I Think I May Have The Virtumonde Virus


  • This topic is locked
17 replies to this topic

#1 WhiteWood
  • Members
  • 74 posts

Posted 19 June 2009 - 10:56 AM

DDS (Ver_09-05-14.01) - NTFSx86
Run by OfficeMax at 11:50:24.64 on Fri 06/19/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {13e79c15-b1c3-4e15-96b3-d956600f82d0} - c:\programdata\wuyofage\wuyofage.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: {b57bde9d-1dbf-47a6-95cf-4622c58faa59} - c:\programdata\napijelu\napijelu.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\users\officemax\program files\dna\btdna.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [LSA Shellu] c:\users\officemax\lsass.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [PDFHook] c:\program files\nuance\pdf professional 5\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf professional 5\RegistryController.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [Nuance PDF Professional 5-reminder] "c:\program files\nuance\pdf professional 5\ereg\ereg.exe" -r "c:\programdata\nuance\pdf professional 5\ereg\Ereg.ini"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [TuneClone] c:\program files\tuneclone\TuneClone.exe /silence
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [xrt_Shell] c:\windows\system32\config\systemprofile\xrt_yrre.exe
dRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
dRun: [A00F1E62B8.exe] c:\windows\temp\_A00F1E62B8.exe
dRun: [SYS32DLL] SYS32DLL
dRun: [<NO NAME>] c:\windows\temp\h9cwx.exe
dRun: [nzdflkioezncfiunfindiuchiuenfcdc] c:\windows\temp\h9cwx.exe
dRun: [Windows System Recover!] c:\windows\temp\4108710280.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\p2card~1.lnk - c:\program files\panasonic p2\drivers\app\P2TaskTray.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Open with Nuance PDF Converter 5.0 - c:\program files\nuance\pdf professional 5\cnvres_eng.dll /100
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: facebook.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\programdata\zavoneru\zavoneru.dll c:\programdata\bujasojo\bujasojo.dll c:\programdata\jelulede\jelulede.dll c:\programdata\teteripe\teteripe.dll c:\programdata\napijelu\napijelu.dll c:\programdata\yurizoye\yurizoye.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\office~1\appdata\roaming\mozilla\firefox\profiles\ovwvjtm3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\users\officemax\appdata\roaming\mozilla\firefox\profiles\ovwvjtm3.default\extensions\{ddb7e7f0-96e4-11dd-ad8b-0800200c9a66}\components\srff.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\officemax\program files\dna\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile="c:\windows\system32\nctedit.exe" "%1"

=============== Created Last 30 ================

2009-06-19 10:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-19 10:42 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-19 10:42 <DIR> --d----- c:\program files\iPod
2009-06-19 10:42 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 10:42 <DIR> --d----- c:\program files\iTunes
2009-06-19 10:42 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 15:03 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-18 04:36 421,888 a------- c:\windows\system32\RealMediaSplitter.ax
2009-06-17 05:27 72,192 ---shr-- c:\users\officemax\OfficeMax.exe
2009-06-17 05:26 86,016 a--sh--- c:\users\officemax\lsass.exe
2009-06-17 01:34 692,224 a------- c:\windows\system32\bsrmgcv.dll
2009-06-17 01:34 192,512 a------- c:\windows\system32\bsrmgps.dll
2009-06-17 01:33 585,728 a------- c:\windows\system32\bsratswf.dll
2009-06-17 01:33 147,456 a------- c:\windows\system32\bsratwmv.dll
2009-06-16 20:31 <DIR> --d----- c:\program files\DivX
2009-06-16 19:14 <DIR> --d----- c:\users\office~1\appdata\roaming\VistaCodecs
2009-06-16 19:14 <DIR> --d----- c:\program files\VistaCodecPack
2009-06-15 23:39 1,035,264 a------- c:\windows\system32\VSFilter.dll
2009-06-15 21:41 <DIR> --d----- c:\program files\VS Revo Group
2009-06-12 13:32 <DIR> --d----- c:\program files\Griffin Technology
2009-06-12 10:30 1,056,768 a------- c:\windows\system32\defltbase.sdb
2009-06-12 04:04 <DIR> --d----- c:\windows\CheckSur
2009-06-12 03:51 <DIR> --d----- c:\windows\system32\EventProviders
2009-06-12 00:54 311,296 a------- c:\windows\system32\portmon.dll
2009-06-12 00:54 <DIR> --d----- c:\programdata\Datagenn.com
2009-06-12 00:54 <DIR> --d----- c:\program files\Datagenn.com
2009-06-12 00:54 <DIR> --d----- c:\progra~2\Datagenn.com
2009-06-11 16:01 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-06-11 16:01 <DIR> --d----- c:\program files\Nitro PDF
2009-06-11 15:02 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-06-11 15:02 <DIR> --d----- c:\programdata\AIM Toolbar
2009-06-11 15:02 <DIR> --d----- c:\program files\AIM Toolbar
2009-06-11 15:02 <DIR> --d----- c:\progra~2\AIM Toolbar
2009-06-11 15:01 <DIR> --d----- c:\program files\Viewpoint
2009-06-11 15:00 <DIR> --d----- c:\program files\AIM6
2009-06-10 19:07 <DIR> --d----- c:\program files\ARAR
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 11:44 <DIR> --d----- c:\programdata\15383764
2009-06-04 11:44 <DIR> --d----- c:\progra~2\15383764
2009-06-02 17:13 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-05-29 17:02 61,440 a------- c:\windows\system32\xvid.ax
2009-05-29 16:52 204,800 a------- c:\windows\system32\xvidvfw.dll
2009-05-29 16:47 881,664 a------- c:\windows\system32\xvidcore.dll
2009-05-29 10:01 45,056 a------- c:\windows\system32\lmn_setup.exe
2009-05-29 05:11 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-26 15:19 192 a------- C:\487656.bat
2009-05-26 08:17 2 ----h--- c:\windows\sonce122730.dat
2009-05-26 08:17 <DIR> --d----- c:\windows\system32\sysloc
2009-05-25 07:45 <DIR> a-d----- c:\programdata\TEMP
2009-05-25 07:45 <DIR> --d----- c:\programdata\TuneClone
2009-05-25 07:45 <DIR> --d----- c:\progra~2\TuneClone
2009-05-25 07:41 20,352 a------- c:\windows\system32\drivers\tclondrv.sys
2009-05-25 07:41 <DIR> --d----- c:\program files\TuneClone
2009-05-22 13:01 1 a------- c:\windows\system32\uniq.tll
2009-05-21 19:00 <DIR> --d----- c:\programdata\Gtek

==================== Find3M ====================

2009-06-19 10:35 86,016 a------- c:\windows\inf\infstor.dat
2009-06-19 10:35 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 10:35 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-14 17:07 8,492 a------- c:\users\office~1\appdata\roaming\wklnhst.dat
2009-06-12 16:24 174 a--sh--- c:\program files\desktop.ini
2009-05-22 13:01 19,968 a------- c:\windows\system32\loader49.exe
2009-05-18 16:00 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-15 11:49 190 a------- C:\43214354.bat
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-27 14:45 35,328 a------- c:\windows\system32\cl.exe
2009-04-27 14:30 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-23 19:27 84,045 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-17 15:57 112,128 a------- c:\windows\system32\winsetup66.exe
2009-04-15 05:10 44,544 a------- c:\windows\system32\Winset20.exe
2009-04-11 19:44 465,874 a------- C:\psvrr.exe
2009-04-08 10:19 38,400 a------- c:\windows\system32\winsetupgl.exe
2009-04-05 09:39 61,440 a--sh--- c:\windows\system32\jevetedo.exe
2009-04-04 21:40 61,440 a--sh--- c:\windows\system32\lotibuye.exe
2009-04-03 12:40 61,440 a--sh--- c:\windows\system32\jirohowu.exe
2009-04-03 10:43 132,096 a------- c:\windows\system32\winsetup63.exe
2009-04-03 00:39 61,440 a--sh--- c:\windows\system32\refeyeka.exe
2009-04-02 12:39 61,440 a--sh--- c:\windows\system32\hulayoba.exe
2009-04-01 03:37 61,440 a--sh--- c:\windows\system32\pojovosa.exe
2009-03-31 15:36 61,440 a--sh--- c:\windows\system32\gupupehi.exe
2009-03-31 03:36 61,440 a--sh--- c:\windows\system32\kegovahe.exe
2009-03-30 14:08 61,440 a--sh--- c:\windows\system32\niguviya.exe
2009-03-30 01:57 62,149 a------- c:\windows\system32\pthreadGC2.dll
2009-03-27 23:58 61,440 a--sh--- c:\windows\system32\ribayiro.exe
2009-03-25 18:34 3,833,856 a------- c:\windows\system32\cdintf300.dll
2009-03-22 12:45 40,448 a------- c:\windows\system32\KuzSmall.exe
2009-03-22 12:45 40,448 a------- c:\windows\Cninineput.dll
2009-03-08 13:49 384 a------- c:\users\officemax\iaZIyYfpUW.bat
2009-02-05 02:59 28,672 a------- c:\users\officemax\ieframes.dll
2009-01-04 06:44 6,834 a------- c:\program files\KLF2.5GPU.log
2008-12-27 07:59 550 a------- c:\users\officemax\513.bat
2008-12-27 07:39 550 a------- c:\users\officemax\438.bat
2008-12-27 07:09 550 a------- c:\users\officemax\386.bat
2008-12-27 05:58 550 a------- c:\users\officemax\980.bat
2008-12-27 05:28 549 a------- c:\users\officemax\54.bat
2008-12-27 00:54 550 a------- c:\users\officemax\267.bat
2008-12-26 20:35 550 a------- c:\users\officemax\185.bat
2008-12-26 19:50 550 a------- c:\users\officemax\116.bat
2008-12-26 11:10 550 a------- c:\users\officemax\762.bat
2008-12-26 04:00 550 a------- c:\users\officemax\808.bat
2008-12-26 03:44 550 a------- c:\users\officemax\402.bat
2008-12-26 03:22 549 a------- c:\users\officemax\95.bat
2008-08-06 05:33 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-13 22:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-03-13 22:46 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-03-13 22:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 11:50:48.51 ===============

Edited by WhiteWood, 19 June 2009 - 10:57 AM.
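For a reader who wants the triage reasoning the responders apply to a DDS log spelled out in code, here is an added example. It is not a tool from this thread or from BleepingComputer, and it is not anything WhiteWood or miekiemoes ran: it scans the Pseudo HJT section for the patterns visible in the log above, namely autostart entries with no file path or running from temp and profile locations, a core system binary name such as lsass.exe outside system32, policies that disable Task Manager and the registry editor, non-default LSA Notification Packages, and a hijacked txtfile handler. The excerpt is constructed from a handful of the lines above, and the rule set (which directories count as bad, which LSA package is the only expected one) is an assumption of this example.

```python
import re

# Constructed excerpt: a handful of lines modelled on the DDS "Pseudo HJT Report" posted above.
SAMPLE_DDS = r"""
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LSA Shellu] c:\users\officemax\lsass.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
dRun: [xrt_Shell] c:\windows\system32\config\systemprofile\xrt_yrre.exe
dRun: [SYS32DLL] SYS32DLL
dRun: [<NO NAME>] c:\windows\temp\h9cwx.exe
dRun: [Windows System Recover!] c:\windows\temp\4108710280.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSA: Notification Packages = scecli c:\programdata\zavoneru\zavoneru.dll c:\programdata\bujasojo\bujasojo.dll
txtfile="c:\windows\system32\nctedit.exe" "%1"
"""

# Core Windows binaries that only ever run from %SystemRoot%\system32 (assumption: Vista-era x86 layout).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32"
# Directories from which nothing legitimate autostarts (assumption for this example).
BAD_AUTORUN_DIRS = ("\\windows\\temp\\", "\\systemprofile\\", "\\appdata\\local\\temp\\")
# An .exe sitting directly in the profile root (c:\users\<name>\x.exe) rather than in a program folder.
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$")
# Policy values that take the user's own diagnostic tools away when set to 1.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}
# Assumption: plain workstation. Hosts with password filters legitimately add packages here; tune as needed.
KNOWN_LSA_PACKAGES = {"scecli"}

RUN_RE = re.compile(r"^[umd]Run: \[(.*?)\] (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (\w+) = (\d+)")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$")
TXTFILE_RE = re.compile(r"^txtfile=(.*)$")


def _command_path(command):
    """Executable path named by a Run value (lower-cased), or None if the value has no path."""
    m = re.match(r'"?(.*?\.exe)', command.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else None


def _check_run(command):
    """First matching reason to flag an autorun command, or None."""
    path = _command_path(command)
    if path is None:
        return "autorun value without a file path"
    directory, _, base = path.rpartition("\\")
    if base in SYSTEM_BINARIES and directory != SYSTEM32:
        return "core system binary name outside system32"
    if any(d in path for d in BAD_AUTORUN_DIRS) or PROFILE_ROOT_RE.match(path):
        return "autorun from a temp or profile location"
    return None


def triage(report):
    """Return (reason, item) pairs for every DDS line that trips a rule; first rule per line wins."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            reason = _check_run(m.group(2))
            if reason:
                findings.append((reason, line))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) == "1":
            findings.append(("policy disables user diagnostic tools", line))
            continue
        m = LSA_RE.match(line)
        if m:
            # DDS prints the packages space-separated, so a DLL path containing a space would split here.
            for pkg in m.group(1).split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(("unexpected LSA notification package (loaded into lsass.exe)", pkg))
            continue
        m = TXTFILE_RE.match(line)
        if m and "notepad.exe" not in m.group(1).lower():
            findings.append(("txtfile handler hijacked", line))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_DDS):
        print(f"[{reason}] {item}")
```

Run against the excerpt it reports ten findings; the Skype and SynTPEnh entries pass. The LSA rule is the one to read most carefully: every DLL listed under Notification Packages is loaded into lsass.exe at boot with SYSTEM privileges, which is why a single stray entry there is worth more attention than a dozen temp-folder autoruns.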



#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 June 2009 - 05:17 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh DDS log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In case you lost internet access after performing the above instructions:

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you had set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
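The steps in the post above reset the proxy through the IE and Firefox dialogs. The script below is an added example, not part of miekiemoes' instructions and not a BleepingComputer tool: it reads the Firefox prefs.js and user.js files directly (the files the FIREFOX section of the DDS log is summarising), decides from network.proxy.type whether a localhost proxy entry is actually in force, and lists the prefs to clear. The two pref excerpts are constructed; the proxy-type meanings are Firefox's own values, and treating an absent network.proxy.type as 5 (system settings) is an assumption.

```python
import re

# Constructed prefs.js / user.js excerpts modelled on the FIREFOX section of the DDS log above.
SAMPLE_PREFS_JS = """
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.facebook.com");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7070);
user_pref("network.proxy.type", 4);
"""
SAMPLE_USER_JS = """
user_pref("yahoo.homepage.dontask", true);
user_pref("network.proxy.type", 1);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);$')
# Firefox values for network.proxy.type (3 is unused).
PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac-url", 4: "wpad-autodetect", 5: "system"}
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict, converting JS string/bool/int literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, literal = m.groups()
        if literal.startswith('"'):
            value = literal[1:-1]
        elif literal in ("true", "false"):
            value = literal == "true"
        else:
            value = int(literal)
        prefs[name] = value
    return prefs


def effective_prefs(prefs_js, user_js=""):
    """Firefox loads prefs.js and then user.js; user.js wins and is re-applied at every start,
    so a value set there survives any change made in the Options dialog (which writes prefs.js)."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def _is_local(host):
    return host in LOCAL_HOSTS or host.startswith("127.")


def proxy_finding(merged):
    """Describe a suspicious proxy configuration, or return None if the browser talks out directly."""
    ptype = merged.get("network.proxy.type", 5)  # assumption: absent pref means the system default (5)
    local = {}
    for proto in ("http", "ssl", "ftp", "socks"):
        host = merged.get(f"network.proxy.{proto}")
        if isinstance(host, str) and _is_local(host):
            local[proto] = f"{host}:{merged.get(f'network.proxy.{proto}_port', '?')}"
    if ptype == 1 and local:
        return "active: manual proxy through a local listener: " + ", ".join(
            f"{p}={l}" for p, l in sorted(local.items()))
    if local:
        # A manual proxy host is only honoured when the type is 1; with any other type it is
        # harmless until something flips the type, which is why it is still worth removing.
        return (f"dormant: local proxy host set but network.proxy.type is {ptype} "
                f"({PROXY_TYPES.get(ptype, 'unknown')}); it takes effect if the type is switched to 1")
    return None


def reset_prefs(merged):
    """Pref names to delete (from prefs.js AND user.js) so Firefox falls back to system proxy settings."""
    return sorted(k for k in merged if k.startswith("network.proxy."))


if __name__ == "__main__":
    merged = effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    print(proxy_finding(merged))
    print("remove:", ", ".join(reset_prefs(merged)))
```

With only prefs.js in play the sample reports the localhost:7070 entry as dormant, because network.proxy.type is 4 (auto-detect); once user.js overrides the type to 1 the same entry is active. That is the caveat behind the dialog-based reset: if user.js carries the proxy prefs, the dialog change is undone at the next browser start, so check both files.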

#3 WhiteWood
  • Topic Starter
  • Members
  • 74 posts

Posted 20 June 2009 - 10:22 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2315
Windows 6.0.6001 Service Pack 1

6/20/2009 11:20:44 AM
mbam-log-2009-06-20 (11-20-44).txt

Scan type: Quick Scan
Objects scanned: 83651
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 12
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 35

Memory Processes Infected:
C:\Users\OfficeMax\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{684ee1db-cd52-4ca9-9ccf-93d5f6b419ba} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdmcon.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsa shellu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\txtfile\shell\open\command\(default) (Hijack.Notepad) -> Bad: ("C:\Windows\system32\nctedit.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\txtfile\shell\open\command\(default) (Hijack.Notepad) -> Bad: ("C:\Windows\system32\nctedit.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\OfficeMax\AppData\Roaming\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.
c:\Users\WhiteWood\AppData\Roaming\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\Windows\System32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Cninineput.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\gupupehi.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\hulayoba.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\jevetedo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\jirohowu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\kegovahe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\lotibuye.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\System32\nctedit.exe (Adware.Coolezweb) -> Quarantined and deleted successfully.
c:\Windows\System32\niguviya.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\pojovosa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\refeyeka.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\ribayiro.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\System32\winglsetup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Windows\System32\winsetupgl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Windows\System32\wtukd32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\igcrfu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\psvr32.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\psvrr.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\tkokhf.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\Users\officemax\AppData\Local\Temp\VRT2222.tmp (Virus.Virut) -> Quarantined and deleted successfully.
c:\Users\officemax\AppData\Local\Temp\VRTA5EF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\officemax\AppData\Local\Temp\VRTF9C0.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\OfficeMax\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\ovfsthwdogubmrochkttuwpsbasdlshxhkediw.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\System32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\glsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\487656.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\Winset20.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 June 2009 - 10:24 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Also, is there any reason why you don't have an Antivirus installed? This would have prevented all this, though...

Edited by miekiemoes, 20 June 2009 - 10:26 AM.


#5 WhiteWood
  • Topic Starter
  • Members
  • 74 posts

Posted 20 June 2009 - 11:56 AM

ComboFix 09-06-19.01 - OfficeMax 06/20/2009 12:26.1 - NTFSx86
Running from: c:\users\OfficeMax\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1051937583-4224277036-431392144-500
c:\$recycle.bin\S-1-5-21-3130209440-3918283758-3104656682-500
c:\recycler\S-1-5-21-1739541696-8756496298-893601206-3056
c:\recycler\S-1-5-21-4194556354-9391010279-414918223-5153
c:\temp\tn3
D:\resycled
G:\resycled
c:\$recycle.bin\S-1-5-21-1051937583-4224277036-431392144-500\desktop.ini
c:\$recycle.bin\S-1-5-21-3130209440-3918283758-3104656682-500\desktop.ini
c:\recycler\S-1-5-21-1739541696-8756496298-893601206-3056\Desktop.ini
c:\recycler\S-1-5-21-4194556354-9391010279-414918223-5153\Desktop.ini
c:\users\OfficeMax\OfficeMax.exe
c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\system32\config\systemprofile\AppData\Local\part.exe
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\drivers\SKYNETpxksdecb.sys
c:\windows\system32\Install.txt
c:\windows\system32\KuzSmall.exe
c:\windows\system32\ovfsthqcaqphmwcfmfcjepvycyirkwbdtlmoor.db
c:\windows\system32\pic.jpg
c:\windows\system32\SelfDel.bat
c:\windows\system32\SKYNETivxxswob.dat
c:\windows\system32\SKYNETlekrhqhn.dll
c:\windows\system32\SKYNETnwobrbnf.dat
c:\windows\system32\SKYNETtmqottbi.dll
c:\windows\system32\sys.bat
c:\windows\system32\tb.dr
c:\windows\system32\test.ttt
c:\windows\system32\tmpxccacj1.exe
c:\windows\system32\xcchit32.ini
c:\windows\Tasks\yenixden.job
c:\windows\xccwinsys.ini
D:\Desktop.ini
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETbxevvqwi
-------\Service_ovfsthefprxxoerxqaoirtvxvwgbhcimigjipp
-------\Service_ovfsthupnxysnrpwtuxdorkiqjslcgfxxiovkr


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 15:13 . 2009-06-20 15:13 3561743 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-20 02:41 . 2009-06-20 03:13 -------- d-----w- c:\users\OfficeMax\AppData\Local\Adobe
2009-06-19 14:42 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-19 14:42 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\program files\iPod
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\program files\iTunes
2009-06-19 14:39 . 2009-06-19 14:40 -------- d-----w- c:\program files\QuickTime
2009-06-19 05:03 . 2009-06-19 05:03 -------- d-----w- c:\users\OfficeMax\AppData\Local\Apple Computer
2009-06-18 19:03 . 2009-06-18 19:03 25088 ----a-r- c:\users\OfficeMax\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-18 19:03 . 2009-06-18 19:03 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-17 05:34 . 2009-06-17 05:34 692224 ----a-w- c:\windows\system32\bsrmgcv.dll
2009-06-17 05:34 . 2009-06-17 05:34 192512 ----a-w- c:\windows\system32\bsrmgps.dll
2009-06-17 05:33 . 2009-06-17 05:33 585728 ----a-w- c:\windows\system32\bsratswf.dll
2009-06-17 05:33 . 2009-06-17 05:33 147456 ----a-w- c:\windows\system32\bsratwmv.dll
2009-06-17 00:31 . 2009-06-17 00:32 -------- d-----w- c:\program files\DivX
2009-06-16 23:14 . 2009-06-16 23:14 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\VistaCodecs
2009-06-16 23:14 . 2009-06-16 23:14 -------- d-----w- c:\program files\VistaCodecPack
2009-06-16 03:39 . 2009-06-16 03:39 1035264 ----a-w- c:\windows\system32\VSFilter.dll
2009-06-16 02:15 . 2009-06-16 02:15 -------- d--h--r- C:\MSOCache
2009-06-16 01:41 . 2009-06-16 01:41 -------- d-----w- c:\program files\VS Revo Group
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\users\OfficeMax\AppData\Local\Griffin_Technology
2009-06-12 17:32 . 2009-06-12 17:32 -------- d-----w- c:\program files\Griffin Technology
2009-06-12 08:04 . 2009-06-12 08:04 -------- d-----w- c:\windows\CheckSur
2009-06-12 07:51 . 2009-06-12 07:51 -------- d-----w- c:\windows\system32\EventProviders
2009-06-12 04:54 . 2009-06-03 05:32 311296 ----a-w- c:\windows\system32\portmon.dll
2009-06-12 04:54 . 2009-06-12 04:54 -------- d-----w- c:\programdata\Datagenn.com
2009-06-12 04:54 . 2009-06-12 04:54 -------- d-----w- c:\program files\Datagenn.com
2009-06-11 20:01 . 2009-04-24 02:55 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-06-11 20:01 . 2009-06-11 20:01 -------- d-----w- c:\program files\Nitro PDF
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\program files\AIM Toolbar
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\programdata\AIM Toolbar
2009-06-11 19:01 . 2009-06-11 19:01 -------- d-----w- c:\program files\Viewpoint
2009-06-11 19:00 . 2009-06-11 19:02 -------- d-----w- c:\program files\AIM6
2009-06-10 23:07 . 2009-06-20 01:30 -------- d-----w- c:\program files\ARAR
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 15:42 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 15:42 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-04 15:44 . 2009-06-04 17:15 -------- d-----w- c:\programdata\15383764
2009-06-02 21:13 . 2009-06-18 18:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-29 20:52 . 2009-05-29 20:52 204800 ----a-w- c:\windows\system32\xvidvfw.dll
2009-05-29 20:47 . 2009-05-29 20:47 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-29 09:11 . 2009-05-29 09:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-25 11:45 . 2009-06-20 16:37 -------- d-----w- c:\programdata\TuneClone
2009-05-25 11:41 . 2008-05-12 16:09 20352 ----a-w- c:\windows\system32\drivers\tclondrv.sys
2009-05-25 11:41 . 2009-05-25 11:44 -------- d-----w- c:\program files\TuneClone
2009-05-24 08:07 . 2009-05-24 08:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2009-05-24 08:07 . 2009-06-20 01:30 -------- d-----w- c:\program files\Google
2009-05-24 08:07 . 2009-05-24 08:07 -------- d-----w- c:\users\OfficeMax\AppData\Local\Google
2009-05-21 23:00 . 2009-05-21 23:00 -------- d-----w- c:\programdata\Gtek
2009-05-21 23:00 . 2009-05-21 23:00 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GTek

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 16:37 . 2008-12-26 21:45 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Skype
2009-06-20 16:37 . 2008-12-25 16:27 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\DNA
2009-06-20 15:13 . 2009-01-12 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:50 . 2008-12-26 21:47 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\skypePM
2009-06-20 05:07 . 2008-12-25 16:27 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\BitTorrent
2009-06-20 04:14 . 2009-04-12 19:55 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Orbit
2009-06-20 02:34 . 2009-01-15 05:43 6648 ----a-w- c:\users\OfficeMax\AppData\Local\d3d9caps.dat
2009-06-20 01:30 . 2009-04-12 19:55 -------- d-----w- c:\program files\Orbitdownloader
2009-06-20 01:30 . 2009-03-08 20:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-20 01:30 . 2008-12-27 11:57 -------- d-----w- c:\programdata\FLEXnet
2009-06-20 01:30 . 2009-04-05 05:37 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-20 01:30 . 2009-01-13 19:56 -------- d-----w- c:\program files\BSR Screen Recorder 4
2009-06-20 01:30 . 2008-12-25 15:36 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 14:45 . 2008-08-06 12:13 -------- d-----w- c:\program files\Yahoo!
2009-06-19 14:34 . 2008-12-25 15:36 -------- d-----w- c:\programdata\Apple
2009-06-18 19:40 . 2009-03-12 20:00 117760 ----a-w- c:\users\OfficeMax\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-18 19:21 . 2008-09-30 02:02 77016 ----a-w- c:\users\OfficeMax\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-18 19:03 . 2006-12-31 02:21 -------- d-----w- c:\program files\MSECache
2009-06-18 18:57 . 2008-08-06 11:59 -------- d-----w- c:\programdata\Microsoft Help
2009-06-18 18:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-06-18 18:11 . 2008-08-06 12:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-17 15:27 . 2009-01-12 15:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-12 15:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 01:49 . 2008-12-28 07:34 -------- d-----w- c:\program files\Common Files\Nero
2009-06-17 01:23 . 2008-12-28 07:36 -------- d-----w- c:\program files\Nero
2009-06-17 00:56 . 2008-12-28 09:17 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Nero
2009-06-17 00:50 . 2008-12-28 07:34 -------- d-----w- c:\programdata\Nero
2009-06-16 23:14 . 2008-12-27 06:52 -------- d-----w- c:\programdata\VistaCodecs
2009-06-14 21:07 . 2006-12-21 21:57 8492 ----a-w- c:\users\OfficeMax\AppData\Roaming\wklnhst.dat
2009-06-12 16:00 . 2009-01-16 23:51 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\FileZilla
2009-06-12 15:03 . 2008-12-26 07:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-11 19:01 . 2008-09-30 01:57 -------- d-----w- c:\programdata\Viewpoint
2009-06-11 19:00 . 2008-09-30 01:56 -------- d-----w- c:\program files\Common Files\AOL
2009-06-06 17:03 . 2009-01-16 23:50 -------- d-----w- c:\program files\FileZilla FTP Client
2009-06-05 02:27 . 2009-05-02 14:48 -------- d-----w- c:\program files\Unlocker
2009-05-27 17:57 . 2008-12-25 15:39 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Apple Computer
2009-05-15 16:05 . 2009-05-15 16:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\GrabPro
2009-05-15 15:49 . 2009-05-15 15:49 190 ----a-w- C:\43214354.bat
2009-05-12 17:46 . 2009-05-12 05:26 -------- d-----w- c:\programdata\DVD Shrink
2009-05-12 05:26 . 2009-05-12 05:26 -------- d-----w- c:\program files\DVD Shrink
2009-05-06 20:49 . 2009-03-31 05:51 -------- d-----w- c:\programdata\vusumuje
2009-05-06 20:49 . 2009-03-30 17:51 -------- d-----w- c:\programdata\kugehemi
2009-05-06 18:11 . 2009-05-06 18:11 69120 ----a-w- c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
2009-05-06 15:33 . 2009-05-02 14:48 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Desktopicon
2009-05-02 14:50 . 2009-05-02 14:50 766792 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 17:47 . 2009-04-30 17:13 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GetRightToGo
2009-04-27 18:45 . 2009-04-27 18:45 85782 ----a-w- c:\windows\system32\cl.exe
2009-04-26 18:34 . 2009-04-26 18:34 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GrabPro
2009-04-20 01:04 . 2009-04-20 01:02 25476272 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\spinandwin-setup-hplaptop955.exe
2009-04-20 01:03 . 2009-04-20 01:02 14191912 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2009-04-17 19:57 . 2009-04-17 19:57 137216 ----a-w- c:\windows\system32\winsetup66.exe
2009-04-05 20:01 . 2009-04-05 20:13 10027 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\~tempinfo.dat
2009-04-04 22:55 . 2009-01-04 22:55 61440 --sha-w- c:\programdata\batufuke\batufuke.exe
2009-04-04 10:55 . 2009-01-04 10:55 61440 --sha-w- c:\programdata\femawiko\femawiko.exe
2009-04-03 22:54 . 2009-01-03 22:54 61440 --sha-w- c:\programdata\wuhomuro\wuhomuro.exe
2009-04-03 14:43 . 2009-04-03 14:43 157184 ----a-w- c:\windows\system32\winsetup63.exe
2009-03-31 05:51 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\poliwape\poliwape.exe
2009-03-30 17:51 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\wohibupo\wohibupo.exe
2009-03-30 05:57 . 2009-03-30 05:57 62149 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-03-30 05:51 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\fezogevu\fezogevu.exe
2009-03-29 17:51 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\zihurake\zihurake.exe
2009-03-29 05:51 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\kohoyuza\kohoyuza.exe
2009-03-28 18:41 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\dozilibe\dozilibe.exe
2009-03-28 05:50 . 1601-01-01 00:12 61440 --sha-w- c:\programdata\tevaziva\tevaziva.exe
2009-03-25 22:34 . 2009-02-24 06:38 3833856 ----a-w- c:\windows\system32\cdintf300.dll
2009-01-04 10:44 . 2009-01-04 10:44 6834 ----a-w- c:\program files\KLF2.5GPU.log
2008-08-06 09:33 . 2008-08-06 09:33 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"BitTorrent DNA"="c:\users\OfficeMax\Program Files\DNA\btdna.exe" [2008-12-25 342848]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-02 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-02 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"TuneClone"="c:\program files\TuneClone\TuneClone.exe" [2009-01-15 4530176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
P2 Card Manager.lnk - c:\program files\Panasonic P2\Drivers\App\P2TaskTray.exe [2007-3-8 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-24 18:08 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8BAF00BA-DD9A-483D-8BB1-5906E254C119}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{F408E7C9-6C39-4B9A-9881-3CCBE966BCF5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{D99BC509-C4BE-41FB-84A8-F58D79EFA679}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype
"UDP Query User{81CF3227-0312-4CD4-B44A-53A0CA67F744}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype
"UDP Query User{D3B439C9-5FA5-47AE-8A6E-A973F2D2074D}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{FE72F7CD-6197-4BF7-9F05-05785E740A72}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{B47BE596-828A-487E-85FB-00214325244A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{17E8E09A-EC93-4192-A023-B3E8E62E6245}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EA1F0056-2D5D-4100-8502-E9DED6CD431D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{E2FC72D9-F481-4DEA-8155-A40EF485996E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{6C2C7920-4845-4632-8504-8AFCE730A9EC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C30955E9-70C3-4413-A8C7-1FC7F81139CA}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\zchMiB.exe"= c:\windows\system32\config\systemprofile\AppData\Local\zchMiB.exe:*:Enabled:Windows Time Synchronization
"c:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\websvr.exe"= c:\windows\System32\config\systemprofile\AppData\Local\websvr.exe:*:Enabled:WinSvrHost32
"\\psvr32.exe"= \psvr32.exe:*:Enabled:WinSvrHost32
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= c:\program files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R1 gorhjwna;gorhjwna;c:\windows\system32\drivers\gorhjwna.sys [x]
R1 rwqfsnom;rwqfsnom;c:\windows\system32\drivers\rwqfsnom.sys [x]
R1 srvv;srvv;c:\windows\system32\drivers\srvv.sys [x]
R2 gupdate1c9dc46b478a106;Google Update Service (gupdate1c9dc46b478a106);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 133104]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [2008-05-12 20352]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2008-02-02 144672]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-04 113664]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 08:07]
.
- - - - ORPHANS REMOVED - - - -

BHO-{13e79c15-b1c3-4e15-96b3-d956600f82d0} - c:\programdata\wuyofage\wuyofage.dll
BHO-{b57bde9d-1dbf-47a6-95cf-4622c58faa59} - c:\programdata\napijelu\napijelu.dll
SafeBoot-Wdf01000.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
Trusted Zone: facebook.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 12:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,02,00,06,00,1c,00,0d,00,19,00,19,00,21,03

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,02,00,06,00,1c,00,0d,00,19,00,1a,00,32,00

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000003
"Time"=hex:d9,07,05,00,00,00,11,00,10,00,33,00,12,00,43,00

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3524)
c:\program files\Griffin Technology\iTalk Sync\CopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-06-20 12:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 16:42

Pre-Run: 140,576,923,648 bytes free
Post-Run: 140,586,684,416 bytes free

366 --- E O F --- 2009-03-05 18:01

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:27 PM

Posted 20 June 2009 - 12:37 PM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\winsetup63.exe
c:\windows\system32\winsetup66.exe
C:\43214354.bat
Folder::
c:\programdata\15383764
c:\programdata\vusumuje
c:\programdata\kugehemi
c:\programdata\batufuke
c:\programdata\femawiko
c:\programdata\wuhomuro
c:\programdata\poliwape
c:\programdata\wohibupo
c:\programdata\fezogevu
c:\programdata\zihurake
c:\programdata\kohoyuza
c:\programdata\dozilibe
c:\programdata\tevaziva
Driver::
srvv
rwqfsnom
gorhjwna
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
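The `Registry::` part of the script above deletes six Image File Execution Options keys whose "Debugger" value points antivirus executables (Antivirus-ashDisp.exe, avesvc.exe, bdnagent.exe and so on) at alg.exe, so Windows starts alg.exe instead of the security component whenever it is launched. As an added example, not part of the original post and not ComboFix code, here is a small Python script that finds such entries in a ComboFix-style "Reg Loading Points" section and generates the matching CFScript deletion lines in the `[-KEY]` form used above. The log text embedded in it is constructed to mirror the thread's format, and the function names are my own.

```python
"""Flag Image File Execution Options (IFEO) "Debugger" hijacks in a
ComboFix-style "Reg Loading Points" section and emit the CFScript
Registry:: lines that would delete those keys.

Added example: not ComboFix code and not part of the original thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the log format in the thread (not a real capture).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
"""

IFEO_MARKER = "\\image file execution options\\"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_blocks(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (key, {value_name: data}) for every [KEY] block in REGEDIT4-style text."""
    blocks: List[Tuple[str, Dict[str, str]]] = []
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, values))
            key, values = m.group("key"), {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[m.group("name")] = m.group("data")
    if key is not None:
        blocks.append((key, values))
    return blocks


def find_ifeo_debugger_hijacks(text: str) -> List[Tuple[str, str, str]]:
    """Return (target_exe, debugger_path, full_key) for IFEO keys carrying a Debugger value.

    A Debugger value tells Windows to launch the named program instead of the
    target executable. On an end-user machine such a value is almost never
    legitimate; one that points a security tool at a system binary such as
    alg.exe silently neuters that tool, which is the pattern seen in the log.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_blocks(text):
        idx = key.lower().find(IFEO_MARKER)
        if idx == -1:
            continue
        # Registry value names are case-insensitive, so compare them that way.
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        target = key[idx + len(IFEO_MARKER):]
        hits.append((target, debugger, key))
    return hits


def cfscript_registry_section(text: str) -> str:
    """Build a CFScript Registry:: section deleting each hijacked IFEO key outright.

    The [-KEY] syntax removes the whole key, which is what the helper's script
    does for the six hijacked entries in the thread.
    """
    hits = find_ifeo_debugger_hijacks(text)
    if not hits:
        return ""
    lines = ["Registry::"] + [f"[-{key}]" for _, _, key in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    for target, debugger, _ in find_ifeo_debugger_hijacks(SAMPLE_LOG):
        print(f"IFEO hijack: {target} -> {debugger}")
    print(cfscript_registry_section(SAMPLE_LOG))
```

Run it as-is against the constructed sample, or replace `SAMPLE_LOG` with the "Reg Loading Points" section of a real ComboFix log; entries whose Debugger points at a genuine debugger you installed yourself should be reviewed by hand before being fed back to ComboFix.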

#7 WhiteWood

WhiteWood
  • Topic Starter

  • Members
  • 74 posts
  • Local time:03:27 PM

Posted 20 June 2009 - 01:35 PM

ComboFix 09-06-19.01 - OfficeMax 06/20/2009 13:48.2 - NTFSx86
Running from: c:\users\OfficeMax\Desktop\ComboFix.exe
Command switches used :: c:\users\OfficeMax\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"C:\43214354.bat"
"c:\windows\system32\winsetup63.exe"
"c:\windows\system32\winsetup66.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\15383764
c:\programdata\batufuke
c:\programdata\dozilibe
c:\programdata\femawiko
c:\programdata\fezogevu
c:\programdata\kohoyuza
c:\programdata\kugehemi
c:\programdata\poliwape
c:\programdata\tevaziva
c:\programdata\vusumuje
c:\programdata\wohibupo
c:\programdata\wuhomuro
c:\programdata\zihurake
C:\43214354.bat
c:\programdata\15383764\15383764.glu
c:\programdata\15383764\pc15383764cnf
c:\programdata\15383764\pc15383764ins
c:\programdata\batufuke\batufuke.exe
c:\programdata\dozilibe\dozilibe.exe
c:\programdata\femawiko\femawiko.exe
c:\programdata\fezogevu\fezogevu.exe
c:\programdata\kohoyuza\kohoyuza.exe
c:\programdata\kugehemi\imeheguk.ini
c:\programdata\poliwape\poliwape.exe
c:\programdata\tevaziva\tevaziva.exe
c:\programdata\vusumuje\ejumusuv.ini
c:\programdata\wohibupo\wohibupo.exe
c:\programdata\wuhomuro\wuhomuro.exe
c:\programdata\zihurake\zihurake.exe
c:\windows\system32\winsetup63.exe
c:\windows\system32\winsetup66.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVV
-------\Service_gorhjwna
-------\Service_rwqfsnom
-------\Service_srvv


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 17:51 . 2009-06-20 17:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-06-20 16:32 . 2009-06-20 18:30 -------- d-----w- c:\users\OfficeMax\AppData\Local\temp
2009-06-20 15:13 . 2009-06-20 15:13 3561743 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-20 02:41 . 2009-06-20 03:13 -------- d-----w- c:\users\OfficeMax\AppData\Local\Adobe
2009-06-19 14:42 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-19 14:42 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\program files\iPod
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 14:42 . 2009-06-19 14:42 -------- d-----w- c:\program files\iTunes
2009-06-19 14:39 . 2009-06-19 14:40 -------- d-----w- c:\program files\QuickTime
2009-06-19 05:03 . 2009-06-20 17:39 -------- d-----w- c:\users\OfficeMax\AppData\Local\Apple Computer
2009-06-18 19:03 . 2009-06-18 19:03 25088 ----a-r- c:\users\OfficeMax\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-18 19:03 . 2009-06-18 19:03 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-17 05:34 . 2009-06-17 05:34 692224 ----a-w- c:\windows\system32\bsrmgcv.dll
2009-06-17 05:34 . 2009-06-17 05:34 192512 ----a-w- c:\windows\system32\bsrmgps.dll
2009-06-17 05:33 . 2009-06-17 05:33 585728 ----a-w- c:\windows\system32\bsratswf.dll
2009-06-17 05:33 . 2009-06-17 05:33 147456 ----a-w- c:\windows\system32\bsratwmv.dll
2009-06-17 00:31 . 2009-06-17 00:32 -------- d-----w- c:\program files\DivX
2009-06-16 23:14 . 2009-06-16 23:14 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\VistaCodecs
2009-06-16 23:14 . 2009-06-16 23:14 -------- d-----w- c:\program files\VistaCodecPack
2009-06-16 03:39 . 2009-06-16 03:39 1035264 ----a-w- c:\windows\system32\VSFilter.dll
2009-06-16 02:15 . 2009-06-16 02:15 -------- d--h--r- C:\MSOCache
2009-06-16 01:41 . 2009-06-16 01:41 -------- d-----w- c:\program files\VS Revo Group
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\users\OfficeMax\AppData\Local\Griffin_Technology
2009-06-12 17:32 . 2009-06-12 17:32 -------- d-----w- c:\program files\Griffin Technology
2009-06-12 08:04 . 2009-06-12 08:04 -------- d-----w- c:\windows\CheckSur
2009-06-12 07:51 . 2009-06-12 07:51 -------- d-----w- c:\windows\system32\EventProviders
2009-06-12 04:54 . 2009-06-03 05:32 311296 ----a-w- c:\windows\system32\portmon.dll
2009-06-12 04:54 . 2009-06-12 04:54 -------- d-----w- c:\programdata\Datagenn.com
2009-06-12 04:54 . 2009-06-12 04:54 -------- d-----w- c:\program files\Datagenn.com
2009-06-11 20:01 . 2009-04-24 02:55 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-06-11 20:01 . 2009-06-11 20:01 -------- d-----w- c:\program files\Nitro PDF
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\program files\AIM Toolbar
2009-06-11 19:02 . 2009-06-11 19:02 -------- d-----w- c:\programdata\AIM Toolbar
2009-06-11 19:00 . 2009-06-11 19:02 -------- d-----w- c:\program files\AIM6
2009-06-10 23:07 . 2009-06-20 01:30 -------- d-----w- c:\program files\ARAR
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 15:42 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 15:42 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-02 21:13 . 2009-06-18 18:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-29 20:52 . 2009-05-29 20:52 204800 ----a-w- c:\windows\system32\xvidvfw.dll
2009-05-29 20:47 . 2009-05-29 20:47 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-29 09:11 . 2009-05-29 09:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-25 11:45 . 2009-06-20 18:30 -------- d-----w- c:\programdata\TuneClone
2009-05-25 11:41 . 2008-05-12 16:09 20352 ----a-w- c:\windows\system32\drivers\tclondrv.sys
2009-05-25 11:41 . 2009-05-25 11:44 -------- d-----w- c:\program files\TuneClone
2009-05-24 08:07 . 2009-05-24 08:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2009-05-24 08:07 . 2009-06-20 01:30 -------- d-----w- c:\program files\Google
2009-05-24 08:07 . 2009-05-24 08:07 -------- d-----w- c:\users\OfficeMax\AppData\Local\Google
2009-05-21 23:00 . 2009-05-21 23:00 -------- d-----w- c:\programdata\Gtek
2009-05-21 23:00 . 2009-05-21 23:00 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GTek

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 18:31 . 2008-12-26 21:45 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Skype
2009-06-20 18:30 . 2008-12-25 16:27 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\DNA
2009-06-20 17:43 . 2008-09-30 01:57 -------- d-----w- c:\programdata\Viewpoint
2009-06-20 15:13 . 2009-01-12 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:50 . 2008-12-26 21:47 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\skypePM
2009-06-20 05:07 . 2008-12-25 16:27 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\BitTorrent
2009-06-20 04:14 . 2009-04-12 19:55 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Orbit
2009-06-20 02:34 . 2009-01-15 05:43 6648 ----a-w- c:\users\OfficeMax\AppData\Local\d3d9caps.dat
2009-06-20 01:30 . 2009-04-12 19:55 -------- d-----w- c:\program files\Orbitdownloader
2009-06-20 01:30 . 2009-03-08 20:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-20 01:30 . 2008-12-27 11:57 -------- d-----w- c:\programdata\FLEXnet
2009-06-20 01:30 . 2009-04-05 05:37 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-20 01:30 . 2009-01-13 19:56 -------- d-----w- c:\program files\BSR Screen Recorder 4
2009-06-20 01:30 . 2008-12-25 15:36 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 14:45 . 2008-08-06 12:13 -------- d-----w- c:\program files\Yahoo!
2009-06-19 14:34 . 2008-12-25 15:36 -------- d-----w- c:\programdata\Apple
2009-06-18 19:40 . 2009-03-12 20:00 117760 ----a-w- c:\users\OfficeMax\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-18 19:21 . 2008-09-30 02:02 77016 ----a-w- c:\users\OfficeMax\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-18 19:03 . 2006-12-31 02:21 -------- d-----w- c:\program files\MSECache
2009-06-18 18:57 . 2008-08-06 11:59 -------- d-----w- c:\programdata\Microsoft Help
2009-06-18 18:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-06-18 18:11 . 2008-08-06 12:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-17 15:27 . 2009-01-12 15:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-12 15:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 01:49 . 2008-12-28 07:34 -------- d-----w- c:\program files\Common Files\Nero
2009-06-17 01:23 . 2008-12-28 07:36 -------- d-----w- c:\program files\Nero
2009-06-17 00:56 . 2008-12-28 09:17 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Nero
2009-06-17 00:50 . 2008-12-28 07:34 -------- d-----w- c:\programdata\Nero
2009-06-16 23:14 . 2008-12-27 06:52 -------- d-----w- c:\programdata\VistaCodecs
2009-06-14 21:07 . 2006-12-21 21:57 8492 ----a-w- c:\users\OfficeMax\AppData\Roaming\wklnhst.dat
2009-06-12 16:00 . 2009-01-16 23:51 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\FileZilla
2009-06-12 15:03 . 2008-12-26 07:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-11 19:00 . 2008-09-30 01:56 -------- d-----w- c:\program files\Common Files\AOL
2009-06-06 17:03 . 2009-01-16 23:50 -------- d-----w- c:\program files\FileZilla FTP Client
2009-06-05 02:27 . 2009-05-02 14:48 -------- d-----w- c:\program files\Unlocker
2009-05-27 17:57 . 2008-12-25 15:39 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Apple Computer
2009-05-15 16:05 . 2009-05-15 16:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\GrabPro
2009-05-12 17:46 . 2009-05-12 05:26 -------- d-----w- c:\programdata\DVD Shrink
2009-05-12 05:26 . 2009-05-12 05:26 -------- d-----w- c:\program files\DVD Shrink
2009-05-06 18:11 . 2009-05-06 18:11 69120 ----a-w- c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
2009-05-06 15:33 . 2009-05-02 14:48 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\Desktopicon
2009-05-02 14:50 . 2009-05-02 14:50 766792 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 17:47 . 2009-04-30 17:13 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GetRightToGo
2009-04-27 18:45 . 2009-04-27 18:45 85782 ----a-w- c:\windows\system32\cl.exe
2009-04-26 18:34 . 2009-04-26 18:34 -------- d-----w- c:\users\OfficeMax\AppData\Roaming\GrabPro
2009-04-20 01:04 . 2009-04-20 01:02 25476272 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\spinandwin-setup-hplaptop955.exe
2009-04-20 01:03 . 2009-04-20 01:02 14191912 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2009-04-05 20:01 . 2009-04-05 20:13 10027 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\~tempinfo.dat
2009-03-30 05:57 . 2009-03-30 05:57 62149 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-03-25 22:34 . 2009-02-24 06:38 3833856 ----a-w- c:\windows\system32\cdintf300.dll
2009-01-04 10:44 . 2009-01-04 10:44 6834 ----a-w- c:\program files\KLF2.5GPU.log
2008-08-06 09:33 . 2008-08-06 09:33 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_16.36.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2009-06-20 16:37 96986 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-28 22:59 . 2009-06-20 16:37 14870 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1051937583-4224277036-431392144-1000_UserData.bin
- 2009-06-20 16:34 . 2009-06-20 16:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-20 17:53 . 2009-06-20 17:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-20 17:53 . 2009-06-20 17:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-20 16:34 . 2009-06-20 16:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"BitTorrent DNA"="c:\users\OfficeMax\Program Files\DNA\btdna.exe" [2008-12-25 342848]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-02 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-02 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"TuneClone"="c:\program files\TuneClone\TuneClone.exe" [2009-01-15 4530176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
P2 Card Manager.lnk - c:\program files\Panasonic P2\Drivers\App\P2TaskTray.exe [2007-3-8 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-24 18:08 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8BAF00BA-DD9A-483D-8BB1-5906E254C119}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{F408E7C9-6C39-4B9A-9881-3CCBE966BCF5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{D99BC509-C4BE-41FB-84A8-F58D79EFA679}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype
"UDP Query User{81CF3227-0312-4CD4-B44A-53A0CA67F744}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype
"UDP Query User{D3B439C9-5FA5-47AE-8A6E-A973F2D2074D}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{FE72F7CD-6197-4BF7-9F05-05785E740A72}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{B47BE596-828A-487E-85FB-00214325244A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{17E8E09A-EC93-4192-A023-B3E8E62E6245}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EA1F0056-2D5D-4100-8502-E9DED6CD431D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{E2FC72D9-F481-4DEA-8155-A40EF485996E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{6C2C7920-4845-4632-8504-8AFCE730A9EC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C30955E9-70C3-4413-A8C7-1FC7F81139CA}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\zchMiB.exe"= c:\windows\system32\config\systemprofile\AppData\Local\zchMiB.exe:*:Enabled:Windows Time Synchronization
"c:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\websvr.exe"= c:\windows\System32\config\systemprofile\AppData\Local\websvr.exe:*:Enabled:WinSvrHost32
"\\psvr32.exe"= \psvr32.exe:*:Enabled:WinSvrHost32
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= c:\program files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R2 gupdate1c9dc46b478a106;Google Update Service (gupdate1c9dc46b478a106);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 133104]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [2008-05-12 20352]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2008-02-02 144672]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-04 113664]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 08:07]
.
- - - - ORPHANS REMOVED - - - -

BHO-{13e79c15-b1c3-4e15-96b3-d956600f82d0} - (no file)
BHO-{b57bde9d-1dbf-47a6-95cf-4622c58faa59} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
Trusted Zone: facebook.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 14:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,02,00,06,00,1c,00,0d,00,19,00,19,00,21,03

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,02,00,06,00,1c,00,0d,00,19,00,1a,00,32,00

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000003
"Time"=hex:d9,07,05,00,00,00,11,00,10,00,33,00,12,00,43,00

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4068)
c:\program files\Griffin Technology\iTalk Sync\CopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-06-20 14:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 18:33
ComboFix2.txt 2009-06-20 16:42

Pre-Run: 145,599,619,072 bytes free
Post-Run: 145,424,334,848 bytes free

365 --- E O F --- 2009-03-05 18:01

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 June 2009 - 02:22 AM

Hi,

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

Save this as fix.reg. Choose to save as "all files" and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
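The fix.reg in this post is a REGEDIT4 file, and the post stresses that the REGEDIT4 header must be present. As an added example (not code from the thread, from ComboFix or from any BleepingComputer tool), the Python below parses a .reg file in that format and checks it before it is merged: the header is present, every SafeBoot\Minimal subkey listed in the post is restored with the expected default value, and the file creates nothing outside those keys and deletes nothing. It goes slightly beyond the post in that the parser also handles "name"=... values, dword:/hex: data with continuation lines and [-path] deletions, which is what a .reg file can contain in general. The names FIX_REG (the post's text, embedded as input), EXPECTED, parse_reg and check_safeboot_fix are introduced here.

```python
"""Check a REGEDIT4 fix file before merging it into the registry.

Added example, not code from the thread or from ComboFix. FIX_REG is the
fix.reg text from the post above; EXPECTED lists the SafeBoot\Minimal subkeys
it must restore and the default value (@) each must carry.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

EXPECTED = {
    "File system": "Driver Group",
    "vgasave.sys": "Driver",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
    "{4D36E96A-E325-11CE-BFC1-08002BE10318}": "Hdc",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
    "{4D36E96F-E325-11CE-BFC1-08002BE10318}": "Mouse",
    "{4D36E97D-E325-11CE-BFC1-08002BE10318}": "System",
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": "Volume",
}

FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
"""

_KEY_RE = re.compile(r"^\[(-?[^\]]+)\]$")                # [path] creates, [-path] deletes
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=... or "name"=...


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse .reg text into (header, {key_path: {value_name: data}}).
    Quoted string data is unescaped; dword:/hex: data is kept verbatim."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = next((n for n, ln in enumerate(lines) if ln), len(lines))
    header, keys, current = "", {}, None
    if i < len(lines) and not lines[i].startswith(("[", '"', "@")):
        header, i = lines[i], i + 1
    while i < len(lines):
        line = lines[i]
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex: data continued on next line
            line = line[:-1] + lines[i]
            i += 1
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"malformed .reg line: {line!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return header, keys


def check_safeboot_fix(text):
    """Report whether `text` restores every expected SafeBoot key and nothing else."""
    header, keys = parse_reg(text)
    missing, wrong = [], {}
    for sub, want in EXPECTED.items():
        values = keys.get(f"{SAFEBOOT}\\{sub}")
        if values is None:
            missing.append(sub)
        elif values.get("@") != want:
            wrong[sub] = values.get("@")
    # A SafeBoot fix should touch no other key and delete nothing ([-path] keeps its '-').
    unexpected = [k for k in keys if not k.startswith(SAFEBOOT + "\\")]
    ok = header in HEADERS and not (missing or wrong or unexpected)
    return {"ok": ok, "header_ok": header in HEADERS, "missing": missing,
            "wrong_default": wrong, "unexpected": unexpected}
```

Calling check_safeboot_fix(FIX_REG) on the post's text returns a report with "ok": True; dropping the REGEDIT4 line, changing a default value, leaving out one of the subkeys, or appending a [-path] deletion each turns a specific field of the report on, which is the kind of check worth running on any fix file received from a forum before merging it.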

#9 WhiteWood

WhiteWood
  • Topic Starter

  • Members
  • 74 posts

Posted 21 June 2009 - 02:30 AM

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


I got this message afterwards:
Posted Image


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 June 2009 - 02:47 AM

That's OK. Looks like some were present there after all. :thumbup2:

How are things now?

#11 WhiteWood

WhiteWood
  • Topic Starter

  • Members
  • 74 posts

Posted 21 June 2009 - 02:49 AM

That's OK. Looks like some were present there after all. :thumbup2:

How are things now?


So continue on to ComboFix /u despite that warning?

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 June 2009 - 02:51 AM

Yes, continue with the Combofix /u :thumbup2:

#13 WhiteWood

WhiteWood
  • Topic Starter

  • Members
  • 74 posts

Posted 21 June 2009 - 03:12 AM

Yes, continue with the Combofix /u :thumbup2:



Okay, so it said that it completely uninstalled. How do I report to you how things are?

The reason that I'm trying to do this is because I'm not able to download updates (SP2) to my comp and a man in THIS THREAD thinks that it may be due to a virus or spyware.


#14 WhiteWood

WhiteWood
  • Topic Starter

  • Members
  • 74 posts

Posted 22 June 2009 - 09:56 PM

Hello??

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 June 2009 - 01:24 AM

Malware can indeed be a reason why you can't update, but we already removed the malware.
There are 1001 other reasons as well why people can't update.
What version of Windows do you have? It's unclear here.... If you're running an RC build, that explains why you can't update.
It's also a good idea to explain the "not being able to update" issue in detail: what errors you get, how you try to update, etc.



