.dll
2009-01-02 15:37 47,360 a------- c:\docume~1\parent\applic~1\pcouffin.sys

============= FINISH: 18:24:40.70 ===============

RegSearch Log


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 3/23/2009 6:20:51 PM for strings:
; 'wuauserv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wuauserv]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}]
"LocalService"="wuauserv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; 6to4
; AppMgmt
; AudioSrv
; Browser
; CryptSvc
; DMServer
; DHCP
; ERSvc
; EventSystem
; FastUserSwitchingCompatibility
; HidServ
; Ias
; Iprip
; Irmon
; LanmanServer
; LanmanWorkstation
; Messenger
; Netman
; Nla
; Ntmssvc
; NWCWorkstation
; Nwsapagent
; Rasauto
; Rasman
; Remoteaccess
; Schedule
; Seclogon
; SENS
; Sharedaccess
; SRService
; Tapisrv
; Themes
; TrkWks
; UxTuneUp
; W32Time
; WZCSVC
; Wmi
; WmdmPmSp
; winmgmt
; wscsvc
; xmlprov
; BITS
; wuauserv
; ShellHWDetection
; helpsvc
; WmdmPmSN
;

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV\0000]
"Service"="wuauserv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters]
; Contents of value:
; C:\WINDOWS\system32\wuauserv.dll
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WUAUSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WUAUSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WUAUSERV\0000]
"Service"="wuauserv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Parameters]
; Contents of value:
; C:\WINDOWS\system32\wuauserv.dll
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000]
"Service"="wuauserv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
; Contents of value:
; C:\WINDOWS\system32\wuauserv.dll
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"

; End Of The Log...

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:27 AM

Posted 23 March 2009 - 08:51 PM

Hello.

Now, please do the following.

Download and Run Script with Swreg.exe
  • Please download SWREG.exe and save it to your C:\Windows directory.
In case you are using Firefox and it gets saved directly onto your desktop, do the following:
  • Please copy and paste Swreg.exe to your C:\Windows directory.
  • After you have pasted Swreg.exe into your C:\Windows directory you may delete the other copy on your desktop.
  • We need to execute a Batch File now.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    @Echo off
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv /OA
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv /P /GE:F
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv /OA
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv /P /GE:F
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Security /OA
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Security /P /GE:F
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv /OA
    swreg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv /P /GE:F
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the file should have the .bat file icon.

Double click on Remove.bat to run it. You may get a security warning; please select Run. A black window will open and then disappear; this is normal.

Reboot Your Computer Now Please.

Let me know if you can start Windows Update now.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#13 RobiSuicide

  • Topic Starter
  • Members
  • 42 posts
  • Local time:12:27 AM

Posted 23 March 2009 - 09:17 PM

Well, it's no longer getting the access denied when I try to enable it in Services. Now it says Error 2, the system cannot find the specified file; same with BITS. In the Security Center it says Automatic Updates is on, but in Services I can't start it.

Also, my UnHackMe monitor found this "C:\COMBOFIX\CATCHME.SYS" and says it's a backdoor trojan? Yet it belongs with Combofix. Is it really, or is it just a false positive?

Edited by RobiSuicide, 23 March 2009 - 09:37 PM.


#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:27 AM

Posted 24 March 2009 - 12:08 PM

Hello.

Make sure this file is there. C:\WINDOWS\system32\wuauserv.dll

Let me know in your next reply if it's there.

Would you think I would let you run something that is a backdoor trojan on your computer when I'm trying to clean it? Obviously that was a false positive. AV programs can't always distinguish what is good/bad.

With regards,
Extremeboy
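The two symptoms discussed in posts #12 and #14 (an "Access is denied" on the wuauserv service key, then "Error 2: the system cannot find the file specified" once the key is writable again) are both visible from the service's registry key: the first comes from the key's ACL, the second from a ServiceDll or ImagePath pointing at a file that is not on disk. The script below is an added example for checking both, not something posted in this thread or shipped with Swreg; it assumes Windows PowerShell with the Registry provider, which the XP machine in the thread would not have had, so it is a template for auditing a modern machine rather than a replacement for the batch file above. BITS is included only because the poster reports the same Error 2 for it.

```powershell
# Added example (not from the thread): audit the wuauserv and BITS service keys for
# tampered permissions and a missing ServiceDll / ImagePath. Assumes Windows PowerShell
# with the Registry provider; the key names are the ones that appear in the log above.
$services = 'wuauserv', 'BITS'

foreach ($svc in $services) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $keyPath)) {
        Write-Output "$svc : service key missing"
        continue
    }

    # Owner and ACEs. A service key that SYSTEM and Administrators cannot read or write,
    # or that carries explicit Deny entries, is what produces "Access is denied" in
    # services.msc and is a classic way malware keeps Automatic Updates switched off.
    $acl = Get-Acl -Path $keyPath
    Write-Output "$svc : owner = $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Output ("   {0,-45} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
    }
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($denies) {
        Write-Output "$svc : WARNING - Deny entries present on the service key"
    }

    # "Error 2: The system cannot find the file specified" means the host binary
    # (ImagePath) or the DLL named under Parameters\ServiceDll does not exist on disk.
    $image = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).ImagePath
    Write-Output "$svc : ImagePath = $image"

    $params = Get-ItemProperty -Path "$keyPath\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        # ServiceDll is REG_EXPAND_SZ, so expand %SystemRoot% and friends before testing.
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $exists = Test-Path -Path $dll
        Write-Output "$svc : ServiceDll = $dll (exists: $exists)"
        if ($exists) {
            # A genuine Windows Update DLL should carry a valid Microsoft signature;
            # an unsigned or differently signed file at this path deserves a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            Write-Output "$svc : signature = $($sig.Status) ($($sig.SignerCertificate.Subject))"
        }
    } else {
        Write-Output "$svc : no readable ServiceDll value (missing, or the Parameters key is not readable)"
    }
}
```

Run it from an elevated PowerShell prompt; Get-Acl on a service key that has been locked down will itself fail with an access error, which is the same signal the batch file in post #12 was written to undo, so an error here on a key that should be readable to Administrators is a finding, not a script bug.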

#15 RobiSuicide

  • Topic Starter
  • Members
  • 42 posts
  • Local time:12:27 AM

Posted 24 March 2009 - 12:43 PM

Yeah the Wuauserv.dll is there.

That's what I was guessing; I wasn't sure if it was just disguised as part of Combofix.

Edited by RobiSuicide, 24 March 2009 - 12:46 PM.
