Can't run Antivirus & Antimalware

21 replies to this topic

#1 Larry013
Posted 12 August 2009 - 12:03 AM

The other night, I noticed a program in my start menu called "AV Care." I didn't know what it was, so I uninstalled it, and asked the wife why she was installing software on my PC. Of course, she didn't know anything about it. After that, every time I'd log on, I'd hear "commercials" through my speakers. Also, there would be 2 instances of iexplore.exe processes. That's about where the extent of my knowledge ends. So I call up a friend to come over and look at it. He mentioned UAC & SKYNET. Apart from the obvious Terminator reference, I was still clueless. He ran a few programs, but lo and behold, made no progress. I now come to you, with hat in hand, begging for help.

If I try to run antivirus or antispyware software, it just sits there. I had been getting browser redirects and "Unable to display webpage" errors, but those seem to have stopped. I can now also use Google searches again. The main problem is the slowness of my system. Everything seems to lag. Also, again, the inability to use antimalware software is a problem. Although I can't run a scan, BitDefender still seems to be reporting "Trojan.TDss.vs".

ADD-ON: I changed the name of the EXE for Malwarebytes and it's returning: uacinit.dll and HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace). It says it has fixed the registry entry and will delete the dll on reboot, but it does not.

Thanks in advance for any help you can provide!

Here's my DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 0:46:18.47 on Wed 08/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3582.2521 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MediaManager]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
uPolicies-explorer: TaskbarNoNotification = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: antimalwareguard.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\lbs558ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\plugins\npoctoshape.dll

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-4-8 2560]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
RUnknown erhxkuut;erhxkuut; [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-5-21 1153368]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-4-29 0]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional home 2009.sp2\RpcAgentSrv.exe [2009-3-29 98488]

=============== Created Last 30 ================

2009-08-11 21:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 21:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 21:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 22:37 189,480 a------- c:\windows\system32\PnkBstrB.xtr
2009-07-27 22:31 137,544 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-27 22:30 189,480 a------- c:\windows\system32\PnkBstrB.exe
2009-07-27 22:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-27 22:00 <DIR> --d----- c:\program files\common files\Steam
2009-07-27 22:00 <DIR> --d----- c:\program files\Steam
2009-07-18 00:58 794,408 a------- c:\windows\system32\pbsvc.exe
2009-07-16 23:36 <DIR> --d----- c:\users\user\appdata\roaming\Out of the Park Developments
2009-07-16 23:36 <DIR> --d----- c:\programdata\Out of the Park Developments
2009-07-16 23:36 <DIR> --d----- c:\program files\ootp10setup
2009-07-16 23:36 <DIR> --d----- c:\progra~2\Out of the Park Developments
2009-07-16 21:25 <DIR> --d----- c:\programdata\AA3DeployClient
2009-07-16 21:25 <DIR> --d----- c:\progra~2\AA3DeployClient

==================== Find3M ====================

2009-08-12 00:34 2,145 a--sh--- c:\windows\system32\mmf.sys
2009-08-12 00:33 81,984 a------- c:\windows\system32\bdod.bin
2009-07-27 22:31 139,152 a------- c:\users\user\appdata\roaming\PnkBstrK.sys
2009-07-16 23:42 48,640 a------- c:\windows\mmfs.dll
2009-07-15 02:00 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-01 22:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-01 22:43 86,016 a------- c:\windows\inf\infstor.dat
2009-07-01 22:43 51,200 a------- c:\windows\inf\infpub.dat
2009-05-28 22:28 116,843 a------- c:\windows\hpqins00.dat
2009-05-26 23:47 130,835 a------- c:\windows\hpoins18.dat
2008-12-28 23:38 691 a------- c:\users\user\appdata\roaming\GetValue.vbs
2008-12-28 23:38 35 a------- c:\users\user\appdata\roaming\SetValue.bat
2008-06-11 10:14 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-25 22:58 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-04-03 09:16 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-03 09:16 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-03 09:16 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-03 09:16 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-30 01:33 88 ---shr-- c:\windows\system32\E52462BF5E.sys

============= FINISH: 0:47:52.29 ===============

Edited by Larry013, 12 August 2009 - 09:20 PM.


#2 SifuMike
Posted 14 August 2009 - 12:41 PM

Hello Larry013,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans.
This can make helping you impossible.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
******************

We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
******************


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


******************

Please post the malwarebytes log, so I can see what it is removing.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Edited by SifuMike, 14 August 2009 - 12:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Larry013
Posted 14 August 2009 - 11:43 PM

SifuMike,

Thanks for your assistance.

I have been unable to run RootRepeal. It either just locks up the system or returns a BSOD each and every time I try to run it. And I'm not just being impatient. To make sure it was locking up, I allowed it to sit for two hours with (Not Responding) in the title bar. Are there any other rootkit checkers I can attempt to use? I ran Security Check, as you said, and here is the log:


Results of screen317's Security Check version 0.98.7
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
BitDefender Internet Security 2009


Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 1.99.1
EasyCleaner
Java™ 6 Update 15
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.6
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:


`````````End of Log```````````






Also, here is the MBAM report you wanted:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/12/2009 00:32:26
mbam-log-2009-08-12 (00-32-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 274826
Time elapsed: 55 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
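As an added example (not a tool anyone in this thread ran), the script below triages DDS/MBAM/ComboFix-style log lines like the ones posted above and flags the traces this thread turns on: randomly named UAC*-prefixed files in system32, a service whose image path DDS could not resolve, EnableLUA = 0, security products reporting their protection disabled, and the HKEY_LOCAL_MACHINE\SOFTWARE\UAC key. The sample lines are constructed from the logs in this thread, and the 8-12 letter suffix range for the random file names is an assumption, not something the logs establish.

```python
"""Triage DDS / MBAM / ComboFix-style log lines for the traces of the UAC
(TDSS) rootkit discussed in this thread.  Added example; none of the helpers
in the thread used a script like this."""
import re
from collections import Counter

# Randomly named rootkit components carry a "UAC" prefix in system32, e.g.
# UACcuwrnqhbnt.dll or drivers\UACoubwctpnpx.sys, alongside the uacinit.dll
# loader.  The logs above show 10-letter suffixes; the 8-12 range is a
# tolerance assumed here, not something the logs establish.
UAC_FILE_RE = re.compile(
    r"\\system32\\(?:drivers\\)?(uac(?:[a-z]{8,12}|init)\.(?:dll|sys|dat|db))\b",
    re.I,
)
# DDS service entry whose image path could not be resolved ("[x]"), as in
# "RUnknown erhxkuut;erhxkuut; [x]" -- consistent with a hidden driver.
UNKNOWN_SVC_RE = re.compile(r"^[RS]\S*\s+([^;]+);[^;]*;\s*\[x\]")
# User Account Control switched off through machine policy.
LUA_OFF_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b")
# DDS product header reporting a disabled protection component.
PROT_OFF_RE = re.compile(r"^(AV|SP|FW):\s*(.+?)\s*\*([^*]*disabled[^*]*)\*", re.I)
# MBAM-style registry hit on the rootkit's configuration key.
UAC_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC\b", re.I)

# Constructed sample: lines lifted from the DDS, MBAM and ComboFix logs in this
# thread, mixed with benign entries (bdfm.sys, mbam.sys) that must not fire.
SAMPLE_LOG = r"""
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
mPolicies-system: EnableLUA = 0 (0x0)
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
RUnknown erhxkuut;erhxkuut; [x]
2009-08-11 21:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
c:\windows\system32\drivers\UACoubwctpnpx.sys
c:\windows\system32\UACcuwrnqhbnt.dll
c:\windows\system32\uacinit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
"""


def triage(lines):
    """Return one (line_no, category, detail) tuple per line that matches an indicator."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if m := UAC_FILE_RE.search(line):
            findings.append((no, "uac_random_file", m.group(1)))
        elif m := UNKNOWN_SVC_RE.match(line):
            findings.append((no, "unknown_service", m.group(1)))
        elif LUA_OFF_RE.match(line):
            findings.append((no, "uac_policy_disabled", "EnableLUA = 0"))
        elif m := PROT_OFF_RE.match(line):
            findings.append((no, "protection_disabled", f"{m.group(2)}: {m.group(3)}"))
        elif m := UAC_KEY_RE.match(line):
            findings.append((no, "uac_registry_key", m.group(0)))
    return findings


def summarize(findings):
    """Count findings per category and decide whether rootkit artefacts are present.

    Files, the registry key and an unresolvable service are the rootkit's own
    traces; disabled protection and EnableLUA = 0 are supporting context only,
    since a user can legitimately configure both."""
    counts = Counter(cat for _, cat, _ in findings)
    artefacts = ("uac_random_file", "uac_registry_key", "unknown_service")
    verdict = "rootkit_traces" if any(counts[c] for c in artefacts) else "no_rootkit_traces"
    return dict(counts), verdict


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.strip().splitlines())
    for no, cat, detail in found:
        print(f"line {no:>2}  {cat:<20} {detail}")
    print(summarize(found))
```

On the sample, the two disabled-protection lines and EnableLUA = 0 on their own would only be context; the random UAC* files, the unresolvable service and the registry key are what turn the verdict into rootkit traces.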

#4 SifuMike
Posted 15 August 2009 - 12:56 AM

Hi Larry013,

See if you can run Rooter.

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 Larry013
Posted 16 August 2009 - 01:47 AM

Ok, just to let you know, I'm getting the browser redirects again and am again unable to use any search engines. Here's the Rooter log you asked for:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Disabled !
Windows Defender -> Disabled !
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.8 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:350 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
.
Scan : 02:42.58
Path : C:\Users\User\Desktop\Rooter.exe
User : User ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (444)
______ C:\Windows\system32\csrss.exe (520)
______ C:\Windows\system32\wininit.exe (580)
______ C:\Windows\system32\csrss.exe (588)
______ C:\Windows\system32\services.exe (628)
______ C:\Windows\system32\lsass.exe (644)
______ C:\Windows\system32\lsm.exe (656)
______ C:\Windows\system32\winlogon.exe (692)
______ C:\Windows\system32\svchost.exe (840)
______ C:\Windows\system32\svchost.exe (932)
______ C:\Windows\system32\svchost.exe (1008)
______ C:\Windows\System32\svchost.exe (1060)
______ C:\Windows\system32\nvvsvc.exe (1108)
______ C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (1188)
______ C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe (1200)
______ C:\Windows\System32\svchost.exe (1272)
______ C:\Windows\System32\svchost.exe (1368)
______ C:\Windows\system32\svchost.exe (1404)
Locked audiodg.exe (1456)
______ C:\Windows\system32\svchost.exe (1588)
______ C:\Windows\system32\SLsvc.exe (1644)
______ C:\Windows\system32\rundll32.exe (1700)
______ C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (252)
______ C:\Windows\system32\Dwm.exe (292)
______ C:\Windows\Explorer.EXE (512)
______ C:\Windows\RtHDVCpl.exe (1416)
______ C:\Program Files\Microsoft IntelliPoint\ipoint.exe (1620)
______ C:\Windows\System32\rundll32.exe (1484)
______ C:\Program Files\iTunes\iTunesHelper.exe (1504)
______ C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe (1084)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1584)
______ C:\Program Files\Windows Sidebar\sidebar.exe (2072)
______ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (2080)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (2088)
______ C:\Program Files\Windows Sidebar\sidebar.exe (2160)
______ C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe (2244)
______ C:\Windows\System32\spoolsv.exe (2540)
______ C:\Windows\system32\taskeng.exe (2548)
______ C:\Windows\system32\svchost.exe (2580)
______ C:\Windows\system32\taskeng.exe (2844)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (3004)
______ C:\Program Files\Bonjour\mDNSResponder.exe (3032)
______ C:\Windows\system32\svchost.exe (3064)
______ C:\Windows\runservice.exe (3236)
______ C:\Windows\System32\svchost.exe (3360)
______ C:\Windows\System32\svchost.exe (3476)
______ C:\Windows\system32\PnkBstrA.exe (3544)
______ C:\Windows\system32\svchost.exe (3556)
______ C:\Windows\system32\PSIService.exe (3580)
______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (3612)
______ C:\Windows\system32\svchost.exe (3636)
______ C:\Windows\System32\svchost.exe (3704)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (1488)
______ C:\Program Files\iPod\bin\iPodService.exe (452)
______ C:\Windows\system32\wbem\unsecapp.exe (4976)
______ C:\Windows\system32\wbem\wmiprvse.exe (5008)
______ C:\Program Files\Internet Explorer\Iexplore.exe (4636)
______ C:\Program Files\Internet Explorer\Iexplore.exe (5152)
______ C:\Windows\system32\msfeedssync.exe (5524)
______ C:\Users\User\Desktop\Rooter.exe (980)
______ C:\Windows\system32\DllHost.exe (5692)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500105217024)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{78BD12F9-47D2-4A53-A52C-D656464B2BBE}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 02:43.04
.
C:\Rooter$\Rooter_3.txt - (16/08/2009 | 02:43.04)

#6 SifuMike
Posted 16 August 2009 - 10:32 AM

Hi Larry013,

You have several rootkits, so we will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your BitDefender Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable BITDEFENDER
Double click on the system icon for BitDefender.
When the Bit Defender window appears, click on the button at the top of the screen labeled Switch to advanced view.
Click on the Shield tab switch to the Virus shield screen.
Uncheck the checkbox labeled Real-time protection is enabled.
When it asks how long you want to disable it, select Permanently.
BitDefender is now inactive.
To enable BitDefender, do the same steps except you should put a checkmark in the checkbox labeled Real-time protection is enabled.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#7 Larry013
Posted 17 August 2009 - 06:48 AM

As soon as I get home from work I will run ComboFix. The only problem I foresee is that I can't run Bitdefender or Spybot in order to disable them. Would it be okay if I went into the Task Manager/Processes and ended all processes related to those two programs?

#8 SifuMike
Posted 17 August 2009 - 09:04 AM

Would it be okay if I went into the Task Manager/Processes and ended all processes related to those two programs


That may not work.


Follow the directions for disabling them that I posted.

If you can't disable them, it would be safer to uninstall both Spybot and BitDefender. Then you can reinstall them after we are done using ComboFix.

If you uninstall BitDefender antivirus, then do not surf the internet as you have no antivirus protection.

#9 Larry013
Posted 18 August 2009 - 01:25 AM

I was able to disable Spybot, BitDefender and Windows Defender. So here's the ComboFix log:

ComboFix 09-08-10.06 - User 08/18/2009 1:29.3.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3582.2739 [GMT -4:00]
Running from: c:\users\User\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\Installer\95a8b6.msi
c:\windows\Installer\9f6d4d.msi
c:\windows\Installer\d5056.msi
c:\windows\run.log
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACoubwctpnpx.sys
c:\windows\system32\lfoadauf.ini
c:\windows\system32\Packet.dll
c:\windows\system32\UACcuwrnqhbnt.dll
c:\windows\system32\UACdiqqhcamom.db
c:\windows\system32\UACepwxsocfld.dll
c:\windows\system32\UACiivpqdipxn.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACrkixeubhly.dat
c:\windows\system32\UACtbsccrtykg.dll
c:\windows\system32\UACyipvxvdtqu.dll
c:\windows\system32\wpcap.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 05:41 . 2009-08-18 05:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-16 06:41 . 2009-08-16 06:43 -------- d-----w- C:\Rooter$
2009-08-12 01:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 01:07 . 2009-08-15 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 01:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 02:31 . 2009-07-29 02:35 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-28 02:30 . 2009-07-29 02:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-28 02:30 . 2009-07-28 02:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-28 02:00 . 2009-07-29 02:06 -------- d-----w- c:\program files\Common Files\Steam
2009-07-28 02:00 . 2009-07-29 02:35 -------- d-----w- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 05:43 . 2008-04-09 02:33 2145 --sha-w- c:\windows\system32\mmf.sys
2009-08-18 05:41 . 2008-07-04 03:42 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-15 03:25 . 2008-10-27 04:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 03:25 . 2009-03-10 02:07 -------- d-----w- c:\program files\Java
2009-08-11 14:03 . 2008-03-29 20:17 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2009-08-05 02:54 . 2008-05-22 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 02:31 . 2008-03-30 23:01 139152 ----a-w- c:\users\User\AppData\Roaming\PnkBstrK.sys
2009-07-28 02:31 . 2008-03-30 23:01 139152 ----a-w- c:\users\User\AppData\Roaming\PnkBstrK.sys
2009-07-28 02:30 . 2009-07-18 04:58 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-28 01:01 . 2008-09-26 00:30 -------- d-----w- c:\program files\Ubisoft
2009-07-17 03:42 . 2008-04-09 02:33 48640 ----a-w- c:\windows\mmfs.dll
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\users\User\AppData\Roaming\Out of the Park Developments
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\program files\ootp10setup
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\progra~2\Out of the Park Developments
2009-07-17 03:36 . 2008-06-21 01:51 -------- d-----w- c:\program files\Out of the Park Developments
2009-07-17 02:09 . 2009-07-17 01:25 -------- d-----w- c:\progra~2\AA3DeployClient
2009-07-15 06:00 . 2008-03-30 05:23 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-05 03:43 . 2008-02-18 21:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 03:42 . 2009-07-05 03:42 -------- d-----w- c:\program files\SEGA
2009-07-02 02:48 . 2009-05-27 03:38 -------- d-----w- c:\program files\HP
2009-07-02 02:41 . 2009-05-27 04:27 -------- d-----w- c:\program files\Real Deal Live
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\program files\Atari
2009-06-28 01:48 . 2009-06-28 01:48 -------- d-----w- c:\program files\Activision
2009-06-27 03:18 . 2008-04-03 16:28 -------- d-----w- c:\program files\ArtMoney
2009-06-27 01:48 . 2009-03-05 03:46 -------- d-----w- c:\users\User\AppData\Roaming\2K Sports
2009-06-26 03:26 . 2009-03-29 04:07 2095 ----a-w- c:\progra~2\xml7956.tmp
2009-06-26 03:26 . 2009-03-29 04:07 13525 ----a-w- c:\progra~2\xml77A0.tmp
2009-06-26 03:26 . 2009-03-29 04:07 8858 ----a-w- c:\progra~2\xml67E6.tmp
2009-06-25 06:15 . 2009-06-25 06:15 -------- d-----w- c:\users\User\AppData\Roaming\BlackBean
2009-05-29 02:28 . 2009-05-29 02:25 116843 ----a-w- c:\windows\hpqins00.dat
2009-05-27 03:47 . 2008-03-29 21:51 130835 ----a-w- c:\windows\hpoins18.dat
2009-04-01 22:44 . 2009-04-14 05:53 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-03-30 05:33 . 2008-03-30 05:33 88 --sh--r- c:\windows\System32\E52462BF5E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-29 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\CCleaner.exe]
path=CCleaner.exe
backup=c:\windows\pss\CCleaner.exe.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1624991561-835181475-2958330362-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C45A771C-DB00-4F27-B5B9-09F1259CF0D9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C0604F7B-9C2C-4EA4-8838-0468A1E880FC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C5945A61-3770-4DDE-BCF0-F4DC5967ED5E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2F696645-AC03-4710-8294-7E65BDC61A09}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AD54F38F-31D7-4BAE-8A8F-742C8271E689}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CE0B9549-321C-4A0D-A303-4D2BC67ED67D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{FE5DDB65-95C4-4C99-BE89-6F424FBBC97C}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{C885FEEC-F40B-4B13-B20D-0E9ACDC93B57}"= UDP:44445:torrent
"{BB0B1B22-2B03-48AD-8123-94A23685599A}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSFE72.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E8E5F7C9-E2C2-4C00-9F7E-9F86CDDF0B5C}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSFE72.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{FD01C99C-6763-4E39-A504-8ED13C4321AA}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{B80120BE-21B5-4E04-B897-2684084AC3A7}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{D9D56E45-69F7-454E-A449-CE11511FEFA0}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7B4E641F-C7ED-4406-BE8C-0E2E96485EC8}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{B4978F66-CE7B-427F-B999-38D793A67612}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{993E5CA0-63E8-43DB-96F8-20ED4A209532}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{AFB31877-58A2-46A1-BB7D-8B0D1AF67B32}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4F7BE7A9-25C0-4040-A581-B1BA40F267C4}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{386A8E92-6696-4E29-BF39-090261396F2E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{196396CD-D34D-49C7-9199-02C15BB3364F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B6D997D1-CA2B-4C6D-A464-C2DDE57FAF2D}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{AA82D919-331A-49B6-A8DA-2EAFC461E109}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{FCA3F0C8-1196-4BBF-97AD-30D815012F9E}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FC63A2B8-9A50-486D-8A30-E692FF335B3C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8C53D1D0-3BE1-46CE-B451-14E0C7EF2F9A}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{DFFDD273-FC29-4972-A35F-F99592E30329}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C1283BD0-C600-4181-BF4F-546890225A02}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSFC96.tmp\setup\HPZnui01.exe:hpznui01.exe
"{750B0187-98EB-4548-802D-5F6D9BE792C1}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSFC96.tmp\setup\HPZnui01.exe:hpznui01.exe
"{55906408-49DD-4483-880E-9324B11A0D58}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{65EC54D1-4BC0-40F3-9716-0348958496C9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{5EEF0699-8776-426E-A6A8-C336A0E2DEC1}"= UDP:c:\program files\Capcom\MotoGP 08\Launcher.exe:MotoGP 08
"{5357561C-9B56-488F-84A4-90AEB640DC33}"= TCP:c:\program files\Capcom\MotoGP 08\Launcher.exe:MotoGP 08
"{166A0B82-51A0-4625-A274-1A3CE28E4624}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FE52BD08-76F4-44EC-BC4F-8205C9B4081B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E8C3C676-671C-4D72-8209-EB514D46501B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A46DF1FB-510D-49A5-8AE7-C066516AB4E6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3EFF796D-D67F-4A06-B991-8CE823817A20}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSEB48.tmp\setup\HPZnui01.exe:hpznui01.exe
"{3EDC0538-F163-4596-A871-12E23E3912F3}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSEB48.tmp\setup\HPZnui01.exe:hpznui01.exe
"{130C17BE-F294-4D81-9A3E-40A0A336CC0B}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zS4069.tmp\setup\HPZnui01.exe:hpznui01.exe
"{2EFCDCF5-94F4-43C7-85A3-EA1C6E653D7B}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zS4069.tmp\setup\HPZnui01.exe:hpznui01.exe
"{B3A94EE7-ABD1-4C4A-864D-B058737D6818}"= UDP:c:\program files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:America's Army 3
"{4034042D-AFDD-47D7-896D-89C04F74CB3C}"= TCP:c:\program files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:America's Army 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 05:16 PM 82696]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [4/8/2008 10:33 PM 2560]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/21/2008 11:31 PM 1153368]
R3 bdfm;BDFM;c:\windows\System32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\System32\drivers\bdfndisf.sys [2/3/2009 05:03 PM 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP2\RpcAgentSrv.exe [3/29/2009 12:06 AM 98488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bdx REG_MULTI_SZ scan
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MediaManager - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\lbs558ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\users\User\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 01:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETyqifxxrm]
"imagepath"="\systemroot\system32\drivers\SKYNEThdesvpni.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETyqifxxrm]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNEThdesvpni.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-18 1:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 05:53

Pre-Run: 377,074,491,392 bytes free
Post-Run: 377,061,142,528 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
378 --- E O F --- 2009-04-18 02:50

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 August 2009 - 10:09 AM

Hi Larry013,


You need to disable your BitDefender Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
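As an added example (not from this thread, and not ComboFix's own code), here is a small Python triage script for the ComboFix log format posted above: it splits the log on the "(((( Section ))))" headers, collects the "Other Deletions" paths, the removed "-------\Service_" entries and the REGEDIT4-style key/value lines, and then reports the things the helper acted on in this thread: the randomised UAC*/SKYNET* names, firewall profiles with EnableFirewall = 0, EnableLUA = 0, and the Security Center value that the CFScript rewrites as a DWORD. The UAC/SKYNET prefixes and the sample lines come from the logs in this thread; the exact line-format assumptions are mine.

```python
"""Triage a ComboFix log of the format posted in this thread.
Added example, not part of the thread or of ComboFix. Line formats assumed
from the logs above: "(((( Section ))))" headers, bare paths under Other
Deletions, "-------\\Service_NAME" lines, and REGEDIT4-style [key] / "name"= value."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
SERVICE_RE = re.compile(r"^-------\\(?:Service|Legacy)_(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
# Prefixes of the randomised names in this thread (UACoubwctpnpx.sys,
# SKYNETyqifxxrm). A heuristic only: other variants pick other prefixes.
RANDOM_NAME_RE = re.compile(r"^(?:UAC|SKYNET)[a-z]+", re.IGNORECASE)

# Constructed sample: a few lines copied from the two logs in this thread.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\UACoubwctpnpx.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\wpcap.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_NPF
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETyqifxxrm]
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNEThdesvpni.sys"
"""

def parse_value(raw: str):
    """Normalise the log's value renderings: 'dword:..' and '0 (0x0)' -> int, else str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw, re.IGNORECASE)
    if m:
        return int(m.group(1))
    if raw.startswith("expand:"):
        raw = raw[7:]
    return raw.strip('"')

@dataclass
class Triage:
    deleted_files: list = field(default_factory=list)
    removed_services: list = field(default_factory=list)
    registry: dict = field(default_factory=dict)  # key path -> {name: value}
    findings: list = field(default_factory=list)

def looks_randomized(name: str) -> bool:
    return bool(RANDOM_NAME_RE.match(name))

def triage(log_text: str) -> Triage:
    """Walk the log once, tracking the current section and registry key."""
    t, section, key = Triage(), "Header", None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif section == "Other Deletions" and PATH_RE.match(line):
            t.deleted_files.append(line)
        elif m := SERVICE_RE.match(line):
            t.removed_services.append(m.group(1))
        elif m := KEY_RE.match(line):
            key = m.group(1)
            t.registry.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            t.registry[key][m.group(1)] = parse_value(m.group(2))
    t.findings = list(analyse(t))
    return t

def analyse(t: Triage):
    """Yield the kinds of problems the helper acted on in this thread."""
    for path in t.deleted_files:
        if looks_randomized(path.rsplit("\\", 1)[-1]):
            yield f"removed rootkit component: {path}"
    for svc in t.removed_services:
        if looks_randomized(svc):
            yield f"removed rootkit service entry: {svc}"
    for key, values in t.registry.items():
        leaf, low = key.rsplit("\\", 1)[-1], key.lower()
        if "firewallpolicy" in low and values.get("EnableFirewall") == 0:
            yield f"Windows Firewall off for {leaf}"
        if low.endswith("policies\\system") and values.get("EnableLUA") == 0:
            yield "UAC disabled (EnableLUA = 0)"
        if low.endswith("security center") and isinstance(values.get("UpdatesDisableNotify"), str):
            yield "Security Center UpdatesDisableNotify is a string, not a DWORD"
        image = str(values.get("imagepath", ""))
        if "\\services\\" in low and (looks_randomized(leaf) or looks_randomized(image.rsplit("\\", 1)[-1])):
            kind = "kernel driver" if values.get("type") == 1 else "service"
            yield f"suspicious {kind} still registered: {leaf} -> {image or '(no image path)'}"

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print(finding)
```

Run against a full log it lists what ComboFix removed and which policy values are still weak, which is the same information the CFScript in this post targets.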

#11 Larry013

Larry013
  • Topic Starter

  • Members
  • 12 posts

Posted 18 August 2009 - 11:20 PM

OK. Here's the latest ComboFix log after running it with that script.

ComboFix 09-08-10.06 - User 08/18/2009 23:15.4.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3582.2740 [GMT -4:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNEThdesvpni.sys
c:\windows\system32\SKYNETicojjebb.dat
c:\windows\system32\SKYNETmmplbcxr.dat
c:\windows\system32\SKYNETwvruivpp.dll
c:\windows\system32\SKYNETxoykruwr.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETyqifxxrm
-------\Legacy_SKYNETyqifxxrm


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 03:21 . 2009-08-19 03:25 -------- d-----w- c:\users\User\AppData\Local\temp
2009-08-19 03:21 . 2009-08-19 03:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-19 03:21 . 2009-08-19 03:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-19 03:07 . 2009-08-19 03:07 -------- d-sh--w- C:\found.000
2009-08-16 06:41 . 2009-08-16 06:43 -------- d-----w- C:\Rooter$
2009-08-12 01:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 01:07 . 2009-08-15 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 01:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 02:31 . 2009-07-29 02:35 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-28 02:30 . 2009-07-29 02:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-28 02:30 . 2009-07-28 02:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-28 02:00 . 2009-07-29 02:06 -------- d-----w- c:\program files\Common Files\Steam
2009-07-28 02:00 . 2009-07-29 02:35 -------- d-----w- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 03:23 . 2008-04-09 02:33 2145 --sha-w- c:\windows\system32\mmf.sys
2009-08-19 03:22 . 2008-07-04 03:42 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-15 03:25 . 2008-10-27 04:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 03:25 . 2009-03-10 02:07 -------- d-----w- c:\program files\Java
2009-08-11 14:03 . 2008-03-29 20:17 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2009-08-05 02:54 . 2008-05-22 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 02:31 . 2008-03-30 23:01 139152 ----a-w- c:\users\User\AppData\Roaming\PnkBstrK.sys
2009-07-28 02:31 . 2008-03-30 23:01 139152 ----a-w- c:\users\User\AppData\Roaming\PnkBstrK.sys
2009-07-28 02:30 . 2009-07-18 04:58 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-28 01:01 . 2008-09-26 00:30 -------- d-----w- c:\program files\Ubisoft
2009-07-17 03:42 . 2008-04-09 02:33 48640 ----a-w- c:\windows\mmfs.dll
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\users\User\AppData\Roaming\Out of the Park Developments
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\program files\ootp10setup
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\progra~2\Out of the Park Developments
2009-07-17 03:36 . 2008-06-21 01:51 -------- d-----w- c:\program files\Out of the Park Developments
2009-07-17 02:09 . 2009-07-17 01:25 -------- d-----w- c:\progra~2\AA3DeployClient
2009-07-15 06:00 . 2008-03-30 05:23 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-05 03:43 . 2008-02-18 21:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 03:42 . 2009-07-05 03:42 -------- d-----w- c:\program files\SEGA
2009-07-02 02:48 . 2009-05-27 03:38 -------- d-----w- c:\program files\HP
2009-07-02 02:41 . 2009-05-27 04:27 -------- d-----w- c:\program files\Real Deal Live
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\program files\Atari
2009-06-28 01:48 . 2009-06-28 01:48 -------- d-----w- c:\program files\Activision
2009-06-27 03:18 . 2008-04-03 16:28 -------- d-----w- c:\program files\ArtMoney
2009-06-27 01:48 . 2009-03-05 03:46 -------- d-----w- c:\users\User\AppData\Roaming\2K Sports
2009-06-26 03:26 . 2009-03-29 04:07 2095 ----a-w- c:\progra~2\xml7956.tmp
2009-06-26 03:26 . 2009-03-29 04:07 13525 ----a-w- c:\progra~2\xml77A0.tmp
2009-06-26 03:26 . 2009-03-29 04:07 8858 ----a-w- c:\progra~2\xml67E6.tmp
2009-06-25 06:15 . 2009-06-25 06:15 -------- d-----w- c:\users\User\AppData\Roaming\BlackBean
2009-05-29 02:28 . 2009-05-29 02:25 116843 ----a-w- c:\windows\hpqins00.dat
2009-05-27 03:47 . 2008-03-29 21:51 130835 ----a-w- c:\windows\hpoins18.dat
2009-04-01 22:44 . 2009-04-14 05:53 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-03-30 05:33 . 2008-03-30 05:33 88 --sh--r- c:\windows\System32\E52462BF5E.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_05.45.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-18 19:53 . 2009-08-19 03:12 50434 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-19 03:12 63632 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-02-18 19:51 . 2009-08-19 03:12 13024 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1624991561-835181475-2958330362-1000_UserData.bin
- 2006-11-02 13:02 . 2009-08-18 05:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-08-19 03:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-08-18 05:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-08-19 03:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-08-19 03:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-08-18 05:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-19 03:23 . 2009-08-19 03:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-08-18 05:42 . 2009-08-18 05:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-19 03:23 . 2009-08-19 03:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-08-18 05:42 . 2009-08-18 05:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-01 04:05 . 2009-08-18 05:42 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-04-01 04:05 . 2009-08-19 03:11 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-19 03:21 . 2009-08-19 03:21 151552 c:\windows\erdnt\subs\Users\00000002\NTUSER.DAT
- 2009-08-18 05:41 . 2009-08-18 05:41 151552 c:\windows\erdnt\subs\Users\00000002\NTUSER.DAT
+ 2009-08-19 03:21 . 2009-08-19 03:21 155648 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT
- 2009-08-18 05:41 . 2009-08-18 05:41 155648 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT
+ 2009-08-19 03:21 . 2009-08-19 03:21 6041600 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat
- 2009-08-18 05:41 . 2009-08-18 05:41 6041600 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat
- 2009-08-18 05:41 . 2009-08-18 05:41 7270400 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT
+ 2009-08-19 03:21 . 2009-08-19 03:21 7270400 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-29 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\CCleaner.exe]
path=CCleaner.exe
backup=c:\windows\pss\CCleaner.exe.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1624991561-835181475-2958330362-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C45A771C-DB00-4F27-B5B9-09F1259CF0D9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C0604F7B-9C2C-4EA4-8838-0468A1E880FC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C5945A61-3770-4DDE-BCF0-F4DC5967ED5E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2F696645-AC03-4710-8294-7E65BDC61A09}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AD54F38F-31D7-4BAE-8A8F-742C8271E689}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CE0B9549-321C-4A0D-A303-4D2BC67ED67D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{FE5DDB65-95C4-4C99-BE89-6F424FBBC97C}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{C885FEEC-F40B-4B13-B20D-0E9ACDC93B57}"= UDP:44445:torrent
"{BB0B1B22-2B03-48AD-8123-94A23685599A}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSFE72.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E8E5F7C9-E2C2-4C00-9F7E-9F86CDDF0B5C}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSFE72.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{FD01C99C-6763-4E39-A504-8ED13C4321AA}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{B80120BE-21B5-4E04-B897-2684084AC3A7}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{D9D56E45-69F7-454E-A449-CE11511FEFA0}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7B4E641F-C7ED-4406-BE8C-0E2E96485EC8}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{B4978F66-CE7B-427F-B999-38D793A67612}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{993E5CA0-63E8-43DB-96F8-20ED4A209532}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{AFB31877-58A2-46A1-BB7D-8B0D1AF67B32}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4F7BE7A9-25C0-4040-A581-B1BA40F267C4}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{386A8E92-6696-4E29-BF39-090261396F2E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{196396CD-D34D-49C7-9199-02C15BB3364F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B6D997D1-CA2B-4C6D-A464-C2DDE57FAF2D}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{AA82D919-331A-49B6-A8DA-2EAFC461E109}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{FCA3F0C8-1196-4BBF-97AD-30D815012F9E}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FC63A2B8-9A50-486D-8A30-E692FF335B3C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8C53D1D0-3BE1-46CE-B451-14E0C7EF2F9A}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{DFFDD273-FC29-4972-A35F-F99592E30329}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C1283BD0-C600-4181-BF4F-546890225A02}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSFC96.tmp\setup\HPZnui01.exe:hpznui01.exe
"{750B0187-98EB-4548-802D-5F6D9BE792C1}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSFC96.tmp\setup\HPZnui01.exe:hpznui01.exe
"{55906408-49DD-4483-880E-9324B11A0D58}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{65EC54D1-4BC0-40F3-9716-0348958496C9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{5EEF0699-8776-426E-A6A8-C336A0E2DEC1}"= UDP:c:\program files\Capcom\MotoGP 08\Launcher.exe:MotoGP 08
"{5357561C-9B56-488F-84A4-90AEB640DC33}"= TCP:c:\program files\Capcom\MotoGP 08\Launcher.exe:MotoGP 08
"{166A0B82-51A0-4625-A274-1A3CE28E4624}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FE52BD08-76F4-44EC-BC4F-8205C9B4081B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E8C3C676-671C-4D72-8209-EB514D46501B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A46DF1FB-510D-49A5-8AE7-C066516AB4E6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3EFF796D-D67F-4A06-B991-8CE823817A20}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSEB48.tmp\setup\HPZnui01.exe:hpznui01.exe
"{3EDC0538-F163-4596-A871-12E23E3912F3}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zSEB48.tmp\setup\HPZnui01.exe:hpznui01.exe
"{130C17BE-F294-4D81-9A3E-40A0A336CC0B}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zS4069.tmp\setup\HPZnui01.exe:hpznui01.exe
"{2EFCDCF5-94F4-43C7-85A3-EA1C6E653D7B}"= Disabled:TCP:c:\users\User\AppData\Local\Temp\7zS4069.tmp\setup\HPZnui01.exe:hpznui01.exe
"{B3A94EE7-ABD1-4C4A-864D-B058737D6818}"= UDP:c:\program files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:America's Army 3
"{4034042D-AFDD-47D7-896D-89C04F74CB3C}"= TCP:c:\program files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:America's Army 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 05:16 PM 82696]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [4/8/2008 10:33 PM 2560]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/21/2008 11:31 PM 1153368]
R3 bdfm;BDFM;c:\windows\System32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\System32\drivers\bdfndisf.sys [2/3/2009 05:03 PM 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP2\RpcAgentSrv.exe [3/29/2009 12:06 AM 98488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bdx REG_MULTI_SZ scan
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\lbs558ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 23:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1624991561-835181475-2958330362-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:01,df,81,21,13,d6,88,e6,39,e3,5b,1a,8b,aa,53,78,72,2a,23,93,cb,b8,c2,
f9,18,37,5f,ab,e0,22,f5,54,50,bb,f0,e9,01,b4,cf,5b,e7,69,13,59,49,fa,a5,65,\
"??"=hex:d6,36,9b,91,2f,07,d6,19,2e,83,36,b5,63,09,76,c9

[HKEY_USERS\S-1-5-21-1624991561-835181475-2958330362-1000\Software\SecuROM\License information*]
"datasecu"=hex:3d,66,a0,39,df,a3,33,3e,0b,05,04,66,10,2e,64,06,39,bc,6d,ed,36,
7a,b8,d6,8a,2f,3d,68,7c,58,00,4d,0d,65,34,7b,87,43,7c,0b,2c,c4,86,c1,fe,98,\
"rkeysecu"=hex:41,31,29,d6,41,17,01,f0,4f,1d,9f,49,eb,94,9d,61

[HKEY_LOCAL_MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847]
"1"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,86,2b,9b,9b,f3,96,a9,
e9
"2"=hex:05,83,26,a9,dc,b6,17,45,de,2e,f0,41,a5,95,91,56,fe,07,ca,23,63,6c,c8,
df,a0,cb,29,a7,07,62,23,54
"3"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,39,39,6a,6e,1d,99,29,
0e,9a,9e,61,33,16,37,68,38,ee,25,f6,f1,91,9f,21,a9,58,ec,19,f6,96,30,78,09

[HKEY_LOCAL_MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\6356076A6F83BB1BBBE6B14F244E53BE]
"1"=hex:7e,63,ed,e4,ff,c6,da,b0,00,85,ab,7b,99,1c,f6,df,8b,3c,15,1f,e9,72,d8,
8c
"2"=hex:51,f1,0b,2b,54,76,7d,bf
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,5c,6c,8a,b0,95,8d,88,
02,e9,37,15,54,28,a1,4d,91,f4,19,4f,4b,df,bd,95,c2,74,9c,18,d8,b7,e1,e6,9e,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,9d,8a,b3,da,f7,a8,9d,ab,aa,34,84,9b,a5,e8,0f,
1b,f4,74,ab,89,33,17,64,ff,96,82,57,99,f5,97,2b,58
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,42,54,3b,7e,24,3e,19,f8
"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
5e,d2,5e,7f,21,14,b5,b2,29
"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,ce,d6,da,a0,ab,80,e1,24
"2"=hex:70,52,20,b5,8f,72,73,3d
"3"=hex:0e,c8,b3,11,17,f1,cd,32,57,27,d9,1d,f7,6c,f5,81,58,48,4b,c7,9b,79,7e,
e5,d3,0c,e4,98,c7,bb,4a,99,c1,df,05,d8,bd,f8,23,9d,1d,03,e2,a1,b9,ba,f4,68,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,6a,83,7f,d6,71,af,86,e0,98,8d,dd,2e,7a,95,cd,1a,9e,2d,5f,ec,63,7f,c9,e5,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,29,7c,70,46,35,dc,d7,79
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:e8,94,1d,35,c0,7b,8b,9e,09,e7,d5,e6,60,e5,60,dd,2a,d5,95,83,09,54,33,
19,b6,33,d7,4f,57,a1,ae,b5,d8,21,44,8c,ec,d8,b2,c9,4f,e0,23,b3,f1,a6,03,4a,\
"13"=hex:8d,fe,b5,5e,67,8f,11,16,ab,cc,97,79,25,c6,df,95,fa,d2,98,81,ae,f7,1a,
92
"14"=hex:4e,63,05,ff,92,a2,5b,c8
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:b2,82,72,15,07,b4,61,e4,12,9e,50,25,cc,48,0e,4d
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:ca,f4,24,38,fd,2e,98,be,03,09,97,19,31,8a,e2,eb,47,95,7c,15,88,49,3e,
90,0a,0f,d6,82,0b,c5,92,26,f1,35,dc,63,cf,58,9d,d6,a7,88,55,dd,b0,55,c5,03,\

[HKEY_LOCAL_MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\58BBB2CAA762B86BF8228F8849EB5144]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,50,94,16,01,b2,17,1a,42
"2"=hex:84,00,a2,e9,a5,84,bc,35
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,53,74,ea,24,5b,d9,02,83
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-19 23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 03:32
ComboFix2.txt 2009-08-18 05:53

Pre-Run: 377,116,987,392 bytes free
Post-Run: 377,645,244,416 bytes free

375 --- E O F --- 2009-04-18 02:50
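To make a log like the one above quicker to read, here is a small Python triage script. It is an added example for this thread, not ComboFix code and not part of the posted log: it parses the REGEDIT4-style "Reg Loading Points" section and flags the settings a responder checks first. In this log those are EnableLUA=0 (UAC turned off) under policies\system, EnableFirewall=0 in both the PublicProfile and StandardProfile firewall keys, the disabled firewall rules that point at HPZnui01.exe under AppData\Local\Temp, and the RtHDVCpl Run entry stored as a bare file name. The function names and the sample excerpt are this example's own; the excerpt is constructed to mirror a few lines of the log above rather than copied from it whole.

```python
"""Triage a ComboFix "Reg Loading Points" dump for the settings a responder
checks first: UAC state, Windows Firewall state, firewall rules that point into
a Temp folder, and Run entries that rely on a bare file name.

Added example for the thread: not ComboFix code and not part of the poster's
log. parse_reg_sections() and triage() are names chosen here, and SAMPLE_LOG is
a constructed excerpt laid out like the log above.
"""
import re

# Constructed excerpt in the REGEDIT4-style layout ComboFix uses (not the full log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-29 778240]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BB0B1B22-2B03-48AD-8123-94A23685599A}"= Disabled:UDP:c:\users\User\AppData\Local\Temp\7zSFE72.tmp\setup\HPZnui01.exe:hpznui01.exe
"{C885FEEC-F40B-4B13-B20D-0E9ACDC93B57}"= UDP:44445:torrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
DRIVE_RE = re.compile(r'^"[a-z]:\\', re.IGNORECASE)  # data starts with a quoted full path


def parse_reg_sections(text):
    """Return {registry key: {value name: raw data}} from a REGEDIT4-style dump.

    Quoted "name"=data lines are kept as-is; ComboFix's unquoted lines
    (@="Service", path=..., backup=...) are stored under their raw name.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("key"), {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current[m.group("name")] = m.group("data").strip()
        elif "=" in line:
            name, _, data = line.partition("=")
            current[name.strip()] = data.strip()
    return sections


def dword_value(data):
    """ComboFix prints DWORDs as '0 (0x0)' or 'dword:00000001'; return the int or None."""
    parts = data.split()
    token = parts[0] if parts else ""
    try:
        if token.startswith("dword:"):
            return int(token[len("dword:"):], 16)
        return int(token, 0)
    except ValueError:
        return None


def triage(sections):
    """Return (severity, finding) tuples for the settings worth a second look."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            # A bare file name is resolved through the search path at logon,
            # so a planted file of the same name would run instead of the real one.
            for name, data in values.items():
                if data.startswith('"') and not DRIVE_RE.match(data):
                    findings.append(("review", f"Run entry {name} uses a bare file name: {data}"))
        elif k.endswith(r"\policies\system"):
            if dword_value(values.get("EnableLUA", "1")) == 0:
                findings.append(("high", "UAC is disabled (EnableLUA=0)"))
        elif k.endswith(r"\firewallpolicy\firewallrules"):
            for name, data in values.items():
                if TEMP_RE.search(data):
                    sev = "low" if data.startswith("Disabled:") else "review"
                    findings.append((sev, f"Firewall rule {name} targets a binary under Temp: {data}"))
        elif k.endswith((r"\firewallpolicy\publicprofile", r"\firewallpolicy\standardprofile")):
            if dword_value(values.get("EnableFirewall", "1")) == 0:
                profile = key.rsplit("\\", 1)[-1]
                findings.append(("high", f"Windows Firewall is off: {profile}"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(parse_reg_sections(SAMPLE_LOG)):
        print(f"[{severity}] {text}")
```

Point `parse_reg_sections()` at the text between "Reg Loading Points" and "Supplementary Scan" of a full log and the same checks apply; the severities are only a reading order, and a disabled firewall rule is reported at "low" so it is not lost but does not outrank UAC or the firewall profiles being off.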

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:24 PM

Posted 18 August 2009 - 11:40 PM

Hi Larry013,

Now let's look for stragglers. :thumbup2:


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Larry013

Larry013
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 19 August 2009 - 10:10 PM

Try as I might, I cannot get Kaspersky Online to run. The Java icon appears but I get this error: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program." Now, I KNOW I have an uninterrupted connection. Anything else you can suggest?

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:24 PM

Posted 19 August 2009 - 11:02 PM

Hi Larry013,

Sure, we have alternate online virus scanners.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#15 Larry013

Larry013
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 20 August 2009 - 06:35 AM

I will run ESET as soon as I get home from work tonight. The problem with running Kaspersky is that since I had to reinstall Java JRE, I see now that I cannot run any Java applets. Nor can I open the Java console or Java Control Panel. I have reinstalled Java 1.6u15, which didn't help, nor did uninstalling and then trying to install Java 1.6u16. Running the tests at Java.com leaves a blank space where the applet should be. Other online tests show that I have Java installed, but even then none of the applets will run.

My question is: could this be a result of our efforts to clean my PC, or could it be a victim of some other maliciousness?

Thanks,
Larry



