Win32.TDSS.rtk


5 replies to this topic

#1 VinnyP

  • Members
  • 17 posts

Posted 10 July 2009 - 02:36 PM

I have been trying to rid my computer of this hijack/trojan, and with all the help that Boopme could give I am still invaded. He suggested that I come here for some more advanced help. I have read the preparation guide and run DDS. Attached are the results of that scan. Please help me get rid of this thing. Also, the forum topic with all info so far is http://www.bleepingcomputer.com/forums/t/239833/win32tdssrtk/
I am running Vista Home Premium. I use Vipre antivirus. I identified the trojan with Spybot and removed it, but it keeps coming back. I also ran Malwarebytes and removed it with that, but it is still coming back.

See attached:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Vincent at 14:08:25.53 on Fri 07/10/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3198.1907 [GMT -5:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *enabled* (Updated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Vincent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
BHO: -{00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO: -{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {88249a81-5327-46f9-b602-260f85fc35ce} - c:\windows\system32\jkkHWPFV.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: isqft.com\www
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://webmail.gsa.gov/s07ggems01/iNotes6W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
AppInit_DLLs: kotobd.dll
SEH: {9e563692-6e8f-4db6-ba56-42ef3ba3f84f} - c:\windows\system32\byXRhiGY.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWPFV

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-30 202928]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-9-19 41456]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-5-15 61424]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-5-13 69936]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
R3 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-10-4 15360]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-6-10 980264]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-4-30 93360]

=============== Created Last 30 ================

2009-07-08 12:19 --d----- c:\users\vincent\appdata\roaming\Malwarebytes
2009-07-08 12:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 12:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 12:19 --d----- c:\programdata\Malwarebytes
2009-07-08 12:19 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 12:19 --d----- c:\progra~2\Malwarebytes
2009-07-07 13:38 --d----- c:\programdata\Lavasoft
2009-07-06 16:15 2,432 a------- c:\windows\wininit.ini
2009-07-06 15:41 --d----- c:\programdata\Spybot - Search & Destroy
2009-07-06 15:41 --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-06 15:14 --d----- c:\programdata\16551264
2009-07-06 15:14 --d----- c:\progra~2\16551264
2009-06-29 09:44 --d----- c:\windows\system32\EventProviders
2009-06-25 10:54 --d----- c:\programdata\99033686
2009-06-25 10:54 --d----- c:\programdata\19023694
2009-06-25 10:54 --d----- c:\progra~2\99033686
2009-06-25 10:54 --d----- c:\progra~2\19023694
2009-06-14 02:41 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 02:41 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 02:41 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 02:41 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 02:41 80,896 a------- c:\windows\system32\MSNP.ax

==================== Find3M ====================

2009-07-09 10:25 1,646 a------- c:\windows\system32\tmp.reg
2009-07-08 10:36 51,200 a------- c:\windows\inf\infpub.dat
2009-07-08 10:36 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-08 10:36 143,360 a------- c:\windows\inf\infstor.dat
2009-07-08 10:24 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-10 06:00 68,392 a------- c:\windows\system32\sbbd.exe
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-13 17:30 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-05-09 00:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 00:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 16:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 16:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 16:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 16:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 06:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-15 15:25 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-15 15:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-14 16:12 3,018 a------- c:\windows\system32\SpoonUninstall-dBpoweramp CLI Encoder.dat
2009-04-14 14:14 2,649 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Midi Decoder.dat
2009-04-14 14:14 1,844 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
2009-04-14 14:12 3,400 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-04-14 14:11 3,311 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Windows Media Audio 9 Codec.dat
2009-04-14 14:10 3,008 a------- c:\windows\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2009-04-14 14:09 3,417 a------- c:\windows\system32\SpoonUninstall-dBpoweramp TTA Codec.dat
2009-04-14 14:08 2,228 a------- c:\windows\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2009-04-14 14:07 2,980 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Speex Codec.dat
2009-04-14 14:07 3,411 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Shorten Codec.dat
2009-04-14 14:07 3,467 a------- c:\windows\system32\SpoonUninstall-dBpoweramp OptimFROG Codec.dat
2009-04-14 14:07 88,576 a------- c:\windows\system32\OptimFROG.dll
2009-04-14 14:06 3,065 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-04-14 14:06 3,283 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Musepack Codec.dat
2009-04-14 14:06 3,107 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2009-04-14 14:05 3,153 a------- c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2009-04-14 14:05 3,625 a------- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-04-14 14:04 2,830 a------- c:\windows\system32\SpoonUninstall-dBpoweramp [ID Tag Update] Codec.dat
2009-04-14 14:04 2,993 a------- c:\windows\system32\SpoonUninstall-dBpoweramp [Channel Split] Codec.dat
2009-04-14 14:04 2,865 a------- c:\windows\system32\SpoonUninstall-dBpoweramp [Audio Info] Codec.dat
2009-04-14 14:04 2,873 a------- c:\windows\system32\SpoonUninstall-dBpoweramp [Arrange Audio] Codec.dat
2009-04-14 14:04 2,863 a------- c:\windows\system32\SpoonUninstall-dBpoweramp [Tag From Filename] Codec.dat
2009-04-14 14:03 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-04-14 14:00 10,099 a------- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2009-04-14 13:59 14,051 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-04-14 13:15 355,192 a------- c:\windows\system32\SpoonUninstall.exe
2009-04-09 11:34 3,506 a------- c:\users\vincent\appdata\roaming\wklnhst.dat
2008-05-06 14:15 87,608 a------- c:\users\vincent\appdata\roaming\inst.exe
2008-05-06 14:15 47,360 a------- c:\users\vincent\appdata\roaming\pcouffin.sys
2008-04-02 15:02 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-14 10:14 8 ---shr-- c:\windows\system32\38FDB3C84E.sys
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-01-15 10:22 3,140 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2009-04-02 09:04 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2007-11-02 10:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007110220071103\index.dat
2007-11-06 14:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007110620071107\index.dat
2008-04-02 11:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008040220080403\index.dat
2008-09-22 09:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008091520080922\index.dat
2008-09-22 09:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092220080923\index.dat
2008-09-23 10:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092320080924\index.dat
2008-09-24 09:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092420080925\index.dat
2008-09-25 09:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092520080926\index.dat
2008-09-26 09:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092620080927\index.dat
2008-09-29 09:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008092920080930\index.dat
2008-12-30 18:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008123020081231\index.dat
2009-01-06 09:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009010620090107\index.dat
2009-01-07 09:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009010720090108\index.dat
2009-01-19 09:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009011920090120\index.dat
2009-01-20 13:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009012020090121\index.dat
2009-01-27 10:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009012720090128\index.dat
2009-01-28 10:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009012820090129\index.dat
2009-02-10 09:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009021020090211\index.dat
2009-02-11 10:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009021120090212\index.dat
2009-02-25 09:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009021620090223\index.dat
2009-02-25 09:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009022520090226\index.dat
2009-02-26 09:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009022620090227\index.dat
2009-03-03 11:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030320090304\index.dat
2009-03-04 10:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030420090305\index.dat
2009-03-05 10:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030520090306\index.dat
2009-03-06 10:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030620090307\index.dat
2009-03-09 09:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030920090310\index.dat
2009-03-24 08:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009032420090325\index.dat
2009-03-25 14:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009032520090326\index.dat
2009-03-30 09:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009033020090331\index.dat
2009-03-31 11:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009033120090401\index.dat
2009-04-01 09:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040120090402\index.dat
2009-04-02 09:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040220090403\index.dat
2009-04-03 09:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040320090404\index.dat
2009-04-06 10:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040620090407\index.dat
2009-04-08 09:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040820090409\index.dat
2009-04-09 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009040920090410\index.dat
2009-04-10 09:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009041020090411\index.dat

============= FINISH: 14:09:30.18 ===============

#2 random/random

  • Malware Response Team
  • 2,704 posts

Posted 13 July 2009 - 12:53 PM

We'll begin with ComboFix. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the ComboFix log and a new HijackThis log as a reply to this topic.

#3 VinnyP

  • Topic Starter
  • Members
  • 17 posts

Posted 13 July 2009 - 02:46 PM

Attached per your request is the ComboFix log. Please advise if anything else needs to be done. Thanks.

ComboFix 09-07-12.03 - Vincent 07/13/2009 14:12.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3198.2251 [GMT -5:00]
Running from: c:\users\Vincent\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
SP: Sunbelt VIPRE *disabled* (Updated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Vincent\AppData\Roaming\inst.exe
c:\windows\Installer\935d15.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\SKYNETnhndplpb.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\SKYNETdrccaqim.dll
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETpojiixvr.dll
c:\windows\system32\SKYNETremyxosu.dat
c:\windows\system32\SKYNETrexpoxvh.dat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETmtkxgmcc


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 19:20 . 2009-07-13 19:23 -------- d-----w- c:\users\Vincent\AppData\Local\temp
2009-07-08 17:19 . 2009-07-08 17:19 -------- d-----w- c:\users\Vincent\AppData\Roaming\Malwarebytes
2009-07-08 17:19 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 17:19 . 2009-07-08 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 17:19 . 2009-07-08 17:19 -------- d-----w- c:\programdata\Malwarebytes
2009-07-08 17:19 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 18:38 . 2009-07-08 17:34 -------- d-----w- c:\programdata\Lavasoft
2009-07-06 20:41 . 2009-07-08 17:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-06 20:14 . 2009-07-06 20:14 -------- d-----w- c:\programdata\16551264
2009-06-29 17:17 . 2009-06-29 17:17 10134 ----a-r- c:\users\Vincent\AppData\Roaming\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
2009-06-29 14:44 . 2009-06-29 14:44 -------- d-----w- c:\windows\system32\EventProviders
2009-06-27 17:22 . 2009-06-27 17:22 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-25 15:54 . 2009-07-06 14:11 -------- d-----w- c:\programdata\19023694
2009-06-25 15:54 . 2009-07-06 14:11 -------- d-----w- c:\programdata\99033686
2009-06-14 07:41 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 07:41 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 21:41 . 2008-03-13 15:11 -------- d-----w- c:\users\Vincent\AppData\Roaming\uTorrent
2009-07-09 14:31 . 2008-10-15 23:00 680 ----a-w- c:\users\Vincent\AppData\Local\d3d9caps.dat
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-08 15:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-08 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-08 15:24 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-23 20:22 . 2007-12-17 17:14 -------- d-----w- c:\programdata\FLEXnet
2009-06-22 21:26 . 2009-04-28 14:58 -------- d-----w- c:\program files\DivX
2009-06-22 21:26 . 2009-04-28 14:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-10 11:00 . 2009-06-10 11:00 68392 ----a-w- c:\windows\system32\sbbd.exe
2009-06-10 08:03 . 2007-10-09 18:50 -------- d-----w- c:\program files\Microsoft Works
2009-05-29 21:16 . 2007-10-08 22:03 -------- d-----w- c:\users\Vincent\AppData\Roaming\Image Zone Express
2009-05-16 06:06 . 2009-05-16 06:06 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-13 22:30 . 2009-05-13 22:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-05-09 05:50 . 2009-06-10 05:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 05:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 18:56 . 2009-04-30 18:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-04-23 12:43 . 2009-06-10 05:28 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-10 05:29 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-10 05:29 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2008-01-28 21:49 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-14 21:12 . 2009-04-14 19:14 3018 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp CLI Encoder.dat
2001-12-03 22:09 . 2009-04-01 21:33 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-01-14 15:14 . 2008-01-14 15:14 8 --sh--r- c:\windows\System32\38FDB3C84E.sys
2006-05-03 09:06 . 2008-06-18 21:03 163328 --sh--r- c:\windows\System32\flvDX.dll
2008-01-15 15:22 . 2008-01-14 15:14 3140 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-06-18 21:03 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 12:43 . 2008-06-18 21:03 27648 --sh--w- c:\windows\System32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-06-10 959784]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-30 4317184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Vincent^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Vincent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Vincent^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Vincent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ce8f9a02

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e6,30,d7,53,cd,f8,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{30E30985-BADD-4D28-BE8D-6865679FDBBE}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B1E76157-E4B7-4189-8D18-48BD48C8C862}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{330897FD-F0CF-42A1-AB6C-194DD2457B20}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{9D3A1429-17A0-4E20-8516-5870BF3636FF}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{A7A38045-9BC8-4036-8480-02725B056D92}"= Disabled:UDP:c:\users\Vincent\AppData\Local\Temp\7zSCB6B.tmp\setup\HPZnui01.exe:hpznui01.exe
"{5E71BB46-0B5E-4491-B382-9221B50FA457}"= Disabled:TCP:c:\users\Vincent\AppData\Local\Temp\7zSCB6B.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{236A83B3-A5BB-415B-BC7A-06ADBD1CC1F2}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1726F8D2-6252-4AFA-87EE-E828B0E9BED8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{70C95CED-1BDC-4BDB-9A85-D175DE4DB5D5}"= c:\program files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{0DE51228-93EF-49E4-8054-4476C8E924EB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{47ACEA6D-28C6-4125-9DF3-70AF7FFEB7B7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{9A3393EA-B0C6-4688-8F39-2498D2E8C01E}"= c:\program files\CyberLink\PowerDVD8\PowerDVD8.EXE:CyberLink PowerDVD 8.0
"{BF64DB90-4606-4984-9B20-E6FBD3DADAF5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{6431DF70-60D7-4AEB-911B-C1D2DC702488}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{ACF723C4-BAA5-4C8B-8D20-6D3E728E2782}"= UDP:c:\program files\PanaVue\ImageAssembler 3\pia3.exe:PanaVue ImageAssembler
"{06CA7C84-DAD6-407A-9AA4-66AF92371FD1}"= TCP:c:\program files\PanaVue\ImageAssembler 3\pia3.exe:PanaVue ImageAssembler
"{5F44C664-F51E-47F2-8C13-CD166050062C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{67E2C5B0-8D06-40F7-A782-4EE22228B010}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E5A5D224-D927-4594-A237-6EED660D11B0}"= UDP:c:\program files\nbpro\nbpro.exe:NewsBin Pro
"{814B96B5-8ED4-4F3F-908A-25089236188E}"= TCP:c:\program files\nbpro\nbpro.exe:NewsBin Pro
"{61288058-BFDF-4CFA-935C-D16C0DD42518}"= UDP:c:\program files\NewsBin\nbpro.exe:NewsBin Pro
"{09EDE43D-C755-41CE-9A5D-4626B30C7456}"= TCP:c:\program files\NewsBin\nbpro.exe:NewsBin Pro

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 sbtis;sbtis;c:\windows\System32\drivers\sbtis.sys [12/30/2008 17:33 202928]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 12:07 61424]
R2 sbapifs;sbapifs;c:\windows\System32\drivers\sbapifs.sys [5/13/2009 17:30 69936]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [6/27/2008 01:40 335872]
R3 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [10/4/2007 06:27 15360]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [6/10/2009 06:00 980264]
S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [11/18/2008 08:36 7808]
S3 SBRE;SBRE;c:\windows\System32\drivers\SBREDrv.sys [4/30/2009 13:56 93360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2007-10-04 16:16]

2009-07-13 c:\windows\Tasks\User_Feed_Synchronization-{11A1BCBB-A17C-4046-82CD-5090B9E1045E}.job
- c:\windows\system32\msfeedssync.exe [2009-06-01 11:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{88249A81-5327-46F9-B602-260F85FC35CE} - c:\windows\system32\jkkHWPFV.dll
Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{9E563692-6E8F-4DB6-BA56-42EF3BA3F84F} - c:\windows\system32\byXRhiGY.dll


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: isqft.com\www
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
FF - ProfilePath - c:\users\Vincent\AppData\Roaming\Mozilla\Firefox\Profiles\tlodkuau.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 14:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.032"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.amr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.amr"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ani"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.arw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bay"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bmp"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bwf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bwf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cel\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cel"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cr2"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.crw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cs1"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cur"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcr"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcx"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dib"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djv"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djvu"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dng"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.emf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (S-1-5-21-704769627-1151563731-2068727794-1000)
@Denied: (2) (LocalSystem)
"Progid"="Applications\\mspaint.exe"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.erf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fff"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.flc"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fli\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fli"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fpx"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gif"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.hdr"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icl"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icn"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ico"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iff"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ilbm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.int"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.inta"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iw4"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2c"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2k"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jfif"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jif"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jp2"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpc"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (S-1-5-21-704769627-1151563731-2068727794-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpe"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (S-1-5-21-704769627-1151563731-2068727794-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpeg"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpk"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpx"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kar\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.kar"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.lbm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m15\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m15"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m1a"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m2a"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4b"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4p"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4v"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m75\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m75"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mef"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mos"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mpv"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mrw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.nef"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.orf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pbm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcd"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pct"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcx"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pef"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pgm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pic"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pics\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pics"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pict"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pix"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.png"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ppm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psd"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psp"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pspimage"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qcp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qcp"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qtpf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qtpf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ras"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgb"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgba"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rle"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rsb"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sdv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sdv"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfil\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sfil"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sgi"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.smf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.smi"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smil\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.smil"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sml"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sr2"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.srf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swa\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.swa"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tga"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.thm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tif"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tiff"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttc"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ulw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ulw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vfw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.vfw"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbmp"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wmf"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xbm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xif"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xpm"

[HKEY_USERS\S-1-5-21-704769627-1151563731-2068727794-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:58,82,e2,80,0c,61,b4,00,e4,ce,f9,90,eb,2a,a1,aa,bc,3b,3f,01,6c,4e,48,
b5,e8,4a,d5,85,50,80,d5,f2,a3,62,b8,cb,91,88,f2,c8,a7,c0,10,2b,3a,a3,ef,d8,\
"??"=hex:db,37,09,12,ea,36,c7,e3,91,33,3f,76,2e,a2,60,0b
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\WUDFHost.exe
c:\program files\ASUS\AASP\1.00.32\aaCenter.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-07-13 14:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 19:28

Pre-Run: 582,973,681,664 bytes free
Post-Run: 583,052,877,824 bytes free

598 --- E O F --- 2009-07-08 15:21


#4 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 13 July 2009 - 05:35 PM

Well, it looks like combofix has done a good job of removing the rootkit. Hopefully, there is not too much left to do.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
You are running a P2P filesharing programme.
  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does, click here.
Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

My recommendation is you uninstall all P2P programs.
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    DirLook::
    c:\programdata\16551264
    c:\programdata\19023694
    c:\programdata\99033686
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ce8f9a02]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    (image: CFscript.txt being dragged onto combofix.exe)
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


#5 VinnyP

VinnyP
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 15 July 2009 - 10:20 AM

What exactly happens when I do as you say above (copying the above to notepad and dragging to ComboFix)? I tried to do this and could not. I received a popup window stating:

"The NTVDM CPU has encountered an illegal instruction.
CS:11e9 IP:0108 OP:63 00 69 00 6f Choose 'close' to terminate the application.
Close Ignore"

Not sure what I should do now. I did update the Java application in the manner you suggested though.

BTW, thank you so much for everything you have done. It is very appreciated.
Vincent

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 15 July 2009 - 04:50 PM

We can do it manually:

Copy the contents of the following codebox to a notepad window

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ce8f9a02]

Save it to the desktop as fix.reg, making sure "Save as type" is set to "All Files".

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.

Now look inside these folders and tell me what is in them:

c:\programdata\16551264
c:\programdata\19023694
c:\programdata\99033686

After that, please post a new DDS log.
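As an added example (not from the thread or the helper's own tooling), the same manual steps done from an elevated PowerShell prompt: the key is exported to a backup .reg before it is removed, and the three ProgramData folders are listed with sizes, timestamps, attributes and SHA-256 hashes so their contents can be looked up or compared against a known-good baseline. It assumes PowerShell 4 or later (for Get-FileHash) and uses the key and folder paths named in the post; the backup file name is a constructed one.

```powershell
# Added example: manual version of the fix above. Assumes an elevated
# PowerShell 4+ session. Key and folder paths are the ones named in the thread;
# the backup file name is constructed for this example.
$key     = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ce8f9a02'
$regPath = 'HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ce8f9a02'
$folders = 'C:\ProgramData\16551264', 'C:\ProgramData\19023694', 'C:\ProgramData\99033686'
$backup  = Join-Path $env:USERPROFILE 'Desktop\ce8f9a02-backup.reg'

# 1. Show what the startup entry holds, keep an exported copy so the change
#    can be reversed by merging the backup, then delete the key.
if (Test-Path $key) {
    Write-Host "Key present; values:"
    Get-ItemProperty -Path $key | Format-List *
    reg.exe export $regPath $backup /y | Out-Null
    Write-Host "Backup written to $backup"
    Remove-Item -Path $key -Recurse
    Write-Host "Key removed."
} else {
    Write-Host "Key not present (already removed or never existed)."
}

# 2. Inventory the ProgramData folders the helper asked about. -Force includes
#    hidden and system files, which is where such droppers usually hide.
foreach ($dir in $folders) {
    Write-Host "`n== $dir =="
    if (-not (Test-Path $dir)) { Write-Host "  (missing)"; continue }
    Get-ChildItem -Path $dir -Force -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            Attrs    = $_.Attributes
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
}
```

Paste the table it prints into the reply instead of describing the folders by hand; the hashes let the responder check the files without them being uploaded.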



