a so far unidentified redirect


  • This topic is locked
13 replies to this topic

#1 oh ok

  • Members
  • 19 posts
  • Local time:10:47 AM

Posted 11 August 2009 - 05:40 AM

So this all started a little earlier this morning when a program named AC Scan or AV Scan took over my computer. It would invade my desktop and started redirecting my internet. I removed it from the registry and deleted the files, which seems to have stopped the pop-ups, but I'm still getting browser redirects and generally suspicious behavior. I have tried to run Malwarebytes Anti-Malware but it will not run.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dad at 6:30:35.71 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1338 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\b.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NordBull] c:\windows\msb.exe
uRun: [Monopod] c:\docume~1\dad\locals~1\temp\b.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [net] "c:\windows\system32\net.net"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\little shop - road trip\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190405697781
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\little shop - road trip\images\armhelper.ocx

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-11 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-11 352920]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2007-10-17 23936]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-08-11 04:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 04:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 04:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 04:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 04:13 144,896 a------- c:\windows\msb.exe
2009-08-11 04:05 <DIR> --d----- c:\docume~1\dad\applic~1\Logs
2009-08-11 03:58 144,896 a------- c:\windows\msa.exe
2009-08-11 03:58 207,364 a------- c:\windows\system32\msxml71.dll
2009-08-11 03:57 70,656 a------- c:\windows\system32\drivers\SKYNETursuwndy.sys
2009-08-11 03:57 44,544 a------- c:\windows\system32\SKYNETjycuqqjo.dll
2009-08-11 03:57 70,656 a------- c:\windows\system32\drivers\SKYNETmwwwxnye.sys
2009-08-11 03:57 44,544 a------- c:\windows\system32\SKYNETbgkucftd.dll
2009-08-11 03:57 164,622 a------- c:\windows\system32\net.net
2009-08-11 03:48 <DIR> --d----- c:\program files\uTorrent
2009-08-11 03:47 <DIR> --d----- c:\docume~1\dad\applic~1\uTorrent
2009-08-10 01:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2009-08-10 00:48 <DIR> --d----- c:\program files\Microsoft Games
2009-08-10 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-08-10 00:43 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-08-10 00:40 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-10 00:40 <DIR> --d----- c:\docume~1\dad\applic~1\DAEMON Tools Lite
2009-08-09 17:20 32,738 a------- c:\windows\scunin.dat
2009-08-09 17:20 94,208 a------- c:\windows\ScUnin.exe
2009-08-09 17:20 967 a------- c:\windows\ScUnin.pif
2009-08-09 17:19 <DIR> --d----- c:\program files\Starcraft
2009-07-19 16:20 36,576 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-08-11 05:55 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-10 20:44 138,784 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-10 20:44 202,008 a------- c:\windows\system32\PnkBstrB.exe
2009-05-02 20:21 22,328 a------- c:\docume~1\dad\applic~1\PnkBstrK.sys

============= FINISH: 6:31:32.92 ===============

#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 08:43 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 oh ok

  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:47 AM

Posted 11 August 2009 - 10:29 AM

I was able to install and run MBAM through a method to be detailed in a later post.

The computer instability and insanity problems appear to be gone; however, I am still receiving browser redirects.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dad at 11:23:11.78 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1454 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\little shop - road trip\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190405697781
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\little shop - road trip\images\armhelper.ocx
AppInit_DLLs: cru629.dat

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-11 38160]
RUnknown ayilbh;ayilbh; [x]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2007-10-17 23936]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-08-11 10:48 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-08-11 10:25 19,263 a------- c:\program files\common files\evygyvi.scr
2009-08-11 10:25 18,847 a------- c:\windows\zyfabiti.dll
2009-08-11 10:25 18,724 a------- c:\docume~1\dad\applic~1\sive.dat
2009-08-11 10:25 18,543 a------- c:\windows\qonoxaliji.lib
2009-08-11 10:25 17,707 a------- c:\docume~1\dad\applic~1\etohufi.scr
2009-08-11 10:25 17,665 a------- c:\docume~1\dad\applic~1\qupeviz.vbs
2009-08-11 10:25 17,127 a------- c:\windows\system32\gyko.dll
2009-08-11 10:25 16,967 a------- c:\docume~1\alluse~1\applic~1\kipu.reg
2009-08-11 10:25 16,404 a------- c:\windows\cysasul.inf
2009-08-11 10:25 15,806 a------- c:\windows\kubo.com
2009-08-11 10:25 12,824 a------- c:\windows\vajypage.bat
2009-08-11 10:25 11,710 a------- c:\docume~1\alluse~1\applic~1\ogagisi.bin
2009-08-11 10:25 11,043 a------- c:\windows\ramuk.lib
2009-08-11 10:25 10,314 a------- c:\docume~1\dad\applic~1\agexami.vbs
2009-08-11 10:00 10,752 a------- c:\windows\DCEBoot.exe
2009-08-11 04:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 04:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 04:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 04:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 04:05 <DIR> --d----- c:\docume~1\dad\applic~1\Logs
2009-08-10 01:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2009-08-10 00:48 <DIR> --d----- c:\program files\Microsoft Games
2009-08-10 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-08-10 00:43 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-08-10 00:40 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-10 00:40 <DIR> --d----- c:\docume~1\dad\applic~1\DAEMON Tools Lite
2009-08-09 17:20 32,738 a------- c:\windows\scunin.dat
2009-08-09 17:20 94,208 a------- c:\windows\ScUnin.exe
2009-08-09 17:20 967 a------- c:\windows\ScUnin.pif
2009-08-09 17:19 <DIR> --d----- c:\program files\Starcraft
2009-07-19 16:20 36,576 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-08-11 11:17 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-10 20:44 138,784 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-10 20:44 202,008 a------- c:\windows\system32\PnkBstrB.exe
2009-05-02 20:21 22,328 a------- c:\docume~1\dad\applic~1\PnkBstrK.sys

============= FINISH: 11:24:55.35 ===============

And here are the MBAM logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/11/2009 10:55:42 AM
mbam-log-2009-08-11 (10-55-42).txt

Scan type: Quick Scan
Objects scanned: 97532
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\msb.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nordbull (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\Documents and Settings\Dad\Local Settings\Temp\mxsrwenoca.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\nasoemcxwr.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\neomxcawsr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\xnmoecawrs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Desktop\PC_Antispyware2010.lnk (Rogue.PCAntispy) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETbgkucftd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETjycuqqjo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\SKYNETmwwwxnye.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\SKYNETursuwndy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\Documents and Settings\Dad\Local Settings\Temp\mxsrwenoca.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\nasoemcxwr.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\neomxcawsr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\xnmoecawrs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Desktop\PC_Antispyware2010.lnk (Rogue.PCAntispy) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETbgkucftd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETjycuqqjo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\SKYNETmwwwxnye.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\SKYNETursuwndy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.40
Database version: 2602
Windows 5.1.2600 Service Pack 3

8/11/2009 11:05:21 AM
mbam-log-2009-08-11 (11-05-21).txt

Scan type: Quick Scan
Objects scanned: 96881
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dad\Local Settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\c.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\ecsaronwmx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\escwnoraxm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\f.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\msxml71.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\J39MJKXY\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Additional scans return a few trojan agents or trojan downloaders which claim to be deleted on reboot.

Edited by oh ok, 11 August 2009 - 10:42 AM.
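The logs above follow the fixed Malwarebytes' Anti-Malware 1.x text layout (summary counts, then one "<item> (<Category>) -> <action>." line per detection). As an added example that is not part of this thread or of MBAM, here is a small parser that pulls out the items only scheduled for "Delete on reboot" (the ones worth re-checking after a restart) and cross-checks the header counts against the lines actually present, which catches a truncated paste. The sample log is constructed from a few lines quoted in this thread.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs (the format posted in this thread).

Added example; not code from MBAM or from anyone in this thread.
"""
import re
from collections import Counter

# One detection line:  <item> (<Category.Name>) -> <action>.
# Registry data items carry an extra "-> Bad: (n) Good: (m)" between category and action.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[\w.]+)\)"
    r"(?: -> Bad: \(\d+\) Good: \(\d+\))? -> (?P<action>.+?)\.?$"
)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Constructed sample, assembled from lines quoted in this thread (shortened).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 97532

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\msb.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return (summary_counts, detections); each detection is a dict with
    section, item, category and action."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # "Files Infected: 41"
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "Files Infected:" starts a section
            section = m.group("section")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def pending_reboot(detections):
    """Items MBAM could not remove immediately; confirm they are gone after the restart."""
    return [d["item"] for d in detections if d["action"].startswith("Delete on reboot")]


def category_tally(detections):
    """How many detections per MBAM category name (Trojan.Agent, Rogue.*, ...)."""
    return Counter(d["category"] for d in detections)


def summary_mismatch(summary, detections):
    """Sections whose header count differs from the detection lines present.
    Returns {section: (declared, found)}; non-empty means a truncated or merged paste."""
    found = Counter(d["section"] for d in detections)
    return {s: (n, found.get(s, 0)) for s, n in summary.items() if n != found.get(s, 0)}


if __name__ == "__main__":
    summary, detections = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(detections), dict(category_tally(detections)))
    print("re-check after reboot:", pending_reboot(detections))
    print("count mismatches:", summary_mismatch(summary, detections))
```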


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 10:44 AM

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 oh ok

oh ok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 11 August 2009 - 11:49 AM

ComboFix 09-08-10.06 - Dad 08/11/2009 12:35.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1749 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Local Settings\Temporary Internet Files\oqohysote.ban
c:\documents and settings\Dad\Local Settings\Temporary Internet Files\rexawi.dll
c:\documents and settings\Dad\Local Settings\Temporary Internet Files\rococ.dat
c:\windows\Installer\763915.msi
c:\windows\system32\drivers\UACxdltprumoq.sys
c:\windows\system32\UACboevxfmqho.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACirjixmybwo.dat
c:\windows\system32\UACnwihwyktql.db
c:\windows\system32\UACortgiwwufe.dll
c:\windows\system32\UACrovymospaa.dll
c:\windows\system32\UACxypkhbodas.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 16:25 . 2009-01-08 00:52 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-08-11 14:48 . 2009-08-11 14:48 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-08-11 14:48 . 2009-08-11 08:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 14:39 . 2009-08-11 14:00 10752 ----a-w- c:\windows\DCEBoot.exe
2009-08-11 08:45 . 2009-08-11 08:45 -------- d-----w- c:\program files\Alwil Software
2009-08-11 08:28 . 2009-08-11 08:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-11 08:05 . 2009-08-11 08:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Logs
2009-08-11 00:44 . 2007-09-21 21:47 138784 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-11 00:44 . 2007-09-21 21:46 202008 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-10 16:48 . 2008-10-09 01:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-10 07:25 . 2007-09-21 19:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-10 05:13 . 2009-08-10 05:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Age of Empires 3
2009-08-10 04:48 . 2009-08-10 04:48 -------- d-----w- c:\program files\Microsoft Games
2009-08-10 04:46 . 2009-08-10 04:40 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Lite
2009-08-10 04:44 . 2009-08-10 04:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Lite
2009-08-10 04:43 . 2009-08-10 04:43 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-10 04:43 . 2009-08-09 21:19 -------- d-----w- c:\program files\Starcraft
2009-08-10 04:40 . 2009-08-10 04:40 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-10 03:07 . 2007-11-12 20:43 -------- d-----w- c:\documents and settings\Dad\Application Data\Azureus
2009-08-09 21:28 . 2009-08-09 21:20 32738 ----a-w- c:\windows\scunin.dat
2009-08-09 21:28 . 2009-08-09 21:20 967 ----a-w- c:\windows\ScUnin.pif
2009-08-09 21:28 . 2009-08-09 21:20 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-09 11:30 . 2007-11-11 17:11 -------- d-----w- c:\documents and settings\Dad\Application Data\dvdcss
2009-08-06 17:57 . 2009-03-14 20:23 -------- d-----w- c:\documents and settings\Dad\Application Data\vlc
2009-08-03 17:36 . 2009-08-11 08:28 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-11 08:28 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 20:20 . 2009-07-19 20:20 36576 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-02 23:59 . 2009-06-02 23:59 10134 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2007-12-26 00:21 . 2007-12-26 00:20 24 --sha-w- c:\windows\SFA96A780.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-07 1626112]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-2 333088]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-9-28 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Dad\\Games\\Return to Castle Wolfenstein on Snowwhite\\WolfMP.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Documents and Settings\\Dad\\Desktop\\Wolf 2\\Wolf2MP.exe"=
"c:\\Documents and Settings\\Dad\\Desktop\\Wolf 2\\Wolf2MPLite.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [10/17/2007 7:18 PM 23936]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETijjrxbrq]
"imagepath"="\systemroot\system32\drivers\SKYNETmwwwxnye.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETltvgtqoh]
"imagepath"="\systemroot\system32\drivers\SKYNETursuwndy.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1647877149-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,75,c9,13,c7,f1,cc,4f,fa,94,8d,cf,63,bc,d9,a9,fb,05,d3,6c,2b,b3,0f,
6c,26,7d,33,f3,88,a2,c2,bc,7e,b3,5b,3b,f2,b5,d5,d2,bd,51,f0,3e,98,19,ef,62,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1390067357-1647877149-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:d8,82,90,44,20,2f,61,70,d4,df,87,28,73,0c,cb,28,a4,f5,d7,54,63,
f1,58,24,1b,1b,ce,62,5e,04,14,3f,4e,9d,c1,d4,ac,6a,a6,b5,2d,ea,2b,41,c6,01,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETijjrxbrq]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETmwwwxnye.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETltvgtqoh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETursuwndy.sys"
.
Completion time: 2009-08-11 12:46
ComboFix-quarantined-files.txt 2009-08-11 16:46

Pre-Run: 56,845,627,392 bytes free
Post-Run: 57,418,522,624 bytes free

162 --- E O F --- 2009-05-17 04:43




DDS (Ver_09-07-30.01) - NTFSx86
Run by Dad at 12:48:35.03 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1590 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\little shop - road trip\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190405697781
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\little shop - road trip\images\armhelper.ocx

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2007-10-17 23936]

=============== Created Last 30 ================

2009-08-11 12:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-11 12:30 <DIR> --ds---- C:\Combo-Fix
2009-08-11 12:27 <DIR> --d----- C:\cmdcons
2009-08-11 12:26 216,064 a------- c:\windows\PEV.exe
2009-08-11 12:26 161,792 a------- c:\windows\SWREG.exe
2009-08-11 12:26 98,816 a------- c:\windows\sed.exe
2009-08-11 10:48 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-08-11 10:25 19,263 a------- c:\program files\common files\evygyvi.scr
2009-08-11 10:25 18,847 a------- c:\windows\zyfabiti.dll
2009-08-11 10:25 18,724 a------- c:\docume~1\dad\applic~1\sive.dat
2009-08-11 10:25 18,543 a------- c:\windows\qonoxaliji.lib
2009-08-11 10:25 17,707 a------- c:\docume~1\dad\applic~1\etohufi.scr
2009-08-11 10:25 17,665 a------- c:\docume~1\dad\applic~1\qupeviz.vbs
2009-08-11 10:25 17,127 a------- c:\windows\system32\gyko.dll
2009-08-11 10:25 16,967 a------- c:\docume~1\alluse~1\applic~1\kipu.reg
2009-08-11 10:25 16,404 a------- c:\windows\cysasul.inf
2009-08-11 10:25 15,806 a------- c:\windows\kubo.com
2009-08-11 10:25 12,824 a------- c:\windows\vajypage.bat
2009-08-11 10:25 11,710 a------- c:\docume~1\alluse~1\applic~1\ogagisi.bin
2009-08-11 10:25 11,043 a------- c:\windows\ramuk.lib
2009-08-11 10:25 10,314 a------- c:\docume~1\dad\applic~1\agexami.vbs
2009-08-11 10:00 10,752 a------- c:\windows\DCEBoot.exe
2009-08-11 04:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 04:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 04:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 04:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 04:05 <DIR> --d----- c:\docume~1\dad\applic~1\Logs
2009-08-10 01:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2009-08-10 00:48 <DIR> --d----- c:\program files\Microsoft Games
2009-08-10 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-08-10 00:43 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-08-10 00:40 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-10 00:40 <DIR> --d----- c:\docume~1\dad\applic~1\DAEMON Tools Lite
2009-08-09 17:20 32,738 a------- c:\windows\scunin.dat
2009-08-09 17:20 94,208 a------- c:\windows\ScUnin.exe
2009-08-09 17:20 967 a------- c:\windows\ScUnin.pif
2009-08-09 17:19 <DIR> --d----- c:\program files\Starcraft
2009-07-19 16:20 36,576 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-08-11 12:25 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-10 20:44 138,784 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-10 20:44 202,008 a------- c:\windows\system32\PnkBstrB.exe
2009-05-02 20:21 22,328 a------- c:\docume~1\dad\applic~1\PnkBstrK.sys

============= FINISH: 12:48:38.70 ===============


The browser redirection is no longer an issue; everything appears to be in working order.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 12:07 PM

Hi,

Both logs are confusing since they don't make sense and don't match...
No need to post the DDS log afterwards, I only need the Combofix log since that already lists the same (and avoids confusion).

We're not finished yet though..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\program files\common files\evygyvi.scr
c:\windows\zyfabiti.dll
c:\docume~1\dad\applic~1\sive.dat
c:\windows\qonoxaliji.lib
c:\docume~1\dad\applic~1\etohufi.scr
c:\docume~1\dad\applic~1\qupeviz.vbs
c:\windows\system32\gyko.dll
c:\docume~1\alluse~1\applic~1\kipu.reg
c:\windows\cysasul.inf
c:\windows\kubo.com
c:\windows\vajypage.bat
c:\docume~1\alluse~1\applic~1\ogagisi.bin
c:\windows\ramuk.lib
c:\docume~1\dad\applic~1\agexami.vbs
C:\windows\system32\drivers\SKYNETmwwwxnye.sys
C:\Windows\system32\drivers\SKYNETursuwndy.sys
Driver::
SKYNETijjrxbrq
SKYNETltvgtqoh
REGLOCKDEL::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETltvgtqoh]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETijjrxbrq]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 oh ok

oh ok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:47 AM

Posted 11 August 2009 - 12:33 PM

I added the script to ComboFix and after scanning and rebooting the computer, Internet Explorer no longer runs. It shows a 'sorry for the inconvenience' message with the option of sending a report. The report is EventType : InPageError P1: c000026e P2: 00000000. The technical data gives the following: C:\DOCUME~1\Dad\LOCALS~1\Temp\WERdcea.dir00\iexplore.exe.mdmp

No ComboFix log file was made.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 12:38 PM

Can you run Combofix once again without the script?
Because it looks like you've probably done something wrong here...

Then post the log in your next reply.

#9 oh ok

oh ok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:47 AM

Posted 11 August 2009 - 01:02 PM

ComboFix would not run. I attempted to restart the computer, but as soon as I touched the shut down button the screen would go black for a few seconds and the desktop would appear as though I had just booted. After manually turning the machine off then on, chkdsk ran during the next boot cycle. This time around Internet Explorer was functional again.

ComboFix 09-08-10.06 - Dad 08/11/2009 13:51.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1547 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\alluse~1\applic~1\kipu.reg
c:\docume~1\alluse~1\applic~1\ogagisi.bin
c:\docume~1\dad\applic~1\agexami.vbs
c:\docume~1\dad\applic~1\etohufi.scr
c:\docume~1\dad\applic~1\qupeviz.vbs
c:\docume~1\dad\applic~1\sive.dat
c:\program files\common files\evygyvi.scr
c:\windows\cysasul.inf
c:\windows\Installer\38219.msi
c:\windows\kubo.com
c:\windows\qonoxaliji.lib
c:\windows\ramuk.lib
c:\windows\system32\gyko.dll
c:\windows\vajypage.bat
c:\windows\zyfabiti.dll



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETijjrxbrq
-------\Legacy_SKYNETltvgtqoh
-------\Service_SKYNETltvgtqoh


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 17:50 . 2008-10-09 01:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-11 17:49 . 2009-01-08 00:52 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-08-11 17:03 . 2007-09-21 19:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-11 14:48 . 2009-08-11 14:48 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-08-11 14:48 . 2009-08-11 08:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 14:39 . 2009-08-11 14:00 10752 ----a-w- c:\windows\DCEBoot.exe
2009-08-11 14:25 . 2009-08-11 14:25 11968 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\ucyhyd.pif
2009-08-11 08:45 . 2009-08-11 08:45 -------- d-----w- c:\program files\Alwil Software
2009-08-11 08:28 . 2009-08-11 08:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-11 08:05 . 2009-08-11 08:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Logs
2009-08-11 00:44 . 2007-09-21 21:47 138784 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-11 00:44 . 2007-09-21 21:46 202008 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-10 05:13 . 2009-08-10 05:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Age of Empires 3
2009-08-10 04:48 . 2009-08-10 04:48 -------- d-----w- c:\program files\Microsoft Games
2009-08-10 04:46 . 2009-08-10 04:40 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Lite
2009-08-10 04:44 . 2009-08-10 04:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Lite
2009-08-10 04:43 . 2009-08-10 04:43 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-10 04:43 . 2009-08-09 21:19 -------- d-----w- c:\program files\Starcraft
2009-08-10 04:40 . 2009-08-10 04:40 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-10 03:07 . 2007-11-12 20:43 -------- d-----w- c:\documents and settings\Dad\Application Data\Azureus
2009-08-09 21:28 . 2009-08-09 21:20 32738 ----a-w- c:\windows\scunin.dat
2009-08-09 21:28 . 2009-08-09 21:20 967 ----a-w- c:\windows\ScUnin.pif
2009-08-09 21:28 . 2009-08-09 21:20 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-09 11:30 . 2007-11-11 17:11 -------- d-----w- c:\documents and settings\Dad\Application Data\dvdcss
2009-08-06 17:57 . 2009-03-14 20:23 -------- d-----w- c:\documents and settings\Dad\Application Data\vlc
2009-08-03 17:36 . 2009-08-11 08:28 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-11 08:28 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 20:20 . 2009-07-19 20:20 36576 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-02 23:59 . 2009-06-02 23:59 10134 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2007-12-26 00:21 . 2007-12-26 00:20 24 --sha-w- c:\windows\SFA96A780.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-08-11_16.45.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 17:49 . 2009-08-11 17:49 16384 c:\windows\Temp\Perflib_Perfdata_508.dat
+ 2009-08-11 17:49 . 2009-08-11 17:49 16384 c:\windows\Temp\Perflib_Perfdata_4cc.dat
+ 2009-08-11 17:20 . 2009-08-11 17:20 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-11 17:20 . 2009-08-11 17:20 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-11 17:20 . 2009-08-11 17:20 167936 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 17:20 . 2009-08-11 17:20 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 17:20 . 2009-08-11 17:20 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 17:20 . 2009-08-11 17:20 9596928 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-07 1626112]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-2 333088]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-9-28 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Dad\\Games\\Return to Castle Wolfenstein on Snowwhite\\WolfMP.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Documents and Settings\\Dad\\Desktop\\Wolf 2\\Wolf2MP.exe"=
"c:\\Documents and Settings\\Dad\\Desktop\\Wolf 2\\Wolf2MPLite.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [10/17/2007 7:18 PM 23936]
SUnknown GVTDrv;GVTDrv; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1647877149-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,75,c9,13,c7,f1,cc,4f,fa,94,8d,cf,63,bc,d9,a9,fb,05,d3,6c,2b,b3,0f,
6c,26,7d,33,f3,88,a2,c2,bc,7e,b3,5b,3b,f2,b5,d5,d2,bd,51,f0,3e,98,19,ef,62,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1390067357-1647877149-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:d8,82,90,44,20,2f,61,70,d4,df,87,28,73,0c,cb,28,a4,f5,d7,54,63,
f1,58,24,1b,1b,ce,62,5e,04,14,3f,4e,9d,c1,d4,ac,6a,a6,b5,2d,ea,2b,41,c6,01,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2096)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-08-11 14:01
ComboFix-quarantined-files.txt 2009-08-11 18:01
ComboFix2.txt 2009-08-11 16:46

Pre-Run: 60,383,260,672 bytes free
Post-Run: 60,337,926,144 bytes free

171 --- E O F --- 2009-05-17 04:43
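As an added check that is not part of the thread and not ComboFix's own code, the script below cross-references the CFScript from reply #6 against the ComboFix log in reply #9: it parses the File:: and Driver:: sections of the script and the "Other Deletions" and "Drivers/Services" sections of the log, then reports which requested items the log actually confirms as removed. Both inputs are constructed here from the posts above (the REGLOCKDEL section and the rest of the log are left out), and the banner and section layout it assumes is the one visible in the log as posted. Run on these inputs it confirms 14 of the 16 listed files and both SKYNET services; the two SKYNET .sys driver files are not named under "Other Deletions", so the log alone does not say what happened to them, and one file (38219.msi) was removed that the script never asked for.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the CFScript from reply #6 (REGLOCKDEL section omitted).
CFSCRIPT = r"""File::
c:\program files\common files\evygyvi.scr
c:\windows\zyfabiti.dll
c:\docume~1\dad\applic~1\sive.dat
c:\windows\qonoxaliji.lib
c:\docume~1\dad\applic~1\etohufi.scr
c:\docume~1\dad\applic~1\qupeviz.vbs
c:\windows\system32\gyko.dll
c:\docume~1\alluse~1\applic~1\kipu.reg
c:\windows\cysasul.inf
c:\windows\kubo.com
c:\windows\vajypage.bat
c:\docume~1\alluse~1\applic~1\ogagisi.bin
c:\windows\ramuk.lib
c:\docume~1\dad\applic~1\agexami.vbs
C:\windows\system32\drivers\SKYNETmwwwxnye.sys
C:\Windows\system32\drivers\SKYNETursuwndy.sys
Driver::
SKYNETijjrxbrq
SKYNETltvgtqoh
"""

# Constructed sample: the two relevant sections of the ComboFix log from reply #9.
COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
---- Previous Run -------
c:\docume~1\alluse~1\applic~1\kipu.reg
c:\docume~1\alluse~1\applic~1\ogagisi.bin
c:\docume~1\dad\applic~1\agexami.vbs
c:\docume~1\dad\applic~1\etohufi.scr
c:\docume~1\dad\applic~1\qupeviz.vbs
c:\docume~1\dad\applic~1\sive.dat
c:\program files\common files\evygyvi.scr
c:\windows\cysasul.inf
c:\windows\Installer\38219.msi
c:\windows\kubo.com
c:\windows\qonoxaliji.lib
c:\windows\ramuk.lib
c:\windows\system32\gyko.dll
c:\windows\vajypage.bat
c:\windows\zyfabiti.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_SKYNETijjrxbrq
-------\Legacy_SKYNETltvgtqoh
-------\Service_SKYNETltvgtqoh
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")               # "(((( Section Title ))))"
SUBTITLE = re.compile(r"^-+\s.*-+$")                      # "---- Previous Run -------"
DRIVER_LINE = re.compile(r"^-+\\(Legacy|Service)_(.+)$")  # "-------\Legacy_name"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section: [entries]}; CFScript section headers end in '::'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Return {banner title: [body lines]}, dropping '.' and '---- x ----' filler."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line and line != "." and not SUBTITLE.match(line):
            sections[current].append(line)
    return sections


def check_removal(cfscript: str, log: str) -> dict:
    """Match requested files/drivers against the log; paths compare case-insensitively.

    A requested file absent from 'Other Deletions' is reported as unconfirmed,
    which only means the log does not mention it, not that it is still present.
    """
    script = parse_cfscript(cfscript)
    logsec = parse_combofix_log(log)
    requested = script.get("File", [])
    deleted = logsec.get("Other Deletions", [])
    deleted_lc = {p.lower() for p in deleted}
    requested_lc = {p.lower() for p in requested}
    seen: Dict[str, Set[str]] = {}  # service name -> {"Legacy", "Service"} entries removed
    for line in logsec.get("Drivers/Services", []):
        m = DRIVER_LINE.match(line)
        if m:
            seen.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return {
        "confirmed": [p for p in requested if p.lower() in deleted_lc],
        "unconfirmed": [p for p in requested if p.lower() not in deleted_lc],
        "extra": [p for p in deleted if p.lower() not in requested_lc],
        "drivers": {d: sorted(seen.get(d.lower(), ())) for d in script.get("Driver", [])},
    }
```

Calling `check_removal(CFSCRIPT, COMBOFIX_LOG)` returns the four lists; on a real case the same function runs over the script you dragged onto ComboFix.exe and the Combofix.txt it wrote, so anything in "unconfirmed" is what to look at by hand before calling the cleanup done.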

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 01:08 PM

Strange.
Could be because of the malware previously still present, because after all, this rootkit you were dealing with caused a lot of system issues in general.
Anyway, the second log shows that Combofix was able to deal with it properly and removed what had to be removed.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 01:10 PM

Extra note..

I see I forgot this one in the script previously for Combofix to delete:

c:\documents and settings\Dad\Local Settings\Application Data\ucyhyd.pif

Don't worry, you can delete that file manually, so browse to the c:\documents and settings\Dad\Local Settings\Application Data folder and delete the file ucyhyd.pif in there. It should get deleted without any problem. :thumbup2:

#12 oh ok

oh ok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:47 AM

Posted 11 August 2009 - 01:17 PM

Everything is operating smoothly. I gave it a reboot just to be certain, and I think I even got a performance boost out of this mess.

much gratitude and admiration for you.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 11 August 2009 - 01:20 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:47 PM

Posted 05 September 2009 - 05:46 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



