Trojan.TDSS stopping Combofix? [Moved]


#1 Deldad

Posted 15 July 2009 - 10:13 PM

Hello,

I have been battling a nasty piece of malware (I think it is called a rootkit). MBAM calls it a Trojan.TDSS. GMER calls it \\?\globalroot\systemroot\system32\geyek------.dll

It has stopped NAV, SFC/scannow, AVG, and safe mode from working. I have got these all working, but none of them, including Spybot S&D and MBAM, can remove it.

Now I wish to try Combofix. I have been trying to run Combofix, but every time that I do it goes to a BSOD with a 0x000000BE error code. It doesn't matter if I try Normal or Safe mode.

Any ideas why Combofix won't work?

#2 Orange Blossom

Posted 15 July 2009 - 10:41 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

#3 boopme

Posted 16 July 2009 - 07:59 PM

Hello, let's see if we can run RootRepeal.

Next, please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#4 Deldad

Posted 16 July 2009 - 09:20 PM

Thanks in advance for all of your help.

RootRepeal ran successfully. Here is the resultant logfile:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/16 22:07
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000064
Image Path: \Driver\00000064
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC8EA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: lpaotopp.sys
Image Path: C:\DOCUME~1\Dad\LOCALS~1\Temp\lpaotopp.sys
Address: 0xA8D9A000 Size: 81664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8EB9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\geyekrbcjwbeet.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrbcvpesmi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrblxexnke.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrdqwbrprt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrerxmdutr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrfnixlnsp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekriemuerqo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrjeddpeix.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrjnfcptuy.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrlhwqlbtx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrmkbcjpwi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekroeutoqba.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrqpctfgnw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrrrsmsdgp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrsnadmlon.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrumdkroda.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekruwyksixr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrvbcbjxrt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrxvsiwtrx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrymcxrieb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\geyekrsahnppua.sys
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-746137067-2000478354-725345543-1006\Dc4\geyekrsjvtpdorbc.tmp
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-746137067-2000478354-725345543-1006\Dc4\geyekrxuwfpevqtb.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090715.016\EraserUtilDrv10910.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\DadOld\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\DadOld\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrqpctfgnw.dll]
Process: svchost.exe (PID: 1136) Address: 0x10000000 Address: 53248

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8abcaa40 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89ea40e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x8aaed0e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8aab20e8 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x8abcac78 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x89fe2c60 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8abca0e8 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ab7a550 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89ef56a8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_WRITE]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_QUERY_EA]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SET_EA]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_POWER]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: UDFReadrࠆ䵃慖ࠁఆ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x89fcc0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_CREATE]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_CLOSE]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_READ]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_WRITE]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_QUERY_EA]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SET_EA]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_CLEANUP]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_POWER]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_PNP]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89efe510 Address:

Hidden Services
-------------------
Service Name: geyekrkukvqpwo
Image Path: C:\WINDOWS\system32\drivers\geyekrsahnppua.sys

==EOF==
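The RootRepeal output above is long but carries only three facts worth acting on: which drivers have hooked dispatch entries, where every hook points, and which service is hidden. The following is an added Python example, not part of this thread, of RootRepeal, or of any poster's instructions. It parses that log format into those facts and, on the assumption (drawn from the file names on this page, where every component starts with "geyekr") that the rootkit names all of its components with one shared six-character prefix, lists matching files from a system32 directory listing. The sample log and the directory listing are constructed here in the page's format; the `Image Path` line accepts the colon-less form the page shows.

```python
"""Triage a RootRepeal-style log: hooked drivers, hook targets, hidden services.

Added example for this thread.  Not RootRepeal code and not any poster's
procedure.  SAMPLE_LOG and the system32 listing below are constructed to
match the format shown on the page."""

import re
from collections import defaultdict

# Constructed sample in the format RootRepeal printed in this thread.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_PNP]
Process: System Address: 0x89fdf0e8 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x89efe510 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89efe510 Address: 15

Hidden Services
-------------------
Service Name: geyekrkukvqpwo
Image Path: C:\\WINDOWS\\system32\\drivers\\geyekrsahnppua.sys

==EOF==
"""

HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]\s*\n"
    r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+)"
)
# The page shows "Image PathC:\..." (colon lost in extraction), so the colon is optional.
SERVICE_RE = re.compile(
    r"Service Name:\s*(?P<name>\S+)\s*\nImage Path:?\s*(?P<path>.+)"
)


def parse_hooks(log):
    """Return {driver: {irp_major: hook_address}} for every 'Hidden Code' entry."""
    hooks = defaultdict(dict)
    for m in HOOK_RE.finditer(log):
        hooks[m["driver"]][m["irp"]] = m["addr"].lower()
    return dict(hooks)


def parse_hidden_services(log):
    """Return [(service_name, image_path)] from the 'Hidden Services' section."""
    return [(m["name"], m["path"].strip()) for m in SERVICE_RE.finditer(log)]


def hook_addresses(hooks):
    """Distinct addresses the hooks jump to.  When every dispatch entry of a
    driver points at one address, a single hidden module has replaced the
    driver's whole IRP dispatch table rather than one routine."""
    return sorted({addr for irps in hooks.values() for addr in irps.values()})


def component_prefix(image_path, length=6):
    """Assumption for this example: all rootkit components share one random
    name prefix (every file in this thread starts with 'geyekr').  Derive it
    from the hidden driver's file name."""
    filename = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    return filename[:length].lower()


def related_files(prefix, listing):
    """Files in a directory listing that share the rootkit's prefix."""
    return sorted(f for f in listing if f.lower().startswith(prefix))


def triage(log, system32_listing):
    """Combine the parsers into one report a responder can act on."""
    hooks = parse_hooks(log)
    services = parse_hidden_services(log)
    report = {
        "hooked_drivers": sorted(hooks),
        "hook_addresses": hook_addresses(hooks),
        "hidden_services": services,
        "suspect_files": [],
    }
    for _name, path in services:
        report["suspect_files"] += related_files(component_prefix(path), system32_listing)
    return report


if __name__ == "__main__":
    # Constructed directory listing; the 'geyekr*' names mirror the page's pattern.
    listing = ["kernel32.dll", "geyekrbcvpesmi.dll", "geyekrqpctfgnw.dll", "ntdll.dll"]
    for key, value in triage(SAMPLE_LOG, listing).items():
        print(f"{key}: {value}")
```

The point of `hook_addresses` is the check a responder makes by eye on the log above: two drivers, each with every IRP_MJ_* entry sent to one address per driver, is one hidden module hooking whole dispatch tables, which is why a user-mode scanner cannot see or delete the files until that module is gone.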

#5 boopme (Global Moderator)

Posted 16 July 2009 - 09:55 PM

Now remove these core files and that should free up MBAM.
Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\geyekrbcvpesmi.dll
C:\WINDOWS\system32\geyekrerxmdutr.dll
C:\WINDOWS\system32\geyekrfnixlnsp.dll
C:\WINDOWS\system32\geyekrlhwqlbtx.dll
C:\WINDOWS\system32\geyekrmkbcjpwi.dll
C:\WINDOWS\system32\geyekroeutoqba.dll
C:\WINDOWS\system32\geyekrqpctfgnw.dll
C:\WINDOWS\system32\geyekrumdkroda.dll
C:\WINDOWS\system32\geyekrxvsiwtrx.dll
C:\WINDOWS\system32\geyekrymcxrieb.dll
C:\WINDOWS\system32\drivers\geyekrsahnppua.sys


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 Deldad (Topic Starter)

Posted 16 July 2009 - 10:56 PM

OK, I ran everything as requested, except I didn't know where to start, so I started RootRepeal in Safe Mode and then followed the rest of the directions. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2447
Windows 5.1.2600 Service Pack 2

7/16/2009 11:25:55 PM
mbam-log-2009-07-16 (23-25-55).txt

Scan type: Quick Scan
Objects scanned: 144856
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\recycler\s-1-5-21-746137067-2000478354-725345543-1006\Dc49.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\recycler\s-1-5-21-746137067-2000478354-725345543-1006\Dc50.dad (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#7 Deldad (Topic Starter)

Posted 16 July 2009 - 11:00 PM

I re-ran MBAM and it says that it is clean! Not only that but those geyekxxxx.dll and .dat files are now visible in the \system32 folder and I can delete them. Amazing, I can't thank you enough. I am running all of the other tools just to be sure, but if I don't reply today or tomorrow that means everything is great!

#8 boopme (Global Moderator)

Posted 17 July 2009 - 11:28 AM

Ok that's fine. Let's run these also to get whatever may be left.
Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#9 Deldad (Topic Starter)

Posted 18 July 2009 - 03:51 PM

Well, the nasty malware is still gone, although I had some registry permission issues with Windows Update and BITS, but those are fixed now too. My only concern now seems to be damage repair and seeing if there is still another problem lurking, because when I search for files in Windows it never stops and I get multiples of the same files. Some sort of infinite loop.

I ran ATF Cleaner and SAS; the log file is below. ComboFix also works now, and its log is also below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/18/2009 at 04:36 PM

Application Version : 4.26.1006

Core Rules Database Version : 4003
Trace Rules Database Version: 1943

Scan type : Complete Scan
Total Scan Time : 01:02:19

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 8716
Registry threats detected : 0
File items scanned : 64541
File threats detected : 134

Adware.Tracking Cookie
data.coremetrics.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
www.3dstats.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
www.googleadservices.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
.track.monitis.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
.track.monitis.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
.statcounter.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Firefox\Profiles\tods8qss.default\cookies.txt ]
.at.atwola.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.atwola.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.interclick.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.c7.zedo.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.specificclick.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.interclick.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.interclick.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.apmebf.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.apmebf.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.imrworldwide.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
ads.revsci.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.insightexpressai.com [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
.earthlink.122.2o7.net [ D:\vanessahd\Documents and Settings\Vanessa1\Application Data\Mozilla\Profiles\default\6dn53l08.slt\cookies.txt ]
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@at.atwola[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adv.dmv[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@www.lakecountyfl[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@eb.adbureau[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@www.burstbeacon[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.mediamayhemcorp[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.as4x.tmcs.ticketmaster[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@anad.tacoda[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@partner2profit[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@dynamic.media.adrevolver[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@a.findarticles[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@specificmedia[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@server.iad.liveperson[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@webstat.yamaha[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@e-2dj6wjliokdpaco.stats.esomniture[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@stats.crossmediaservices[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@media.mtvnservices[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@cz8.clickzs[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@bizrate[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@m1.webstats.motigo[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@acronymfinder[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@media6degrees[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.cartoonnetwork[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@traffic.prod.cobaltgroup[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@paypal.112.2o7[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adrevolver[3].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@track.bestbuy[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@sierraflowerfinder[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@media.zoominfo[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@collective-media[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@try.starware[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@findapet[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@richmedia.yahoo[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@pt.crossmediaservices[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.traderonline[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@apmebf[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@www.burstnet[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adinterax[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@accounts[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@findarticles[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ad.m5prod[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@atwola[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@interclick[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@superstats[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@eztracks.aavalue[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.adultswim[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@kango.112.2o7[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@stats.manticoretechnology[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adcache.cycletrader[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.realtechnetwork[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@stats.foresite[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ez-tracks[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@banners.iop[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@borders.112.2o7[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@specificclick[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@kontera[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adserver.adtechus[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@windowsmedia[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@mywebsearch[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@sales.liveperson[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.addynamix[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.awesomehouseparty[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@www.clickmanage[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@data2.perf.overture[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@gamefinder.disney.go[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.as4x.tmcs[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@oasc02.247realmedia[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@statcounter[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@h.starware[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@crossmediaservices[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ad.motiveinteractive[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@www.ez-tracks[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.toonamijetstream[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@redorbit[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@chitika[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@nextag[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adultswim[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.pointroll[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@insightexpressai[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@wwwinfoclick[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.cnn[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@cendantchg.112.2o7[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@ads.bridgetrack[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@adopt.specificclick[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@iacas.adbureau[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Cookies\vanessa1@amlocalhost.trymedia[1].txt
D:\vanessahd\Documents and Settings\Vanessa1\Local Settings\Temp\Cookies\vanessa1@media.mtvnservices[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Local Settings\Temp\Cookies\vanessa1@ads.adbrite[2].txt
D:\vanessahd\Documents and Settings\Vanessa1\Local Settings\Temp\Cookies\vanessa1@adopt.specificclick[2].txt

***************************************************

ComboFix 09-07-14.08 - Dad 07/18/2009 14:50.1.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1507 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\AV Stuff\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\install.exe
c:\windows\Install.txt
c:\windows\Installer\2c524032.msi
c:\windows\system32\Cache
c:\windows\system32\hljwugsf.bin
c:\windows\system32\Install.txt
c:\windows\system32\system

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_msncache
-------\Legacy_NPF
-------\Legacy_pcmstub
-------\Legacy_sopidkc
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-17 23:41 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 23:41 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 23:00 . 2009-07-17 23:00 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-07-17 23:00 . 2009-07-17 23:00 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-07-17 23:00 . 2009-07-17 23:09 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-07-17 15:21 . 2009-07-17 15:21 7718 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_f3e99.exe
2009-07-17 15:21 . 2009-07-17 15:21 7718 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_4d064db7.exe
2009-07-17 15:21 . 2009-07-17 15:21 7718 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_124305e.exe
2009-07-17 15:21 . 2009-07-17 15:21 3638 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_7a5a767d.exe
2009-07-17 15:21 . 2009-07-17 15:21 3638 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_74d4dc8.exe
2009-07-17 15:21 . 2009-07-17 15:21 3638 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_440d491c.exe
2009-07-17 15:21 . 2009-07-17 15:21 3638 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_428b26a6.exe
2009-07-17 15:21 . 2009-07-17 15:21 25214 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_39b32d12.exe
2009-07-17 15:21 . 2009-07-17 15:21 25214 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_154754de.exe
2009-07-17 15:21 . 2009-07-17 15:21 1406 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_701f5d03.exe
2009-07-17 15:21 . 2009-07-17 15:21 1078 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{B3A70E2C-E608-4B0B-BF10-2AAAC182F209}\_644366bb.exe
2009-07-17 15:20 . 2009-07-17 15:20 -------- d-----w- c:\windows\system32\URTTemp
2009-07-16 13:32 . 2009-07-16 13:33 -------- d-s---w- C:\CombowFix
2009-07-15 22:04 . 2005-07-28 21:52 91856 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-15 22:04 . 2005-07-28 21:52 123712 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-15 12:55 . 2006-11-01 17:06 162616 ----a-w- C:\RegDelNull.exe
2009-07-15 12:13 . 2009-07-15 12:13 -------- d-s---w- C:\CombFix
2009-07-15 05:22 . 2009-07-17 02:38 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-15 05:22 . 2009-07-15 05:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-07-15 05:22 . 2009-07-15 05:22 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-07-14 03:27 . 2009-07-17 23:41 3775175 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 01:02 . 2009-07-14 01:02 -------- d-sh--w- c:\windows\System Volume Information
2009-07-14 01:02 . 2009-07-14 01:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\15859684
2009-07-09 18:34 . 2009-07-09 18:34 -------- d-----w- c:\documents and settings\Dad\Application Data\ImgBurn
2009-07-09 16:48 . 2009-07-09 16:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2009-07-09 00:07 . 2009-07-09 00:07 -------- d-----w- c:\program files\BCL Technologies
2009-07-03 23:45 . 2009-07-18 05:36 138784 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-03 23:14 . 2009-07-03 23:45 139152 ----a-w- c:\documents and settings\Dad\Application Data\PnkBstrK.sys
2009-07-03 23:14 . 2009-07-03 23:44 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-03 05:15 . 2009-07-03 05:15 -------- d-----w- c:\documents and settings\Dad\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 19:03 . 2006-09-01 14:30 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-18 18:24 . 2008-07-20 04:30 -------- d-----w- c:\documents and settings\Dad\Application Data\FileZilla
2009-07-18 17:00 . 2006-12-20 15:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-18 05:36 . 2008-04-08 02:34 202008 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 23:42 . 2009-06-13 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 23:28 . 2009-06-18 02:51 -------- d-----w- c:\documents and settings\Dad\Application Data\uTorrent
2009-07-17 23:09 . 2009-02-08 23:55 -------- d-----w- c:\documents and settings\Dad\Application Data\SuperNZB
2009-07-17 23:09 . 2008-10-11 05:53 -------- d-----w- c:\program files\Replay Media Catcher
2009-07-17 15:21 . 2008-01-05 03:01 -------- d-----w- c:\program files\LogiGamer
2009-07-17 13:16 . 2008-03-30 23:59 -------- d-----w- c:\documents and settings\Dad\Application Data\TeamViewer
2009-07-15 22:14 . 2006-09-01 14:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-15 22:04 . 2006-09-01 14:30 -------- d-----w- c:\program files\Symantec
2009-07-15 22:04 . 2008-04-07 02:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-07-15 05:45 . 2008-04-12 20:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-07-15 05:22 . 2008-01-05 02:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-15 05:22 . 2007-12-09 04:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 05:17 . 2009-03-02 00:27 -------- d-----w- c:\program files\Left 4 Dead Demo
2009-07-15 05:15 . 2008-09-28 20:59 -------- d-----w- c:\documents and settings\Dad\Application Data\Move Networks
2009-07-15 05:15 . 2009-04-02 00:32 -------- d-----w- c:\program files\Panda Security
2009-07-15 00:11 . 2008-01-05 02:23 -------- d-----w- c:\program files\RogueRemover FREE
2009-07-14 18:27 . 2009-03-14 22:07 -------- d-----w- c:\program files\Motorola Phone Tools
2009-07-14 03:39 . 2009-07-14 03:39 4892 ----a-w- c:\program files\sfgyma.txt
2009-07-14 01:25 . 2009-04-02 13:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-07-09 00:17 . 2008-03-30 15:55 1080 ----a-w- c:\windows\AUTOLNCH.REG
2009-07-09 00:07 . 2008-03-09 01:10 -------- d-----w- c:\program files\Common Files\BCL Technologies
2009-07-05 22:30 . 2008-07-11 00:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2009-07-03 23:45 . 2008-04-08 02:34 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-03 23:36 . 2008-07-13 01:27 -------- d-----w- c:\program files\Return to Castle Wolfenstein - Game of The Year Edition
2009-06-25 23:18 . 2006-08-26 13:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-22 01:12 . 2006-08-24 04:50 -------- d-----w- c:\program files\EPSON Print CD
2009-06-18 02:51 . 2009-06-18 02:51 -------- d-----w- c:\program files\uTorrent
2009-06-15 13:08 . 2009-03-14 22:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2009-06-15 13:08 . 2006-08-19 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-29 16:39 . 2008-03-30 04:14 126968 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 15:17 . 2008-07-30 14:49 335872 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\NGMResource.dll
2009-05-28 15:17 . 2008-07-30 14:49 520192 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\NGMDll.dll
2009-05-28 15:16 . 2008-07-30 14:49 98304 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\nxgameus.dll
2009-05-28 15:16 . 2008-07-30 14:49 81920 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-05-28 15:16 . 2008-07-30 14:49 258352 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\unicows.dll
2009-05-28 15:16 . 2008-07-30 14:49 159744 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\NGM.exe
2008-08-30 22:37 . 2008-08-30 22:37 197 --sha-w- c:\program files\Common Files\maxtreme.dat
2003-08-27 19:19 . 2008-03-30 23:49 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2003-02-08 14:48 . 2006-12-20 18:15 13968 ----a-w- c:\program files\mozilla firefox\components\absyncmj.dll
2003-02-08 13:32 . 2006-12-20 18:15 52064 ----a-w- c:\program files\mozilla firefox\components\absyncsv.dll
2003-02-08 13:32 . 2006-12-20 18:15 267568 ----a-w- c:\program files\mozilla firefox\components\addrbook.dll
2003-02-08 13:32 . 2006-12-20 18:15 23616 ----a-w- c:\program files\mozilla firefox\components\emitter.dll
2009-03-05 22:08 . 2009-06-15 02:48 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2003-02-08 14:48 . 2006-12-20 18:15 14832 ----a-w- c:\program files\mozilla firefox\components\impComm4x.dll
2003-02-08 13:32 . 2006-12-20 18:15 17008 ----a-w- c:\program files\mozilla firefox\components\impComm4xMail.dll
2003-02-08 13:32 . 2006-12-20 18:15 54288 ----a-w- c:\program files\mozilla firefox\components\impEudra.dll
2003-02-08 13:32 . 2006-12-20 18:15 45264 ----a-w- c:\program files\mozilla firefox\components\import.dll
2003-02-08 13:32 . 2006-12-20 18:15 35104 ----a-w- c:\program files\mozilla firefox\components\importOE.dll
2003-02-08 13:32 . 2006-12-20 18:15 75440 ----a-w- c:\program files\mozilla firefox\components\impOutlk.dll
2003-02-08 13:32 . 2006-12-20 18:15 24688 ----a-w- c:\program files\mozilla firefox\components\impText.dll
2009-01-04 17:20 . 2008-06-18 01:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-04 17:20 . 2008-06-18 01:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2003-02-08 13:32 . 2006-12-20 18:15 139280 ----a-w- c:\program files\mozilla firefox\components\mime.dll
2003-02-08 13:32 . 2006-12-20 18:15 323536 ----a-w- c:\program files\mozilla firefox\components\msgbase.dll
2003-02-08 13:32 . 2006-12-20 18:15 235856 ----a-w- c:\program files\mozilla firefox\components\msgcompo.dll
2003-02-08 13:32 . 2006-12-20 18:15 71136 ----a-w- c:\program files\mozilla firefox\components\msgdb.dll
2003-02-08 13:32 . 2006-12-20 18:15 333232 ----a-w- c:\program files\mozilla firefox\components\msgimap.dll
2003-02-08 13:32 . 2006-12-20 18:15 160624 ----a-w- c:\program files\mozilla firefox\components\msglocal.dll
2003-02-08 13:32 . 2006-12-20 18:15 39520 ----a-w- c:\program files\mozilla firefox\components\msgMapi.dll
2003-02-08 13:32 . 2006-12-20 18:15 20592 ----a-w- c:\program files\mozilla firefox\components\msgmdn.dll
2003-02-08 13:32 . 2006-12-20 18:15 168688 ----a-w- c:\program files\mozilla firefox\components\msgnews.dll
2003-02-08 13:32 . 2006-12-20 18:15 21648 ----a-w- c:\program files\mozilla firefox\components\msgsmime.dll
2009-01-04 17:20 . 2008-06-18 01:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2003-02-08 14:49 . 2006-12-20 18:15 230336 ----a-w- c:\program files\mozilla firefox\components\nsAB4xUpgrader.dll
2009-01-04 17:20 . 2008-06-18 01:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2003-02-08 13:33 . 2006-12-20 18:15 37696 ----a-w- c:\program files\mozilla firefox\components\vcard.dll
2009-01-04 17:20 . 2008-06-18 01:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-29 01:27 . 2009-04-29 01:27 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-29 01:27 . 2009-04-29 01:27 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-04-29 01:28 . 2009-04-29 01:28 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-08-09 17:08 . 2008-09-12 12:59 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 . 2008-09-12 12:59 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2008-10-11 21:07 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2008-10-11 21:07 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2008-10-11 21:07 216064 --sh--r- c:\windows\system32\nbDX.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[-] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[-] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\system32\user32.dll

[-] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\system32\wininet.dll

[-] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2004-08-04 03:59 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\system32\ntkrnlpa.exe

[-] 2004-08-04 04:18 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\system32\ntoskrnl.exe

[-] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\explorer.exe

[-] 2004-08-04 07:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\services.exe

[-] 2004-08-04 07:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[-] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\system32\spoolsv.exe

[-] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[-] 2004-08-04 07:56 983552 888190E31455FAD793312F8D087146EB c:\windows\system32\kernel32.dll

[-] 2004-08-04 07:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2004-08-04 07:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2004-08-04 07:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\appmgmts.dll

[-] 2004-08-04 05:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-04 07:56 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\system32\comres.dll

[-] 2004-08-04 07:56 22016 74D66B3DE265E8789153414E75175F26 c:\windows\system32\lpk.dll

[-] 2003-06-20 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2003-06-20 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2003-06-20 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\system32\mfc40u.dll

[-] 2004-08-04 07:56 395776 5C83A4408604F737717AB96371201680 c:\windows\system32\rpcss.dll

[-] 2004-08-04 07:56 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\system32\msgsvc.dll

[-] 2004-08-04 07:56 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\system32\comctl32.dll
[-] 2003-06-20 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2003-06-20 12:00 921600 76B90BD220F1B1CC9E183C6B1AE9FBB4 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
[-] 2004-08-04 07:57 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[-] 2003-06-20 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-04 07:56 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\system32\sfc.dll

[-] 2004-08-04 07:56 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\system32\ntmssvc.dll

[-] 2004-08-04 07:56 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\system32\rasauto.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"logigamer"="c:\program files\LogiGamer\LogiGamer.NET.exe" [2004-08-05 695920]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TeamViewer"="c:\program files\TeamViewer\TeamViewer.exe" [2007-08-07 988160]
"logitech utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [8/24/2008 12:25 AM 941784]
R2 DRHARD;DRHARD;c:\windows\system32\drivers\drhard.sys [1/14/2009 1:30 PM 23600]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [12/10/2008 4:49 AM 185640]
R3 Astdi;Astdi;c:\program files\Aventail\Connect\asnttdi.sys [8/19/2005 12:47 PM 126917]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [1/14/2009 10:38 AM 89600]
R3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [1/8/2007 9:04 PM 6400]
R3 TD3004F60v;TD3004F60v;c:\windows\system32\drivers\TD3004F60v.sys [3/30/2008 1:16 PM 16320]
S3 Ascrypto;Ascrypto;c:\program files\Aventail\Connect\ascrypto.sys [8/19/2005 12:47 PM 219299]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [3/8/2008 9:10 PM 77824]
S3 DuneNtsc;Pinnacle PCTV Deluxe USB (NTSC) Device;c:\windows\system32\drivers\DuneNtsc.sys [1/8/2007 9:05 PM 97408]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [3/14/2009 7:08 PM 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [3/14/2009 7:08 PM 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [3/14/2009 7:08 PM 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [3/14/2009 7:08 PM 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [3/14/2009 7:08 PM 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [3/14/2009 7:08 PM 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [3/14/2009 7:08 PM 109736]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 savroam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/31/2006 12:21 AM 124656]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 3:56 AM 5120]
S3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1553896]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [1/7/2008 4:37 AM 25088]
S3 WPEServ;soft Xpansion Print2Document;c:\program files\Common Files\WPE\wpeserv.exe [3/8/2008 9:15 PM 323584]
S4 93f5f270;93f5f270;c:\windows\system32\drivers\93f5f270.sys --> c:\windows\system32\drivers\93f5f270.sys [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1/29/2009 12:11 AM 13088]
S4 TeamViewer;TeamViewer Remote Control;c:\program files\TeamViewer\TeamViewer.exe [8/7/2007 7:41 AM 988160]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\PC DVR-4-Net.job
- c:\program files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe [2008-03-30 22:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\do50i2q0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 15:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuaueng.dll.wusetup.272500.bak 1712984 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-2000478354-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a"**]
@Class="Shell"

[HKEY_USERS\S-1-5-21-746137067-2000478354-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a"**\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2328)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\SAgent4.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2009-07-18 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 19:13

Pre-Run: 97,902,743,552 bytes free
Post-Run: 97,830,002,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

334

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 July 2009 - 12:36 PM

OK, you look good now.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.