browswer redirect, unauthorized Windows change, BSOD parity error


  • This topic is locked
29 replies to this topic

#1 kenno3

kenno3

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 22 July 2009 - 02:56 AM

(Some key words are highlighted to help other users with related problems find them easier, that's how I found this forum.)

Hi can an expert please help me? Malware / Trojan got on my computer because my antivirus system checks “allowed” it to make a registry change without asking me.
The problems are:

1) I'm redirected to malware sites when I do a Google search using IE and Firefox.
These are some of the redirects, please don’t click.
htt p://mycustomsearch.cn/searchresults .. Etc.
htt p://64.21.19.2/pass/?c= ….
htt p://toseeka.com
htt p://overlick.cn


I think I got the malware from ads using an exploit (maybe related to this:
http://labs.idefense.com/intelligence/vuln...play.php?id=478 ).

I know I got it while browsing websites using IE v7. But I didn't choose to install or load anything new.
McAfee Security Center log shows that it allowed C:\users\username\appdata\local\temp\f.exe and e.exe to run and make a registry change without asking me. Usually McAfee pops up and tells me it prevented something, but this time it didn't and I'm upset.
Process description: Freeware Promotion (the malware)
Publisher: PROMO Software
Process version: 9.6.1.5 HKEY_local_machine\software\Microsoft\windows NT\current version
winlogon\userinit

I also had delself.bat show up on my desktop. The file says:
@echo off
:try
del "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BF3Q2XAM\installb[1].exe"
if exist "C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BF3Q2XAM\installb[1].exe" goto try
del delself.bat

I did a search about “mycustomsearch.cn” and found this which shows some of the things true about what I got but not all the registry changes are the same:
http://www.threatexpert.com/report.aspx?md...942056a41748a12

# The following Registry Value was modified:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
o Userinit = "%System%\userinit.exe,%System%\drivers\smss.exe"


I found a fake smss.exe running (description listed as Freeware Promotion, memory size= 1792). The real smss and fake smss were running and I deleted the fake one which was in my drivers folder but I still get the browser redirect.
And I removed the %System%\drivers\smss.exe from my registry and this may or may not be why I'm having problem 2. But problem 2 didn't happen until after my computer restarted.

This line is from a HijackThis report. I'm not sure if the malware created the fake smss and userinit.exe line, but I only deleted the smss part of the registry line. In other words, I'm not sure if userinit.exe belongs at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


"F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe"


2) I'm getting a Vista pop-up error that says: "An unauthorized change was made to Windows.
Error 0xc004d401
The security processor reported a system file mismatch error.”

I started getting this error after the malware and I tried getting rid of it.
Also I get this error sometimes after starting Vista and I login to my user. The desktop or windows bar doesn’t load but the error pops up and I must restart my computer or go in safe mode to load it.


3) My computer is getting a BSOD sometimes without a specific error listed. It says something about if this is the first time seeing this then contact the system maker or something, then there's a 20 sec countdown and my computer restarts. I've never had a BSOD with Vista on this computer for the 2-3 years I've had it. I'm also getting another BSOD about a parity error.
This may be related to the heat here, but I put extra fans on my computer and took off the side panel to vent better, and this has happened before I got the malware, etc.


4) I can't start up Internet Explorer v7 anymore after I tried disabling some Browser Helper Objects (after I got the malware). I get a data execution error when I try to start it. Is there a way to fix these settings without starting up IE, like an on/off key in the registry?



============
A) Extra info:
I got infected and got the browser problems on 7-19-09 but I think the files related to delself.bat tried to install on 7-16-09 because that’s its creation date.
My hosts file only shows 127.0.0.1 local host.
It’s a Dell computer so it came with some start up programs preinstalled. The warranty is over.
I found e.exe and f.exe in my temp folders but deleted them. I didn’t find one in my System32 folder.
I also found a registry thing about Braviax.exe which I deleted.
I have McAfee antivirus but it's not up to date and the update subscription has expired. But I didn't install any new things when this happened except the new AIM a few days earlier.
My system restore was turned off before this happened (because I ran out of HD space) but now I get an error when I try enabling it.
Windows cannot create a shadow copy due to internal error in other system components. For more info view the event log. (0x81000109)
I updated Malwarebytes and ran a scan but it kept freezing after 3 mins when it performed extra and heuristics scans.
*Edit: since then I've turned off extra scan and posted the log.*


B) I have 2 main questions: How can I fix these errors? Please help.

And how can I find out who PROMO Software, Freeware Promotion, mycustomsearch.cn, toseeka.com, overlick.cn and 64.21.19.2 are, so I can take legal action or report them (to whom: what agency or website?), so we can get these fraud companies shut down and prevent others from going through all the hassle I've been through?

Thank you.


*Edit* I added Malwarebytes scan file to help you identify what I have but I didn't remove these things yet :


================================
Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 6.0.6000

7/22/2009 3:31:42 AM
mbam-log-2009-07-22 (03-31-37).txt

Scan type: Quick Scan
Objects scanned: 36740
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\Windows\System32\msansspc.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\smss.exex (Trojan.Agent) -> No action taken.
c:\Users\x410\~.exe (Trojan.Agent) -> No action taken.
c:\Windows\System32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\Windows\System32\lowsec\user.ds (Stolen.data) -> No action taken.
c:\Windows\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.





================================
DDS (Ver_09-06-26.01) - NTFSx86
Run by x410 at 0:06:43.37 on Wed 07/22/2009
Internet Explorer: 7.0.6000.16575
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1007 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Media\Record\hypercam\HyCam2.exe
C:\Games\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SecurityProviders: credssp.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\x410\appdata\roaming\mozilla\firefox\profiles\oi4cgjua.default\
FF - plugin: c:\media\player\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-13 5504]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-9-13 120320]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-7-13 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\converter\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-19 38160]
SUnknown jickp;jickp; [x]

=============== Created Last 30 ================

2009-07-19 14:50 <DIR> --d----- C:\MGADiagToolOutput
2009-07-19 14:45 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-07-19 13:39 <DIR> --d----- c:\users\x410\appdata\roaming\Malwarebytes
2009-07-19 13:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 13:39 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 13:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 13:39 <DIR> --d----- c:\program files\cleaner
2009-07-19 13:35 <DIR> --d----- c:\program files\CCleaner
2009-07-19 01:58 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-19 01:58 48,128 a---h--- c:\windows\system32\drivers\smss.exex
2009-07-19 01:57 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-19 01:57 76,160 a------- c:\windows\system32\drivers\cvbio.sys
2009-07-11 14:12 <DIR> --d----- c:\windows\system32\Adobe
2009-07-10 17:27 <DIR> --d----- c:\programdata\AOL Downloads
2009-07-07 00:36 244 a---h--- C:\sqmnoopt00.sqm
2009-07-07 00:36 232 a---h--- C:\sqmdata00.sqm
2009-07-05 01:01 <DIR> --d----- c:\users\x410\appdata\roaming\FlashGet
2009-07-05 01:00 <DIR> --d----- c:\program files\FlashGet

==================== Find3M ====================

2009-07-21 23:59 25,482 a------- c:\users\x410\appdata\roaming\wklnhst.dat
2009-07-19 20:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 20:27 86,016 a------- c:\windows\inf\infpub.dat
2009-05-23 14:19 136,531 ---shr-- c:\windows\winudpmgr.exe
2009-04-27 20:30 3,383,125 a------- c:\program files\70406-Oops(md).wmv
2009-03-15 05:38 12,288 a------- c:\users\x410\appdata\roaming\nSvcAppFlt.exe
2009-01-02 17:51 86,016 a------- c:\windows\inf\infstor.dat
2008-10-16 20:04 21,504 a------- c:\users\x410\~.exe
2008-01-03 11:38 665,600 a------- c:\windows\inf\drvindex.dat
2007-10-11 17:44 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-13 12:19 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:08:41.37 ===============

Attached Files


Edited by kenno3, 22 July 2009 - 05:48 AM.
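The Winlogon Userinit value discussed in this post is a comma-separated list of programs Winlogon starts after every logon; on a stock Vista install it holds only C:\Windows\system32\userinit.exe followed by a trailing comma, so anything appended to it (such as the %System%\drivers\smss.exe in the ThreatExpert report) runs in every user's session. The Python audit below is an added example, not code from this thread or from any of the tools named in it. It parses a raw Userinit value or the HijackThis "F2 - REG:system.ini: UserInit=" line quoted above, expands the %System%-style placeholders that ThreatExpert-style reports use, and flags extra entries, core Windows binary names that sit outside System32 (a smss.exe under drivers\ is the case from this post), and path-less entries. All sample values are constructed for offline use; nothing is read from a live registry.

```python
r"""Audit a Winlogon Userinit value for appended entries.

The value is a comma-separated program list; a stock Windows Vista
install contains only %SystemRoot%\system32\userinit.exe (with a
trailing comma). Anything else in the list starts at every logon.
"""
import ntpath

# Stock content of the value (constructed constant for this example).
EXPECTED_USERINIT = r"%systemroot%\system32\userinit.exe"

# Core session binaries that live only in System32 on a stock install;
# the same filename elsewhere is a classic masquerade (fake smss.exe).
CORE_SYSTEM32_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "userinit.exe",
    "lsass.exe", "services.exe", "svchost.exe",
}

# Placeholder expansion used by sandbox reports; constructed for offline use.
_PLACEHOLDERS = {
    "%system%": r"c:\windows\system32",
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
}
_SYSTEM32 = r"c:\windows\system32"


def normalize_entry(entry):
    """Lower-case, strip quotes/whitespace and expand placeholders."""
    entry = entry.strip().strip('"').lower()
    for key, val in _PLACEHOLDERS.items():
        entry = entry.replace(key, val)
    return entry


def split_userinit(value):
    """Split the comma list; the stock value ends with an empty entry."""
    return [e for e in (normalize_entry(p) for p in value.split(",")) if e]


def parse_hjt_f2(line):
    """Extract the value from a HijackThis 'F2 - REG:system.ini: UserInit=' line.

    Returns the line unchanged (stripped) if the prefix is absent, so a raw
    registry value can be passed through the same path.
    """
    marker = "userinit="
    idx = line.lower().find(marker)
    return line[idx + len(marker):].strip() if idx >= 0 else line.strip()


def audit_userinit(value):
    """Return a list of (finding, entry) tuples; an empty list means stock."""
    findings = []
    entries = split_userinit(value)
    expected = normalize_entry(EXPECTED_USERINIT)
    if not entries or entries[0] != expected:
        findings.append(("unexpected_first_entry", entries[0] if entries else ""))
    for extra in entries[1:]:
        findings.append(("extra_entry", extra))
    for entry in entries:
        base = ntpath.basename(entry)
        directory = ntpath.dirname(entry)
        if not directory:
            # A bare filename is resolved through the search path at logon.
            findings.append(("no_path", entry))
        elif base in CORE_SYSTEM32_BINARIES and directory != _SYSTEM32:
            findings.append(("system_name_wrong_dir", entry))
    return findings


if __name__ == "__main__":
    # Constructed samples: the stock value, the value from the ThreatExpert
    # report quoted in the post, and the HijackThis F2 line.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"%System%\userinit.exe,%System%\drivers\smss.exe",
        "F2 - REG:system.ini: UserInit=C:\\Windows\\system32\\userinit.exe",
    ]
    for sample in samples:
        result = audit_userinit(parse_hjt_f2(sample))
        print(sample, "->", result or "stock value")
```

Every finding carries the normalized entry so it can be matched against the file list in a DDS or MBAM log; an `extra_entry` together with a `system_name_wrong_dir` hit on the same path is the pattern this post describes.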



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:02 AM

Posted 01 August 2009 - 07:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 kenno3

kenno3
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 01 August 2009 - 09:31 AM

Hi, thanks for the reply. I mostly learned to fix the problems myself because I needed to resolve the issue.
I’m not getting redirects or BSOD anymore but the problem I still have is I cannot open Internet Explorer. I get a data execution error but it loads ok in safe mode.
After I got the Trojan, I disabled some BHO in IE and I think that’s when I started getting the execution errors or it might have been because of the Trojan, but since then, I think I re-enabled the ones I disabled.
Also IE sometimes starts on its own but doesn’t do anything since it gets the data execution error.
And the other problem is I am still getting infected by the same ad. I’ve been infected 3 times from the same ad at an art site. I told them but I don’t know if they took it off.

So my question is how can I prevent infection? An exe loads itself when the ad shows even though I did not download, click, or install anything when I got infected at the website. McAfee security system blocks the exe from connecting to the internet but just viewing the ad (in the browser when the page loads) makes it install many hidden files and registry changes on my computer AKA a Rootkit. And Windows Defender doesn’t help either. I don’t know if the ad is java or what exploit it is using but I updated sun java.

The Trojan is Win32/Vundo.gen!AJ and I have been infected when using IE and FireFox.
I used a rootkit scanner (Sophos Anti-Rootkit) to delete the hidden sys and tmp files of the Trojan since Malwarebytes' Anti-Malware could not detect and/or delete the hidden files.

The Trojan Ad name is “e-bonusrewards.us.com” It is red with a picture of a smiling lady and offers a $500 JCPenny card. And the Advertiser URL is: htt p://www.easaiesuyo.com/ewioqa/
(I never clicked it but used the MouseOver to see the link. Don’t click this, I’m only showing it for additional info.)


This line is from a HijackThis report. I'm not sure if the Trojan created the fake smss and userinit.exe line, but I only deleted the smss part of the registry line. In other words, I'm not sure if userinit.exe belongs at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


"F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe"
Is this correct to have for Vista?


Also who do I report these evil Malware/Trojan Ad companies to, so that other users can be saved from the headache I went through?

I first got infected July 19th. The log file shows strx-bad.xsys and cvbio-bad q.xsys ( I renamed these) which are some of the Trojan files. But I kept them as evidence and to identify the culprit.

Thanks for your time and help.




=========


DDS (Ver_09-07-30.01) - NTFSx86
Run by x410 at 6:12:01.26 on Sat 08/01/2009
Internet Explorer: 7.0.6000.16575 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.908 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\cleaner\Spy bot Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\cleaner\Spy bot Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\Taskmgr.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Users\x410\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\cleaner\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AdobeBridge]
uRun: [SUPERAntiSpyware]
uRun: [SpybotSD TeaTimer] c:\program files\cleaner\spy bot search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\browsertool\fiddler2-logger\Fiddler.exe"
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\cleaner\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\cleaner\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll, c:\windows\system32\muhemive.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\cleaner\superantispyware\SASSEH.DLL
SecurityProviders: credssp.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\x410\appdata\roaming\mozilla\firefox\profiles\oi4cgjua.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\media\player\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\spy bot search & destroy\SDWinSec.exe [2009-7-25 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-13 5504]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-9-13 120320]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-7-13 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\converter\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 scansafe;scansafe;c:\windows\system32\drivers\scansafe.sys [2009-7-26 34304]

=============== Created Last 30 ================

2009-07-30 01:50 <DIR> --d----- c:\users\x410\appdata\roaming\mmMacromedia
2009-07-26 19:49 34,304 a------- c:\windows\system32\drivers\scansafe.sys
2009-07-26 17:50 <DIR> --d----- c:\program files\browsertool
2009-07-25 18:59 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-25 18:59 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-24 02:08 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\users\x410\appdata\roaming\SUPERAntiSpyware.com
2009-07-23 23:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 23:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 23:27 6,144 -------- c:\windows\system32\DC6B.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\DB71.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\AF03.tmp
2009-07-22 16:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-19 14:50 <DIR> --d----- C:\MGADiagToolOutput
2009-07-19 14:45 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-07-19 13:39 <DIR> --d----- c:\users\x410\appdata\roaming\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\program files\cleaner
2009-07-19 13:35 <DIR> --d----- c:\program files\CCleaner
2009-07-19 01:58 213,024 a------- c:\windows\system32\drivers\strx-bad.xsys
2009-07-19 01:57 76,160 a------- c:\windows\system32\drivers\cvbio-bad q.xsys
2009-07-11 14:12 <DIR> --d----- c:\windows\system32\Adobe
2009-07-10 17:27 <DIR> --d----- c:\programdata\AOL Downloads
2009-07-07 00:36 244 a---h--- C:\sqmnoopt00.sqm
2009-07-07 00:36 232 a---h--- C:\sqmdata00.sqm
2009-07-05 01:01 <DIR> --d----- c:\users\x410\appdata\roaming\FlashGet
2009-07-05 01:00 <DIR> --d----- c:\program files\FlashGet

==================== Find3M ====================

2009-07-30 22:37 25,386 a------- c:\users\x410\appdata\roaming\wklnhst.dat
2009-07-19 20:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 20:27 86,016 a------- c:\windows\inf\infpub.dat
2009-04-27 20:30 3,383,125 a------- c:\program files\70406-Oops(md).wmv
2009-01-02 17:51 86,016 a------- c:\windows\inf\infstor.dat
2008-01-03 11:38 665,600 a------- c:\windows\inf\drvindex.dat
2007-10-11 17:44 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-13 12:19 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:12:35.90 ===============

#4 extremeboy (Malware Response Team)

Posted 02 August 2009 - 09:14 AM

Hello.

One of the infections Malwarebytes detected was a backdoor bot.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

---

If you do wish to continue, then please post a new set of DDS logs and run the scan below as well.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click [image] or [image] on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
    [image]
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on [image] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [image] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#5 kenno3 (Topic Starter)

Posted 03 August 2009 - 06:19 AM

Hi extremeboy, I'd like to continue with the help. Thanks for your time.

New DDS:
=================


DDS (Ver_09-07-30.01) - NTFSx86
Run by x410 at 3:58:35.04 on Mon 08/03/2009
Internet Explorer: 7.0.6000.16575 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.572 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\cleaner\Spy bot Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Windows\System32\mspaint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\x410\Desktop\Trash\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\cleaner\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AdobeBridge]
uRun: [SUPERAntiSpyware]
uRun: [SpybotSD TeaTimer] c:\program files\cleaner\spy bot search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\browsertool\fiddler2-logger\Fiddler.exe"
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\cleaner\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\cleaner\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll, c:\windows\system32\muhemive.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\cleaner\superantispyware\SASSEH.DLL
SecurityProviders: credssp.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\x410\appdata\roaming\mozilla\firefox\profiles\oi4cgjua.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\media\player\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\spy bot search & destroy\SDWinSec.exe [2009-7-25 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-13 5504]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-9-13 120320]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-7-13 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\converter\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 scansafe;scansafe;c:\windows\system32\drivers\scansafe.sys [2009-7-26 34304]

=============== Created Last 30 ================

2009-07-30 01:50 <DIR> --d----- c:\users\x410\appdata\roaming\mmMacromedia
2009-07-26 19:49 34,304 a------- c:\windows\system32\drivers\scansafe.sys
2009-07-26 17:50 <DIR> --d----- c:\program files\browsertool
2009-07-25 18:59 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-25 18:59 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-24 02:08 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\users\x410\appdata\roaming\SUPERAntiSpyware.com
2009-07-23 23:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 23:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 23:27 6,144 -------- c:\windows\system32\DC6B.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\DB71.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\AF03.tmp
2009-07-22 16:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-19 14:50 <DIR> --d----- C:\MGADiagToolOutput
2009-07-19 14:45 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-07-19 13:39 <DIR> --d----- c:\users\x410\appdata\roaming\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\program files\cleaner
2009-07-19 13:35 <DIR> --d----- c:\program files\CCleaner
2009-07-19 01:58 213,024 a------- c:\windows\system32\drivers\strx-bad.xsys
2009-07-19 01:57 76,160 a------- c:\windows\system32\drivers\cvbio-bad q.xsys
2009-07-11 14:12 <DIR> --d----- c:\windows\system32\Adobe
2009-07-10 17:27 <DIR> --d----- c:\programdata\AOL Downloads
2009-07-07 00:36 244 a---h--- C:\sqmnoopt00.sqm
2009-07-07 00:36 232 a---h--- C:\sqmdata00.sqm
2009-07-05 01:01 <DIR> --d----- c:\users\x410\appdata\roaming\FlashGet
2009-07-05 01:00 <DIR> --d----- c:\program files\FlashGet

==================== Find3M ====================

2009-08-02 08:59 25,346 a------- c:\users\x410\appdata\roaming\wklnhst.dat
2009-07-19 20:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 20:27 86,016 a------- c:\windows\inf\infpub.dat
2009-04-27 20:30 3,383,125 a------- c:\program files\70406-Oops(md).wmv
2009-01-02 17:51 86,016 a------- c:\windows\inf\infstor.dat
2008-01-03 11:38 665,600 a------- c:\windows\inf\drvindex.dat
2007-10-11 17:44 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-13 12:19 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 3:59:18.05 ===============


GMER with registry option unchecked:
=============================================================

GMER 1.0.15.15011 [n8bcgydq.exe] - http://www.gmer.net
Rootkit scan 2009-08-03 03:50:27
Windows 6.0.6000


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9E22274B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9E222775]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9E22279D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9E22275F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9E222737]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9E2227B3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9E222789]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\geyekreefmcpsl.sys (*** hidden *** ) [SYSTEM] geyekrijtjhkex <-- ROOTKIT !!!
Service system32\drivers\vsfocervprfupy.sys (*** hidden *** ) [SYSTEM] vsfoceyajubvvu <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

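
The two DDS dumps above (posts #3 and #5) and the GMER services section are what the helper is reading by eye: an AppInit_DLLs entry pointing at a random-named DLL in system32, an orphaned BHO, UAC switched off (EnableLUA = 0), .tmp files dropped into system32, and two hidden services flagged by GMER. The script below is an added example for this thread, not code from DDS, GMER or BleepingComputer; it applies those checks to a constructed sample built from a handful of lines copied out of the posted logs. The trusted-directory list, the rule names, the expected Userinit value and the severity levels are assumptions chosen for illustration.

```python
"""Triage a DDS 'Pseudo HJT Report' / 'Created Last 30' dump and a GMER
services section for the indicators visible in the logs posted above.

Added example for this thread; not code from DDS, GMER or BleepingComputer.
The rules, the trusted-directory list and the severity levels are
assumptions made for illustration. SAMPLE_LOG is constructed from lines
copied out of the posted logs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    evidence: str


# Assumption: on this box, AppInit_DLLs entries from vendor installs live
# under Program Files; anything else (here a random-named DLL in system32)
# is injected into every user-mode process and deserves a high rating.
TRUSTED_DLL_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\progra~2")
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"  # Vista default (assumed)

# DDS headers look like "==== Name ====", GMER headers like "---- Name ----".
SECTION_RE = re.compile(r"^(?:=+\s*(?P<a>.+?)\s*=+|----\s*(?P<b>.+?)\s*----)$")
# "2009-07-23 23:27 6,144 -------- c:\windows\system32\DC6B.tmp"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<dir>|[\d,]+)\s+\S+\s+(?P<path>.+)$"
)

# Constructed sample: lines copied from the DDS and GMER logs posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll, c:\windows\system32\muhemive.dll

=============== Created Last 30 ================

2009-07-23 23:27 6,144 -------- c:\windows\system32\DC6B.tmp
2009-07-23 23:50 19,096 a------- c:\windows\system32\drivers\mbam.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9E22274B]

---- Services - GMER 1.0.15 ----

Service system32\drivers\geyekreefmcpsl.sys (*** hidden *** ) [SYSTEM] geyekrijtjhkex <-- ROOTKIT !!!
"""


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current section header, and apply the
    rules for that section only. Comparisons are case-insensitive because
    DDS lowercases most paths but not all of them."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group("a") or m.group("b")).lower()
            continue
        low = line.lower()
        if section.startswith("pseudo hjt"):
            if low.startswith("appinit_dlls:"):
                for dll in low.split(":", 1)[1].split(","):
                    dll = dll.strip()
                    if dll and not dll.startswith(TRUSTED_DLL_DIRS):
                        findings.append(Finding("high", "appinit_dll_untrusted", dll))
            elif low.startswith("bho:") and low.endswith("no file"):
                findings.append(Finding("low", "bho_orphaned", line))
            elif low.startswith("mpolicies-system: enablelua = 0"):
                findings.append(Finding("medium", "uac_disabled", line))
            elif low.startswith("mwinlogon: userinit="):
                value = low.split("=", 1)[1].strip().rstrip(",")
                if value != EXPECTED_USERINIT:
                    findings.append(Finding("high", "userinit_tampered", line))
        elif section.startswith("created last"):
            cm = CREATED_RE.match(low)
            if cm:
                path = cm.group("path")
                if path.startswith(SYSTEM32) and path.endswith(".tmp"):
                    findings.append(Finding("medium", "system32_tmp_dropped", path))
        elif section.startswith("services - gmer"):
            # Only the Services section; the System section lists McAfee's own
            # expected kernel hooks and must not trip this rule.
            if "*** hidden ***" in low or "<-- rootkit" in low:
                findings.append(Finding("high", "hidden_service", line))
    return findings


def overall(findings: list[Finding]) -> str:
    """Highest severity present, or 'clean' when nothing matched."""
    for level in ("high", "medium", "low"):
        if any(f.severity == level for f in findings):
            return level
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.rule:22} {f.evidence}")
    print("overall:", overall(found))
```

Run as a file it prints one line per finding and the overall level, which for the sample is "high". The design point is the section gating: the string that marks a hidden service is only meaningful under the GMER Services header, while the System section above it legitimately lists McAfee's HIPS driver hooking ZwCreateFile and friends, and an untouched Userinit or a vendor DLL under Program Files produces no finding at all. Treat the output as a reading aid for the helper's caveat above, not as a verdict: GMER itself warns that rootkit scans produce false positives.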
#6 extremeboy (Malware Response Team)

Posted 03 August 2009 - 09:39 AM

Hello.

You have quite a lot of security programs with real-time protection enabled here. We need to disable ALL of them, but I'll give you specific instructions for a few of them since they are quite difficult to disable completely. If you can't disable one completely, you should uninstall it and re-install it afterwards if possible.

Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disabling McAfee Real-Time Protection

McAfee is causing a lot of interference. It's important to disable it properly or it will continue to fight with us, so do not miss a step here. If any portions are greyed out, uninstall McAfee until we're through:

Open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.

    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)

  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Disable SpyBot's TeaTimer

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy
---

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#7 kenno3

kenno3
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 04 August 2009 - 04:59 AM

Hi, I disabled McAfee and Spybot's TeaTimer as instructed, but not Windows Defender.
When I started ComboFix it said it was outdated and I chose to run it in REDUCED FUNCTIONALITY MODE. But the file was downloaded 7-25-09.
At the time, my internet would not connect to the BleepingComputer network, so I renamed the ComboFix exe to a random name and went ahead with the scan. Tell me if you want me to update ComboFix and run the scan again or not.

ComboFix did not restart my computer after running.

Also my first known infection was 7-19 if that helps you pinpoint info.

Thank you.


========

ComboFix 09-07-24.03 - x410 08/04/2009 2:22.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1386 [GMT -7:00]
Running from: c:\users\x410\Desktop\sdfhdfj.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500\desktop.ini
c:\$recycle.bin\S-1-5-21-1653860645-1336781724-2940610242-500
c:\$recycle.bin\S-1-5-21-1653860645-1336781724-2940610242-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 ----a-w- c:\windows\x73_lut.dat
2009-08-04 09:24 . 2009-08-04 09:25 -------- d-----w- c:\users\x410\AppData\Local\temp
2009-08-04 09:11 . 2009-08-04 09:12 -------- d-s---w- C:\cbfix
2009-08-04 09:11 . 2009-08-04 09:11 6736 ----a-w- c:\windows\system32\drivers\PROCEXP90.SYS
2009-07-31 07:02 . 2009-07-31 07:02 -------- d-----w- c:\users\x410\AppData\Roaming\mnMacromedia
2009-07-30 08:50 . 2009-07-30 08:50 -------- d-----w- c:\users\x410\AppData\Roaming\mmMacromedia
2009-07-27 02:49 . 2009-07-27 02:49 34304 ----a-w- c:\windows\system32\drivers\scansafe.sys
2009-07-27 00:50 . 2009-07-27 00:54 -------- d-----w- c:\program files\browsertool
2009-07-26 01:59 . 2009-07-26 02:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-24 09:09 . 2009-07-24 09:10 117760 ----a-w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com
2009-07-24 06:50 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 06:50 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 23:06 . 2009-07-22 23:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 06:29 . 2009-07-21 06:29 -------- d-----w- c:\program files\FLV Player
2009-07-19 21:50 . 2009-07-19 21:50 -------- d-----w- C:\MGADiagToolOutput
2009-07-19 21:45 . 2009-07-19 21:45 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\users\x410\AppData\Roaming\Malwarebytes
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\programdata\Malwarebytes
2009-07-19 20:39 . 2009-07-27 02:49 -------- d-----w- c:\program files\cleaner
2009-07-19 20:35 . 2009-07-25 21:56 -------- d-----w- c:\program files\CCleaner
2009-07-11 21:12 . 2009-07-11 21:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 15:59 . 2007-07-19 21:17 25346 ----a-w- c:\users\x410\AppData\Roaming\wklnhst.dat
2009-07-31 16:21 . 2007-07-16 22:02 86512 ----a-w- c:\users\x410\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-25 02:30 . 2009-07-31 16:17 99112 ----a-w- c:\windows\Fonts\WoW-plexus.ttf
2009-07-24 09:07 . 2007-11-02 20:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-24 05:45 . 2007-09-07 07:05 1356 ----a-w- c:\users\x410\AppData\Local\d3d9caps.dat
2009-07-22 23:06 . 2007-07-13 11:31 -------- d-----w- c:\program files\Java
2009-07-21 19:48 . 2009-07-31 16:13 130252 ----a-w- c:\windows\Fonts\AngelicWar.ttf
2009-07-21 10:52 . 2009-05-23 21:38 -------- d-----w- c:\programdata\FLEXnet
2009-07-19 08:58 . 2009-07-19 08:58 213024 ----a-w- c:\windows\system32\drivers\strx-bad.xsys
2009-07-19 08:57 . 2009-07-19 08:57 76160 ----a-w- c:\windows\system32\drivers\cvbio-bad q.xsys
2009-07-14 21:30 . 2009-01-03 00:52 -------- d-----w- c:\programdata\Apple Computer
2009-07-11 00:31 . 2009-01-23 05:27 -------- d-----w- c:\program files\AIM6
2009-07-11 00:29 . 2009-01-23 05:28 -------- d-----w- c:\program files\Viewpoint
2009-07-11 00:29 . 2009-01-23 05:29 -------- d-----w- c:\programdata\Viewpoint
2009-07-11 00:27 . 2009-07-11 00:27 -------- d-----w- c:\programdata\AOL Downloads
2009-07-07 06:46 . 2009-07-31 16:15 30716 ----a-w- c:\windows\Fonts\DamaskDings1.ttf
2009-07-05 08:14 . 2009-07-05 08:00 -------- d-----w- c:\program files\FlashGet
2009-07-05 08:01 . 2009-07-05 08:01 -------- d-----w- c:\users\x410\AppData\Roaming\FlashGet
2009-07-01 07:27 . 2008-07-02 02:17 -------- d-----w- c:\users\x410\AppData\Roaming\BitTorrent
2009-06-20 02:56 . 2009-01-05 06:31 -------- d-----w- c:\program files\Lineage II
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DC6B.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DB71.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\AF03.tmp
2009-06-12 09:17 . 2009-06-12 07:15 -------- d-----w- c:\program files\AVS4YOU
2009-06-12 07:30 . 2009-06-12 07:30 -------- d-----w- c:\users\x410\AppData\Roaming\Broad Intelligence
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\programdata\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\users\x410\AppData\Roaming\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:14 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-19 08:36 . 2009-07-11 00:27 2884832 ----a-w- c:\programdata\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 08:36 . 2009-07-11 00:27 28 ----a-w- c:\programdata\AOL Downloads\SUD4426\unregister.bat
2009-05-19 08:36 . 2009-07-11 00:27 25 ----a-w- c:\programdata\AOL Downloads\SUD4426\register.bat
2009-05-19 08:36 . 2009-07-11 00:27 1484856 ----a-w- c:\programdata\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 08:36 . 2009-07-11 00:27 97072 ----a-w- c:\programdata\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 08:36 . 2009-07-11 00:27 142040 ----a-w- c:\programdata\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 08:36 . 2009-07-11 00:27 30512 ----a-w- c:\programdata\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 08:36 . 2009-07-11 00:27 111920 ----a-w- c:\programdata\AOL Downloads\SUD4426\AOLSearch.dll
2009-04-28 03:30 . 2009-04-28 03:29 3383125 ----a-w- c:\program files\70406-Oops(md).wmv
2009-07-05 07:55 . 2009-01-05 03:52 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-13 19:19 . 2007-07-13 19:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-13 1006264]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\cleaner\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\cleaner\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^x410^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1653860645-1336781724-2940610242-1001]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7B9E6C4B-EBF3-4A92-9A98-56EB05E91B0D}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{FE0BF857-57F9-46E7-8C2D-3B81A1CF5365}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{52D1A5E0-7F31-4F60-A579-B36A8DD9BC71}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{2547C6FB-DA83-487F-A5F6-AE99B7FA2D41}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{25D2AF8E-1887-4CB5-B181-0B84CFBD4117}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9DF9A5AA-E1E0-47E2-88ED-602B19CB2525}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{38E2A893-3CB5-4B40-B07F-BDDBC6765CF7}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{209C983C-2098-4F92-8135-013D37132E63}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5509BF9A-136D-4119-B91F-1828B90C7501}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{85EBAEA7-B330-43F5-A1BF-8DED7C39A212}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{51AE5C60-FAE1-4B76-95C5-C839138421A3}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{2007E346-5D91-42B7-907B-408F744A7CC0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F3C1DE05-8D78-42AA-B95F-74065A9945CD}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F59995C-1C51-436F-819B-8A8206A34EF1}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{50BA60D6-0DF2-496D-8E63-5A1D71CED4B7}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{73A251D2-0205-4138-AF20-0E755E9DAD7E}"= UDP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{8B05AA97-DB97-417B-BAF7-13205F420E86}"= TCP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{88A82AAA-1AE9-4E68-A853-88716B168E5A}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{48DA0BA6-ED93-4C71-B1CC-51D9862987FB}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"TCP Query User{D2A90CF9-D8D1-4E2F-835A-3109F266CEBE}c:\\games\\secondlife\\slvoice.exe"= UDP:c:\games\secondlife\slvoice.exe:SLVoice
"UDP Query User{3049E693-D20C-4176-8932-331C758680E4}c:\\games\\secondlife\\slvoice.exe"= TCP:c:\games\secondlife\slvoice.exe:SLVoice
"TCP Query User{E6ADBA33-1F23-450E-A44F-728E752E167F}c:\\games\\secondlifemono\\slvoice.exe"= UDP:c:\games\secondlifemono\slvoice.exe:SLVoice
"UDP Query User{2005CCBB-05A7-40CE-9356-2C3D8FC839DD}c:\\games\\secondlifemono\\slvoice.exe"= TCP:c:\games\secondlifemono\slvoice.exe:SLVoice
"TCP Query User{B2A794B8-73CB-4FA2-AA1A-918DFCD69281}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E681CA94-3580-4408-B82D-F3411B205D5A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{68CEDEDC-E7F7-46BE-B4DC-5296F0BE36A9}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{97349958-D7D4-4ACF-BBE0-EE46B69D2A29}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{50768FDA-1895-457F-9C55-3AE9CFB2F041}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{54A1739E-2F17-4B76-B245-DA94445C2311}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FCD61902-2B13-4B75-A7D0-8630051168DE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{C2D4ECDC-229D-4040-BF9E-7F4916832564}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{C3EF6074-2472-4047-980B-2878947AECAB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BF1746A8-1CC9-414E-A033-8CFE538E0C59}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94FF65C9-E73E-4335-AA69-11DFAAD108DD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADA84D79-F107-4051-8CBA-7FEA57C0E03C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{63FE725C-625E-4FB7-9299-AE6323F87358}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{39DCA072-D76E-4D21-8698-FDB5B0120FDB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{53A2ED5C-A474-4E2C-A88C-B5B9FEF42CA8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{07AC682A-1BC5-4D0F-8601-6F2E1E9F7B69}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{8E1FF90B-94E2-4B1F-AE5E-1A96AAF3B21E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{E2E97F63-E5C8-463E-9DA7-3F33CFA44508}"= UDP:5353:Adobe CSI CS4
"{14B52392-9237-4D66-9F21-8A88EF78E798}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{1A0D5766-C7E2-44DD-A346-345157CF07BD}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{02DD08F3-DEDC-4487-BE02-8073BCE70358}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{5BDE15DD-A3FD-4784-8297-B4B2E2188AA2}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"{8ABAAF03-FECE-4FE7-B5AF-4EDBD1F50FE5}"= UDP:c:\windows\explorer.exe:Explorer
"{A0C99EC5-20B5-42E1-B489-1405CF973B2B}"= TCP:c:\windows\explorer.exe:Explorer
"{FAA5C600-9539-4B3D-938B-835602F2DCF5}"= UDP:c:\windows\explorer.exe:Explorer
"{98FC35CD-316E-42AA-8C0A-3ACB75A73B88}"= TCP:c:\windows\explorer.exe:Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Users\\x410\\AppData\\Roaming\\nSvcAppFlt.exe"= c:\users\x410\AppData\Roaming\nSvcAppFlt.exe:*:Enabled:Win32load
"c:\\Users\\x410\\AppData\\Local\\Temp\\reptile.exe"= c:\users\x410\AppData\Local\Temp\reptile.exe:*:Enabled:Windows UDP Control Center

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 7:03 AM 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 2:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 1:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\Spy bot Search & Destroy\SDWinSec.exe [7/25/2009 6:59 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [7/13/2007 4:38 AM 5504]
R3 physX32;physX32;c:\windows\System32\drivers\physX32.sys [9/13/2007 7:43 AM 120320]
S3 athena;athena;c:\windows\System32\drivers\athena.sys [7/13/2007 12:21 PM 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\Converter\MediaCoder\SysInfo.sys [9/25/2007 7:59 AM 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 scansafe;scansafe;c:\windows\System32\drivers\scansafe.sys [7/26/2009 7:49 PM 34304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\autoRcd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68b2f49a-4132-11dc-bf4f-0019d1e2c0b5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e13c3ab3-ad2b-11dd-bb71-0019d1e2c0b5}]
\shell\AutoRun\command - F:\StartPortableApps.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-04 c:\windows\Tasks\User_Feed_Synchronization-{654DED79-4474-4F82-A93D-44207F55242D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKCU-Run-SUPERAntiSpyware - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\x410\AppData\Roaming\Mozilla\Firefox\Profiles\oi4cgjua.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 02:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3D6D.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrijtjhkex]
"imagepath"="\systemroot\system32\drivers\geyekreefmcpsl.sys"
--

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsfoceyajubvvu]
"imagepath"="\systemroot\system32\drivers\vsfocervprfupy.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1653860645-1336781724-2940610242-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*6*4*_*A*C*3*000*1*-*2*5*+*s*p*hQÆ–00M*K*V*0\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrijtjhkex]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\geyekreefmcpsl.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsfoceyajubvvu]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\vsfocervprfupy.sys"
.
Completion time: 2009-08-04 2:34
ComboFix-quarantined-files.txt 2009-08-04 09:34

Pre-Run: 1,868,881,920 bytes free
Post-Run: 4,882,276,352 bytes free

291 --- E O F --- 2008-01-03 18:27
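The "Reg Loading Points" section of the log above is where the useful signal sits: UAC switched off ("EnableLUA"= 0), the Windows Firewall domain and public profiles disabled, Security Center monitoring of the McAfee products suppressed, and two firewall exceptions for executables living directly in the user's AppData\Roaming and AppData\Local\Temp folders. The following is an added example, not code from this thread or from ComboFix, of a small Python triage script that parses a constructed sample in the same format (entries copied from the log above) and flags those conditions so a reader of such a log does not have to hunt for them by eye. The section-ending and value-format heuristics are assumptions based on how the log renders these keys.

```python
import re

# Constructed sample in the shape of the "Reg Loading Points" section of
# the ComboFix log posted above (entries copied from it; not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Users\\x410\\AppData\\Roaming\\nSvcAppFlt.exe"= c:\users\x410\AppData\Roaming\nSvcAppFlt.exe:*:Enabled:Win32load
"c:\\Users\\x410\\AppData\\Local\\Temp\\reptile.exe"= c:\users\x410\AppData\Local\Temp\reptile.exe:*:Enabled:Windows UDP Control Center
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# An .exe sitting directly in a per-user temp or roaming directory: a place
# where installers of legitimate software rarely leave a long-lived binary.
USER_WRITABLE_EXE_RE = re.compile(
    r"\\appdata\\(local\\temp|roaming)\\[^\\]+\.exe$", re.I
)


def parse_reg_int(value):
    """Turn ComboFix's value renderings ('0 (0x0)', 'dword:00000001') into an int."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^-?\d+", value)
    return int(m.group(0)) if m else None


def parse_sections(text):
    """Yield (section_key, name, value) for every quoted name=value line."""
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            yield section, m.group("name"), m.group("value")


def triage(text):
    """Return a list of (category, detail) findings worth a second look."""
    findings = []
    for section, name, value in parse_sections(text):
        sec = section.lower()
        key = name.lower()
        if sec.endswith("authorizedapplications\\list"):
            # Value layout in the log: <path>:*:Enabled:<display name>
            path = value.split(":*:", 1)[0]
            if USER_WRITABLE_EXE_RE.search(path):
                findings.append(("firewall-exception-from-user-dir", path))
        elif key == "enablelua" and parse_reg_int(value) == 0:
            findings.append(("uac-disabled", section))
        elif key == "enablefirewall" and parse_reg_int(value) == 0:
            findings.append(("windows-firewall-profile-off", section))
        elif key == "disablemonitoring" and parse_reg_int(value) == 1:
            # Last path component names the product whose monitoring is off.
            findings.append(("security-center-monitoring-suppressed",
                             section.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

Run against the full log text, the script lists each weakened protection and each firewall exception pointing into a user-writable directory; the Program Files entry for BitTorrent is left alone because the heuristic only fires on executables placed directly in Temp or Roaming. The categories are review prompts, not verdicts: a program that legitimately updates itself from AppData would trip the same rule, which is why the output carries the path for a human to check.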

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:02 AM

Posted 04 August 2009 - 11:26 AM

Hello.

Yes, please update Combofix and run the scan again.

Alternatively, you can delete Combofix.exe on your desktop and re-download one and run it.

Thanks.

~Extremeboy

#9 kenno3

kenno3
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 05 August 2009 - 04:52 PM

I updated and ran the scan again. ComboFix restarted my computer while I was afk, after it ran a while. Also, before I was able to run the scan, I was browsing a normal forum and a popup ad window came up and tried to load Adobe Acrobat Reader, and it must have been a different bad ad because Windows Defender and McAfee came up with warnings to allow a new exe to run/change things. It didn't seem to do any damage, but how do I fix the Acrobat exploit?

Also, why is ComboFix deleting normal URL and text log files that I created years ago? Is it because they have a space at the end of the name? I needed those log files. Does ComboFix save a quarantined version of the files it deletes?

c:\users\x410\Documents\bonnie030808 3 sis .rtf

Thanks

==========

ComboFix 09-08-04.03 - x410 08/05/2009 3:45.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1311 [GMT -7:00]
Running from: c:\users\x410\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\x410\Documents\bonnie030808 3 sis .rtf
c:\users\x410\Documents\jen bike .rtf
c:\users\x410\Documents\Nothing else - Shimins .mp3
c:\users\x410\FAVORI~1\Earthquakes in California .url
c:\users\x410\Favorites\Earthquakes in California .url

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrijtjhkex
-------\Service_vsfoceyajubvvu


((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 ----a-w- c:\windows\x73_lut.dat
2009-08-05 09:21 . 2009-08-05 09:21 -------- d-----w- c:\program files\dccten
2009-08-04 09:34 . 2009-08-05 10:55 -------- d-----w- c:\users\x410\AppData\Local\temp
2009-08-04 09:17 . 2009-08-04 09:34 -------- d-s---w- C:\sdfhdfj
2009-08-04 09:11 . 2009-08-04 09:12 -------- d-s---w- C:\cbfix
2009-08-03 13:26 . 2009-08-03 13:26 -------- d-----w- c:\users\x410\AppData\Roaming\mhMacromedia
2009-07-31 07:02 . 2009-07-31 07:02 -------- d-----w- c:\users\x410\AppData\Roaming\mnMacromedia
2009-07-30 08:50 . 2009-07-30 08:50 -------- d-----w- c:\users\x410\AppData\Roaming\mmMacromedia
2009-07-27 02:49 . 2009-07-27 02:49 34304 ----a-w- c:\windows\system32\drivers\scansafe.sys
2009-07-27 00:50 . 2009-07-27 00:54 -------- d-----w- c:\program files\browsertool
2009-07-26 01:59 . 2009-07-26 02:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-24 09:09 . 2009-07-24 09:10 117760 ----a-w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com
2009-07-24 06:50 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 06:50 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 23:06 . 2009-07-22 23:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 06:29 . 2009-07-21 06:29 -------- d-----w- c:\program files\FLV Player
2009-07-19 21:50 . 2009-07-19 21:50 -------- d-----w- C:\MGADiagToolOutput
2009-07-19 21:45 . 2009-07-19 21:45 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\users\x410\AppData\Roaming\Malwarebytes
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\programdata\Malwarebytes
2009-07-19 20:39 . 2009-07-27 02:49 -------- d-----w- c:\program files\cleaner
2009-07-19 20:35 . 2009-07-25 21:56 -------- d-----w- c:\program files\CCleaner
2009-07-11 21:12 . 2009-07-11 21:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 06:48 . 2007-07-19 21:17 25292 ----a-w- c:\users\x410\AppData\Roaming\wklnhst.dat
2009-07-31 16:21 . 2007-07-16 22:02 86512 ----a-w- c:\users\x410\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-25 02:30 . 2009-07-31 16:17 99112 ----a-w- c:\windows\Fonts\WoW-plexus.ttf
2009-07-24 09:07 . 2007-11-02 20:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-24 05:45 . 2007-09-07 07:05 1356 ----a-w- c:\users\x410\AppData\Local\d3d9caps.dat
2009-07-22 23:06 . 2007-07-13 11:31 -------- d-----w- c:\program files\Java
2009-07-21 19:48 . 2009-07-31 16:13 130252 ----a-w- c:\windows\Fonts\AngelicWar.ttf
2009-07-21 10:52 . 2009-05-23 21:38 -------- d-----w- c:\programdata\FLEXnet
2009-07-19 08:58 . 2009-07-19 08:58 213024 ----a-w- c:\windows\system32\drivers\strx-bad.xsys
2009-07-19 08:57 . 2009-07-19 08:57 76160 ----a-w- c:\windows\system32\drivers\cvbio-bad q.xsys
2009-07-14 21:30 . 2009-01-03 00:52 -------- d-----w- c:\programdata\Apple Computer
2009-07-11 00:31 . 2009-01-23 05:27 -------- d-----w- c:\program files\AIM6
2009-07-11 00:29 . 2009-01-23 05:28 -------- d-----w- c:\program files\Viewpoint
2009-07-11 00:29 . 2009-01-23 05:29 -------- d-----w- c:\programdata\Viewpoint
2009-07-11 00:27 . 2009-07-11 00:27 -------- d-----w- c:\programdata\AOL Downloads
2009-07-07 06:46 . 2009-07-31 16:15 30716 ----a-w- c:\windows\Fonts\DamaskDings1.ttf
2009-07-05 08:14 . 2009-07-05 08:00 -------- d-----w- c:\program files\FlashGet
2009-07-05 08:01 . 2009-07-05 08:01 -------- d-----w- c:\users\x410\AppData\Roaming\FlashGet
2009-07-01 07:27 . 2008-07-02 02:17 -------- d-----w- c:\users\x410\AppData\Roaming\BitTorrent
2009-06-20 02:56 . 2009-01-05 06:31 -------- d-----w- c:\program files\Lineage II
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DC6B.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DB71.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\AF03.tmp
2009-06-12 09:17 . 2009-06-12 07:15 -------- d-----w- c:\program files\AVS4YOU
2009-06-12 07:30 . 2009-06-12 07:30 -------- d-----w- c:\users\x410\AppData\Roaming\Broad Intelligence
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\programdata\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\users\x410\AppData\Roaming\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:14 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-19 08:36 . 2009-07-11 00:27 2884832 ----a-w- c:\programdata\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 08:36 . 2009-07-11 00:27 28 ----a-w- c:\programdata\AOL Downloads\SUD4426\unregister.bat
2009-05-19 08:36 . 2009-07-11 00:27 25 ----a-w- c:\programdata\AOL Downloads\SUD4426\register.bat
2009-05-19 08:36 . 2009-07-11 00:27 1484856 ----a-w- c:\programdata\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 08:36 . 2009-07-11 00:27 97072 ----a-w- c:\programdata\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 08:36 . 2009-07-11 00:27 142040 ----a-w- c:\programdata\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 08:36 . 2009-07-11 00:27 30512 ----a-w- c:\programdata\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 08:36 . 2009-07-11 00:27 111920 ----a-w- c:\programdata\AOL Downloads\SUD4426\AOLSearch.dll
2009-04-28 03:30 . 2009-04-28 03:29 3383125 ----a-w- c:\program files\70406-Oops(md).wmv
2007-07-13 19:19 . 2007-07-13 19:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-04_09.25.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-13 11:51 . 2009-08-03 21:47 60320 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-07-13 11:51 . 2009-08-04 20:49 60320 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-04 20:49 75742 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2007-07-16 22:02 . 2009-08-03 21:47 19284 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1653860645-1336781724-2940610242-1001_UserData.bin
+ 2007-07-16 22:02 . 2009-08-04 20:49 19284 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1653860645-1336781724-2940610242-1001_UserData.bin
+ 2007-07-16 21:49 . 2009-08-05 09:22 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-07-16 21:49 . 2009-08-04 09:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-16 21:49 . 2009-08-05 09:22 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-16 21:49 . 2009-08-04 09:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-16 21:49 . 2009-08-04 09:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-07-16 21:49 . 2009-08-05 09:22 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-04 11:09 . 2009-08-04 11:09 836096 c:\windows\Installer\2e1c84f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-13 1006264]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\cleaner\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\cleaner\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^x410^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1653860645-1336781724-2940610242-1001]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7B9E6C4B-EBF3-4A92-9A98-56EB05E91B0D}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{FE0BF857-57F9-46E7-8C2D-3B81A1CF5365}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{52D1A5E0-7F31-4F60-A579-B36A8DD9BC71}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{2547C6FB-DA83-487F-A5F6-AE99B7FA2D41}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{25D2AF8E-1887-4CB5-B181-0B84CFBD4117}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9DF9A5AA-E1E0-47E2-88ED-602B19CB2525}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{38E2A893-3CB5-4B40-B07F-BDDBC6765CF7}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{209C983C-2098-4F92-8135-013D37132E63}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5509BF9A-136D-4119-B91F-1828B90C7501}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{85EBAEA7-B330-43F5-A1BF-8DED7C39A212}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{51AE5C60-FAE1-4B76-95C5-C839138421A3}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{2007E346-5D91-42B7-907B-408F744A7CC0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F3C1DE05-8D78-42AA-B95F-74065A9945CD}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F59995C-1C51-436F-819B-8A8206A34EF1}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{50BA60D6-0DF2-496D-8E63-5A1D71CED4B7}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{73A251D2-0205-4138-AF20-0E755E9DAD7E}"= UDP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{8B05AA97-DB97-417B-BAF7-13205F420E86}"= TCP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{88A82AAA-1AE9-4E68-A853-88716B168E5A}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{48DA0BA6-ED93-4C71-B1CC-51D9862987FB}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"TCP Query User{D2A90CF9-D8D1-4E2F-835A-3109F266CEBE}c:\\games\\secondlife\\slvoice.exe"= UDP:c:\games\secondlife\slvoice.exe:SLVoice
"UDP Query User{3049E693-D20C-4176-8932-331C758680E4}c:\\games\\secondlife\\slvoice.exe"= TCP:c:\games\secondlife\slvoice.exe:SLVoice
"TCP Query User{E6ADBA33-1F23-450E-A44F-728E752E167F}c:\\games\\secondlifemono\\slvoice.exe"= UDP:c:\games\secondlifemono\slvoice.exe:SLVoice
"UDP Query User{2005CCBB-05A7-40CE-9356-2C3D8FC839DD}c:\\games\\secondlifemono\\slvoice.exe"= TCP:c:\games\secondlifemono\slvoice.exe:SLVoice
"TCP Query User{B2A794B8-73CB-4FA2-AA1A-918DFCD69281}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E681CA94-3580-4408-B82D-F3411B205D5A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{68CEDEDC-E7F7-46BE-B4DC-5296F0BE36A9}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{97349958-D7D4-4ACF-BBE0-EE46B69D2A29}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{50768FDA-1895-457F-9C55-3AE9CFB2F041}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{54A1739E-2F17-4B76-B245-DA94445C2311}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FCD61902-2B13-4B75-A7D0-8630051168DE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{C2D4ECDC-229D-4040-BF9E-7F4916832564}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{C3EF6074-2472-4047-980B-2878947AECAB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BF1746A8-1CC9-414E-A033-8CFE538E0C59}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94FF65C9-E73E-4335-AA69-11DFAAD108DD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADA84D79-F107-4051-8CBA-7FEA57C0E03C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{63FE725C-625E-4FB7-9299-AE6323F87358}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{39DCA072-D76E-4D21-8698-FDB5B0120FDB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{53A2ED5C-A474-4E2C-A88C-B5B9FEF42CA8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{07AC682A-1BC5-4D0F-8601-6F2E1E9F7B69}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{8E1FF90B-94E2-4B1F-AE5E-1A96AAF3B21E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{E2E97F63-E5C8-463E-9DA7-3F33CFA44508}"= UDP:5353:Adobe CSI CS4
"{14B52392-9237-4D66-9F21-8A88EF78E798}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{1A0D5766-C7E2-44DD-A346-345157CF07BD}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{02DD08F3-DEDC-4487-BE02-8073BCE70358}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{5BDE15DD-A3FD-4784-8297-B4B2E2188AA2}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"{8ABAAF03-FECE-4FE7-B5AF-4EDBD1F50FE5}"= UDP:c:\windows\explorer.exe:Explorer
"{A0C99EC5-20B5-42E1-B489-1405CF973B2B}"= TCP:c:\windows\explorer.exe:Explorer
"{FAA5C600-9539-4B3D-938B-835602F2DCF5}"= UDP:c:\windows\explorer.exe:Explorer
"{98FC35CD-316E-42AA-8C0A-3ACB75A73B88}"= TCP:c:\windows\explorer.exe:Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Users\\x410\\AppData\\Roaming\\nSvcAppFlt.exe"= c:\users\x410\AppData\Roaming\nSvcAppFlt.exe:*:Enabled:Win32load
"c:\\Users\\x410\\AppData\\Local\\Temp\\reptile.exe"= c:\users\x410\AppData\Local\Temp\reptile.exe:*:Enabled:Windows UDP Control Center

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 7:03 AM 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 2:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 1:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\Spy bot Search & Destroy\SDWinSec.exe [7/25/2009 6:59 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [7/13/2007 4:38 AM 5504]
R3 physX32;physX32;c:\windows\System32\drivers\physX32.sys [9/13/2007 7:43 AM 120320]
S3 athena;athena;c:\windows\System32\drivers\athena.sys [7/13/2007 12:21 PM 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\Converter\MediaCoder\SysInfo.sys [9/25/2007 7:59 AM 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 scansafe;scansafe;c:\windows\System32\drivers\scansafe.sys [7/26/2009 7:49 PM 34304]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-05 c:\windows\Tasks\User_Feed_Synchronization-{654DED79-4474-4F82-A93D-44207F55242D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\x410\AppData\Roaming\Mozilla\Firefox\Profiles\oi4cgjua.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 03:55
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3D6D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1653860645-1336781724-2940610242-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*6*4*_*A*C*3*000*1*-*2*5*+*s*p*hQÆ–00M*K*V*0\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(10160)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\LEXBCES.EXE
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\System32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\McAfee\MSC\mcpromgr.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\MPS\mps.exe
c:\program files\McAfee\MPS\mpsevh.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2009-08-05 4:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-05 11:07
ComboFix2.txt 2009-08-04 09:34

Pre-Run: 2,583,515,136 bytes free
Post-Run: 2,329,309,184 bytes free

326 --- E O F --- 2008-01-03 18:27

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 August 2009 - 08:56 PM

Hello.

Please post the ComboFix-quarantined-files log file for me. Will look into it and ask about this. It has occurred recently. We can de-quarantine it probably afterwards. First, I want to see the log file.

C:\Qoobox\ComboFix-quarantined-files.txt <- This file.

It can be found in the C:\Qoobox folder.

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 kenno3

  • Topic Starter
  • Members
  • 15 posts

Posted 05 August 2009 - 09:54 PM

Here it is.

*Edit* Never mind. I found the text log files in the quarantine folder and they are from last year, so I know it's not related to my infection. Perhaps just the extra space in the name threw it off.

Also, Internet Explorer now loads without the Data Execution Error, so thanks for helping me fix that.

If there are other things to clean up, let me know. Also, how do I fix the Acrobat exploit?
Thanks.

2009-08-05 10:50:57 . 2009-08-05 10:50:57 3,810 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-05 10:45:26 . 2009-08-05 10:51:09 2,624 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_vsfoceyajubvvu.reg.dat
2009-08-05 10:45:26 . 2009-08-05 10:51:09 2,624 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_geyekrijtjhkex.reg.dat
2009-08-04 09:32:48 . 2009-08-04 09:32:48 110 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-SUPERAntiSpyware.reg.dat
2009-08-04 09:32:48 . 2009-08-04 09:32:48 98 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AdobeBridge.reg.dat
2009-08-04 09:11:48 . 2009-08-05 10:44:34 164 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-02-15 10:31:53 . 2009-02-15 10:36:57 4,379,520 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\Documents\Nothing else - Shimins .mp3.vir
2008-07-29 18:41:51 . 2008-07-29 18:41:51 284 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\FAVORI~1\Earthquakes in California .url.vir
2008-05-30 03:35:30 . 2008-05-30 03:35:30 54,365 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\Documents\jen bike .rtf.vir
2008-03-08 23:21:24 . 2008-03-08 23:21:24 55,432 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\Documents\bonnie030808 3 sis .rtf.vir

Edited by kenno3, 06 August 2009 - 03:02 AM.


#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 August 2009 - 11:50 AM

Hello.

Let's restore those.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\Users\x410\Documents\Nothing else - Shimins .mp3.vir
    C:\Qoobox\Quarantine\C\Users\x410\FAVORI~1\Earthquakes in California .url.vir
    C:\Qoobox\Quarantine\C\Users\x410\Documents\jen bike .rtf.vir
    C:\Qoobox\Quarantine\C\Users\x410\Documents\bonnie030808 3 sis .rtf.vir
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post back with the de-quarantine log (this log will be created by Combofix once it's done) as well as the Combofix log.

Then, please run Malwarebytes for me.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

~Extremeboy

Edited by extremeboy, 06 August 2009 - 11:51 AM.

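The de-quarantine step above is done by hand with a few paths. The script below is an added example, not part of the thread and not a ComboFix tool: it parses the ComboFix-quarantined-files.txt line layout shown earlier in the thread (created . modified size attributes path) and emits the DeQuarantine:: block in the CFScript form given above. The selection rule (only plain user-data files created before an assumed infection start date are restored; executables and exploitable containers stay quarantined for manual review), the cut-off date and the sample log lines are this example's own assumptions.

```python
"""Turn a ComboFix quarantine log into a CFScript "DeQuarantine::" block.

Added example for this thread; it is not part of the original posts and not a
ComboFix tool. The log line layout and the DeQuarantine:: directive follow what
the thread shows; the selection rule, the cut-off date and the sample lines are
this example's own assumptions.
"""
import ntpath
import re
from datetime import datetime

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"

# Conservative allow-list of plain user-data types. Executables, scripts and
# exploitable containers such as .pdf are deliberately left out so that they
# only come back after a manual look.
RESTORABLE_EXTS = {".rtf", ".txt", ".url", ".mp3", ".jpg"}

# created . modified size attributes path   (the path may contain spaces)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Constructed sample in the thread's log format; the last line is a
# hypothetical dropper entry, not a file from the thread.
SAMPLE_LOG = r"""
2009-08-05 10:50:57 . 2009-08-05 10:50:57 3,810 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-04 09:11:48 . 2009-08-05 10:44:34 164 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-02-15 10:31:53 . 2009-02-15 10:36:57 4,379,520 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\Documents\Nothing else - Shimins .mp3.vir
2008-07-29 18:41:51 . 2008-07-29 18:41:51 284 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\FAVORI~1\Earthquakes in California .url.vir
2008-05-30 03:35:30 . 2008-05-30 03:35:30 54,365 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\Documents\jen bike .rtf.vir
2009-07-20 01:02:03 . 2009-07-20 01:02:03 6,144 ----a-w- C:\Qoobox\Quarantine\C\Users\x410\AppData\Local\Temp\sample-dropper.exe.vir
"""


def parse_quarantine_log(text):
    """Return one dict per quarantine entry; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M:%S")
        e["modified"] = datetime.strptime(e["modified"], "%Y-%m-%d %H:%M:%S")
        e["size"] = int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def original_path(quarantine_path):
    """Map a quarantined file (Quarantine\\<drive>\\...\\name.ext.vir) back to
    its original <drive>:\\...\\name.ext. Registry backups and ComboFix's own
    logs are not file quarantines and yield None."""
    if not quarantine_path.startswith(QUARANTINE_ROOT):
        return None
    if not quarantine_path.lower().endswith(".vir"):
        return None
    rel = quarantine_path[len(QUARANTINE_ROOT):-len(".vir")]
    drive, _, rest = rel.partition("\\")
    if len(drive) != 1 or not drive.isalpha():
        return None
    return f"{drive}:\\{rest}"


def select_restorable(entries, infection_start):
    """Keep file quarantines that are plain user data created before
    infection_start (ISO date string such as "2009-07-01"); everything else
    stays quarantined for manual review."""
    cutoff = datetime.strptime(infection_start, "%Y-%m-%d")
    chosen = []
    for e in entries:
        orig = original_path(e["path"])
        if orig is None:
            continue
        ext = ntpath.splitext(orig)[1].lower()
        if ext in RESTORABLE_EXTS and e["created"] < cutoff:
            chosen.append(e)
    return chosen


def build_cfscript(entries):
    """Emit the DeQuarantine:: block; CFScript lists the quarantine paths."""
    return "\n".join(["DeQuarantine::"] + [e["path"] for e in entries]) + "\n"


if __name__ == "__main__":
    restorable = select_restorable(parse_quarantine_log(SAMPLE_LOG), "2009-07-01")
    print(build_cfscript(restorable), end="")
```

Save the printed block as CFScript.txt next to ComboFix.exe exactly as the instructions above describe; review the selected paths before running it.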

#13 kenno3

  • Topic Starter
  • Members
  • 15 posts

Posted 08 August 2009 - 02:27 AM

I made that script and ran ComboFix, then ran Malwarebytes.


ComboFix 09-08-04.03 - x410 08/07/2009 22:30.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1143 [GMT -7:00]
Running from: c:\users\x410\Desktop\ComboFix.exe
Command switches used :: c:\users\x410\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\x410\Documents\bonnie030808 3 sis .rtf
c:\users\x410\Documents\jen bike .rtf
c:\users\x410\FAVORI~1\Earthquakes in California .url
c:\users\x410\Favorites\Earthquakes in California .url

.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 ----a-w- c:\windows\x73_lut.dat
2009-08-08 05:27 . 2009-08-08 05:27 3942048 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-08 01:56 . 2009-08-08 01:56 -------- d-----w- c:\program files\Common Files\Skype
2009-08-08 01:56 . 2009-08-08 01:56 -------- d-----r- c:\program files\Skype
2009-08-05 11:07 . 2009-08-08 05:38 -------- d-----w- c:\users\x410\AppData\Local\temp
2009-08-05 11:07 . 2009-08-05 11:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-05 11:07 . 2009-08-05 11:07 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-08-05 11:07 . 2009-08-05 11:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-05 09:21 . 2009-08-05 09:21 -------- d-----w- c:\program files\dccten
2009-08-04 21:21 . 2009-08-04 21:21 -------- d-----w- c:\users\x410\AppData\Roaming\vMacromedia
2009-08-04 09:17 . 2009-08-04 09:34 -------- d-s---w- C:\sdfhdfj
2009-08-04 09:11 . 2009-08-04 09:12 -------- d-s---w- C:\cbfix
2009-08-03 13:26 . 2009-08-03 13:26 -------- d-----w- c:\users\x410\AppData\Roaming\mhMacromedia
2009-07-31 07:02 . 2009-07-31 07:02 -------- d-----w- c:\users\x410\AppData\Roaming\mnMacromedia
2009-07-30 08:50 . 2009-07-30 08:50 -------- d-----w- c:\users\x410\AppData\Roaming\mmMacromedia
2009-07-27 02:49 . 2009-07-27 02:49 34304 ----a-w- c:\windows\system32\drivers\scansafe.sys
2009-07-27 00:50 . 2009-07-27 00:54 -------- d-----w- c:\program files\browsertool
2009-07-26 01:59 . 2009-07-26 02:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-24 09:09 . 2009-07-24 09:10 117760 ----a-w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-07-24 09:08 . 2009-07-24 09:08 -------- d-----w- c:\users\x410\AppData\Roaming\SUPERAntiSpyware.com
2009-07-24 06:50 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 06:50 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 23:06 . 2009-07-22 23:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 06:29 . 2009-07-21 06:29 -------- d-----w- c:\program files\FLV Player
2009-07-19 21:50 . 2009-07-19 21:50 -------- d-----w- C:\MGADiagToolOutput
2009-07-19 21:45 . 2009-07-19 21:45 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\users\x410\AppData\Roaming\Malwarebytes
2009-07-19 20:39 . 2009-07-19 20:39 -------- d-----w- c:\programdata\Malwarebytes
2009-07-19 20:39 . 2009-07-27 02:49 -------- d-----w- c:\program files\cleaner
2009-07-19 20:35 . 2009-07-25 21:56 -------- d-----w- c:\program files\CCleaner
2009-07-11 21:12 . 2009-07-11 21:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 05:23 . 2008-09-23 02:56 -------- d-----w- c:\users\x410\AppData\Roaming\Skype
2009-08-08 03:58 . 2008-09-23 02:58 -------- d-----w- c:\users\x410\AppData\Roaming\skypePM
2009-08-08 01:56 . 2008-09-23 02:54 -------- d-----w- c:\programdata\Skype
2009-08-06 15:03 . 2007-07-19 21:17 25336 ----a-w- c:\users\x410\AppData\Roaming\wklnhst.dat
2009-07-31 16:21 . 2007-07-16 22:02 86512 ----a-w- c:\users\x410\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-25 02:30 . 2009-07-31 16:17 99112 ----a-w- c:\windows\Fonts\WoW-plexus.ttf
2009-07-24 09:07 . 2007-11-02 20:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-24 05:45 . 2007-09-07 07:05 1356 ----a-w- c:\users\x410\AppData\Local\d3d9caps.dat
2009-07-22 23:06 . 2007-07-13 11:31 -------- d-----w- c:\program files\Java
2009-07-21 19:48 . 2009-07-31 16:13 130252 ----a-w- c:\windows\Fonts\AngelicWar.ttf
2009-07-21 10:52 . 2009-05-23 21:38 -------- d-----w- c:\programdata\FLEXnet
2009-07-19 08:58 . 2009-07-19 08:58 213024 ----a-w- c:\windows\system32\drivers\strx-bad.xsys
2009-07-19 08:57 . 2009-07-19 08:57 76160 ----a-w- c:\windows\system32\drivers\cvbio-bad q.xsys
2009-07-14 21:30 . 2009-01-03 00:52 -------- d-----w- c:\programdata\Apple Computer
2009-07-11 00:31 . 2009-01-23 05:27 -------- d-----w- c:\program files\AIM6
2009-07-11 00:29 . 2009-01-23 05:28 -------- d-----w- c:\program files\Viewpoint
2009-07-11 00:29 . 2009-01-23 05:29 -------- d-----w- c:\programdata\Viewpoint
2009-07-11 00:27 . 2009-07-11 00:27 -------- d-----w- c:\programdata\AOL Downloads
2009-07-07 06:46 . 2009-07-31 16:15 30716 ----a-w- c:\windows\Fonts\DamaskDings1.ttf
2009-07-05 08:14 . 2009-07-05 08:00 -------- d-----w- c:\program files\FlashGet
2009-07-05 08:01 . 2009-07-05 08:01 -------- d-----w- c:\users\x410\AppData\Roaming\FlashGet
2009-07-01 07:27 . 2008-07-02 02:17 -------- d-----w- c:\users\x410\AppData\Roaming\BitTorrent
2009-06-20 02:56 . 2009-01-05 06:31 -------- d-----w- c:\program files\Lineage II
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DC6B.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\DB71.tmp
2009-06-18 19:54 . 2009-07-24 06:27 6144 ------w- c:\windows\system32\AF03.tmp
2009-06-12 09:17 . 2009-06-12 07:15 -------- d-----w- c:\program files\AVS4YOU
2009-06-12 07:30 . 2009-06-12 07:30 -------- d-----w- c:\users\x410\AppData\Roaming\Broad Intelligence
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\programdata\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:15 -------- d-----w- c:\users\x410\AppData\Roaming\AVS4YOU
2009-06-12 07:15 . 2009-06-12 07:14 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-19 08:36 . 2009-07-11 00:27 2884832 ----a-w- c:\programdata\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 08:36 . 2009-07-11 00:27 28 ----a-w- c:\programdata\AOL Downloads\SUD4426\unregister.bat
2009-05-19 08:36 . 2009-07-11 00:27 25 ----a-w- c:\programdata\AOL Downloads\SUD4426\register.bat
2009-05-19 08:36 . 2009-07-11 00:27 1484856 ----a-w- c:\programdata\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 08:36 . 2009-07-11 00:27 97072 ----a-w- c:\programdata\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 08:36 . 2009-07-11 00:27 142040 ----a-w- c:\programdata\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 08:36 . 2009-07-11 00:27 30512 ----a-w- c:\programdata\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 08:36 . 2009-07-11 00:27 111920 ----a-w- c:\programdata\AOL Downloads\SUD4426\AOLSearch.dll
2009-04-28 03:30 . 2009-04-28 03:29 3383125 ----a-w- c:\program files\70406-Oops(md).wmv
2007-07-13 19:19 . 2007-07-13 19:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-04_09.25.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-13 11:51 . 2009-08-08 04:05 60710 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-08 04:05 75846 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-07-16 22:02 . 2009-08-08 04:05 19690 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1653860645-1336781724-2940610242-1001_UserData.bin
- 2007-07-16 21:49 . 2009-08-04 09:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-16 21:49 . 2009-08-08 05:29 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-16 21:49 . 2009-08-08 05:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-16 21:49 . 2009-08-04 09:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-16 21:49 . 2009-08-08 05:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-07-16 21:49 . 2009-08-04 09:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-08-03 21:44 . 2009-08-03 21:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-08 04:03 . 2009-08-08 04:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-08-03 21:44 . 2009-08-03 21:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-08-08 04:03 . 2009-08-08 04:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-08-08 01:56 . 2009-08-08 01:56 792576 c:\windows\Installer\58f19b.msi
+ 2009-08-04 11:09 . 2009-08-04 11:09 836096 c:\windows\Installer\2e1c84f.msi
+ 2009-08-08 01:56 . 2009-08-08 01:56 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-08-08 01:56 . 2009-08-08 01:56 1565696 c:\windows\Installer\58f195.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-13 1006264]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\cleaner\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\cleaner\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^x410^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1653860645-1336781724-2940610242-1001]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7B9E6C4B-EBF3-4A92-9A98-56EB05E91B0D}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{FE0BF857-57F9-46E7-8C2D-3B81A1CF5365}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{52D1A5E0-7F31-4F60-A579-B36A8DD9BC71}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{2547C6FB-DA83-487F-A5F6-AE99B7FA2D41}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{25D2AF8E-1887-4CB5-B181-0B84CFBD4117}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9DF9A5AA-E1E0-47E2-88ED-602B19CB2525}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{38E2A893-3CB5-4B40-B07F-BDDBC6765CF7}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{209C983C-2098-4F92-8135-013D37132E63}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5509BF9A-136D-4119-B91F-1828B90C7501}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{85EBAEA7-B330-43F5-A1BF-8DED7C39A212}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{51AE5C60-FAE1-4B76-95C5-C839138421A3}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{2007E346-5D91-42B7-907B-408F744A7CC0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F3C1DE05-8D78-42AA-B95F-74065A9945CD}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F59995C-1C51-436F-819B-8A8206A34EF1}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{50BA60D6-0DF2-496D-8E63-5A1D71CED4B7}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{73A251D2-0205-4138-AF20-0E755E9DAD7E}"= UDP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{8B05AA97-DB97-417B-BAF7-13205F420E86}"= TCP:c:\games\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{88A82AAA-1AE9-4E68-A853-88716B168E5A}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{48DA0BA6-ED93-4C71-B1CC-51D9862987FB}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"TCP Query User{D2A90CF9-D8D1-4E2F-835A-3109F266CEBE}c:\\games\\secondlife\\slvoice.exe"= UDP:c:\games\secondlife\slvoice.exe:SLVoice
"UDP Query User{3049E693-D20C-4176-8932-331C758680E4}c:\\games\\secondlife\\slvoice.exe"= TCP:c:\games\secondlife\slvoice.exe:SLVoice
"TCP Query User{E6ADBA33-1F23-450E-A44F-728E752E167F}c:\\games\\secondlifemono\\slvoice.exe"= UDP:c:\games\secondlifemono\slvoice.exe:SLVoice
"UDP Query User{2005CCBB-05A7-40CE-9356-2C3D8FC839DD}c:\\games\\secondlifemono\\slvoice.exe"= TCP:c:\games\secondlifemono\slvoice.exe:SLVoice
"TCP Query User{B2A794B8-73CB-4FA2-AA1A-918DFCD69281}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E681CA94-3580-4408-B82D-F3411B205D5A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{68CEDEDC-E7F7-46BE-B4DC-5296F0BE36A9}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{97349958-D7D4-4ACF-BBE0-EE46B69D2A29}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{50768FDA-1895-457F-9C55-3AE9CFB2F041}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{54A1739E-2F17-4B76-B245-DA94445C2311}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FCD61902-2B13-4B75-A7D0-8630051168DE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{C2D4ECDC-229D-4040-BF9E-7F4916832564}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{C3EF6074-2472-4047-980B-2878947AECAB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BF1746A8-1CC9-414E-A033-8CFE538E0C59}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94FF65C9-E73E-4335-AA69-11DFAAD108DD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADA84D79-F107-4051-8CBA-7FEA57C0E03C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{63FE725C-625E-4FB7-9299-AE6323F87358}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{39DCA072-D76E-4D21-8698-FDB5B0120FDB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{53A2ED5C-A474-4E2C-A88C-B5B9FEF42CA8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{07AC682A-1BC5-4D0F-8601-6F2E1E9F7B69}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{8E1FF90B-94E2-4B1F-AE5E-1A96AAF3B21E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{E2E97F63-E5C8-463E-9DA7-3F33CFA44508}"= UDP:5353:Adobe CSI CS4
"{14B52392-9237-4D66-9F21-8A88EF78E798}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{1A0D5766-C7E2-44DD-A346-345157CF07BD}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{02DD08F3-DEDC-4487-BE02-8073BCE70358}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{5BDE15DD-A3FD-4784-8297-B4B2E2188AA2}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"{8ABAAF03-FECE-4FE7-B5AF-4EDBD1F50FE5}"= UDP:c:\windows\explorer.exe:Explorer
"{A0C99EC5-20B5-42E1-B489-1405CF973B2B}"= TCP:c:\windows\explorer.exe:Explorer
"{FAA5C600-9539-4B3D-938B-835602F2DCF5}"= UDP:c:\windows\explorer.exe:Explorer
"{98FC35CD-316E-42AA-8C0A-3ACB75A73B88}"= TCP:c:\windows\explorer.exe:Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Users\\x410\\AppData\\Roaming\\nSvcAppFlt.exe"= c:\users\x410\AppData\Roaming\nSvcAppFlt.exe:*:Enabled:Win32load
"c:\\Users\\x410\\AppData\\Local\\Temp\\reptile.exe"= c:\users\x410\AppData\Local\Temp\reptile.exe:*:Enabled:Windows UDP Control Center

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 7:03 AM 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 2:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 1:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\Spy bot Search & Destroy\SDWinSec.exe [7/25/2009 6:59 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [7/13/2007 4:38 AM 5504]
R3 physX32;physX32;c:\windows\System32\drivers\physX32.sys [9/13/2007 7:43 AM 120320]
S3 athena;athena;c:\windows\System32\drivers\athena.sys [7/13/2007 12:21 PM 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\Converter\MediaCoder\SysInfo.sys [9/25/2007 7:59 AM 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 scansafe;scansafe;c:\windows\System32\drivers\scansafe.sys [7/26/2009 7:49 PM 34304]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-01-03 02:02]

2009-08-08 c:\windows\Tasks\User_Feed_Synchronization-{654DED79-4474-4F82-A93D-44207F55242D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\x410\AppData\Roaming\Mozilla\Firefox\Profiles\oi4cgjua.default\
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\media\Player\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3D6D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1653860645-1336781724-2940610242-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*6*4*_*A*C*3*000*1*-*2*5*+*s*p*hQÆ–00M*K*V*0\OpenWithList]
@Class="Shell"
.
Completion time: 2009-08-08 22:40
ComboFix-quarantined-files.txt 2009-08-08 05:40
ComboFix2.txt 2009-08-05 11:07
ComboFix3.txt 2009-08-04 09:34
C:\DeQuarantine.txt

Pre-Run: 2,092,572,672 bytes free
Post-Run: 2,035,314,688 bytes free

290 --- E O F --- 2008-01-03 18:27

=============================================================

Malwarebytes' Anti-Malware 1.39
Database version: 2577
Windows 6.0.6000

8/7/2009 10:58:47 PM
mbam-log-2009-08-07 (22-58-47).txt

Scan type: Quick Scan
Objects scanned: 91324
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\drivers\cvbio-bad q.xsys (Rootkit.Rustock) -> Quarantined and deleted successfully.
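
Added example, not from this thread or from ComboFix, DDS or MBAM: a small Python triage helper that walks the "Reg Loading Points" section of a ComboFix log and flags the entries a responder looks at first in a log like the one above: protections switched off by policy (EnableLUA, EnableFirewall, Security Center monitoring), firewall exceptions for executables living in Temp or the roaming profile, and a service whose ImagePath is a .tmp file. The sample input is constructed from entries of the kind that appear in the log above; the function and regex names are my own.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, DDS, MBAM or any
tool the helpers here use.  It flags the entries a responder looks at first:
security features switched off by policy, firewall exceptions for programs
running out of user-writable folders, and services whose image is a .tmp file.
"""
import re
from typing import List, Tuple

# Constructed sample, assembled from entries of the kind shown in the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Users\\x410\\AppData\\Roaming\\nSvcAppFlt.exe"= c:\users\x410\AppData\Roaming\nSvcAppFlt.exe:*:Enabled:Win32load
"c:\\Users\\x410\\AppData\\Local\\Temp\\reptile.exe"= c:\users\x410\AppData\Local\Temp\reptile.exe:*:Enabled:Windows UDP Control Center

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3D6D.tmp"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# An executable-looking file under the user's Temp folder or roaming profile.
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\(?:local\\temp|roaming)\\[^\\:]+\.(?:exe|dll|sys|scr|tmp)\b",
    re.IGNORECASE,
)

Finding = Tuple[str, str, str]  # (registry key, value name, reason)


def _is_zero(value: str) -> bool:
    """ComboFix prints DWORDs either as '0 (0x0)' or as 'dword:00000000'."""
    v = value.strip().lower()
    return v.startswith("0") or v == "dword:00000000"


def _is_one(value: str) -> bool:
    v = value.strip().lower()
    return v.startswith("1") or v == "dword:00000001"


def triage_loading_points(text: str) -> List[Finding]:
    """Walk the section line by line, remembering the current [key]."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), vm.group("value")
        lkey, lname = key.lower(), name.lower()

        # 1. Protections switched off by policy.
        if lname == "enablelua" and _is_zero(value):
            findings.append((key, name, "UAC disabled (EnableLUA=0)"))
        elif lname == "enablefirewall" and _is_zero(value):
            findings.append((key, name, "Windows Firewall disabled for this profile"))
        elif lname == "disablemonitoring" and _is_one(value):
            findings.append((key, name, "Security Center no longer monitors this product"))
        elif lname == "updatesdisablenotify" and _is_one(value):
            findings.append((key, name, "Windows Update notifications disabled"))

        # 2. Firewall exceptions for programs in user-writable folders.
        if "authorizedapplications" in lkey and USER_WRITABLE_RE.search(value):
            findings.append((key, name, "firewall exception for an executable in Temp/Roaming"))

        # 3. A service whose binary is a .tmp file (compare the MEMSWEEP2 entry).
        if lname == "imagepath" and "\\services\\" in lkey \
                and value.lower().rstrip('"').endswith(".tmp"):
            findings.append((key, name, "service ImagePath points at a .tmp file"))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage_loading_points(SAMPLE_LOG):
        print(f"{reason}\n    [{key}] {name}")
```

Legitimate entries such as the ehTray.exe Run value and the BitTorrent firewall exception are left alone; the helper only narrows down what to read first, it does not decide what is malicious.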

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 August 2009 - 10:37 AM

Hello.

One error I made. Let's do it again.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\Users\x410\Documents\Nothing else - Shimins .mp3.vir
    C:\Qoobox\Quarantine\C\Users\x410\FAVORI~1\Earthquakes in California .url.vir
    C:\Qoobox\Quarantine\C\Users\x410\Documents\jen bike .rtf.vir
    C:\Qoobox\Quarantine\C\Users\x410\Documents\bonnie030808 3 sis .rtf.vir
    Quit::
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (screenshot: CFScript.txt being dragged onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post back with the C:\DeQuarantine.txt log for me please.

Then, take a new DDS run and post back with both DDS and Attach logs for my review.

With Regards,
Extremeboy

Edited by extremeboy, 08 August 2009 - 10:37 AM.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 kenno3
  • Topic Starter
  • Members
  • 15 posts

Posted 10 August 2009 - 04:06 AM

Hi, here it is. Thanks again.


C:\Qoobox\Quarantine\C\Users\x410\Documents\bonnie030808 3 sis .rtf.vir -> C:\Users\x410\Documents\bonnie030808 3 sis .rtf ( 55432 bytes )
C:\Qoobox\Quarantine\C\Users\x410\Documents\jen bike .rtf.vir -> C:\Users\x410\Documents\jen bottle .rtf ( 54365 bytes )
C:\Qoobox\Quarantine\C\Users\x410\FAVORI~1\Earthquakes in California .url.vir -> C:\Users\x410\FAVORI~1\Earthquakes in California .url ( 284 bytes )


=================


DDS (Ver_09-07-30.01) - NTFSx86
Run by x410 at 1:47:46.70 on Mon 08/10/2009
Internet Explorer: 7.0.6000.16575 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1340 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *disabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\cleaner\Spy bot Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Users\x410\Desktop\Trash\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\browsertool\fiddler2-logger\Fiddler.exe"
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\x410\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\cleaner\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\cleaner\superantispyware\SASSEH.DLL
SecurityProviders: credssp.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\x410\appdata\roaming\mozilla\firefox\profiles\oi4cgjua.default\
FF - plugin: c:\media\player\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\media\player\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\cleaner\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\cleaner\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\cleaner\spy bot search & destroy\SDWinSec.exe [2009-7-25 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-13 5504]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-9-13 120320]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-7-13 110336]
S3 CrystalSysInfo;CrystalSysInfo;c:\media\converter\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 SASENUM;SASENUM;c:\program files\cleaner\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 scansafe;scansafe;c:\windows\system32\drivers\scansafe.sys [2009-7-26 34304]

=============== Created Last 30 ================

2009-08-10 01:28 <DIR> --ds---- C:\ComboFix
2009-08-08 03:33 66 a------- c:\windows\system32\SQSDRVWC.SYS
2009-08-08 01:35 67 a------- c:\windows\WaveCreator.ini
2009-08-08 01:31 36 a------- c:\windows\system32\drvlock.sys
2009-08-08 01:31 <DIR> --d----- c:\program files\Blaze Audio
2009-08-07 22:40 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-07 18:56 <DIR> --d--r-- c:\program files\Skype
2009-08-05 02:21 <DIR> --d----- c:\program files\dccten
2009-08-04 14:21 <DIR> --d----- c:\users\x410\appdata\roaming\vMacromedia
2009-08-04 02:17 219,648 a------- c:\windows\PEV.exe
2009-08-04 02:17 161,792 a------- c:\windows\SWREG.exe
2009-08-04 02:17 98,816 a------- c:\windows\sed.exe
2009-08-04 02:17 <DIR> --ds---- C:\sdfhdfj
2009-08-04 02:11 <DIR> --ds---- C:\cbfix
2009-08-03 06:26 <DIR> --d----- c:\users\x410\appdata\roaming\mhMacromedia
2009-07-31 00:02 <DIR> --d----- c:\users\x410\appdata\roaming\mnMacromedia
2009-07-30 01:50 <DIR> --d----- c:\users\x410\appdata\roaming\mmMacromedia
2009-07-26 19:49 34,304 a------- c:\windows\system32\drivers\scansafe.sys
2009-07-26 17:50 <DIR> --d----- c:\program files\browsertool
2009-07-25 18:59 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-25 18:59 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-24 02:08 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-24 02:08 <DIR> --d----- c:\users\x410\appdata\roaming\SUPERAntiSpyware.com
2009-07-23 23:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 23:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 23:27 6,144 -------- c:\windows\system32\DC6B.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\DB71.tmp
2009-07-23 23:27 6,144 -------- c:\windows\system32\AF03.tmp
2009-07-22 16:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-19 14:50 <DIR> --d----- C:\MGADiagToolOutput
2009-07-19 14:45 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-07-19 13:39 <DIR> --d----- c:\users\x410\appdata\roaming\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 13:39 <DIR> --d----- c:\program files\cleaner
2009-07-19 13:35 <DIR> --d----- c:\program files\CCleaner
2009-07-19 01:58 213,024 a------- c:\windows\system32\drivers\strx-bad.xsys
2009-07-11 14:12 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-08-08 06:35 25,324 a------- c:\users\x410\appdata\roaming\wklnhst.dat
2009-07-19 20:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 20:27 86,016 a------- c:\windows\inf\infpub.dat
2009-04-27 20:30 3,383,125 a------- c:\program files\70406-Oops(md).wmv
2009-01-02 17:51 86,016 a------- c:\windows\inf\infstor.dat
2008-01-03 11:38 665,600 a------- c:\windows\inf\drvindex.dat
2007-10-11 17:44 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-13 12:19 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:48:15.70 ===============
