
anti-malware disabled, search engine redirect, task manager disabled


This topic is locked. 13 replies to this topic.

#1 granty17

Posted 09 June 2009 - 12:18 PM

Hi, this is the tenth time I have tried to post this, as my computer keeps freezing up.

The problem started when I logged onto my PC the other day. Before I logged onto my user account, a "googleupdate.exe" application error box appeared. When I got onto my account, a black box appeared on the screen briefly, as well as a message saying something about "personalising DCOM service" (I disabled the DCOM service when I saw the message). I connected to the internet and went to Google. Everything was normal up until I clicked on a search result, which opened up a new tab with a completely irrelevant page such as MySpace or Britannia Search. I then noticed that my McAfee Total Protection 2009 had been disabled and would not re-open. I was not able to open any anti-malware programs, as well as HJT. Sometimes the screen will just go black, forcing me to restart. Task Manager and regedit are also disabled by admin (I am the administrator). IE also tries to open on its own occasionally.

******************************************************************************************************************
here is my DDS report:


DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by grant at 15:30:45.98 on Tue 06/09/2009
Internet Explorer: 6.0.2900.2180
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

mWinlogon: userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MSN helper: {10c0b0c0-fc01-473b-8ebb-4376353f96e4} - bekbn.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: : {69ae5539-3323-4d37-81e2-ac4f0bb9332f} - c:\windows\system32\nttrrol.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
EB: {FABA076A-478A-4c32-A0A5-C774607901C2} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PCSync2.exe" /NoDialog
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\PCSuite.exe" -onlytray
uRun: [SpeedItUpEX] c:\program files\speeditupfree\SpeedItUp.exe -MINI
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [CnxDslTaskBar] "c:\program files\conexant\accessrunner adsl\CnxDslTb.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [net] "c:\windows\system32\net.net"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\grant\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winman~1.lnk - c:\program files\pc-tv\winmanager\WinManager.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941}
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: {5F374860-6ED7-486E-8221-40DF789B0CB1} = 212.139.132.44 212.139.132.43
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: byXOffeB - byXOffeB.dll
Notify: kjghfwho - nttrrol.dll
AppInit_DLLs: c:\windows\system32\zigehuze.dll irxleq.dll c:\windows\system32\bamukitu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJDsTKA
LSA: Notification Packages = scecli c:\windows\system32\zigehuze.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grant\applic~1\mozilla\firefox\profiles\h59d003c.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.beyondfootball.com/gallery-Tutorials-5,1,5,1.html
FF - component: c:\documents and settings\grant\application data\mozilla\firefox\profiles\h59d003c.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\nsgkff20_meter1.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_19.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-08 23:42 45 a------- c:\windows\system32\ca.dat
2009-06-08 20:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-08 20:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-08 18:42 <DIR> --d----- C:\_backupD
2009-06-08 18:42 280,286 a------- C:\win32delfkil.exe
2009-06-08 18:42 90,112 a------- c:\windows\system32\regdacl.exe
2009-06-08 18:42 53,248 a------- c:\windows\system32\process.exe
2009-06-08 18:42 42,496 a------- c:\windows\system32\swreg.exe
2009-06-08 18:42 16,384 a------- c:\windows\system32\restart.exe
2009-06-08 18:42 4,096 a------- c:\windows\system32\reboot.exe
2009-06-08 18:42 <DIR> --d----- c:\windows\system32\regdacl
2009-06-08 18:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-08 17:59 <DIR> --d----- c:\windows\pss
2009-06-08 17:11 1 a------- c:\windows\system32\q1.dat
2009-06-08 17:11 1 a------- c:\windows\system32\idm.dat
2009-06-08 17:11 1 a------- c:\windows\system32\ck.dat
2009-06-08 17:11 1 a------- c:\windows\system32\c2d.dat
2009-06-08 17:05 70,144 a------- c:\windows\system32\inform.dat
2009-06-08 17:05 42,496 a------- c:\windows\system32\bekbn.dll
2009-06-08 17:05 16,164 a------- c:\windows\system32\fkas
2009-06-08 17:02 171,008 a------- c:\windows\system32\net.net
2009-06-02 20:12 <DIR> --d----- c:\program files\CasinoOnNet
2009-06-02 15:24 107,520 a------- c:\windows\system32\UnCasino5.exe
2009-06-02 02:12 <DIR> --d----- c:\program files\InterCasino
2009-05-30 16:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microgaming
2009-05-30 16:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MGS
2009-05-30 16:35 <DIR> --d----- C:\Microgaming
2009-05-30 15:50 987 a------- C:\settings12.html
2009-05-30 15:50 261 a------- C:\Firewall.html
2009-05-30 15:50 9 a------- C:\validationcode13.php
2009-05-30 15:24 <DIR> --d----- c:\program files\Roulette Sniper
2009-05-25 16:02 <DIR> --d----- C:\Casino
2009-05-24 00:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VOWSoft
2009-05-24 00:14 <DIR> --d----- c:\program files\ABC 3GP Converter
2009-05-15 19:45 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-15 19:45 1,409 a------- c:\windows\QTFont.for
2009-05-13 21:14 <DIR> --d----- c:\program files\Bullfrog

==================== Find3M ====================

2009-04-17 19:30 22,764 ac------ c:\windows\system32\emptyregdb.dat
2008-05-22 22:24 94,208 a------- c:\docume~1\grant\applic~1\ezplay.sys
2008-05-22 22:24 87,608 a------- c:\docume~1\grant\applic~1\inst.exe
2007-07-21 16:23 47,360 a------- c:\docume~1\grant\applic~1\pcouffin.sys
2009-02-16 00:39 2 a--shrot c:\windows\winstart.bat
2009-02-12 20:36 345 a--sh--- c:\windows\system32\YadggMoq.ini2

============= FINISH: 15:32:49.56 ===============

*****************************************************************************************************************

I would be very grateful if someone could help me with this problem.


thanks,

grant K
Attached File  Attach.txt   4.99KB   8 downloads
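Added example, not part of the thread: a small Python triage pass over lines in the format of the DDS "Pseudo HJT Report" above. It flags the persistence points that stand out in this particular log (policies that lock out Task Manager and regedit, a Run entry whose target is not an .exe, an unnamed BHO, Winlogon Notify and AppInit_DLLs entries, and LSA packages beyond the stock ones). The allowlists and baselines are this example's own assumptions for a stock Windows XP install, not something DDS provides.

```python
"""Triage pass over DDS 'Pseudo HJT Report' lines (added example).

Flags the persistence points this kind of log exposes: policies that lock
out Task Manager and regedit, Run entries whose target is not an .exe,
unnamed BHOs, non-baseline Winlogon Notify, AppInit_DLLs and LSA packages.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of lines in the format of the DDS report above.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [net] "c:\windows\system32\net.net"
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
BHO: : {69ae5539-3323-4d37-81e2-ac4f0bb9332f} - c:\windows\system32\nttrrol.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
Notify: byXOffeB - byXOffeB.dll
Notify: kjghfwho - nttrrol.dll
AppInit_DLLs: c:\windows\system32\zigehuze.dll irxleq.dll c:\windows\system32\bamukitu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJDsTKA
LSA: Notification Packages = scecli c:\windows\system32\zigehuze.dll
"""

# Baselines assumed for a stock Windows XP install. They are this example's
# own lists (an assumption), not something DDS or the thread defines.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
RUN_OK_EXT = (".exe",)
WINLOGON_NOTIFY_OK = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
LSA_BASELINE = {"authentication packages": {"msv1_0"},
                "notification packages": {"scecli"}}

Finding = Tuple[str, str]  # (rule, detail)


def _exe_of(command: str) -> str:
    """Return the program a Run value launches: the quoted path if quoted,
    otherwise the text up to the first '.ext' token (handles unquoted paths
    with spaces and 'RUNDLL32.EXE ...' forms)."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r"\s*(.+?\.[A-Za-z0-9]+)(?=[\s,]|$)", command))
    return m.group(1) if m else command.strip()


def triage(report: str) -> List[Finding]:
    """Walk the report line by line and collect (rule, detail) findings."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        kind, _, rest = line.partition(":")
        rest = rest.strip()
        if kind.endswith("Policies-system"):
            # e.g. "DisableTaskMgr = 1 (0x1)": admin tools switched off by policy
            m = re.match(r"(\w+)\s*=\s*(\d+)", rest)
            if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
                findings.append(("policy-lockout", m.group(1)))
        elif kind in ("uRun", "mRun", "dRun"):
            # "[name] command": flag targets that are not .exe files
            m = re.match(r"\[(.*?)\]\s*(.*)", rest)
            exe = _exe_of(m.group(2)) if m else ""
            if exe and not exe.lower().endswith(RUN_OK_EXT):
                findings.append(("run-odd-extension", exe))
        elif kind == "BHO":
            # "name: {clsid} - path": an empty name is unusual for real software
            name, _, tail = rest.partition(":")
            if not name.strip() and tail.strip():
                findings.append(("bho-unnamed", tail.strip()))
        elif kind == "Notify":
            # Winlogon notification packages outside the stock set
            name = rest.partition(" - ")[0].strip().lower()
            if name not in WINLOGON_NOTIFY_OK:
                findings.append(("winlogon-notify", rest))
        elif kind == "AppInit_DLLs":
            # AppInit_DLLs is empty on a clean install; report every entry
            for dll in rest.split():
                findings.append(("appinit-dll", dll))
        elif kind == "LSA":
            # Extra authentication/notification packages beyond the baseline
            key, _, value = rest.partition("=")
            baseline = LSA_BASELINE.get(key.strip().lower(), set())
            for pkg in value.split():
                if pkg.lower() not in baseline:
                    findings.append(("lsa-package", f"{key.strip()}: {pkg}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:20} {detail}")
```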


#2 Farbar (Security Developer, The Netherlands)

Posted 09 June 2009 - 06:18 PM

Hi granty17,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

In case the malware prevented installing or running Malwarebytes, don't spend much time on it and let me know quickly.

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#3 granty17 (Topic Starter)

Posted 10 June 2009 - 10:32 AM

hi Farbar,

Thanks for the quick reply. I downloaded Malwarebytes' Anti-Malware and was able to install it with no problems, but the malware is preventing it from running.

thanks

grant K

#4 Farbar

Posted 10 June 2009 - 11:11 AM

Hi Grant,

Using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
  • Locate the file mbam.exe and rename it to clear.exe, then double-click to run it.
  • Wait until it opens up.
  • Update it first. When you get the message that it is updated successfully, check under the Update tab that the Database version reads 2258 or above.
  • Run a quick scan. Let it remove what it finds by checking all the found items, let it reboot if needed, and copy/paste the log to your reply.
Note: The logs are saved by default under the Logs tab. If the log did not automatically open after reboot, you can obtain the latest log from there.

#5 granty17

Posted 10 June 2009 - 11:54 AM

Hi Farbar,

Ran the Malwarebytes software; it found 61 infected files, and I managed to remove all but a few.

*************************************************************************************

here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2258
Windows 5.1.2600 Service Pack 2

6/10/2009 5:44:33 PM
mbam-log-2009-06-10 (17-44-33).txt

Scan type: Quick Scan
Objects scanned: 109763
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 54
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{faba076a-478a-4c32-a0a5-c774607901c2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00110011-4b0b-44d5-9718-90c88817369b} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{086ae192-23a6-48d6-96ec-715f53797e85} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0f8f84cf-dcba-4426-ac18-30a8ab00c526} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{150fa160-130d-451f-b863-b655061432ba} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d38a51a-23c9-48a1-a33c-48675aa2b494} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2e9caff6-30c7-4208-8807-e79d4ec6f806} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{32131238-5434-4234-4234-432432423432} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{587dbf2d-9145-4c9e-92c2-1f953da73773} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{79369d5c-2903-4b7a-ade2-d5e0dee14d24} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{799a370d-5993-4887-9df7-0a4756a77d00} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9506910a-0f94-4ea1-b567-7070428b8b2b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98dbbf16-ca43-4c33-be80-99e6694468a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a55581dc-2cdb-4089-8878-71a080b22342} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b847676d-72ac-4393-bfff-43a1eb979352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bc97b254-b2b9-4d40-971d-78e0978f5f26} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf021f40-3e14-23a5-cba2-717765721306} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e2ddf680-9905-4dee-8c64-0a5de7fe133c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7afff2a-1b57-49c7-bf6b-e5123394c970} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fd9bc004-8331-4457-b830-4759ff704c22} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kjghfwho (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zjzyaaik (Trojan.Vundo.H) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\2052 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ck.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msupdt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\q1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.

thanks,

grant K
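Added example, not from the thread: a parser for MBAM log lines of the kind posted above. It separates what MBAM quarantined from what it could only mark "Delete on reboot" (the "all but a few" in this post), and compares two scans to list items that reappear. Both excerpts are constructed from the log above and from the rescan posted later in the thread.

```python
"""Summarise Malwarebytes' Anti-Malware (MBAM) logs (added example).

Parses item lines of the form
    <item> (<Family>) -> <status>.
separates items already quarantined from those only scheduled for
'Delete on reboot', and lists items that show up again in a later scan.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt of the first scan posted in the thread.
FIRST_SCAN = r"""
Memory Modules Infected:
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed excerpt of the rescan from later in the thread.
SECOND_SCAN = r"""
Memory Modules Infected:
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# "<item> (<Family>) -> <rest>"; the family never contains parentheses.
ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam(text: str) -> List[Dict[str, str]]:
    """Return one record per detected item: section, item, family, status."""
    section, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM.match(line)
        if not m or section is None:      # summary counts and other noise
            continue
        # Registry data items carry "Bad: (1) Good: (0) ->" before the final
        # status, so keep only the last "->" segment and drop the trailing dot.
        status = m.group("rest").rsplit("-> ", 1)[-1].rstrip(".")
        records.append({"section": section, "item": m.group("item"),
                        "family": m.group("family"), "status": status})
    return records


def status_counts(records: List[Dict[str, str]]) -> Counter:
    """How many items ended in each status (quarantined vs. pending reboot)."""
    return Counter(r["status"] for r in records)


def pending_reboot(records: List[Dict[str, str]]) -> List[str]:
    """Items MBAM could not remove while running; they need the reboot."""
    return [r["item"] for r in records if r["status"] == "Delete on reboot"]


def reappearing(first: str, second: str) -> List[str]:
    """Items flagged in both scans (case-insensitive path comparison),
    i.e. removals that did not stick between the two runs."""
    seen = {r["item"].lower() for r in parse_mbam(first)}
    return sorted(r["item"].lower() for r in parse_mbam(second)
                  if r["item"].lower() in seen)


if __name__ == "__main__":
    recs = parse_mbam(FIRST_SCAN)
    print(dict(status_counts(recs)))
    print("pending reboot:", pending_reboot(recs))
    print("reappearing in rescan:", reappearing(FIRST_SCAN, SECOND_SCAN))
```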

#6 Farbar

Posted 10 June 2009 - 12:36 PM

Well done Grant. :thumbup2:
  • You have the program Spybot S&D (TeaTimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.



  • Run the MBAM quick scan once more; if you get a clean log there is no need to post it.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double-click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 granty17

Posted 10 June 2009 - 12:47 PM

:thumbup2:

I was not able to run Search and Destroy, but Task Manager is now enabled and I stopped the TeaTimer.exe process. Will this work as well?

thanks

grant K

#8 Farbar

Posted 10 June 2009 - 01:04 PM

Yes, that will do for now. Also run ResetTeaTimer.exe to empty its cache. After running ComboFix you will be able to disable it.

#9 granty17

Posted 10 June 2009 - 02:36 PM

Hi,

I ran the Malwarebytes software again; here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2258
Windows 5.1.2600 Service Pack 2

6/10/2009 7:15:32 PM
mbam-log-2009-06-10 (19-15-32).txt


Scan type: Quick Scan
Objects scanned: 109528
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kjghfwho (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zjzyaaik (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69ae5539-3323-4d37-81e2-ac4f0bb9332f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\nttrrol.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

*****************************************************************************

Then ran ComboFix; here is the log:

ComboFix 09-06-09.06 - grant 06/10/2009 19:59.3 - NTFSx86
Running from: c:\documents and settings\grant\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\david\a.exe
c:\documents and settings\david\Application Data\inst.exe
c:\documents and settings\grant\Application Data\inst.exe
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-639-I.sbr.sgn.unsgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-724-I.sbr.sgn.unsgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-759-I.sbr.sgn.unsgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-767-I.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-782-I.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-799-I.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-799-I.sbr.sgn.unsgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-800-I.sbr.sgn.unsgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-803-F.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-804-F.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-807-F.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-809-F.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-813-I.sbr.sgn
c:\documents and settings\grant\Local Settings\Temporary Internet Files\CSC2.1U-EN-813-I.sbr.sgn.unsgn
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\IE4 Error Log.txt
c:\windows\system32\AKTsDJjl.ini
c:\windows\system32\AKTsDJjl.ini2
c:\windows\system32\drivers\eomk.sys
c:\windows\system32\drivers\SKYNETbqpappbi.sys
c:\windows\system32\drivers\UACxrwqfgvxxmltoiy.sys
c:\windows\system32\GOXIiQru.ini
c:\windows\system32\inform.dat
c:\windows\system32\Process.exe
c:\windows\system32\SKYNETgodttono.dat
c:\windows\system32\SKYNETmwpyktlw.dll
c:\windows\system32\SKYNETvyuevssw.dll
c:\windows\system32\UACbcisdanirfvhvkg.dll
c:\windows\system32\UACgyuqjprxlvnecfx.dll
c:\windows\system32\UACikudikkwnfrkioa.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClnbnvnidrxgjrnx.dll
c:\windows\system32\UACmiotidrjtxmhxva.dll
c:\windows\system32\UACpbpyhpnivjldjyx.dll
c:\windows\system32\UACpxjkakwvxipgcvy.log
c:\windows\system32\UACqbqvhlcryykcnna.log
c:\windows\system32\UACqyoruwtpdbhxfrg.dat
c:\windows\system32\UACrruvutfeehuoqlk.db
c:\windows\system32\UACrulvbddomsdrbon.log
c:\windows\system32\YadggMoq.ini
c:\windows\system32\YadggMoq.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 16:46 . 2009-06-10 16:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-10 16:31 . 2009-06-10 16:31 -------- d-----w- c:\documents and settings\grant\Application Data\Malwarebytes
2009-06-10 15:28 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 15:28 . 2009-06-10 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 15:28 . 2009-06-10 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-10 15:28 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 20:24 . 2004-08-04 12:00 614429 ----a-w- c:\documents and settings\guest3\Application Data\Creative\Media Database\JetFileBackup\Mswstr10.dll
2009-06-09 20:24 . 2004-08-04 12:00 57344 ----a-w- c:\documents and settings\guest3\Application Data\Creative\Media Database\JetFileBackup\Msadrh15.dll
2009-06-09 20:24 . 2004-08-04 12:00 536576 ----a-w- c:\documents and settings\guest3\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
2009-06-09 20:24 . 2004-08-04 12:00 53279 ----a-w- c:\documents and settings\guest3\Application Data\Creative\Media Database\JetFileBackup\Msjter40.dll
2009-06-09 20:24 . 2004-08-04 12:00 380957 ----a-w- c:\documents and settings\guest3\Application Data\Creative\Media Database\JetFileBackup\Expsrv.dll
2009-06-08 19:17 . 2009-06-10 17:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-08 19:17 . 2009-06-08 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-08 17:42 . 2009-06-08 17:42 -------- d-----w- C:\_backupD
2009-06-08 17:42 . 2009-06-08 17:42 -------- d-----w- c:\windows\system32\regdacl
2009-06-08 17:42 . 2009-06-08 17:42 90112 ----a-w- c:\windows\system32\regdacl.exe
2009-06-08 17:42 . 2009-06-08 17:42 4096 ----a-w- c:\windows\system32\reboot.exe
2009-06-08 17:42 . 2009-06-08 17:42 16384 ----a-w- c:\windows\system32\restart.exe
2009-06-08 17:42 . 2009-06-08 17:39 280286 ----a-w- C:\win32delfkil.exe
2009-06-08 17:11 . 2009-06-08 17:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 19:13 . 2009-06-02 19:34 -------- d-----w- c:\documents and settings\david\Application Data\CasinoOnNet
2009-06-02 19:12 . 2009-06-02 19:13 -------- d-----w- c:\program files\CasinoOnNet
2009-06-02 14:24 . 2007-06-22 17:02 107520 ----a-w- c:\windows\system32\UnCasino5.exe
2009-06-02 01:12 . 2009-06-02 14:49 -------- d-----w- c:\program files\InterCasino
2009-05-30 16:28 . 2009-05-30 16:28 829840 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mptadvancedslots.039a84427e76ab4e1715f80765a76305.dll
2009-05-30 16:27 . 2009-05-30 16:27 254224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition.26c3e2ce55c7cca8b63e5e8d7b4627e4.dll
2009-05-30 16:27 . 2009-05-30 16:27 823568 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_temp2.198f2a88c7f89c1d0b1ded39e546e22b.dll
2009-05-30 16:27 . 2009-05-30 16:27 823568 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1.d6634c03808be76623e7497fcb1eb424.dll
2009-05-30 16:27 . 2009-05-30 16:27 944033 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvslotxxx.e5675e7198cee47ae84db3a4020d9441.dll
2009-05-30 16:27 . 2009-05-30 16:27 114960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_5reelnormal3_4_5.07db0a5618a0565d7bde7a2766c54711.dll
2009-05-30 16:26 . 2009-05-30 16:26 110864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_3reelnormal1_2.6d58a1bcaf1d9165fa0b77fa9598b623.dll
2009-05-30 16:26 . 2009-05-30 16:26 45328 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\x\xmlparserplugin.57e9fd94cbd592ad475a3ca59462730f.dll
2009-05-30 16:26 . 2009-05-30 16:26 213264 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2.9d7f0f3cf78a68d28fc5a3e77fdc77da.dll
2009-05-30 16:26 . 2009-05-30 16:26 176400 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble.212eaf21a4805f8521d0d0c57b6a933b.dll
2009-05-30 16:26 . 2009-05-30 16:26 86016 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gambleplugin.c4d8c6f5542066f894b7f2e575038afb.dll
2009-05-30 16:26 . 2009-05-30 16:26 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_tggg.436ea9e59e2a2b9a2106e598920cba26.dll
2009-05-30 16:26 . 2009-05-30 16:26 221456 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_temp.5a22e38498bf34a124cc458bf6408ad3.dll
2009-05-30 16:26 . 2009-05-30 16:26 204905 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\thunderstruck.0cc1be68d215832fa06fc779c0b3e069.dll
2009-05-30 16:26 . 2009-05-30 16:26 114688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroroulette.fa2b524975a5d8bbc30203d094e2b084.dll
2009-05-30 16:25 . 2009-05-30 16:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjackstrategy.9c188ef9cd6c03e5b4bd398d23041cd2.dll
2009-05-30 16:25 . 2009-05-30 16:25 229483 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjack.6c6f541acc24f3244c0a64fa851edca8.dll
2009-05-30 16:25 . 2009-05-30 16:25 376832 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\europeanblackjack.cb403a5bad6b43e2910d2e09c35c47ed.dll
2009-05-30 15:35 . 2009-05-30 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\MGS
2009-05-30 15:35 . 2009-05-30 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microgaming
2009-05-30 15:35 . 2009-05-30 15:35 -------- d-----w- C:\Microgaming
2009-05-30 14:24 . 2009-05-30 14:24 -------- d-----w- c:\program files\Roulette Sniper
2009-05-25 15:02 . 2009-05-27 14:45 -------- d-----w- C:\Casino
2009-05-23 23:14 . 2009-05-23 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\VOWSoft
2009-05-23 23:14 . 2009-05-23 23:14 -------- d-----w- c:\program files\ABC 3GP Converter
2009-05-20 20:33 . 2009-05-20 20:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-20 20:32 . 2009-05-20 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 20:32 . 2009-05-20 20:34 -------- d-----w- c:\program files\Google
2009-05-13 20:14 . 2009-05-13 20:14 -------- d-----w- c:\program files\Bullfrog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 19:12 . 2008-05-25 21:39 -------- d-----w- c:\program files\DNA
2009-06-10 19:12 . 2008-05-25 21:39 -------- d-----w- c:\documents and settings\grant\Application Data\DNA
2009-06-10 16:45 . 2009-06-10 16:45 3038 ----a-w- c:\program files\menrbh.txt
2009-06-10 16:36 . 2009-06-08 22:42 45 ----a-w- c:\windows\system32\ca.dat
2009-06-09 20:24 . 2009-06-08 22:36 -------- d-----w- c:\documents and settings\guest3\Application Data\Creative
2009-06-06 21:46 . 2009-02-15 22:30 -------- d-----w- c:\program files\McAfee
2009-06-02 14:49 . 2009-06-02 01:12 -------- d-----w- c:\program files\InterCasino
2009-05-28 21:51 . 2008-06-24 13:16 -------- d-----w- c:\documents and settings\david\Application Data\Vso
2009-05-03 20:31 . 2009-05-03 20:30 1878984 ----a-w- c:\documents and settings\david\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-04-26 15:28 . 2007-06-02 19:16 68200 -c--a-w- c:\documents and settings\david\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 21:45 . 2007-06-03 09:35 -------- d-----w- c:\program files\PC-TV
2009-04-18 21:45 . 2007-05-29 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-18 01:35 . 2009-04-18 01:06 -------- d-----w- c:\documents and settings\david\Application Data\Creative
2009-04-17 20:21 . 2008-05-19 02:36 -------- d-----w- c:\program files\SpeedItUpFree
2009-04-17 18:30 . 2007-05-18 16:36 22764 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-04-16 17:20 . 2008-06-17 01:47 -------- d-----w- c:\program files\RegCure
2009-04-14 14:22 . 2009-04-13 21:02 -------- d-----w- c:\program files\Registry Easy
2009-04-11 23:11 . 2007-07-21 15:23 -------- d-----w- c:\documents and settings\grant\Application Data\Vso
2009-04-11 21:30 . 2003-01-02 11:15 -------- d-----w- c:\program files\Veoh Networks
2009-04-03 15:42 . 2007-06-19 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-03-25 10:06 . 2009-02-15 22:32 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2009-02-15 22:32 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2009-02-15 22:32 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2009-01-09 12:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2009-02-15 22:30 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2008-12-21 20:21 . 2008-03-17 01:07 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 20:21 . 2008-03-17 01:07 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 20:21 . 2008-03-17 01:07 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-08-22 14:36 . 2009-02-11 21:20 163840 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter1.dll
2008-12-21 20:21 . 2008-03-17 01:07 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 20:21 . 2008-03-17 01:07 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-15 23:39 . 2009-02-15 23:39 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-12 342848]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-12 160592]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 98304]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"CnxDslTaskBar"="c:\program files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2003-05-12 454656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-12 160592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\grant\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-12 546816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinManager.lnk - c:\program files\PC-TV\WinManager\WinManager.exe [2009-4-18 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=mapledxp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-10-20 27904]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\netimflt.sys [x]
R3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\DRIVERS\slnt7554.sys [2004-08-03 129535]
R4 gupdate1c9d98a3ca595ae;Google Update Service (gupdate1c9d98a3ca595ae);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 133104]
S0 878BDA;DVB-TV 878 BDA Driver;c:\windows\System32\Drivers\878BDA.sys [2007-06-02 86016]
S0 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2008-08-22 8832]
S0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2007-06-09 15544]
S1 mapledxp;mapledxp;c:\windows\System32\drivers\mapledxp.SYS [2004-04-05 24720]
S1 nnrnstdi;nnrnstdi; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\DRIVERS\CnxEtP.sys [2003-05-12 60288]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\DRIVERS\CnxEtU.sys [2003-05-12 643200]
S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\DRIVERS\CnxTgN.sys [2003-05-12 108547]
S3 DtvAudio;DtvAudio;c:\windows\system32\DRIVERS\DtvAudio.sys [2004-02-26 10330]
S3 DtvVideo;DtvVideo;c:\windows\system32\DRIVERS\DtvVideo.sys [2004-02-26 26730]
S3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [x]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SBAPIFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zjzyaaik

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
rundll32 bekbn.dll,InitO
.
Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-06-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-20 20:32]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 20:33]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-15 10:53]

2009-02-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-15 10:53]

2009-04-13 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-04-13 14:59]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe
HKCU-Run-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe
HKCU-Run-SpeedItUpEX - c:\program files\SpeedItUpFree\SpeedItUp.exe
Notify-byXOffeB - byXOffeB.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\grant\Application Data\Mozilla\Firefox\Profiles\h59d003c.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.beyondfootball.com/gallery-Tutorials-5,1,5,1.html
FF - component: c:\documents and settings\grant\Application Data\Mozilla\Firefox\Profiles\h59d003c.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\nsgkff20_meter1.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_19.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\**j9*jjj9*j*jh*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\f%ff $f%ffEf f s~**f}*t,fEf=rfEf)Ēfs~f}*ufE]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\MT$B J3$@*p"*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\JPΉT$4菓*L$0T$$QRD$$P腓*L$0T$,QRz*D$(L$,PQi*j@*t VPRH@*D$(L$$PQA*T$0D$$RP0*L$8Q*L$(D$$A@jL$,D$($R*PR4**S]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\uy2*yv12*i420*yvu9*if09*iyuv*uyvy*bgr24*bgr32*bgr16*bgr15*bgr8*bgr4*bg4b*bgr1*rgb24*rgb32*rgb16*rgb15*rgb8*rgb4*rg4b*rgb1*rgba*argb*bgra*abgr*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-2000478354-725345543-1004\Software\Microsoft\Multimedia\(*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(888)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Sunbelt Software\CounterSpy\SBCSSvc.exe
c:\windows\system32\slserv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-10 20:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 19:26
ComboFix2.txt 2008-11-02 22:02

Pre-Run: 11,172,335,616 bytes free
Post-Run: 17,100,095,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=7 Default=7 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
358 --- E O F --- 2009-06-08 21:23

*******************************************************************************

Regedit and Task Manager are now working and Google is not redirecting; however, I am still not able to run McAfee Total Protection.



thanks,

grant K
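The Malwarebytes log in this post has a fixed layout: a header with per-category counts, then one section per category with one detection per line in the form `item (Family) -> action`. As an added example that is not part of this thread and not Malwarebytes' own tooling, here is a small Python parser over a constructed sample log in that layout (the paths, key names and CLSID are placeholders, not the entries from the post). It cross-checks the header counts against the entries it parsed and lists the items marked "Delete on reboot", which are in-use modules that remain on disk until the machine is restarted, so a follow-up scan run before rebooting will report them again.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# File names, key names and the CLSID are placeholders, not the thread's real entries.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37
Database version: 2258
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 109528
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\example2.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\example2.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\example1.dll (Trojan.Agent) -> Delete on reboot.
"""

# "Memory Modules Infected: 2"  -> header count line
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Memory Modules Infected:"    -> start of a detection section
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, detections).

    summary:    {section name: count from the header block}
    detections: {section name: [(item, family, action), ...]}
    """
    summary = {}
    detections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections[section].append((m.group("item"), m.group("family"), m.group("action")))
    return summary, dict(detections)


def summary_matches_entries(summary, detections):
    """True when every header count equals the number of entries parsed for that section."""
    return all(len(detections.get(name, [])) == count for name, count in summary.items())


def families(detections):
    """Set of detection names (e.g. Trojan.Vundo.H) seen anywhere in the log."""
    return {family for entries in detections.values() for _item, family, _action in entries}


def pending_reboot_items(detections):
    """Items MBAM could not remove immediately; de-duplicated case-insensitively
    because the same DLL appears under both 'Memory Modules' and 'Files'."""
    seen = {}
    for entries in detections.values():
        for item, _family, action in entries:
            if action.lower().startswith("delete on reboot"):
                seen.setdefault(item.lower(), item)
    return sorted(seen.values())


if __name__ == "__main__":
    summary, detections = parse_mbam_log(SAMPLE_LOG)
    for section, count in summary.items():
        print(f"{section}: {count} (parsed {len(detections.get(section, []))})")
    print("families:", ", ".join(sorted(families(detections))))
    print("still on disk until reboot:", pending_reboot_items(detections))
```

The reboot list is the practical output: until those modules are gone, any further scan or cleanup tool run on the same session is working on a machine where the flagged code is still loaded.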

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:08 PM

Posted 10 June 2009 - 03:51 PM

Seems ComboFix has been run before.
  • Close any open browsers.

    Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    zjzyaaik
    NetSvc::
    zjzyaaik
    File::
    C:\WINDOWS\system32\bekbn.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
    FixCSet::

    Save this as CFScript.txt, in the same location as ComboFix.exe.


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you (C:\ComboFix.txt). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Please run MBAM once more and post the log if it still finds anything.


#11 granty17

granty17
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:08 PM

Posted 13 June 2009 - 05:24 PM

Hi Farbar,

Here is the ComboFix log:

ComboFix 09-06-09.06 - grant 06/10/2009 22:03:13.4 - NTFSx86
Running from: C:\Documents and Settings\grant\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\grant\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"C:\WINDOWS\system32\bekbn.dll"
.

Computer seems to be working fine now, although my MP3 player will not connect to it now.

thanks,

grant K

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:08 PM

Posted 14 June 2009 - 07:08 AM

The ComboFix log is not complete. See if the log is the same as you posted; the log is here: C:\ComboFix.txt

If the log is different please post it; otherwise run the fix again and post the log.

Computer seems to be working fine now, although my MP3 player will not connect to it now.


Connect your MP3 player. Go to Start => My Computer and see if it is listed there.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:08 PM

Posted 19 June 2009 - 05:34 AM

Are you still there, or is the problem resolved?

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:08 PM

Posted 23 June 2009 - 04:01 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
