
I need help removing Virtumonde / Seneka


  • This topic is locked
18 replies to this topic

#1 prose
  • Members
  • 10 posts

Posted 06 May 2009 - 10:01 PM

Hello, I first realised I was infected with Virtumonde back in January, which NOD32 found and removed, but it kept coming back. I then found this forum and I downloaded SUPERAntiSpyware and Malwarebytes' Anti-Malware. SAS found and deleted Virtumonde files, and it also detected Rootkit.Seneka and claimed to have deleted it; MBAM said everything was clean too.
Everything seemed to be fine until March, when Virtumonde appeared again. I used SAS to get rid of it and it appeared to have worked, but obviously not, because now it's back again! NOD32 detected it, but SAS and MBAM didn't find anything after a scan.
I'm struggling to get rid of Virtumonde and Seneka for good; the two of them seem to be linked to each other.
I just recently used McAfee's Rootkit Detective to find hidden registry entries, and I have attached the log along with the HijackThis log.
Thank you in advance for any help.

Attached Files




#2 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 21 May 2009 - 08:32 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 prose
  • Topic Starter
  • Members
  • 10 posts

Posted 21 May 2009 - 09:22 PM

Here are my DDS results, and the Attach results are attached. Thanks in advance for any help.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 3:14:25.77 on 22/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.725 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://www.zpecialoffer.com/results.asp?keyword=%s
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FFTI] c:\documents and settings\owner\application data\mozilla\firefox\profiles\w060azka.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\ffti.exe /verysilent /suppressmsgboxes /norestart /destpath="c:\documents and settings\owner\application data\mozilla\firefox\profiles/w060azka.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [nwqqtjka] c:\windows\system32\autgiujl.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [WireLessKeyboard ] c:\program files\multimedia combo set\PS2USBKbdDrv.exe
mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMan] SOUNDMAN.EXE
mRunServices: [virtual-ie] winlogi.exe
uExplorerRun: [{74CAD299-0853-1033-1216-02030112002c}] "c:\program files\common files\{74cad299-0853-1033-1216-02030112002c}\Update.exe" mc-110-12-0000513
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\omegaa~1.lnk - c:\program files\lexicon\omega\driver\ASIOSysTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
uPolicies-explorer: <NO NAME> = 1 (0x1)
mPolicies-explorer: <NO NAME> =
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mmohsix.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233613013312
DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - hxxp://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {87FFFF49-EC23-4576-8F95-810D5AA99AF8} = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcAqOhf

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\w060azka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\w060azka.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 musm3gld;musm3gld;c:\windows\system32\drivers\musm3gld.sys [2006-8-30 5513]
R3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\owner\locals~1\temp\mdxgthkn.sys --> c:\docume~1\owner\locals~1\temp\mdxgthkn.sys [?]
S3 ptO2_bus;O2 Composite Device;c:\windows\system32\drivers\ptO2_bus.sys [2009-4-1 22144]
S3 ptO2_flt;O2 USB Filter Service;c:\windows\system32\drivers\ptO2_flt.sys [2009-4-1 4608]
S3 ptO2_mdm;O2 USB Modem;c:\windows\system32\drivers\ptO2_mdm.sys [2009-4-1 39808]
S3 ptO2_prt;O2 Diagnostic Serial Port;c:\windows\system32\drivers\ptO2_prt.sys [2009-4-1 38528]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2006-10-15 18432]
S4 Ks_cmirbvem;Ks_cmirbvem; [x]

=============== Created Last 30 ================

2009-05-21 21:48 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-21 21:46 14,048 -------- c:\windows\system32\spmsg2.dll
2009-05-21 21:40 <DIR> --d----- c:\program files\MSXML 6.0
2009-05-11 22:36 49,152 a------- c:\windows\system32\ChCfg.exe
2009-05-11 22:35 <DIR> --d----- c:\program files\Realtek AC97
2009-05-11 22:34 10,528,768 a------- c:\windows\system32\RTLCPL.exe
2009-05-11 22:34 577,536 a------- c:\windows\soundman.exe
2009-05-11 22:34 147,456 a------- c:\windows\system32\RtlCPAPI.dll
2009-05-11 22:34 315,392 a------- c:\windows\alcupd.exe
2009-05-11 22:34 217,088 a------- c:\windows\Alcrmv.exe
2009-05-07 03:39 2,021,790 a------- c:\windows\system32\76523C2.mht
2009-05-07 00:41 <DIR> --d----- c:\program files\Uniblue
2009-05-07 00:41 <DIR> --d----- c:\docume~1\owner\applic~1\Uniblue
2009-05-07 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-05-07 00:35 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-29 21:10 <DIR> --d----- c:\program files\TRACKERS
2009-04-25 22:20 <DIR> --d----- c:\documents and settings\owner\Tracing
2009-04-25 22:13 <DIR> --d----- c:\program files\Microsoft
2009-04-25 22:12 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-25 22:04 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-24 21:50 95 a------- c:\windows\eJay_se.inf
2009-04-24 21:50 <DIR> --d----- C:\eJay_se

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 15:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-25 22:42 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-25 22:41 325,120 a------- c:\windows\system32\ati2dvag.dll
2009-02-25 22:30 11,841,536 a------- c:\windows\system32\atioglxx.dll
2009-02-25 22:30 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-02-25 22:29 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-25 22:29 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-25 22:29 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-25 22:29 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-25 22:27 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-25 22:26 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-25 22:16 3,817,984 a------- c:\windows\system32\ati3duag.dll
2009-02-25 22:09 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-25 21:59 2,670,080 a------- c:\windows\system32\ativvaxx.dll
2009-02-25 21:44 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-25 21:40 475,136 a------- c:\windows\system32\atikvmag.dll
2009-02-25 21:38 126,976 a------- c:\windows\system32\atiadlxx.dll
2009-02-25 21:38 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-25 21:35 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-25 21:32 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-25 21:32 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-25 21:32 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-25 21:30 3,227,648 a------- c:\windows\system32\aticaldd.dll
2009-02-25 15:15 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-01-13 12:24 40 a------- c:\documents and settings\owner\language.dat
2007-01-12 16:54 87,608 a------- c:\docume~1\owner\applic~1\ezpinst.exe
2007-01-12 16:54 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2006-06-05 13:22 184,880 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2004-06-26 16:28 2,475 a------- c:\documents and settings\owner\ttdpttxt.dat
2001-07-12 23:25 1,581 a------- c:\program files\zoo.ini

============= FINISH: 3:15:58.30 ===============

Attached Files


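Reading a DDS "Pseudo HJT Report" by eye is what the helpers in this thread do. The script below is an added example, not part of the thread and not code from the DDS tool, that applies a few of the same checks mechanically: real-time AV switched off, an extra LSA authentication package, a populated RunServices key, a random-named Run value in system32, a Policies\Explorer\Run autostart, a Trusted Zone addition, a redirected search provider, and orphaned "No File" entries. The sample input is copied from the log posted above; the severity scores, the allowlist of search hosts and the "random-looking name" pattern are this example's own assumptions, and a hit is a lead for a human, not a verdict.

```python
"""Heuristic triage of a DDS "Pseudo HJT Report" section.

Added example, not part of the thread and not DDS code. Every rule here is
an assumption of this example: a hit is a lead to investigate, not a verdict.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


# Search-provider hosts treated as legitimate (assumed allowlist, not from DDS).
SEARCH_ALLOWLIST = ("msn.com", "microsoft.com", "google.com", "google.co.uk", "live.com")

# "Random-looking" autostart names: 6-12 lowercase letters and nothing else
# (assumed heuristic; it misses mixed-case or digit-bearing names on purpose).
RANDOM_NAME = re.compile(r"^[a-z]{6,12}$")

# DDS autostart lines: prefix u/m/d = HKCU/HKLM/default user, then the key name.
RUN_LINE = re.compile(
    r"^(?P<key>[umd](?:Run|RunOnce|RunServices|ExplorerRun)):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# Sample input: lines copied verbatim from the DDS log posted in this thread
# (the AV header plus selected Pseudo HJT Report lines).
SAMPLE_LOG = r"""
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
uSearchURL,(Default) = hxxp://www.zpecialoffer.com/results.asp?keyword=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [nwqqtjka] c:\windows\system32\autgiujl.exe
mRunServices: [virtual-ie] winlogi.exe
uExplorerRun: [{74CAD299-0853-1033-1216-02030112002c}] "c:\program files\common files\{74cad299-0853-1033-1216-02030112002c}\Update.exe" mc-110-12-0000513
Trusted Zone: mmohsix.com
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcAqOhf
"""


def _allowlisted(host: str) -> bool:
    """Exact or subdomain match against SEARCH_ALLOWLIST (no 'evilmsn.com' suffix trick)."""
    return any(host == d or host.endswith("." + d) for d in SEARCH_ALLOWLIST)


def _exe_path(cmd: str) -> str:
    """Lower-cased executable path at the start of a Run command, or "" if none."""
    m = re.match(r'"?(?P<path>[^"]*?\.exe)', cmd, re.IGNORECASE)
    return m.group("path").lower() if m else ""


def _check_run(key: str, name: str, cmd: str, line: str) -> List[Finding]:
    out: List[Finding] = []
    if key.endswith("RunServices"):
        out.append(Finding("high", "RunServices is a Windows 9x-era key; a populated entry on XP is a red flag", line))
    if key.endswith("ExplorerRun"):
        out.append(Finding("medium", "Policies\\Explorer\\Run autostart is rarely used by legitimate software", line))
    path = _exe_path(cmd)
    if path:
        stem = path.rsplit("\\", 1)[-1][:-len(".exe")]
        # Value name and file name both random-looking, and the file sits in system32.
        if "\\system32\\" in path and RANDOM_NAME.match(stem) and RANDOM_NAME.match(name) and stem != name:
            out.append(Finding("high", f"random-looking autostart [{name}] -> {stem}.exe in system32", line))
    return out


def triage(report: str) -> List[Finding]:
    """Scan DDS report lines and return findings, highest severity first."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AV:") and "*On-access scanning disabled*" in line:
            findings.append(Finding("high", "real-time antivirus protection is switched off", line))
        elif line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]  # msv1_0 is the stock package
            if extra:
                findings.append(Finding("high", "extra LSA authentication package (loaded by lsass at boot): " + " ".join(extra), line))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding("medium", "domain added to the IE Trusted sites zone", line))
        elif line.startswith(("uSearchURL", "uSearchAssistant", "mSearchURL", "mSearchAssistant")):
            m = re.search(r"hxxps?://([^/\s]+)", line)  # DDS defangs http as hxxp
            host = m.group(1).lower() if m else ""
            if not _allowlisted(host):
                findings.append(Finding("medium", f"search provider points at {host or 'an unparsed target'}", line))
        elif line.endswith("- No File"):
            findings.append(Finding("low", "orphaned entry: registered component has no backing file", line))
        else:
            m = RUN_LINE.match(line)
            if m:
                findings.extend(_check_run(m.group("key"), m.group("name"), m.group("cmd"), line))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])  # stable: keeps log order within a level


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.rule}\n         {f.line}")
```

Run as-is it lists ten findings from the posted log, with the two disabled AV engines, the LSA entry, the RunServices value and the `[nwqqtjka] -> autgiujl.exe` pair at the top; pass the full text of a DDS.txt to `triage()` to use it on another log. The rules are deliberately narrow so that the benign `ctfmon.exe` and `egui` autostarts on the same machine produce nothing.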

#4 Farbar
    Just Curious
  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 May 2009 - 06:27 AM

Hi prose,

Welcome to the BC HijackThis forum, and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all P2P download folders. They might contain infected files. Please avoid using these P2P applications until the system is clean. Using these applications at this stage might lead to reinfection or to infecting other users.

  • You have the latest version of Java, which is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components:
    Click "Start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be populated; this may take a bit of time.
    Uninstall the following by clicking on each entry and selecting "Remove":

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9


  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following programs via Add or Remove Programs if you are using them:

    Viewpoint Media Player
    Viewpoint Toolbar

    If you uninstalled them, also remove the folder C:\Program Files\Viewpoint

  • You still have some leftovers of uninstalled Norton products on your computer.

    To remove the leftovers, please download and run the Norton Removal Tool.

    Note: The Norton Removal Tool is one and the same for all the versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • This is a small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here: http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes under Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
  • Open Malwarebytes' Anti-Malware, update it first, run a "Quick Scan", let it reboot if needed, and copy/paste the log into your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not open automatically, you can obtain the latest log from there.


#5 Farbar
    Just Curious
  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2009 - 06:18 PM

Looks like nobody is there. I'll wait one more day before closing the topic.

#6 prose
  • Topic Starter
  • Members
  • 10 posts

Posted 23 May 2009 - 09:54 PM

Please do not close the topic. I'm very sorry about my lack of activity, but I've been very busy with my job over the last few days. A complete MBAM scan is in progress, but it has currently been running for nearly 6 hours and hasn't finished yet. I've done all the other steps and I shall post the log when the scan is complete.

#7 prose
  • Topic Starter
  • Members
  • 10 posts

Posted 23 May 2009 - 10:15 PM

Sorry about the delay but here is my MBAM log.



Malwarebytes' Anti-Malware 1.36
Database version: 2166
Windows 5.1.2600 Service Pack 2

24/05/2009 04:05:08
mbam-log-2009-05-24 (04-05-08).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 498045
Time elapsed: 5 hour(s), 54 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{74cad299-0853-1033-1216-02030112002c} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\winupdates (Worm.P2P) -> Quarantined and deleted successfully.
C:\Program Files\MsMovies (Worm.P2P) -> Quarantined and deleted successfully.

Files Infected:
G:\Torrents\Tiger Woods PGA Tour 08 (PC) with Crack + Keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\winupdates\a.zip (Worm.P2P) -> Quarantined and deleted successfully.
C:\Program Files\MsMovies\p.zip (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\Shooting Stars.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\libavidd-1.3.1.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\libfilefmt-1.4.2.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#8 Farbar
    Just Curious
  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 May 2009 - 05:47 AM

No worries about the delay, I understand you are busy. Take your time and post the log when ready.
  • Please tell me if you have carried out steps 1-4 too.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#9 prose
  • Topic Starter
  • Members
  • 10 posts

Posted 24 May 2009 - 08:25 AM

I have carried out steps 1-4. Viewpoint Toolbar would not uninstall at first, but CCleaner got rid of it in the end.

#10 prose
  • Topic Starter
  • Members
  • 10 posts

Posted 24 May 2009 - 09:15 AM

ComboFix 09-05-23.04 - Owner 24/05/2009 14:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.484 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\asks~1
c:\program files\ystem3~1
c:\windows\ppatch~1
c:\windows\Readme.txt
c:\windows\sstem3~1
c:\windows\system32\_000117_.tmp.dll
c:\windows\system32\imagr5.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\mdm.exe
c:\windows\system32\ssprs.dll
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\Tasks\zyxhmkrr.job
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWIN_SERVICE
-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-22 15:10 . 2009-05-22 15:10 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-22 14:20 . 2009-05-22 14:21 -------- d-----w c:\program files\CCleaner
2009-05-22 14:05 . 2009-05-22 14:05 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-21 20:48 . 2009-05-21 20:48 -------- d-----w c:\program files\MSBuild
2009-05-21 20:48 . 2009-05-21 20:48 -------- d-----w c:\windows\system32\XPSViewer
2009-05-21 20:47 . 2009-05-21 20:47 -------- d-----w c:\program files\Reference Assemblies
2009-05-21 20:46 . 2006-06-29 12:07 14048 ------w c:\windows\system32\spmsg2.dll
2009-05-21 20:40 . 2009-05-21 20:40 -------- d-----w c:\program files\MSXML 6.0
2009-05-11 21:36 . 2006-08-01 14:02 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-05-11 21:35 . 2009-05-11 21:35 -------- d-----w c:\program files\Realtek AC97
2009-05-11 21:34 . 2006-12-08 14:20 10528768 ----a-w c:\windows\system32\RTLCPL.exe
2009-05-11 21:34 . 2007-04-16 14:28 577536 ----a-w c:\windows\soundman.exe
2009-05-11 21:34 . 2006-10-18 01:53 147456 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-05-11 21:34 . 2006-07-31 10:19 315392 ----a-w c:\windows\alcupd.exe
2009-05-11 21:34 . 2006-07-31 10:27 217088 ----a-w c:\windows\Alcrmv.exe
2009-05-11 21:14 . 2009-05-11 21:14 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-05-07 00:42 . 2009-05-07 00:42 40091352 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\pci_ven_1002_dev_41728_591_0_0000.exe
2009-05-07 00:19 . 2009-05-07 00:19 18734784 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\pci_ven_1106_dev_3059_subsys_901215095_10_00_6300.exe
2009-05-07 00:09 . 2009-05-07 00:09 4821128 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\monitor_cpq144d2_60.exe
2009-05-06 23:41 . 2009-03-29 01:27 2653048 -c--a-w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-05-06 23:41 . 2009-05-06 23:51 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-06 23:41 . 2009-05-06 23:41 -------- d-----w c:\program files\Uniblue
2009-05-06 23:41 . 2009-05-06 23:41 -------- d-----w c:\documents and settings\Owner\Application Data\Uniblue
2009-05-06 23:35 . 2009-05-06 23:41 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-29 20:10 . 2009-04-29 20:23 -------- d-----w c:\program files\TRACKERS
2009-04-25 21:20 . 2009-05-22 02:24 -------- d-----w c:\documents and settings\Owner\Tracing
2009-04-25 21:13 . 2009-04-25 21:13 -------- d-----w c:\program files\Microsoft
2009-04-25 21:12 . 2009-04-25 21:12 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-25 21:04 . 2009-04-25 21:04 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-24 20:50 . 2009-04-24 20:50 -------- d-----w C:\eJay_se

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 13:50 . 2007-06-22 21:33 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-24 13:42 . 2004-12-25 11:29 12 ----a-w c:\windows\bthservsdp.dat
2009-05-24 01:41 . 2008-09-23 20:35 -------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-05-23 23:52 . 2008-03-26 17:07 -------- d-----w c:\program files\Renoise 1.9.1
2009-05-22 15:10 . 2009-01-14 20:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-22 14:07 . 2003-05-23 15:24 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-22 14:03 . 2005-09-25 20:19 -------- d-----w c:\program files\Bit Lord 1.1
2009-05-22 13:35 . 2006-03-09 16:51 -------- d-----w c:\program files\LimeWire
2009-05-22 13:31 . 2007-03-06 19:10 -------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-22 13:31 . 2004-06-27 15:23 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 13:27 . 2005-03-05 23:23 -------- d-----w c:\program files\Java
2009-05-21 21:22 . 2003-04-12 16:13 1462520 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 17:00 . 2009-01-09 00:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 00:49 . 2009-03-03 22:42 -------- d-----w c:\documents and settings\Owner\Application Data\Audacity
2009-05-12 19:16 . 2007-12-18 21:15 -------- d-----w c:\program files\Last.fm
2009-05-11 21:34 . 2003-01-01 23:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-11 21:05 . 2003-03-23 13:58 -------- d-----w c:\program files\ATI Technologies
2009-04-25 21:12 . 2008-02-28 16:14 -------- d-----w c:\program files\Windows Live
2009-04-16 17:20 . 2009-04-16 17:19 -------- d-----w c:\program files\WWAYM
2009-04-16 17:13 . 2009-04-16 17:13 -------- d-----w c:\program files\Antares Audio Technologies
2009-04-16 17:11 . 2009-04-16 17:11 -------- d-----w c:\program files\Antares
2009-04-16 17:08 . 2009-04-16 17:08 -------- d-----w c:\program files\Acon Digital Media
2009-04-16 16:57 . 2009-04-16 16:55 -------- d-----w c:\program files\EDIROL
2009-04-10 00:02 . 2009-04-10 00:02 -------- d-----w c:\program files\Smart FLV Converter Pro
2009-04-08 23:02 . 2009-04-08 23:02 152576 ----a-w c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 14:32 . 2009-01-14 20:50 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-01-14 20:50 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 01:33 . 2009-04-05 01:33 -------- d-----w c:\documents and settings\Owner\Application Data\Smartelectronix
2009-04-01 00:24 . 2009-04-01 00:24 -------- d-----w c:\program files\O2
2009-03-30 20:58 . 2009-03-30 20:56 -------- d-----w c:\program files\Kontiki
2009-03-09 04:19 . 2008-12-29 02:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2003-02-12 14:12 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-25 22:58 . 2003-01-01 23:41 3565568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 21:42 . 2009-01-14 04:49 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-25 21:41 . 2003-01-01 23:41 325120 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-25 21:30 . 2003-01-01 23:41 11841536 ----a-w c:\windows\system32\atioglxx.dll
2009-02-25 21:30 . 2003-01-01 23:41 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-25 21:29 . 2009-01-14 04:36 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-25 21:29 . 2003-01-01 23:41 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-25 21:29 . 2009-01-14 04:35 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-25 21:29 . 2009-01-14 04:35 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-25 21:27 . 2003-01-01 23:41 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-25 21:26 . 2003-01-01 23:41 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-25 21:16 . 2003-01-01 23:41 3817984 ----a-w c:\windows\system32\ati3duag.dll
2009-02-25 21:09 . 2003-01-01 23:41 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-25 20:59 . 2004-08-04 07:56 2670080 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-25 20:44 . 2009-01-14 03:50 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-25 20:40 . 2009-01-14 03:45 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-02-25 20:38 . 2009-01-14 03:44 126976 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-25 20:38 . 2003-01-01 23:41 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-25 20:37 . 2009-01-14 03:43 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-25 20:35 . 2009-01-14 04:53 290816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-25 20:32 . 2009-02-25 20:32 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-25 20:32 . 2009-02-25 20:32 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-25 20:32 . 2004-08-04 07:56 626688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-25 20:30 . 2009-02-25 20:30 3227648 ----a-w c:\windows\system32\aticaldd.dll
2009-02-25 14:15 . 2009-02-05 23:48 593920 ------w c:\windows\system32\ati2sgag.exe
2001-07-12 22:25 . 2005-08-13 11:16 1581 ----a-w c:\program files\zoo.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-09 483374]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2002-09-30 548933]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-20 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-22 290816]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 8704]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 233472]
"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-09-30 372736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Omega ASIO Control Panel.lnk - c:\program files\Lexicon\Omega\Driver\ASIOSysTray.exe [2007-8-21 311296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=c:\windows\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 8.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 14:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 13:39 32256]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 08:21 468224]
R2 musm3gld;musm3gld;c:\windows\system32\drivers\musm3gld.sys [30/08/2006 21:40 5513]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 18:51 4096]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\STOPzilla!\szntsvc.exe /service "STOPzilla Local Service" --> c:\program files\STOPzilla!\szntsvc.exe [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [01/11/2003 21:19 17920]
S3 FLUGKN;FLUGKN;c:\docume~1\Owner\LOCALS~1\Temp\FLUGKN.exe --> c:\docume~1\Owner\LOCALS~1\Temp\FLUGKN.exe [?]
S3 FOCG;FOCG;c:\docume~1\Owner\LOCALS~1\Temp\FOCG.exe --> c:\docume~1\Owner\LOCALS~1\Temp\FOCG.exe [?]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 ptO2_bus;O2 Composite Device;c:\windows\system32\drivers\ptO2_bus.sys [01/04/2009 01:25 22144]
S3 ptO2_flt;O2 USB Filter Service;c:\windows\system32\drivers\ptO2_flt.sys [01/04/2009 01:25 4608]
S3 ptO2_mdm;O2 USB Modem;c:\windows\system32\drivers\ptO2_mdm.sys [01/04/2009 01:25 39808]
S3 ptO2_prt;O2 Diagnostic Serial Port;c:\windows\system32\drivers\ptO2_prt.sys [01/04/2009 01:25 38528]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [15/10/2006 21:19 18432]
S4 Ks_cmirbvem;Ks_cmirbvem; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-RunOnce-FFTI - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w060azka.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchURL,(Default) = hxxp://www.zpecialoffer.com/results.asp?keyword=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: mmohsix.com
TCP: {87FFFF49-EC23-4576-8F95-810D5AA99AF8} = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w060azka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w060azka.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 14:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,e0,05,cd,c5,f3,
3d,17,bf,c8,28,51,af,b0,29,a3,98,f7,04,95,8d,8f,ee,67,07,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{51FEDCF3-37A1-489D-AE91-5A98B3FC30B5}\InProcServer32*]
"jahdjdgnanhgjmdfpomn"=hex:6a,61,69,63,65,6f,68,6b,61,6f,69,6c,6f,64,61,68,6a,
70,6c,67,00,00
"iahdhebomohedomion"=hex:6a,61,69,63,65,6f,68,6b,61,6f,69,6c,6f,64,61,68,6a,70,
6c,67,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,c0,64,56,b7,53,
65,6e,ae,71,3b,04,66,8b,46,0d,96,69,d2,73,9e,6c,f5,0b,8d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,f7,1d,98,f3,e5,
bd,ea,7c,25,da,ec,7e,55,20,c9,26,41,6d,b1,fb,75,b5,8c,4d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,4b,a7,27,ae,f9,
c0,c3,b1,3e,1e,9e,e0,57,5a,93,61,9e,78,7a,fe,b0,0a,32,a6,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,ab,c2,80,2b,f1,
2d,8d,ab,cd,44,cd,b9,a6,33,6c,cd,08,a0,cc,f9,8f,06,41,e8,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,4a,ce,4c,23,d9,
10,b3,30,b0,18,ed,a7,3f,8d,37,a4,83,d4,8f,a1,8e,ec,04,d7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,62,b3,47,2e,f8,
c8,69,65,31,77,e1,ba,b1,f8,68,02,9a,13,3d,ef,9f,1c,ae,cc,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,63,4e,30,18,4c,
97,40,cf,83,6c,56,8b,a0,85,96,ab,04,24,4e,05,9b,22,c8,19,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,5c,cd,7b,17,77,
b0,9e,05,51,fa,6e,91,28,9e,14,cc,4c,ea,d7,71,99,3c,38,6c,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,75,70,b3,ce,4c,
12,eb,3d,b1,cd,45,5a,a8,c4,f8,b9,79,88,00,87,e4,15,52,8e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,25,eb,86,06,61,
38,36,77,e3,0e,66,d5,eb,bc,2f,6b,73,3d,3b,ab,e5,c4,f2,0b,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,26,a3,6c,78,f4,
6d,0b,97,fa,ea,66,7f,d4,3b,6b,70,f6,ca,8e,90,d6,87,01,67,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-24 15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 14:07

Pre-Run: 11,559,587,840 bytes free
Post-Run: 12,327,071,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

387 --- E O F --- 2009-04-20 20:30

#11 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 May 2009 - 11:07 AM

  • Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot.
  • Open notepad and copy/paste the text in the code box below into it:

    Driver::
    FLUGKN
    FOCG
    mdxgthkn
    Ks_cmirbvem
    REGNULL::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{51FEDCF3-37A1-489D-AE91-5A98B3FC30B5}\InProcServer32*]
    RegLockDel:: 
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{51FEDCF3-37A1-489D-AE91-5A98B3FC30B5}\InProcServer32]
    DDS::
    uInternet Settings,ProxyOverride = local.,;*.local
    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

Edited by farbar, 25 May 2009 - 11:00 AM.


#12 prose

prose
  • Topic Starter

  • Members
  • 10 posts

Posted 25 May 2009 - 03:23 PM

I made sure my IP settings are as you stated and here is my log for combofix.

ComboFix 09-05-25.03 - Owner 25/05/2009 20:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.565 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FLUGKN
-------\Legacy_FOCG
-------\Legacy_MDXGTHKN
-------\Service_FLUGKN
-------\Service_FOCG
-------\Service_Ks_cmirbvem
-------\Service_mdxgthkn


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-22 15:10 . 2009-05-22 15:10 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-22 14:20 . 2009-05-22 14:21 -------- d-----w c:\program files\CCleaner
2009-05-22 14:05 . 2009-05-22 14:05 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-21 20:48 . 2009-05-21 20:48 -------- d-----w c:\program files\MSBuild
2009-05-21 20:48 . 2009-05-21 20:48 -------- d-----w c:\windows\system32\XPSViewer
2009-05-21 20:47 . 2009-05-21 20:47 -------- d-----w c:\program files\Reference Assemblies
2009-05-21 20:46 . 2006-06-29 12:07 14048 ------w c:\windows\system32\spmsg2.dll
2009-05-21 20:40 . 2009-05-21 20:40 -------- d-----w c:\program files\MSXML 6.0
2009-05-11 21:36 . 2006-08-01 14:02 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-05-11 21:35 . 2009-05-11 21:35 -------- d-----w c:\program files\Realtek AC97
2009-05-11 21:34 . 2006-12-08 14:20 10528768 ----a-w c:\windows\system32\RTLCPL.exe
2009-05-11 21:34 . 2007-04-16 14:28 577536 ----a-w c:\windows\soundman.exe
2009-05-11 21:34 . 2006-10-18 01:53 147456 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-05-11 21:34 . 2006-07-31 10:19 315392 ----a-w c:\windows\alcupd.exe
2009-05-11 21:34 . 2006-07-31 10:27 217088 ----a-w c:\windows\Alcrmv.exe
2009-05-11 21:14 . 2009-05-11 21:14 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-05-07 00:42 . 2009-05-07 00:42 40091352 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\pci_ven_1002_dev_41728_591_0_0000.exe
2009-05-07 00:19 . 2009-05-07 00:19 18734784 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\pci_ven_1106_dev_3059_subsys_901215095_10_00_6300.exe
2009-05-07 00:09 . 2009-05-07 00:09 4821128 ----a-w c:\documents and settings\Owner\Application Data\Uniblue\DriverScanner\Download\monitor_cpq144d2_60.exe
2009-05-06 23:41 . 2009-03-29 01:27 2653048 -c--a-w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-05-06 23:41 . 2009-05-06 23:51 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-06 23:41 . 2009-05-06 23:41 -------- d-----w c:\program files\Uniblue
2009-05-06 23:41 . 2009-05-06 23:41 -------- d-----w c:\documents and settings\Owner\Application Data\Uniblue
2009-05-06 23:35 . 2009-05-06 23:41 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-29 20:10 . 2009-04-29 20:23 -------- d-----w c:\program files\TRACKERS
2009-04-25 21:20 . 2009-05-22 02:24 -------- d-----w c:\documents and settings\Owner\Tracing
2009-04-25 21:13 . 2009-04-25 21:13 -------- d-----w c:\program files\Microsoft
2009-04-25 21:12 . 2009-04-25 21:12 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-25 21:04 . 2009-04-25 21:04 -------- d-----w c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 20:01 . 2007-06-22 21:33 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-25 19:52 . 2004-12-25 11:29 12 ----a-w c:\windows\bthservsdp.dat
2009-05-24 01:41 . 2008-09-23 20:35 -------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-05-23 23:52 . 2008-03-26 17:07 -------- d-----w c:\program files\Renoise 1.9.1
2009-05-22 15:10 . 2009-01-14 20:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-22 14:07 . 2003-05-23 15:24 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-22 14:03 . 2005-09-25 20:19 -------- d-----w c:\program files\Bit Lord 1.1
2009-05-22 13:35 . 2006-03-09 16:51 -------- d-----w c:\program files\LimeWire
2009-05-22 13:31 . 2007-03-06 19:10 -------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-22 13:31 . 2004-06-27 15:23 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 13:27 . 2005-03-05 23:23 -------- d-----w c:\program files\Java
2009-05-21 21:22 . 2003-04-12 16:13 1462520 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 17:00 . 2009-01-09 00:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 00:49 . 2009-03-03 22:42 -------- d-----w c:\documents and settings\Owner\Application Data\Audacity
2009-05-12 19:16 . 2007-12-18 21:15 -------- d-----w c:\program files\Last.fm
2009-05-11 21:34 . 2003-01-01 23:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-11 21:05 . 2003-03-23 13:58 -------- d-----w c:\program files\ATI Technologies
2009-04-25 21:12 . 2008-02-28 16:14 -------- d-----w c:\program files\Windows Live
2009-04-16 17:20 . 2009-04-16 17:19 -------- d-----w c:\program files\WWAYM
2009-04-16 17:13 . 2009-04-16 17:13 -------- d-----w c:\program files\Antares Audio Technologies
2009-04-16 17:11 . 2009-04-16 17:11 -------- d-----w c:\program files\Antares
2009-04-16 17:08 . 2009-04-16 17:08 -------- d-----w c:\program files\Acon Digital Media
2009-04-16 16:57 . 2009-04-16 16:55 -------- d-----w c:\program files\EDIROL
2009-04-10 00:02 . 2009-04-10 00:02 -------- d-----w c:\program files\Smart FLV Converter Pro
2009-04-08 23:02 . 2009-04-08 23:02 152576 ----a-w c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 14:32 . 2009-01-14 20:50 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-01-14 20:50 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 01:33 . 2009-04-05 01:33 -------- d-----w c:\documents and settings\Owner\Application Data\Smartelectronix
2009-04-01 00:24 . 2009-04-01 00:24 -------- d-----w c:\program files\O2
2009-03-30 20:58 . 2009-03-30 20:56 -------- d-----w c:\program files\Kontiki
2009-03-09 04:19 . 2008-12-29 02:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2003-02-12 14:12 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-25 22:58 . 2003-01-01 23:41 3565568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 21:42 . 2009-01-14 04:49 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-25 21:41 . 2003-01-01 23:41 325120 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-25 21:30 . 2003-01-01 23:41 11841536 ----a-w c:\windows\system32\atioglxx.dll
2009-02-25 21:30 . 2003-01-01 23:41 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-25 21:29 . 2009-01-14 04:36 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-25 21:29 . 2003-01-01 23:41 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-25 21:29 . 2009-01-14 04:35 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-25 21:29 . 2009-01-14 04:35 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-25 21:27 . 2003-01-01 23:41 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-25 21:26 . 2003-01-01 23:41 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-25 21:16 . 2003-01-01 23:41 3817984 ----a-w c:\windows\system32\ati3duag.dll
2009-02-25 21:09 . 2003-01-01 23:41 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-25 20:59 . 2004-08-04 07:56 2670080 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-25 20:44 . 2009-01-14 03:50 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-25 20:40 . 2009-01-14 03:45 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-02-25 20:38 . 2009-01-14 03:44 126976 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-25 20:38 . 2003-01-01 23:41 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-25 20:37 . 2009-01-14 03:43 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-25 20:35 . 2009-01-14 04:53 290816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-25 20:32 . 2009-02-25 20:32 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-25 20:32 . 2009-02-25 20:32 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-25 20:32 . 2004-08-04 07:56 626688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-25 20:30 . 2009-02-25 20:30 3227648 ----a-w c:\windows\system32\aticaldd.dll
2009-02-25 14:15 . 2009-02-05 23:48 593920 ------w c:\windows\system32\ati2sgag.exe
2001-07-12 22:25 . 2005-08-13 11:16 1581 ----a-w c:\program files\zoo.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-24_13.46.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-25 19:55 . 2009-05-25 19:55 16384 c:\windows\Temp\Perflib_Perfdata_67c.dat
+ 2009-05-25 19:55 . 2009-05-25 19:55 16384 c:\windows\Temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-09 483374]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2002-09-30 548933]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-20 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-22 290816]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 8704]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 233472]
"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-09-30 372736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Omega ASIO Control Panel.lnk - c:\program files\Lexicon\Omega\Driver\ASIOSysTray.exe [2007-8-21 311296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=c:\windows\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 8.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 14:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 13:39 32256]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 08:21 468224]
R2 musm3gld;musm3gld;c:\windows\system32\drivers\musm3gld.sys [30/08/2006 21:40 5513]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 18:51 4096]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\STOPzilla!\szntsvc.exe /service "STOPzilla Local Service" --> c:\program files\STOPzilla!\szntsvc.exe [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [01/11/2003 21:19 17920]
S3 ptO2_bus;O2 Composite Device;c:\windows\system32\drivers\ptO2_bus.sys [01/04/2009 01:25 22144]
S3 ptO2_flt;O2 USB Filter Service;c:\windows\system32\drivers\ptO2_flt.sys [01/04/2009 01:25 4608]
S3 ptO2_mdm;O2 USB Modem;c:\windows\system32\drivers\ptO2_mdm.sys [01/04/2009 01:25 39808]
S3 ptO2_prt;O2 Diagnostic Serial Port;c:\windows\system32\drivers\ptO2_prt.sys [01/04/2009 01:25 38528]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [15/10/2006 21:19 18432]
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearchURL,(Default) = hxxp://www.zpecialoffer.com/results.asp?keyword=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: mmohsix.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w060azka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w060azka.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,e0,05,cd,c5,f3,
3d,17,bf,c8,28,51,af,b0,29,a3,98,f7,04,95,8d,8f,ee,67,07,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,c0,64,56,b7,53,
65,6e,ae,71,3b,04,66,8b,46,0d,96,69,d2,73,9e,6c,f5,0b,8d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,f7,1d,98,f3,e5,
bd,ea,7c,25,da,ec,7e,55,20,c9,26,41,6d,b1,fb,75,b5,8c,4d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,4b,a7,27,ae,f9,
c0,c3,b1,3e,1e,9e,e0,57,5a,93,61,9e,78,7a,fe,b0,0a,32,a6,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,ab,c2,80,2b,f1,
2d,8d,ab,cd,44,cd,b9,a6,33,6c,cd,08,a0,cc,f9,8f,06,41,e8,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,4a,ce,4c,23,d9,
10,b3,30,b0,18,ed,a7,3f,8d,37,a4,83,d4,8f,a1,8e,ec,04,d7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,62,b3,47,2e,f8,
c8,69,65,31,77,e1,ba,b1,f8,68,02,9a,13,3d,ef,9f,1c,ae,cc,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,63,4e,30,18,4c,
97,40,cf,83,6c,56,8b,a0,85,96,ab,04,24,4e,05,9b,22,c8,19,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,5c,cd,7b,17,77,
b0,9e,05,51,fa,6e,91,28,9e,14,cc,4c,ea,d7,71,99,3c,38,6c,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,75,70,b3,ce,4c,
12,eb,3d,b1,cd,45,5a,a8,c4,f8,b9,79,88,00,87,e4,15,52,8e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,25,eb,86,06,61,
38,36,77,e3,0e,66,d5,eb,bc,2f,6b,73,3d,3b,ab,e5,c4,f2,0b,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,26,a3,6c,78,f4,
6d,0b,97,fa,ea,66,7f,d4,3b,6b,70,f6,ca,8e,90,d6,87,01,67,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-25 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 20:17
ComboFix2.txt 2009-05-24 14:07

Pre-Run: 12,378,787,840 bytes free
Post-Run: 12,359,856,128 bytes free

360 --- E O F --- 2009-04-20 20:30


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 May 2009 - 04:37 PM

Well done. :thumbup2:
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Note: The startup entry pointing at ALCMTR.EXE is a "Spyware" entry related to Realtek, used silently to monitor one's actions. It is not a sinister one and you can remove the startup entry without affecting the function of Realtek software. We have just removed the startup entry but not the file itself. Notice that you should not remove the file itself because it is needed for the subsequent updating of the software.

  • Please copy and paste a fresh Hijackthis log to your reply. Also tell me how your computer is running. Check if you are able to get to the Windows Update page and that all the security programs update without any problem.


#14 prose

prose
  • Topic Starter

  • Members
  • 10 posts

Posted 25 May 2009 - 05:44 PM

I have fixed the named entry. My computer seems to be running faster; it starts and shuts down quicker than it did before. Thank you so much for your time and help :thumbup2:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42:03, on 25/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\TEMP DOWNLOADS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Mouse Driver\MouseDrv.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mdz: C:\Program Files\Internet Explorer\Plugins\npmod32.dll
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1233613013312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9956 bytes

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 May 2009 - 05:56 PM

You are most welcome.

Please fix these lines with Hijackthis too and rerun Hijackthis to make sure they are gone:

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Go to start > run and copy and paste or type next command in the field then hit enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3, which has more features and is more secure than Service Pack 2.

    You can update by going to start > All Programs > Windows update > click on Custom button.

    Note: Download Service Pack 3 but before installing it disable your antivirus real-time protection.

  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restrictions. You can find more information and a download link.

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.
Happy Surfing!
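As an added example (not part of the thread, and not code from HijackThis, ComboFix or Farbar), the script below automates the triage done by hand in the post above: it flags registered URL search hooks, BHOs and toolbars whose DLL is gone, services whose binary is missing, and an Internet Explorer search URL redirected away from the Microsoft default. The sample log is constructed from lines in the posted HijackThis output; the reason labels and the Microsoft default-URL prefix are my own assumptions.

```python
"""Triage a HijackThis v2 log for orphaned registrations and search hijacks."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry is "<section tag> - <body>", with body fields split by " - ".
ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# IE registry values under R0/R1 that control where searches are sent.
SEARCH_KEYS = ("SearchURL", "Search Page", "Default_Search_URL")
# Stock Microsoft default on XP/IE7 (assumption: anything else is worth a look).
MS_DEFAULT_PREFIXES = ("http://go.microsoft.com/fwlink/",)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "R3" or "O2"
    reason: str    # one of: orphaned-clsid, missing-service-binary, search-hijack
    detail: str    # the CLSID, service name or URL that triggered the finding


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    # 1. A COM registration (search hook, BHO, toolbar) whose file no longer exists.
    #    The DLL was removed but its CLSID is still wired into IE: typical adware residue.
    if body.endswith("(no file)"):
        clsid = CLSID.search(body)
        if clsid:
            return Finding(section, "orphaned-clsid", clsid.group(0))

    # 2. A service whose binary is gone. Harmless by itself, but a stale registration
    #    that a later infection could repopulate, so it should be cleaned up.
    if section == "O23" and body.endswith("(file missing)"):
        return Finding(section, "missing-service-binary", body.split(" - ")[0])

    # 3. IE search settings pointing somewhere other than the Microsoft default.
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if any(k in key for k in SEARCH_KEYS) and value \
                and not value.startswith(MS_DEFAULT_PREFIXES):
            return Finding(section, "search-hijack", value)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a HijackThis log and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
"""


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<24}{f.detail}")


if __name__ == "__main__":
    main()
```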



