infected with antivirus 2009 and Skynetxxxx


12 replies to this topic

#1 ci8irish

  • Members
  • 7 posts

Posted 22 July 2009 - 09:35 PM

System locked by System Security spyware popups; it took over my homepage and would not allow me to connect to anything, so I started the computer in safe mode and ran ComboFix (not the best move by an amateur, but I had no other idea at the time). After running it, the malware is gone... I think; at least I am now able to get to this forum to ask for help. Here is the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 19:20:36.53 on Wed 07/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.120 [GMT -7:00]

AV: The Shield Deluxe 2009 Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3CYIHUOY\dds[1].scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.comcast.net/
mLocal Page = \blank.htm
mStart Page = hxxp://www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: The Shield Deluxe 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ServiceConfig] "c:\program files\comcast\migcfg\programs\ispbeg.exe"
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - hxxp://defender.veloz.com/pub/download/scandl_burst.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9499768519
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-7-19 130936]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-9-16 6736]
R3 bdfm;BDFM;c:\winnt\system32\drivers\bdfm.sys [2008-9-18 111112]
S2 gqcutvdpv;gqcutvdpv;\??\c:\winnt\system32\drivers\peviwkmskvqu.sys --> c:\winnt\system32\drivers\peviwkmskvqu.sys [?]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-19 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-19 1095560]

=============== Created Last 30 ================

2009-07-21 18:56 <DIR> --d----- c:\winnt\system32\dllcache\cache
2009-07-21 18:18 <DIR> a-dshr-- C:\cmdcons
2009-07-21 18:13 219,648 a------- c:\winnt\PEV.exe
2009-07-21 18:13 161,792 a------- c:\winnt\SWREG.exe
2009-07-21 18:13 98,816 a------- c:\winnt\sed.exe
2009-07-21 16:09 <DIR> --d----- c:\program files\Trend Micro
2009-07-20 20:49 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-20 20:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 16:44 1,053 a------- c:\winnt\system32\BDUpdateV1.xml
2009-07-19 19:28 <DIR> --d----- c:\program files\True Sword 5
2009-07-19 15:08 159,600 a------- c:\winnt\system32\drivers\pctgntdi.sys
2009-07-19 15:07 130,936 a------- c:\winnt\system32\drivers\PCTCore.sys
2009-07-19 15:07 73,840 a------- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-07-19 15:07 64,392 a------- c:\winnt\system32\drivers\pctplsg.sys
2009-07-19 15:07 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-19 15:07 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-19 15:07 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-07-19 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-19 14:03 <DIR> --d----- c:\docume~1\owner\applic~1\ConsumerSoft
2009-07-19 14:03 <DIR> --d----- c:\program files\ConsumerSoft
2009-07-19 11:48 19,781 a------- c:\winnt\system32\umakuhosaz.scr
2009-07-19 11:48 18,619 a------- c:\docume~1\alluse~1\applic~1\fyxah.pif
2009-07-19 11:48 18,309 a------- c:\winnt\system32\fajez.db
2009-07-19 11:48 17,918 a------- c:\docume~1\owner\applic~1\vero.exe
2009-07-19 11:48 15,199 a------- c:\winnt\dypabe.pif
2009-07-19 11:48 15,084 a------- c:\winnt\bulu.bat
2009-07-19 11:48 13,919 a------- c:\winnt\xucenizity.ban
2009-07-19 11:48 13,389 a------- c:\winnt\exixisahi.reg
2009-07-19 11:48 12,626 a------- c:\winnt\system32\ozyhocab.pif
2009-07-19 11:48 12,074 a------- c:\winnt\atelakagoc.inf
2009-07-19 11:48 11,415 a------- c:\winnt\fabah.vbs
2009-07-19 11:48 11,387 a------- c:\winnt\zuhol.com
2009-07-19 11:48 10,483 a------- c:\winnt\system32\zovyrofoti.lib
2009-07-19 11:48 10,188 a------- c:\winnt\wowin.exe
2009-07-19 11:45 <DIR> --d----- c:\program files\HomeAntivirus2010
2009-07-19 11:45 180,690 a------- c:\winnt\system32\wisdstr.exe
2009-07-19 10:33 1,089,593 -------- c:\winnt\system32\dllcache\ntprint.cat
2009-07-18 14:33 81,984 a------- c:\winnt\system32\bdod.bin
2009-07-18 14:32 121 a------- c:\winnt\bdagent.INI
2009-07-18 12:18 850 a------- c:\winnt\system32\ProductTweaks.xml
2009-07-18 12:18 385 a------- c:\winnt\system32\user_gensett.xml
2009-07-18 12:10 <DIR> --d----- c:\docume~1\owner\applic~1\BitDefender
2009-07-18 12:09 <DIR> --d----- c:\program files\PCSecurityShield
2009-07-18 12:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-07-18 12:05 <DIR> --d----- c:\program files\common files\BitDefender
2009-07-18 11:21 <DIR> --d----- c:\winnt\system32\XPSViewer
2009-07-18 11:20 1,676,288 -------- c:\winnt\system32\xpssvcs.dll
2009-07-18 11:20 1,676,288 -------- c:\winnt\system32\dllcache\xpssvcs.dll
2009-07-18 11:20 597,504 -------- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 11:20 575,488 -------- c:\winnt\system32\xpsshhdr.dll
2009-07-18 11:20 575,488 -------- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-07-18 11:20 117,760 -------- c:\winnt\system32\prntvpt.dll
2009-07-18 11:20 89,088 -------- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 11:20 <DIR> --d----- C:\506dfb967e43e28492
2009-07-18 11:19 <DIR> --d----- c:\winnt\SxsCaPendDel
2009-07-18 10:53 138,752 a------- c:\winnt\msb.exe
2009-06-27 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2009-06-27 13:39 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-06-27 13:38 <DIR> --d----- c:\program files\HP
2009-06-27 13:32 16,496 a----r-- c:\winnt\system32\drivers\HPZipr12.sys
2009-06-27 13:32 49,920 a----r-- c:\winnt\system32\drivers\HPZid412.sys
2009-06-27 13:32 146,736 a------- c:\winnt\hphins32.dat
2009-06-27 13:32 458 -------- c:\winnt\hphmdl32.dat
2009-06-27 13:32 126,976 a------- c:\winnt\system32\hpfll6en.dll
2009-06-27 13:32 271,704 a----r-- c:\winnt\system32\hpzids01.dll
2009-06-27 13:31 309,760 a----r-- c:\winnt\system32\difxapi.dll
2009-06-27 13:31 372,736 a----r-- c:\winnt\system32\hppldcoi.dll
2009-06-27 13:31 21,568 a----r-- c:\winnt\system32\drivers\HPZius12.sys
2009-06-27 13:22 25,856 a------- c:\winnt\system32\drivers\usbprint.sys
2009-06-27 13:22 25,856 a------- c:\winnt\system32\dllcache\usbprint.sys
2009-06-27 13:21 32,128 a------- c:\winnt\system32\drivers\usbccgp.sys
2009-06-27 13:21 32,128 a------- c:\winnt\system32\dllcache\usbccgp.sys

==================== Find3M ====================

2009-06-16 07:36 119,808 a------- c:\winnt\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\winnt\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\winnt\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\winnt\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\winnt\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\winnt\system32\dllcache\quartz.dll
2009-05-07 08:32 345,600 a------- c:\winnt\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\winnt\system32\dllcache\localspl.dll
2009-04-28 21:56 827,392 a------- c:\winnt\system32\wininet.dll
2009-04-28 21:56 827,392 a------- c:\winnt\system32\dllcache\wininet.dll
2009-04-28 21:56 827,392 a------- c:\winnt\system32\dllcache\cache\wininet.dll
2009-04-28 21:56 233,472 -------- c:\winnt\system32\dllcache\webcheck.dll
2009-04-28 21:56 1,159,680 a------- c:\winnt\system32\dllcache\urlmon.dll
2009-04-28 21:56 671,232 a------- c:\winnt\system32\dllcache\mstime.dll
2009-04-28 21:56 44,544 a------- c:\winnt\system32\dllcache\pngfilt.dll
2009-04-28 21:56 105,984 -------- c:\winnt\system32\dllcache\url.dll
2009-04-28 21:56 102,912 -------- c:\winnt\system32\dllcache\occache.dll
2009-04-28 21:56 3,596,288 a------- c:\winnt\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 a------- c:\winnt\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 a------- c:\winnt\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 -------- c:\winnt\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\winnt\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 -------- c:\winnt\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 a------- c:\winnt\system32\dllcache\ieakui.dll
2006-06-04 20:05 78,960 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2004-08-09 20:30 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-07-12 14:12 32,768 a--sh--- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071220080713\index.dat

============= FINISH: 19:22:12.34 ===============


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 August 2009 - 08:39 AM

Hello ci8irish,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 ci8irish

  • Topic Starter
  • Members
  • 7 posts

Posted 01 August 2009 - 10:31 AM

Muchas gracias, Tea! Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:37 AM, on 8/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: The Shield Deluxe 2009 Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\PCSecurityShield\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\PCSecurityShield\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - http://defender.veloz.com/pub/download/scandl_burst.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal...tivePreQual.cab
O23 - Service: The Shield Deluxe 2009 Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: The Shield Deluxe 2009 Desktop Update Service (LIVESRV) - PCSecurityShield - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: The Shield Deluxe 2009 Virus Shield (VSSERV) - PCSecurityShield - C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe

--
End of file - 7075 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 August 2009 - 05:18 AM

De nada amigo :thumbup2:

Do you happen to still have the ComboFix report?

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

#5 ci8irish

  • Topic Starter
  • Members
  • 7 posts

Posted 02 August 2009 - 09:41 AM

Below are the MBAM log and a fresh HJT log, and yes, I still have the ComboFix report; let me know if you would like to see it. Thanks, Tea! :thumbup2:

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 3

8/2/2009 7:32:08 AM
mbam-log-2009-08-02 (07-32-08).txt

Scan type: Quick Scan
Objects scanned: 89253
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
---------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:21 AM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: The Shield Deluxe 2009 Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\PCSecurityShield\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\PCSecurityShield\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - http://defender.veloz.com/pub/download/scandl_burst.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal...tivePreQual.cab
O23 - Service: The Shield Deluxe 2009 Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: The Shield Deluxe 2009 Desktop Update Service (LIVESRV) - PCSecurityShield - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: The Shield Deluxe 2009 Virus Shield (VSSERV) - PCSecurityShield - C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe

--
End of file - 7123 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 August 2009 - 10:10 AM

Hi there,

Yes, I'd like to see it please. Not only will it tell me what it deleted, but what might be lurking that other scanners might not pick up. :thumbup2: Those both look all right.....just a few clutter lines in the HijackThis log, but nothing malicious.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#7 ci8irish

ci8irish
  • Topic Starter

  • Members
  • 7 posts

Posted 02 August 2009 - 10:21 AM

O.K. here is the combofix log:

ComboFix 09-07-21.02 - Owner 07/21/2009 18:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.110 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\19653754
c:\docume~1\ALLUSE~1\APPLIC~1\19653754\19653754
c:\docume~1\ALLUSE~1\APPLIC~1\19653754\19653754.exe
c:\docume~1\Owner\APPLIC~1\EurekaLog
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\epypeleqim.scr
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\supohoqy.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\yhec.inf
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ysicoze.bat
c:\documents and settings\Owner\nah_sxrl.exe
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\program.log
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Styles\Vista.cjstyles
c:\winnt\COUPON~1.OCX
c:\winnt\CouponPrinter.ocx
c:\winnt\system32\DelSelf.bat
c:\winnt\system32\drivers\geyekrjwmybxth.sys
c:\winnt\system32\drivers\str.sys
c:\winnt\system32\geyekrigjlmouw.dat
c:\winnt\system32\geyekrnhlhvkmn.dat
c:\winnt\system32\geyekrqvmtkdqx.dll
c:\winnt\system32\geyekrwmqputxt.dll
c:\winnt\TEMP\slu1a0e.tmp\CCERASER.DLL
c:\winnt\TEMP\slu1a0e.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu1a0e.tmp\eeCtrl.sys
c:\winnt\TEMP\slu1a0e.tmp\eraser.sys
c:\winnt\TEMP\slu1a0e.tmp\NAVENG.SYS
c:\winnt\TEMP\slu1a0e.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu1a0e.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu1a0e.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu1f60.tmp\CCERASER.DLL
c:\winnt\TEMP\slu1f60.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu1f60.tmp\eeCtrl.sys
c:\winnt\TEMP\slu1f60.tmp\eraser.sys
c:\winnt\TEMP\slu1f60.tmp\NAVENG.SYS
c:\winnt\TEMP\slu1f60.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu1f60.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu1f60.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu2358.tmp\CCERASER.DLL
c:\winnt\TEMP\slu2358.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu2358.tmp\eeCtrl.sys
c:\winnt\TEMP\slu2358.tmp\eraser.sys
c:\winnt\TEMP\slu2358.tmp\NAVENG.SYS
c:\winnt\TEMP\slu2358.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu2358.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu2358.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu42f6.tmp\CCERASER.DLL
c:\winnt\TEMP\slu42f6.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu42f6.tmp\eeCtrl.sys
c:\winnt\TEMP\slu42f6.tmp\eraser.sys
c:\winnt\TEMP\slu42f6.tmp\NAVENG.SYS
c:\winnt\TEMP\slu42f6.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu42f6.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu42f6.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu5044.tmp\CCERASER.DLL
c:\winnt\TEMP\slu5044.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu5044.tmp\eeCtrl.sys
c:\winnt\TEMP\slu5044.tmp\eraser.sys
c:\winnt\TEMP\slu5044.tmp\NAVENG.SYS
c:\winnt\TEMP\slu5044.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu5044.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu5044.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu508c.tmp\CCERASER.DLL
c:\winnt\TEMP\slu508c.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu508c.tmp\eeCtrl.sys
c:\winnt\TEMP\slu508c.tmp\eraser.sys
c:\winnt\TEMP\slu508c.tmp\NAVENG.SYS
c:\winnt\TEMP\slu508c.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu508c.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu508c.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu5eec.tmp\CCERASER.DLL
c:\winnt\TEMP\slu5eec.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu5eec.tmp\eeCtrl.sys
c:\winnt\TEMP\slu5eec.tmp\eraser.sys
c:\winnt\TEMP\slu5eec.tmp\NAVENG.SYS
c:\winnt\TEMP\slu5eec.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu5eec.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu5eec.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu6006.tmp\CCERASER.DLL
c:\winnt\TEMP\slu6006.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu6006.tmp\eeCtrl.sys
c:\winnt\TEMP\slu6006.tmp\eraser.sys
c:\winnt\TEMP\slu6006.tmp\NAVENG.SYS
c:\winnt\TEMP\slu6006.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu6006.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu6006.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu6c8d.tmp\CCERASER.DLL
c:\winnt\TEMP\slu6c8d.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu6c8d.tmp\eeCtrl.sys
c:\winnt\TEMP\slu6c8d.tmp\eraser.sys
c:\winnt\TEMP\slu6c8d.tmp\NAVENG.SYS
c:\winnt\TEMP\slu6c8d.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu6c8d.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu6c8d.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu6fb.tmp\CCERASER.DLL
c:\winnt\TEMP\slu6fb.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu6fb.tmp\eeCtrl.sys
c:\winnt\TEMP\slu6fb.tmp\eraser.sys
c:\winnt\TEMP\slu6fb.tmp\NAVENG.SYS
c:\winnt\TEMP\slu6fb.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu6fb.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu6fb.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu7eea.tmp\CCERASER.DLL
c:\winnt\TEMP\slu7eea.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu7eea.tmp\eeCtrl.sys
c:\winnt\TEMP\slu7eea.tmp\eraser.sys
c:\winnt\TEMP\slu7eea.tmp\NAVENG.SYS
c:\winnt\TEMP\slu7eea.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu7eea.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu7eea.tmp\NAVEX32A.DLL
c:\winnt\TEMP\slu7f3b.tmp\CCERASER.DLL
c:\winnt\TEMP\slu7f3b.tmp\ECMSVR32.DLL
c:\winnt\TEMP\slu7f3b.tmp\eeCtrl.sys
c:\winnt\TEMP\slu7f3b.tmp\eraser.sys
c:\winnt\TEMP\slu7f3b.tmp\NAVENG.SYS
c:\winnt\TEMP\slu7f3b.tmp\NAVENG32.DLL
c:\winnt\TEMP\slu7f3b.tmp\NAVEX15.SYS
c:\winnt\TEMP\slu7f3b.tmp\NAVEX32A.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrxumnsrfq


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-21 23:09 . 2009-07-21 23:09 -------- d-----w- c:\program files\Trend Micro
2009-07-21 03:49 . 2009-07-21 03:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-21 03:49 . 2009-07-21 03:49 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes
2009-07-21 03:49 . 2009-07-21 03:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-20 02:28 . 2009-07-21 02:14 -------- d-----w- c:\program files\True Sword 5
2009-07-19 22:08 . 2008-12-11 15:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-07-19 22:07 . 2009-07-19 22:31 130936 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-07-19 22:07 . 2008-12-18 19:16 73840 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-07-19 22:07 . 2009-07-19 22:16 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-19 22:07 . 2008-12-10 19:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-07-19 22:07 . 2009-07-21 03:08 -------- d-----w- c:\program files\Spyware Doctor
2009-07-19 22:07 . 2009-07-19 22:07 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-07-19 22:07 . 2009-07-19 22:07 -------- d-----w- c:\docume~1\Owner\APPLIC~1\PC Tools
2009-07-19 22:07 . 2009-07-19 22:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-07-19 21:03 . 2009-07-19 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\ConsumerSoft
2009-07-19 21:03 . 2009-07-19 21:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\ConsumerSoft
2009-07-19 21:03 . 2009-07-19 21:14 -------- d-----w- c:\program files\ConsumerSoft
2009-07-19 18:48 . 2009-07-19 18:48 19781 ----a-w- c:\winnt\system32\umakuhosaz.scr
2009-07-19 18:48 . 2009-07-19 18:48 17918 ----a-w- c:\documents and settings\Owner\Application Data\vero.exe
2009-07-19 18:48 . 2009-07-19 18:48 15199 ----a-w- c:\winnt\dypabe.pif
2009-07-19 18:48 . 2009-07-19 18:48 15084 ----a-w- c:\winnt\bulu.bat
2009-07-19 18:48 . 2009-07-19 18:48 13389 ----a-w- c:\winnt\exixisahi.reg
2009-07-19 18:48 . 2009-07-19 18:48 12626 ----a-w- c:\winnt\system32\ozyhocab.pif
2009-07-19 18:48 . 2009-07-19 18:48 11415 ----a-w- c:\winnt\fabah.vbs
2009-07-19 18:48 . 2009-07-19 18:48 11387 ----a-w- c:\winnt\zuhol.com
2009-07-19 18:48 . 2009-07-19 18:48 10188 ----a-w- c:\winnt\wowin.exe
2009-07-19 18:45 . 2009-07-20 02:18 -------- d-----w- c:\program files\HomeAntivirus2010
2009-07-19 18:45 . 2009-07-19 18:45 180690 ----a-w- c:\winnt\system32\wisdstr.exe
2009-07-18 21:33 . 2009-07-22 01:46 81984 ----a-w- c:\winnt\system32\bdod.bin
2009-07-18 21:31 . 2009-07-18 21:31 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks32.exe
2009-07-18 21:31 . 2009-07-18 21:31 16141 ----a-w- c:\documents and settings\Owner\Application Data\BitDefender\megalon.exe
2009-07-18 21:31 . 2009-07-18 21:31 13221 ----a-w- c:\documents and settings\Owner\Application Data\Ahead\reniga.dll
2009-07-18 21:31 . 2009-07-18 21:31 131 ----a-w- c:\documents and settings\Owner\Application Data\AstroMenace\horsi.exe
2009-07-18 21:31 . 2009-07-18 21:31 11232 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\moha.exe
2009-07-18 19:10 . 2009-07-18 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\BitDefender
2009-07-18 19:10 . 2009-07-18 19:10 -------- d-----w- c:\docume~1\Owner\APPLIC~1\BitDefender
2009-07-18 19:09 . 2009-07-18 19:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BitDefender
2009-07-18 19:09 . 2009-07-18 19:09 -------- d-----w- c:\program files\PCSecurityShield
2009-07-18 19:05 . 2009-07-18 19:10 -------- d-----w- c:\program files\Common Files\BitDefender
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\winnt\system32\XPSViewer
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\program files\MSBuild
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\program files\Reference Assemblies
2009-07-18 18:20 . 2008-07-06 12:06 89088 ------w- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 18:20 . 2008-07-06 12:06 575488 ------w- c:\winnt\system32\xpsshhdr.dll
2009-07-18 18:20 . 2008-07-06 12:06 575488 ------w- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-07-18 18:20 . 2008-07-06 12:06 1676288 ------w- c:\winnt\system32\xpssvcs.dll
2009-07-18 18:20 . 2008-07-06 12:06 1676288 ------w- c:\winnt\system32\dllcache\xpssvcs.dll
2009-07-18 18:20 . 2008-07-06 12:06 117760 ------w- c:\winnt\system32\prntvpt.dll
2009-07-18 18:20 . 2008-07-06 10:50 597504 ------w- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 18:20 . 2009-07-18 18:20 -------- d-----w- C:\506dfb967e43e28492
2009-07-18 18:19 . 2009-07-18 18:34 -------- d-----w- c:\winnt\SxsCaPendDel
2009-07-18 17:53 . 2009-07-17 04:37 138752 ----a-w- c:\winnt\msb.exe
2009-06-27 20:47 . 2009-06-27 20:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\WEBREG
2009-06-27 20:39 . 2009-06-27 20:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\HP
2009-06-27 20:39 . 2009-06-27 20:39 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-06-27 20:38 . 2009-06-27 20:38 -------- d-----w- c:\program files\HP
2009-06-27 20:32 . 2009-01-08 03:34 16496 ----a-r- c:\winnt\system32\drivers\HPZipr12.sys
2009-06-27 20:32 . 2009-01-08 03:34 49920 ----a-r- c:\winnt\system32\drivers\HPZid412.sys
2009-06-27 20:32 . 2009-06-27 20:43 146736 ----a-w- c:\winnt\hphins32.dat
2009-06-27 20:32 . 2009-01-14 04:06 458 ------w- c:\winnt\hphmdl32.dat
2009-06-27 20:32 . 2008-12-17 01:17 126976 ----a-w- c:\winnt\system32\hpfll6en.dll
2009-06-27 20:32 . 2009-01-08 03:34 271704 ----a-r- c:\winnt\system32\hpzids01.dll
2009-06-27 20:31 . 2009-01-08 03:34 309760 ----a-r- c:\winnt\system32\difxapi.dll
2009-06-27 20:31 . 2009-01-08 03:34 21568 ----a-r- c:\winnt\system32\drivers\HPZius12.sys
2009-06-27 20:31 . 2009-01-08 03:34 372736 ----a-r- c:\winnt\system32\hppldcoi.dll
2009-06-27 20:22 . 2008-04-13 18:47 25856 ----a-w- c:\winnt\system32\drivers\usbprint.sys
2009-06-27 20:22 . 2008-04-13 18:47 25856 ----a-w- c:\winnt\system32\dllcache\usbprint.sys
2009-06-27 20:21 . 2008-04-13 18:45 32128 ----a-w- c:\winnt\system32\drivers\usbccgp.sys
2009-06-27 20:21 . 2008-04-13 18:45 32128 ----a-w- c:\winnt\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 01:55 . 2007-07-04 18:39 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-21 02:28 . 2007-12-10 01:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-21 02:27 . 2002-09-17 02:56 -------- d-----w- c:\program files\Microsoft Works
2009-07-19 18:49 . 2009-01-26 03:46 -------- d-----w- c:\program files\Common Files\Apple
2009-07-19 18:48 . 2009-07-19 18:48 18619 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\fyxah.pif
2009-07-19 18:48 . 2009-07-19 18:48 17918 ----a-w- c:\docume~1\Owner\APPLIC~1\vero.exe
2009-07-18 19:44 . 2004-09-07 00:54 83976 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 17:59 . 2009-05-03 16:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Norton
2009-07-18 17:57 . 2002-09-17 02:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-16 14:36 . 1980-01-01 05:00 81920 ----a-w- c:\winnt\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
2009-06-03 19:09 . 2003-08-17 06:35 1291264 ----a-w- c:\winnt\system32\quartz.dll
2009-05-07 15:32 . 1980-01-01 05:00 345600 ----a-w- c:\winnt\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 22:05 827392 ----a-w- c:\winnt\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\winnt\system32\ieencode.dll
2004-08-10 03:30 . 2006-05-10 19:14 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-03-06 01:08 . 2009-07-18 19:18 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"ServiceConfig"="c:\program files\Comcast\MigCfg\programs\ispbeg.exe" [2003-04-08 139264]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-03-23 778240]
"BitDefender Antiphishing Helper"="c:\program files\PCSecurityShield\BitDefender 2009\IEShow.exe" [2009-03-18 73728]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\winnt\system32\narrator.exe [2008-04-14 53760]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-1 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-9-16 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [7/19/2009 3:07 PM 130936]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [9/16/2002 7:57 PM 6736]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 3:07 PM 348752]
R3 bdfm;BDFM;c:\winnt\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
S2 gqcutvdpv;gqcutvdpv;\??\c:\winnt\system32\drivers\peviwkmskvqu.sys --> c:\winnt\system32\drivers\peviwkmskvqu.sys [?]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - mchInjDrv
*Deregistered* - SYMTDI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-True Sword 5 - c:\program files\True Sword 5\TrueSword5.exe
HKLM-Run-19653754 - c:\documents and settings\All Users\Application Data\19653754\19653754.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.comcast.net/
mLocal Page = \blank.htm
mStart Page = hxxp://www.google.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - hxxp://defender.veloz.com/pub/download/scandl_burst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 18:49
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3403473811-1161744426-439199626-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3384)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\PCSecurityShield\BitDefender 2009\vsserv.exe
c:\winnt\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\winnt\system32\NMSSvc.Exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-07-22 18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 01:59

Pre-Run: 54,578,401,280 bytes free
Post-Run: 55,154,147,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

361 --- E O F --- 2009-07-19 19:10

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 August 2009 - 10:26 AM

Hi there,

Thank you very much. :thumbup2: That's pretty yucky........I'd like for you to do the following, please:

Delete the ComboFix you have now, and its folder C:\Qoobox, and reboot your computer. I see you ran it on the 22nd of last month, and it's been updated several times since then. So please grab a fresh copy :

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#9 ci8irish

ci8irish
  • Topic Starter

  • Members
  • 7 posts

Posted 02 August 2009 - 01:03 PM

Combofix log as requested, Thanks!

ComboFix 09-08-01.09 - Owner 08/02/2009 10:32.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.238 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-07-27 01:29 . 2009-07-13 20:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 01:29 . 2009-07-27 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 01:29 . 2009-07-13 20:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-26 22:34 . 2009-07-26 22:34 -------- d-----w- C:\spoolerlogs
2009-07-21 23:09 . 2009-07-21 23:09 -------- d-----w- c:\program files\Trend Micro
2009-07-21 03:49 . 2009-07-21 03:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-21 03:49 . 2009-07-21 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-20 02:28 . 2009-07-21 02:14 -------- d-----w- c:\program files\True Sword 5
2009-07-19 22:08 . 2008-12-11 15:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-07-19 22:07 . 2009-07-19 22:31 130936 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-07-19 22:07 . 2008-12-18 19:16 73840 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-07-19 22:07 . 2009-07-19 22:16 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-19 22:07 . 2008-12-10 19:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-07-19 22:07 . 2009-07-25 23:16 -------- d-----w- c:\program files\Spyware Doctor
2009-07-19 22:07 . 2009-07-19 22:07 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-07-19 22:07 . 2009-07-19 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-19 21:03 . 2009-07-19 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\ConsumerSoft
2009-07-19 21:03 . 2009-07-19 21:14 -------- d-----w- c:\program files\ConsumerSoft
2009-07-19 18:48 . 2009-07-19 18:48 19781 ----a-w- c:\winnt\system32\umakuhosaz.scr
2009-07-19 18:48 . 2009-07-19 18:48 18619 ----a-w- c:\documents and settings\All Users\Application Data\fyxah.pif
2009-07-19 18:48 . 2009-07-19 18:48 17918 ----a-w- c:\documents and settings\Owner\Application Data\vero.exe
2009-07-19 18:48 . 2009-07-19 18:48 15199 ----a-w- c:\winnt\dypabe.pif
2009-07-19 18:48 . 2009-07-19 18:48 15084 ----a-w- c:\winnt\bulu.bat
2009-07-19 18:48 . 2009-07-19 18:48 13389 ----a-w- c:\winnt\exixisahi.reg
2009-07-19 18:48 . 2009-07-19 18:48 12626 ----a-w- c:\winnt\system32\ozyhocab.pif
2009-07-19 18:48 . 2009-07-19 18:48 11415 ----a-w- c:\winnt\fabah.vbs
2009-07-19 18:48 . 2009-07-19 18:48 11387 ----a-w- c:\winnt\zuhol.com
2009-07-19 18:48 . 2009-07-19 18:48 10188 ----a-w- c:\winnt\wowin.exe
2009-07-18 21:33 . 2009-08-02 17:41 81984 ----a-w- c:\winnt\system32\bdod.bin
2009-07-18 21:31 . 2009-07-18 21:31 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks32.exe
2009-07-18 21:31 . 2009-07-18 21:31 16141 ----a-w- c:\documents and settings\Owner\Application Data\BitDefender\megalon.exe
2009-07-18 21:31 . 2009-07-18 21:31 13221 ----a-w- c:\documents and settings\Owner\Application Data\Ahead\reniga.dll
2009-07-18 21:31 . 2009-07-18 21:31 131 ----a-w- c:\documents and settings\Owner\Application Data\AstroMenace\horsi.exe
2009-07-18 21:31 . 2009-07-18 21:31 11232 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\moha.exe
2009-07-18 19:10 . 2009-07-18 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\BitDefender
2009-07-18 19:09 . 2009-07-18 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-07-18 19:09 . 2009-07-18 19:09 -------- d-----w- c:\program files\PCSecurityShield
2009-07-18 19:05 . 2009-07-18 19:10 -------- d-----w- c:\program files\Common Files\BitDefender
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\winnt\system32\XPSViewer
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\program files\MSBuild
2009-07-18 18:21 . 2009-07-18 18:21 -------- d-----w- c:\program files\Reference Assemblies
2009-07-18 18:20 . 2008-07-06 12:06 89088 ------w- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 18:20 . 2008-07-06 12:06 575488 ------w- c:\winnt\system32\xpsshhdr.dll
2009-07-18 18:20 . 2008-07-06 12:06 575488 ------w- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-07-18 18:20 . 2008-07-06 12:06 1676288 ------w- c:\winnt\system32\xpssvcs.dll
2009-07-18 18:20 . 2008-07-06 12:06 1676288 ------w- c:\winnt\system32\dllcache\xpssvcs.dll
2009-07-18 18:20 . 2008-07-06 12:06 117760 ------w- c:\winnt\system32\prntvpt.dll
2009-07-18 18:20 . 2008-07-06 10:50 597504 ------w- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 18:20 . 2009-07-18 18:20 -------- d-----w- C:\506dfb967e43e28492
2009-07-18 18:19 . 2009-07-18 18:34 -------- d-----w- c:\winnt\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 17:44 . 2007-07-04 18:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-25 19:05 . 2009-07-25 19:05 25496 ----a-w- c:\winnt\system32\bda3E.tmp
2009-07-22 15:17 . 2004-09-07 00:54 82768 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 02:28 . 2007-12-10 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-21 02:27 . 2002-09-17 02:56 -------- d-----w- c:\program files\Microsoft Works
2009-07-19 18:49 . 2009-01-26 03:46 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 17:59 . 2009-05-03 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-18 17:57 . 2002-09-17 02:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\winnt\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\winnt\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 05:00 17408 ----a-w- c:\winnt\system32\corpol.dll
2009-06-27 20:47 . 2009-06-27 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-06-27 20:43 . 2009-06-27 20:32 146736 ----a-w- c:\winnt\hphins32.dat
2009-06-27 20:43 . 2009-06-27 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-27 20:39 . 2009-06-27 20:39 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-06-27 20:38 . 2009-06-27 20:38 -------- d-----w- c:\program files\HP
2009-06-16 14:36 . 1980-01-01 05:00 81920 ----a-w- c:\winnt\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
2009-06-03 19:09 . 2003-08-17 06:35 1291264 ----a-w- c:\winnt\system32\quartz.dll
2009-05-07 15:32 . 1980-01-01 05:00 345600 ----a-w- c:\winnt\system32\localspl.dll
2004-08-10 03:30 . 2006-05-10 19:14 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-03-06 01:08 . 2009-07-18 19:18 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"ServiceConfig"="c:\program files\Comcast\MigCfg\programs\ispbeg.exe" [2003-04-08 139264]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-03-23 778240]
"BitDefender Antiphishing Helper"="c:\program files\PCSecurityShield\BitDefender 2009\IEShow.exe" [2009-03-18 73728]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\winnt\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-1 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-9-16 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [7/19/2009 3:07 PM 130936]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [9/16/2002 7:57 PM 6736]
R3 bdfm;BDFM;c:\winnt\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
S2 gqcutvdpv;gqcutvdpv;\??\c:\winnt\system32\drivers\peviwkmskvqu.sys --> c:\winnt\system32\drivers\peviwkmskvqu.sys [?]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 3:07 PM 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - SYMTDI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.comcast.net/
mLocal Page = \blank.htm
mStart Page = hxxp://www.google.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - hxxp://defender.veloz.com/pub/download/scandl_burst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 10:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3403473811-1161744426-439199626-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3792)
c:\winnt\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\winnt\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\PCSecurityShield\BitDefender 2009\vsserv.exe
c:\winnt\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\winnt\system32\NMSSvc.Exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-08-02 10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-02 17:49
ComboFix2.txt 2009-07-25 22:45

Pre-Run: 54,877,917,184 bytes free
Post-Run: 54,882,729,984 bytes free

207 --- E O F --- 2009-07-29 14:00
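
The service and driver lines in the log above (the `R0`/`R2`/`S2`/`S3` block) are where a reviewer looks first, and two of them stand out: the file is redirected with `-->` and marked `[?]`, and one carries a name with no readable structure. The script below is an added example for this thread, not part of ComboFix or of the poster's log. It parses lines of that shape, flags entries whose file ComboFix marked `[?]` (taken here as an assumption to mean the file could not be found or sized) and entries whose service or file name looks machine generated. `SAMPLE_LINES` are copied from the posted log.

```python
"""Triage of ComboFix service/driver lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# R0/R2/R3 = running, S2/S3 = stopped (ComboFix's convention); then
# name;display name;path [date size]  or  name;display;\??\path --> path [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Copied from the posted log.
SAMPLE_LINES = [
    r"R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [7/19/2009 3:07 PM 130936]",
    r"R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]",
    r"R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [9/16/2002 7:57 PM 6736]",
    r"R3 bdfm;BDFM;c:\winnt\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]",
    r"S2 gqcutvdpv;gqcutvdpv;\??\c:\winnt\system32\drivers\peviwkmskvqu.sys --> c:\winnt\system32\drivers\peviwkmskvqu.sys [?]",
    r"S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]",
    r"S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]",
    r"S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 3:07 PM 348752]",
]


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_missing: bool   # ComboFix wrote '[?]' instead of a date/size (assumed: not found)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    # The path ends at the ' --> ' redirect or at the ' [date size]' block.
    path = re.split(r"\s+-->\s+|\s+\[", rest, maxsplit=1)[0]
    prefix = "\\??\\"            # NT object-manager form of a Win32 path
    if path.startswith(prefix):
        path = path[len(prefix):]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        path, rest.endswith("[?]"))


def looks_random(name: str) -> bool:
    """Heuristic: 8+ lowercase letters with almost no vowels (e.g. 'gqcutvdpv')."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    vowels = sum(c in "aeiouy" for c in name)
    return vowels / len(name) <= 0.25


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every entry that deserves a second look."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.file_missing:
            reasons.append(f"file not found: {entry.path}")
        stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(entry.name) or looks_random(stem):
            reasons.append("random-looking service or file name")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES):
        print(name, "->", "; ".join(reasons))
```

Run against the posted lines it reports `gqcutvdpv` (missing file and random-looking names) and `PCDRDRV` (missing file only). A missing file by itself is often just a leftover from an uninstalled product, as PC-Doctor's helper driver is likely to be here; the combination with a random name is what makes an entry worth investigating rather than merely cleaning up.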

#10 teacup61 (Bleepin' Texan!)
Malware Response Team, Wills Point, Texas (17,075 posts)

Posted 02 August 2009 - 01:20 PM

Hi there,

Could you please upload a file for analysis? It would be a great help for us.

Please navigate to the following file:

c:\documents and settings\Owner\Application Data\BitDefender\megalon.exe

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
#11 ci8irish (Topic Starter)
Members (7 posts)

Posted 02 August 2009 - 03:53 PM

Here you go:

File megalon.exe received on 2009.08.02 20:53:44 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.02 -
AhnLab-V3 5.0.0.2 2009.08.01 -
AntiVir 7.9.0.238 2009.08.02 -
Antiy-AVL 2.0.3.7 2009.07.31 -
Authentium 5.1.2.4 2009.08.02 -
Avast 4.8.1335.0 2009.08.02 -
AVG 8.5.0.406 2009.08.02 -
BitDefender 7.2 2009.08.02 -
CAT-QuickHeal 10.00 2009.07.30 -
ClamAV 0.94.1 2009.08.02 -
Comodo 1842 2009.08.02 -
DrWeb 5.0.0.12182 2009.08.02 -
eSafe 7.0.17.0 2009.07.30 -
eTrust-Vet 31.6.6650 2009.08.01 -
F-Prot 4.4.4.56 2009.08.02 -
F-Secure 8.0.14470.0 2009.08.01 -
Fortinet 3.120.0.0 2009.08.02 -
GData 19 2009.08.02 -
Ikarus T3.1.1.64.0 2009.08.02 -
Jiangmin 11.0.800 2009.08.02 -
K7AntiVirus 7.10.808 2009.08.01 -
Kaspersky 7.0.0.125 2009.08.02 -
McAfee 5696 2009.08.02 -
McAfee+Artemis 5696 2009.08.02 -
McAfee-GW-Edition 6.8.5 2009.08.02 -
Microsoft 1.4903 2009.08.02 -
NOD32 4299 2009.08.02 -
Norman 6.01.09 2009.07.31 -
nProtect 2009.1.8.0 2009.08.02 -
Panda 10.0.0.14 2009.08.02 -
PCTools 4.4.2.0 2009.08.02 -
Prevx 3.0 2009.08.02 -
Rising 21.40.62.00 2009.08.02 -
Sophos 4.44.0 2009.08.02 -
Sunbelt 3.2.1858.2 2009.08.02 -
Symantec 1.4.4.12 2009.08.02 -
TheHacker 6.3.4.3.375 2009.08.01 -
TrendMicro 8.950.0.1094 2009.07.31 -
VBA32 3.12.10.9 2009.08.02 -
ViRobot 2009.7.31.1863 2009.07.31 -
VirusBuster 4.6.5.0 2009.08.02 -

Additional information
File size: 16141 bytes
MD5...: 03a83f37a6029569860b70215df43b23
SHA1..: f65f538598d7677458d4e7cc91454173cd330d0a
SHA256: b2479aae7dd272d8452958df742d101d90f9c248328e87b683dc03a9509d051c
ssdeep: 192:njlsBthI395/IkRy8pls9P8RXhp/zzdA8H/pUgpwz4q9TFiZn:iOzAkRyyly8RXfzdbfpUA04i+
PEiD..: -
TrID..: File type identification
        Generic Win/DOS Executable (49.9%)
        DOS Executable Generic (49.8%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
        -
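
A VirusTotal report like the one above is only useful if the digests in its "Additional information" block match the file actually sitting on the disk, and the per-engine table has to be read as a count of detections rather than eyeballed. The script below is an added example for this thread, not VirusTotal's code: it parses the plain-text report format shown above, computes the same size and MD5/SHA1/SHA256 for a local byte string, reports which fields match, and counts how many engines flagged the file (`-` meaning clean). `SAMPLE_REPORT` is constructed in the posted format: its digests are those of the three-byte stand-in file `b"abc"`, and the `ExampleAV` detection line is invented to exercise the counter.

```python
"""Match a local sample against a VirusTotal text report (added example)."""
import hashlib
import re
from typing import Dict, Tuple

# "<engine> <version> <yyyy.mm.dd> <result>"; result '-' means no detection.
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s+bytes")

SAMPLE_FILE = b"abc"   # constructed stand-in for the submitted executable

# Constructed in the posted report format; digests are those of b"abc".
SAMPLE_REPORT = """\
File megalon.exe received on 2009.08.02 20:53:44 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.02 -
BitDefender 7.2 2009.08.02 -
Kaspersky 7.0.0.125 2009.08.02 -
ExampleAV 1.0 2009.08.02 Trojan.Generic.Sample
Additional information
File size: 3 bytes
MD5...: 900150983cd24fb0d6963f7d28e17f72
SHA1..: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def fingerprint(data: bytes) -> Dict[str, str]:
    """Size and digests in the same fields VirusTotal reports."""
    return {
        "size": str(len(data)),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def parse_report(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (reported size/digests, {engine: result}) from the text report."""
    reported: Dict[str, str] = {}
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = DIGEST_RE.match(line)
        if m:
            reported[m.group(1)] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            reported["size"] = m.group(1)
            continue
        m = ENGINE_RE.match(line)
        if m:
            results[m.group(1)] = m.group(4)
    return reported, results


def detections(results: Dict[str, str]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in results.values() if r != "-")
    return hits, len(results)


def verify(data: bytes, report: str) -> Dict[str, bool]:
    """True per field when the local file matches what the report describes."""
    reported, _ = parse_report(report)
    return {k: reported.get(k) == v for k, v in fingerprint(data).items()}


if __name__ == "__main__":
    digests, results = parse_report(SAMPLE_REPORT)
    print("fields match:", verify(SAMPLE_FILE, SAMPLE_REPORT))
    print("detections: %d/%d" % detections(results))
```

For a real file, read it in binary mode and pass the bytes to `verify`; a `size` match with digest mismatches means the file on disk is not the one that was scanned. A 0/41 result, as in the posted report, says only that no engine had a signature for that file on that day; it does not make the file benign, which is why the helper asked for the sample rather than relying on the scan alone.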


#12 Maurice Naggar (Eradicator de malware)
Malware Response Team, USA (1,088 posts)

Posted 21 August 2009 - 09:28 PM

Hello ci8irish,

I will be helping, going forward. While the rootkits are gone, this system appears to have (at least) remnants of the HomeAntivirus rogue. Please do the following:

I highly recommend a full scan with MBAM, after you update to latest version.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2672 or later. The latest program version is 1.40

If you are prompted to allow a Restart for it to apply the new version, please allow that and then restart MBAM again

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=
A new run of DDS which you already have:
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include DDS.txt in your next reply.

=
Next,
Go >> here <<
and download RootRepeal and SAVE to your Desktop.

Double-click the RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects


You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=

Reply with a copy of the new MBAM scan log, the DDS.txt and the RootRepeal.txt.

I do not need Attach.txt.

Edited by Maurice Naggar, 21 August 2009 - 09:32 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 Maurice Naggar (Eradicator de malware)
Malware Response Team, USA (1,088 posts)

Posted 08 September 2009 - 10:14 AM

This thread is closed due to lack of response. If you still have issues & need this re-opened, send a PM to me or a moderator.
This applies only to the original poster.