
Infected with ntoskrnl-hook - generic rootkit.d!rootkit 5


  • This topic is locked
11 replies to this topic

#1 ripesyrup

ripesyrup

  • Members
  • 6 posts

Posted 18 August 2009 - 09:14 PM

Currently the system shows to have ntoskrnl-hook - generic rootkit.d!rootkit 5. The only AV that seems to detect it is McAfee. It states that it has removed it and it keeps coming back. System restore is off. The different scans I have run seem to have taken most of it out, but it just starts over and infects more. Below are the reports. Thanks for any and all help in advance. Below is DDS, and I have attached the other DDS "Attach" and the RootRepeal report "ark".


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bryan Miller at 20:30:32.37 on Tue 08/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Bryan Miller\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - h:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - h:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
IE: Append to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188870342468
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c5/v20.119/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bryanm~1\applic~1\mozilla\firefox\profiles\pgnb3qxy.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\webclient\np_orfc.dll
FF - plugin: c:\webclient\NPOFF12.DLL
FF - plugin: c:\webclient\npqtplugin.dll
FF - plugin: c:\webclient\npqtplugin2.dll
FF - plugin: c:\webclient\npqtplugin3.dll
FF - plugin: c:\webclient\npqtplugin4.dll
FF - plugin: c:\webclient\npqtplugin5.dll
FF - plugin: c:\webclient\npqtplugin6.dll
FF - plugin: c:\webclient\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-3 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-8 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-3 144704]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-3 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-3 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-3 34216]
RUnknown posg;posg; [x]
S2 gupdate1c9e3957dced760;Google Update Service (gupdate1c9e3957dced760);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2005-4-3 61469]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 mbr;mbr;\??\c:\docume~1\bryanm~1\locals~1\temp\mbr.sys --> c:\docume~1\bryanm~1\locals~1\temp\mbr.sys [?]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-3 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S4 Fdcsnnum;Fdcsnnum;c:\windows\system32\drivers\dxapi.sys [2002-9-3 10496]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-3 606736]

=============== Created Last 30 ================

2009-08-18 19:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 19:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-18 15:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-18 15:18 <DIR> --d----- c:\program files\ESET
2009-08-15 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-15 00:13 <DIR> --d----- c:\docume~1\bryanm~1\applic~1\Symantec
2009-08-14 21:23 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-14 11:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-14 11:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-13 23:58 161,792 a------- c:\windows\SWREG.exe
2009-08-13 23:58 98,816 a------- c:\windows\sed.exe
2009-08-13 22:05 68 a------- c:\windows\system32\kbiwkmpuxvbwqw.dat
2009-08-13 21:55 50,104 a------- c:\windows\system32\kbiwkmvxntpwrp.dat
2009-08-13 21:55 20,480 a------- c:\windows\system32\kbiwkmpadlvmvx.dll
2009-08-13 21:54 44,544 a------- c:\windows\system32\kbiwkmyabuwswe.dll
2009-08-13 21:09 <DIR> -cd----- C:\B42B4FF3
2009-08-13 17:42 <DIR> --d----- c:\windows\QS
2009-08-13 14:24 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-13 14:10 <DIR> --d----- c:\windows\ERUNT
2009-08-13 13:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 11:36 216,064 a------- c:\windows\PEV.exe
2009-08-13 10:28 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-13 00:38 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-13 00:38 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-12 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-12 23:02 <DIR> --d----- c:\docume~1\bryanm~1\applic~1\SUPERAntiSpyware.com
2009-08-12 22:48 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:52 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-12 08:26 76,288 -------- c:\windows\system32\drivers\kbiwkmdelbqjlk.sys
2009-08-11 21:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-11 20:39 <DIR> -cd----- C:\cmdcons
2009-08-10 09:11 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 13:59 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 22:59 96,384 a------- c:\windows\system32\drivers\sptd7917.sys
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 06:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 14:50 327,924 a---h--- c:\windows\system32\mlfcache.dat
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-03-23 20:59 256 a------- c:\documents and settings\bryan miller\pool.bin
2005-11-13 11:39 164 ac--h--- c:\documents and settings\all users\hpothb07.dat
2005-11-13 11:39 364 ac--h--- c:\documents and settings\bryan miller\hpothb07.dat
2005-11-13 11:39 559 ac--h--- c:\docume~1\bryanm~1\applic~1\hpothb07.dat
2005-07-03 17:33 8,224 ac------ c:\docume~1\bryanm~1\applic~1\GDIPFONTCACHEV1.DAT
2002-12-10 09:17 131,072 a------- c:\windows\inf\F306com.bin
2008-09-04 13:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 20:32:56.68 ===============

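An added triage helper (example code written for this thread, not a tool from the thread, from DDS or from BleepingComputer) that parses the "Created Last 30" lines of a DDS log like the one above and flags files under system32 using two heuristics of my own: a long letters-only name with few vowels or a long consonant run, and a family of files sharing one prefix across .dll/.sys/.dat extensions, which is how the kbiwkm* entries in this log present. The sample input embeds lines copied from the log plus a section header; the thresholds (10-letter minimum, 6-letter prefix, 3 files, consonant run of 5) are assumptions, not rules stated in the thread.

```python
"""Triage helper for the "Created Last 30" section of a DDS log.

Added example for this thread, not a tool from the thread or from DDS.
Both heuristics below are assumptions of this example, not rules the
thread states; they are meant to surface candidates for a human reviewer.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the DDS log in this thread, plus the
# section header, so the parser's line-skipping is exercised as well.
SAMPLE_DDS = r"""
=============== Created Last 30 ================
2009-08-18 19:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 19:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-18 15:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-13 22:05 68 a------- c:\windows\system32\kbiwkmpuxvbwqw.dat
2009-08-13 21:55 50,104 a------- c:\windows\system32\kbiwkmvxntpwrp.dat
2009-08-13 21:55 20,480 a------- c:\windows\system32\kbiwkmpadlvmvx.dll
2009-08-13 21:54 44,544 a------- c:\windows\system32\kbiwkmyabuwswe.dll
2009-08-13 14:24 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-13 00:38 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-12 08:26 76,288 -------- c:\windows\system32\drivers\kbiwkmdelbqjlk.sys
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
"""

# DDS file line: date, time, size (or <DIR>), 8-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
VOWELS = set("aeiou")
SYSTEM_DIR = "\\windows\\system32\\"


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0].lower()

    @property
    def ext(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_dds(text: str) -> List[Entry]:
    """Parse the file lines of a DDS 'Created Last 30' / Find3M section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything else
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def longest_consonant_run(stem: str) -> int:
    run = best = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Heuristic 1 (assumed): long letters-only name with few vowels or a long consonant run."""
    if len(stem) < 10 or not stem.isalpha() or not stem.isascii():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return longest_consonant_run(stem) >= 5 or vowel_ratio < 0.2


def triage(text: str, prefix_len: int = 6) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for recently created files under system32 worth a look."""
    entries = [e for e in parse_dds(text)
               if not e.is_dir and SYSTEM_DIR in e.path.lower()]
    findings: Dict[str, List[str]] = defaultdict(list)

    for e in entries:
        if looks_random(e.stem):
            findings[e.path].append("machine-looking file name")

    # Heuristic 2 (assumed): several new files share one prefix but differ in
    # extension, e.g. one .sys driver plus helper .dll/.dat files.
    families = defaultdict(list)
    for e in entries:
        if len(e.stem) >= prefix_len and e.stem.isalpha():
            families[e.stem[:prefix_len]].append(e)
    for prefix, members in families.items():
        if len(members) >= 3 and len({m.ext for m in members}) >= 2:
            for m in members:
                findings[m.path].append(
                    f"shares prefix '{prefix}' with {len(members) - 1} other new files")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_DDS).items()):
        print(path, "->", "; ".join(reasons))
```

The name heuristic alone misses kbiwkmyabuwswe.dll (enough vowels to pass), which is why the prefix-family rule is there; run it over a full DDS log and review the hits by hand rather than acting on them automatically.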

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 August 2009 - 09:41 PM

Hello.

One of the infections is a rootkit.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) to access a computer system in a way that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

If you wish to continue, follow the steps below:

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 ripesyrup

ripesyrup
  • Topic Starter

  • Members
  • 6 posts

Posted 19 August 2009 - 10:42 PM

ComboFix 09-08-19.01 - Bryan Miller 08/19/2009 21:50.15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.727 [GMT -5:00]
Running from: c:\documents and settings\Bryan Miller\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 00:48 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 00:48 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 00:14 . 2009-08-19 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-18 20:43 . 2009-08-18 20:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\ESET
2009-08-15 05:20 . 2009-08-16 03:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2009-08-15 05:20 . 2009-08-15 05:20 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Yahoo!
2009-08-15 05:20 . 2009-08-15 05:20 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\Yahoo!
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\documents and settings\Bryan Miller\Local Settings\Application Data\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\docume~1\BRYANM~1\LOCALS~1\APPLIC~1\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\Symantec
2009-08-15 02:23 . 2009-08-16 23:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 16:52 . 2009-08-17 15:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-14 16:52 . 2009-08-14 18:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 02:09 . 2009-08-14 05:19 -------- dc----w- C:\B42B4FF3
2009-08-13 22:42 . 2009-08-13 22:42 -------- d-----w- c:\windows\QS
2009-08-13 19:24 . 2009-08-13 19:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-13 19:10 . 2009-08-13 19:10 -------- d-----w- c:\windows\ERUNT
2009-08-13 18:10 . 2009-08-19 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:28 . 2009-08-18 21:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 05:38 . 2009-08-13 05:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 04:02 . 2009-08-13 04:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-13 04:02 . 2009-08-18 20:43 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\SUPERAntiSpyware.com
2009-08-13 04:02 . 2009-08-18 20:43 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-12 13:52 . 2009-08-12 13:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-11 22:05 . 2009-08-11 22:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-09 18:59 . 2009-08-09 19:17 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 15:33 . 2008-06-07 02:43 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\FileZilla
2009-08-19 15:33 . 2008-06-07 02:43 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\FileZilla
2009-08-17 03:40 . 2005-04-05 05:35 162112 -c--a-w- c:\documents and settings\Bryan Miller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 03:40 . 2005-04-05 05:35 162112 -c--a-w- c:\docume~1\BRYANM~1\LOCALS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2009-08-16 22:45 . 2005-04-03 15:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-16 22:28 . 2008-06-26 22:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-16 22:23 . 2008-06-26 22:30 -------- d-----w- c:\program files\Microsoft Works
2009-08-15 05:20 . 2005-11-11 15:41 -------- d-----w- c:\program files\Yahoo!
2009-08-13 18:01 . 2008-02-17 22:31 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\DNA
2009-08-13 18:01 . 2008-02-17 22:31 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\DNA
2009-08-13 17:27 . 2007-07-12 00:18 -------- d-----w- c:\program files\Easy Adder
2009-08-13 17:16 . 2008-02-17 22:31 -------- d-----w- c:\program files\BitTorrent
2009-08-13 17:03 . 2008-02-17 22:31 -------- d-----w- c:\program files\DNA
2009-08-13 05:37 . 2005-08-16 19:21 -------- d-----w- c:\program files\Java
2009-08-11 21:59 . 2009-05-13 23:36 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Orbit
2009-08-11 21:59 . 2009-05-13 23:36 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\Orbit
2009-08-11 13:02 . 2009-08-11 12:44 -------- d-----w- c:\windows\Fonts\animeace2bb_tt
2009-08-11 13:02 . 2009-08-11 13:02 -------- d-----w- c:\windows\Fonts\animeace2bb_ot
2009-08-07 20:47 . 2009-08-07 20:47 -------- d-----w- c:\windows\Fonts\NON COMMERCIAL USE ONLY
2009-08-05 17:56 . 2006-02-07 19:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-05 09:01 . 2005-04-03 17:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 17:48 . 2009-07-21 17:48 130252 ----a-w- c:\windows\Fonts\NON COMMERCIAL USE ONLY\AngelicWar.ttf
2009-07-18 16:56 . 2009-07-18 16:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2009-07-18 00:30 . 2005-12-28 02:48 -------- d-----w- c:\program files\Google
2009-07-17 20:26 . 2009-07-17 20:26 193592 ----a-w- c:\windows\Fonts\REBOARD FONT.ttf
2009-07-17 19:01 . 2002-09-03 16:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:34 . 2009-07-16 17:33 -------- d-----w- c:\program files\iTunes
2009-07-16 17:34 . 2006-05-06 16:13 -------- d-----w- c:\program files\iPod
2009-07-16 17:34 . 2007-12-15 21:37 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 03:59 . 2006-02-12 02:01 96384 ----a-w- c:\windows\system32\drivers\sptd7917.sys
2009-07-16 00:02 . 2007-06-24 05:49 -------- d-----w- c:\program files\MySpace
2009-07-15 23:57 . 2008-01-13 16:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Knowledge Adventure
2009-07-15 23:56 . 2007-08-26 17:21 -------- d-----w- c:\program files\JumpStart
2009-07-14 04:43 . 2005-04-03 19:58 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:57 . 2009-07-13 15:25 -------- d-----w- c:\program files\Ahead DVD Copy
2009-07-13 15:28 . 2009-07-13 15:26 -------- d-----w- c:\program files\Ahead DVD Ripper
2009-07-12 23:40 . 2005-07-10 19:01 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Shareaza
2009-07-12 23:40 . 2005-07-10 19:01 -------- d-----w- c:\docume~1\BRYANM~1\APPLIC~1\Shareaza
2009-07-11 15:59 . 2007-12-15 21:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-10 04:17 . 2007-09-03 20:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 04:09 . 2007-09-03 20:48 -------- d-----w- c:\program files\McAfee
2009-07-09 18:09 . 2006-10-27 02:00 -------- d-----w- c:\program files\QuickTime
2009-06-30 01:21 . 2005-04-07 05:28 -------- d-----w- c:\program files\Samsung
2009-06-29 16:12 . 2004-12-07 23:37 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-09-03 16:29 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2002-09-03 17:11 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-09-03 16:58 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-09-03 16:58 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2002-09-03 16:39 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2002-09-03 16:39 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2002-09-03 16:39 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 18:49 . 2009-06-23 18:49 56148 ----a-w- c:\windows\Fonts\Quickie.ttf
2009-06-21 23:43 . 2009-06-21 23:43 16652 ----a-w- c:\windows\Fonts\delfinah.otf
2009-06-16 14:36 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 16:03 . 2009-06-14 16:03 9700 ----a-w- c:\windows\Fonts\DeLarge.ttf
2009-06-12 18:01 . 2009-06-12 18:01 34156 ----a-w- c:\windows\Fonts\CaviarDreams_Bold.ttf
2009-06-12 18:01 . 2009-06-12 18:01 35124 ----a-w- c:\windows\Fonts\CaviarDreams.ttf
2009-06-12 12:31 . 2002-09-03 17:06 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 19:50 . 2009-06-10 19:50 327924 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-10 14:19 . 2005-04-03 10:12 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2002-09-03 17:12 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 13:44 . 2009-08-01 18:46 26292 ----a-w- c:\windows\Fonts\bedtime_stories.ttf
2009-06-05 16:42 . 2009-03-26 20:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 16:42 . 2007-12-15 21:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2005-04-03 17:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-16_23.42.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-08-12 06:14 . 2009-08-16 23:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-12 06:14 . 2009-08-20 02:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-04-03 10:16 . 2009-08-20 02:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-03 10:16 . 2009-08-16 23:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-03 10:16 . 2009-08-20 02:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-04-03 10:16 . 2009-08-16 23:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-18 20:44 . 2009-08-18 20:44 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-18 20:44 . 2009-08-18 20:44 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2009-08-18 20:44 . 2009-08-18 20:44 1516544 c:\windows\Installer\278fa2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-10-8 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxLiveShare9"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PQDVD\\Free Video Zilla\\FVZilla.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Sony\\ACID Music Studio 5.0\\acid50.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3689:TCP"= 3689:TCP:itunesTCP
"5353:UDP"= 5353:UDP:ItunesUDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/4/2008 8:35 PM 210216]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 12:05 PM 14336]
S2 gupdate1c9e3957dced760;Google Update Service (gupdate1c9e3957dced760);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:19 AM 133104]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [4/3/2005 10:14 AM 61469]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S4 Fdcsnnum;Fdcsnnum;c:\windows\system32\drivers\dxapi.sys [9/3/2002 11:32 AM 10496]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Append to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\BRYANM~1\APPLIC~1\Mozilla\Firefox\Profiles\pgnb3qxy.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\webclient\np_orfc.dll
FF - plugin: c:\webclient\NPOFF12.DLL
FF - plugin: c:\webclient\npqtplugin.dll
FF - plugin: c:\webclient\npqtplugin2.dll
FF - plugin: c:\webclient\npqtplugin3.dll
FF - plugin: c:\webclient\npqtplugin4.dll
FF - plugin: c:\webclient\npqtplugin5.dll
FF - plugin: c:\webclient\npqtplugin6.dll
FF - plugin: c:\webclient\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 22:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-08-20 22:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-20 03:18
ComboFix2.txt 2009-08-19 00:08
ComboFix3.txt 2009-08-18 17:33
ComboFix4.txt 2009-08-18 01:07
ComboFix5.txt 2009-08-20 02:48

Pre-Run: 49,596,014,592 bytes free
Post-Run: 49,607,606,272 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
308 --- E O F --- 2009-08-13 08:23

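The ComboFix log above prints the registry loading points, the Security Center values and the Windows Firewall policy as raw `[KEY]` / `"name"=value` lines. As an added example, not part of the original post and not ComboFix's own code, the following Python script parses a constructed sample in that layout (the values are copied from the log above) and pulls out the three things a responder triages first: Security Center values that silence its reporting, the executables behind the Run keys, and globally open firewall ports. Whether a `DisableMonitoring=1` value is tampering or a third-party suite's own setting (McAfee writes its own Monitoring keys) has to be confirmed on the host; the script only surfaces the lead. The function names and the sample text are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in ComboFix's "Reg Loading Points" layout; the values
# are copied from the log posted above, trimmed to a few representative lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3689:TCP"= 3689:TCP:itunesTCP
"5353:UDP"= 5353:UDP:ItunesUDP
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_reg_sections(text):
    """Group '"name"=value' lines under the [KEY] header that precedes them.

    Keys are lower-cased because ComboFix prints them in mixed case.
    """
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def dword(value):
    """Decode ComboFix's 'dword:XXXXXXXX' notation; None for anything else."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def security_center_tamper(sections):
    """(key, name) pairs for Security Center values that silence its reporting.

    DisableMonitoring=1 stops XP's Security Center tracking that product and
    UpdatesDisableNotify=1 suppresses the update warning. Third-party suites
    set the Monitoring keys for themselves, so each hit is a lead to confirm
    on the host, not proof of tampering.
    """
    hits = []
    for key, values in sections.items():
        if "security center" not in key:
            continue
        for name, value in values:
            if name.lower() in ("disablemonitoring", "updatesdisablenotify") and dword(value) == 1:
                hits.append((key, name))
    return hits


def open_ports(sections):
    """(port, proto, label) tuples from the firewall GloballyOpenPorts list."""
    ports = []
    for key, values in sections.items():
        if not key.endswith("globallyopenports\\list"):
            continue
        for _name, value in values:
            port, proto, label = value.split(":", 2)
            ports.append((int(port), proto.upper(), label))
    return ports


def run_entries(sections):
    """(value name, executable path) for every Run-key autostart ComboFix listed."""
    entries = []
    for key, values in sections.items():
        if not key.endswith("currentversion\\run"):
            continue
        for name, value in values:
            # Two shapes: "full\path" [date size]   or   "cmd" - resolved\path [date size]
            m = re.search(r"-\s+(?P<p>.+?)\s+\[", value) or re.match(r'"(?P<p>[^"]+)"', value)
            entries.append((name, m.group("p") if m else value))
    return entries


if __name__ == "__main__":
    secs = parse_reg_sections(SAMPLE_LOG)
    for key, name in security_center_tamper(secs):
        print(f"SECURITY CENTER  {name}=1  under {key}")
    for name, path in run_entries(secs):
        print(f"AUTOSTART        {name:<14} {path}")
    for port, proto, label in open_ports(secs):
        print(f"OPEN PORT        {port}/{proto:<4} {label}")
```

Run against a full ComboFix log the same parser works unchanged, since every loading-point section uses the same header and value shapes; the Run-key resolver deliberately prefers the path ComboFix resolved after the ` - ` separator over the literal command string, because that is the file actually loaded.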
#4 extremeboy
  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:22 AM

Posted 20 August 2009 - 10:54 AM

Hello.

Combofix was run 15 times!

I want to see the first Combofix run log. Please navigate to your C:\Qoobox folder.

In that folder, you should see several Combofix logs. Post back with the Combofix5.txt.

--

Run a scan with Malwarebytes, followed by re-scanning with RootRepeal. RootRepeal was the anti-rootkit scan you attached in your previous reply.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix5.txt log file
-Malwarebytes log
-RootRepeal log

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#5 ripesyrup
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:22 PM

Posted 20 August 2009 - 11:50 AM

Yes, I didn't tackle this problem the right way. I was desperate. Thank you so much for your assistance. Attached is the combofix5.txt report and below are the Malwarebytes and RootRepeal reports. Thanks again.

Malwarebytes' Anti-Malware 1.40
Database version: 2665
Windows 5.1.2600 Service Pack 3

8/20/2009 11:14:21 AM
mbam-log-2009-08-20 (11-14-21).txt

Scan type: Quick Scan
Objects scanned: 112394
Time elapsed: 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 11:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000055
Image Path: \Driver\00000055
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3BF1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A9B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9C72000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmpadlvmvx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmpuxvbwqw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmvxntpwrp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmyabuwswe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\kbiwkmwivpdibiqr.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_xi8rbytqhbfp3gq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_4oqjjpia9ppyopp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_b0yekvbnlrgctbd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_bwetudvcu78onjn
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_dacboa55pasbiyq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rhsufdcrjpwdyvi
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\kbiwkmdelbqjlk.sys
Status: Invisible to the Windows API!

Path: h:\aitemp\aao02744
Status: Allocation size mismatch (API: 1081344, Raw: 65536)

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmyabuwswe.dll]
Process: svchost.exe (PID: 904) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmpadlvmvx.dll]
Process: Explorer.EXE (PID: 1372) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x871a00e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x871f47b0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x870f5640 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x873d53d8 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8691aeb0 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d5948 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x868b38b8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_CREATE]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_CLOSE]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_READ]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_WRITE]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_CLEANUP]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ剒敬랼, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86e05658 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_CREATE]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_CLOSE]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_READ]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_WRITE]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_CLEANUP]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: Msfsȅఐ卆浩^, IRP_MJ_SET_SECURITY]
Process: System Address: 0x869220e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_CREATE]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_CLOSE]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_READ]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_CLEANUP]
Process: System Address: 0x873670e8 Size: 15

Object: Hidden Code [Driver: MA, IRP_MJ_PNP]
Process: System Address: 0x873670e8 Size: 15

Hidden Services
-------------------
Service Name: kbiwkmwilxwkos
Image Path: C:\WINDOWS\system32\drivers\kbiwkmdelbqjlk.sys

==EOF==

Attached Files
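As an added example (not code from the thread or from RootRepeal), a small Python triage helper for report text in the shape posted above: it parses the "Hidden Code" and "Hidden Services" entries, groups hooks by driver and hook address so the pattern seen here (every listed IRP major function of a driver redirected to one address) stands out, and relates each hidden service name to the base name of its driver file. The sample report embedded in the block is constructed from a few of the entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the RootRepeal report posted above
# (only a few of the entries; the real report lists every IRP major function).
SAMPLE_REPORT = """\
Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x868ad970 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x868afb60 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x868afb60 Size: 15

Hidden Services
-------------------
Service Name: kbiwkmwilxwkos
Image Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmdelbqjlk.sys

==EOF==
"""

HOOK_RE = re.compile(r"Object: Hidden Code \[Driver: (?P<driver>[^,]+), (?P<irp>IRP_MJ_\w+)\]")
ADDR_RE = re.compile(r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)")
SVC_RE = re.compile(r"Service Name: (?P<name>\S+)")
PATH_RE = re.compile(r"Image Path: (?P<path>.+)")


def clean_driver(name):
    """Keep only the printable-ASCII prefix of a driver name; the report above
    shows stray non-ASCII characters appended to short names such as Npfs and Msfs."""
    out = []
    for ch in name:
        if 0x21 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            break
    return "".join(out)


def parse_report(text):
    """Parse 'Hidden Code' and 'Hidden Services' entries.

    Returns (hooks, services): hooks maps driver -> address -> list of hooked
    IRP_MJ functions in report order; services is a list of (name, image path)."""
    hooks = defaultdict(lambda: defaultdict(list))
    services = []
    pending = None      # (driver, irp) waiting for its Process/Address line
    svc_name = None     # service name waiting for its Image Path line
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            pending = (clean_driver(m.group("driver")), m.group("irp"))
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            driver, irp = pending
            hooks[driver][m.group("addr")].append(irp)
            pending = None
            continue
        m = SVC_RE.match(line)
        if m:
            svc_name = m.group("name")
            continue
        m = PATH_RE.match(line)
        if m and svc_name is not None:
            services.append((svc_name, m.group("path").strip()))
            svc_name = None
    return {d: dict(a) for d, a in hooks.items()}, services


def single_address_drivers(hooks):
    """Drivers whose hooked IRP handlers all land on one address: the pattern
    in the report above, where a whole dispatch table points into one stub."""
    return {d: next(iter(addrs)) for d, addrs in hooks.items() if len(addrs) == 1}


def shared_prefix(a, b):
    """Longest common prefix, used to relate a hidden service name to the
    base name of its driver file (the random-looking names above share one)."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def triage(text):
    """Human-readable findings for a report; returns a list of strings."""
    hooks, services = parse_report(text)
    findings = []
    for driver, addr in single_address_drivers(hooks).items():
        count = len(hooks[driver][addr])
        findings.append(f"{driver}: {count} IRP handlers redirected to {addr}")
    for name, path in services:
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        pfx = shared_prefix(name, base)
        note = f" (shares prefix '{pfx}' with service name)" if len(pfx) >= 5 else ""
        findings.append(f"hidden service {name} -> {path}{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```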



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 AM

Posted 20 August 2009 - 11:53 AM

Hello.

The Combofix you ran was outdated.

Please delete Combofix.exe that you currently have.

Please re-download it from one of the links below and save it to your desktop:

Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Post back with the new Combofix report once it's done.

With Regards,
Extremeboy

Edited by extremeboy, 20 August 2009 - 11:53 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 ripesyrup

ripesyrup
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:22 PM

Posted 20 August 2009 - 01:12 PM

ComboFix 09-08-19.0C - Bryan Miller 08/20/2009 12:39.16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.581 [GMT -5:00]
Running from: c:\documents and settings\Bryan Miller\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kbiwkmdelbqjlk.sys
c:\windows\system32\kbiwkmpadlvmvx.dll
c:\windows\system32\kbiwkmpuxvbwqw.dat
c:\windows\system32\kbiwkmvxntpwrp.dat
c:\windows\system32\kbiwkmyabuwswe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmwilxwkos
-------\Legacy_kbiwkmwilxwkos


((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 00:48 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 00:48 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 00:15 . 2009-08-19 00:15 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-19 00:14 . 2009-08-19 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-18 20:49 . 2009-08-18 23:05 117760 ----a-w- c:\documents and settings\Bryan Miller\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-18 20:43 . 2009-08-18 20:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\ESET
2009-08-15 05:20 . 2009-08-16 03:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2009-08-15 05:20 . 2009-08-15 05:20 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Yahoo!
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\documents and settings\Bryan Miller\Local Settings\Application Data\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-15 05:13 . 2009-08-15 05:13 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Symantec
2009-08-15 02:23 . 2009-08-16 23:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 16:52 . 2009-08-17 15:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-14 16:52 . 2009-08-14 18:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 02:09 . 2009-08-14 05:19 -------- dc----w- C:\B42B4FF3
2009-08-13 22:42 . 2009-08-13 22:42 -------- d-----w- c:\windows\QS
2009-08-13 19:24 . 2009-08-13 19:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-13 19:10 . 2009-08-13 19:10 -------- d-----w- c:\windows\ERUNT
2009-08-13 18:10 . 2009-08-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:28 . 2009-08-18 21:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 05:38 . 2009-08-13 05:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 05:37 . 2009-08-13 05:37 152576 ----a-w- c:\documents and settings\Bryan Miller\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-13 04:02 . 2009-08-13 04:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-13 04:02 . 2009-08-18 20:43 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\SUPERAntiSpyware.com
2009-08-12 13:52 . 2009-08-12 13:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-11 22:05 . 2009-08-11 22:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-09 18:59 . 2009-08-09 19:17 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 15:33 . 2008-06-07 02:43 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\FileZilla
2009-08-17 03:40 . 2005-04-05 05:35 162112 -c--a-w- c:\documents and settings\Bryan Miller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 22:45 . 2005-04-03 15:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-16 22:28 . 2008-06-26 22:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-16 22:23 . 2008-06-26 22:30 -------- d-----w- c:\program files\Microsoft Works
2009-08-15 05:20 . 2005-11-11 15:41 -------- d-----w- c:\program files\Yahoo!
2009-08-13 18:01 . 2008-02-17 22:31 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\DNA
2009-08-13 17:27 . 2007-07-12 00:18 -------- d-----w- c:\program files\Easy Adder
2009-08-13 17:16 . 2008-02-17 22:31 -------- d-----w- c:\program files\BitTorrent
2009-08-13 17:03 . 2008-02-17 22:31 -------- d-----w- c:\program files\DNA
2009-08-13 05:37 . 2005-08-16 19:21 -------- d-----w- c:\program files\Java
2009-08-11 21:59 . 2009-05-13 23:36 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Orbit
2009-08-11 13:02 . 2009-08-11 12:44 -------- d-----w- c:\windows\Fonts\animeace2bb_tt
2009-08-11 13:02 . 2009-08-11 13:02 -------- d-----w- c:\windows\Fonts\animeace2bb_ot
2009-08-07 20:47 . 2009-08-07 20:47 -------- d-----w- c:\windows\Fonts\NON COMMERCIAL USE ONLY
2009-08-05 17:56 . 2006-02-07 19:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-05 09:01 . 2005-04-03 17:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 16:56 . 2009-07-18 16:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2009-07-18 00:30 . 2005-12-28 02:48 -------- d-----w- c:\program files\Google
2009-07-17 19:01 . 2002-09-03 16:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:34 . 2009-07-16 17:33 -------- d-----w- c:\program files\iTunes
2009-07-16 17:34 . 2006-05-06 16:13 -------- d-----w- c:\program files\iPod
2009-07-16 17:34 . 2007-12-15 21:37 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 03:59 . 2006-02-12 02:01 96384 ----a-w- c:\windows\system32\drivers\sptd7917.sys
2009-07-16 00:02 . 2007-06-24 05:49 -------- d-----w- c:\program files\MySpace
2009-07-15 23:57 . 2008-01-13 16:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Knowledge Adventure
2009-07-15 23:56 . 2007-08-26 17:21 -------- d-----w- c:\program files\JumpStart
2009-07-14 04:43 . 2005-04-03 19:58 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:57 . 2009-07-13 15:25 -------- d-----w- c:\program files\Ahead DVD Copy
2009-07-13 15:28 . 2009-07-13 15:26 -------- d-----w- c:\program files\Ahead DVD Ripper
2009-07-12 23:40 . 2005-07-10 19:01 -------- d-----w- c:\documents and settings\Bryan Miller\Application Data\Shareaza
2009-07-11 15:59 . 2007-12-15 21:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-10 04:17 . 2007-09-03 20:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 04:09 . 2007-09-03 20:48 -------- d-----w- c:\program files\McAfee
2009-07-09 18:09 . 2006-10-27 02:00 -------- d-----w- c:\program files\QuickTime
2009-06-30 01:21 . 2005-04-07 05:28 -------- d-----w- c:\program files\Samsung
2009-06-29 16:12 . 2004-12-07 23:37 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-09-03 16:29 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2002-09-03 17:11 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-09-03 16:58 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-09-03 16:58 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2002-09-03 16:39 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2002-09-03 16:39 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2002-09-03 16:39 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2002-09-03 17:06 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 19:50 . 2009-06-10 19:50 327924 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-10 14:19 . 2005-04-03 10:12 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2002-09-03 17:12 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 16:42 . 2009-03-26 20:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 16:42 . 2007-12-15 21:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2005-04-03 17:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-16_23.42.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-04-03 10:16 . 2009-08-20 16:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-03 10:16 . 2009-08-16 23:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-03 10:16 . 2009-08-20 16:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-04-03 10:16 . 2009-08-16 23:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-18 20:44 . 2009-08-18 20:44 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-18 20:44 . 2009-08-18 20:44 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 23558 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-10-30 23:21 . 2009-08-18 22:28 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2008-10-30 23:21 . 2008-10-30 23:21 295606 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2009-08-18 20:44 . 2009-08-18 20:44 1516544 c:\windows\Installer\278fa2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-10-8 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxLiveShare9"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PQDVD\\Free Video Zilla\\FVZilla.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Sony\\ACID Music Studio 5.0\\acid50.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3689:TCP"= 3689:TCP:itunesTCP
"5353:UDP"= 5353:UDP:ItunesUDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/4/2008 8:35 PM 210216]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 12:05 PM 14336]
S2 gupdate1c9e3957dced760;Google Update Service (gupdate1c9e3957dced760);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:19 AM 133104]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [4/3/2005 10:14 AM 61469]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S4 Fdcsnnum;Fdcsnnum;c:\windows\system32\drivers\dxapi.sys [9/3/2002 11:32 AM 10496]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Append to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\BRYANM~1\APPLIC~1\Mozilla\Firefox\Profiles\pgnb3qxy.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\webclient\np_orfc.dll
FF - plugin: c:\webclient\NPOFF12.DLL
FF - plugin: c:\webclient\npqtplugin.dll
FF - plugin: c:\webclient\npqtplugin2.dll
FF - plugin: c:\webclient\npqtplugin3.dll
FF - plugin: c:\webclient\npqtplugin4.dll
FF - plugin: c:\webclient\npqtplugin5.dll
FF - plugin: c:\webclient\npqtplugin6.dll
FF - plugin: c:\webclient\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 12:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-20 13:08
ComboFix-quarantined-files.txt 2009-08-20 18:07
ComboFix2.txt 2009-08-20 03:18
ComboFix3.txt 2009-08-19 00:08
ComboFix4.txt 2009-08-18 17:33
ComboFix5.txt 2009-08-20 17:02

Pre-Run: 49,466,216,448 bytes free
Post-Run: 49,461,075,968 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
268 --- E O F --- 2009-08-13 08:23

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 AM

Posted 20 August 2009 - 08:44 PM

Hello.

Let's run an online scan and see what's left.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run and then let me know the condition of your machine.

Thanks.

With Regards,
Extremeboy

#9 ripesyrup (Topic Starter, Members, 6 posts)

Posted 21 August 2009 - 03:33 PM

Here are the reports. The computer seems a lot better. I can actually search Google without the redirect. Kaspersky did flag two things. Not sure what I need to do to get rid of them.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bryan Miller at 14:55:14.14 on Fri 08/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.725 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bryan Miller\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - h:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - h:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188870342468
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c5/v20.119/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bryanm~1\applic~1\mozilla\firefox\profiles\pgnb3qxy.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\webclient\np_orfc.dll
FF - plugin: c:\webclient\NPOFF12.DLL
FF - plugin: c:\webclient\npqtplugin.dll
FF - plugin: c:\webclient\npqtplugin2.dll
FF - plugin: c:\webclient\npqtplugin3.dll
FF - plugin: c:\webclient\npqtplugin4.dll
FF - plugin: c:\webclient\npqtplugin5.dll
FF - plugin: c:\webclient\npqtplugin6.dll
FF - plugin: c:\webclient\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-3 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-8 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-3 144704]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-3 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-3 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-3 34216]
S2 0185251250869004mcinstcleanup;McAfee Application Installer Cleanup (0185251250869004);c:\windows\temp\018525~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\018525~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9e3957dced760;Google Update Service (gupdate1c9e3957dced760);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2005-4-3 61469]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 mbr;mbr;\??\c:\docume~1\bryanm~1\locals~1\temp\mbr.sys --> c:\docume~1\bryanm~1\locals~1\temp\mbr.sys [?]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-3 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S4 Fdcsnnum;Fdcsnnum;c:\windows\system32\drivers\dxapi.sys [2002-9-3 10496]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-3 606736]

=============== Created Last 30 ================

2009-08-21 01:01 <DIR> --d----- c:\program files\Orbitdownloader
2009-08-18 19:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 19:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-18 15:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-18 15:18 <DIR> --d----- c:\program files\ESET
2009-08-15 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-15 00:13 <DIR> --d----- c:\docume~1\bryanm~1\applic~1\Symantec
2009-08-14 21:23 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-14 11:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-14 11:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-13 23:58 161,792 a------- c:\windows\SWREG.exe
2009-08-13 23:58 98,816 a------- c:\windows\sed.exe
2009-08-13 21:09 <DIR> -cd----- C:\B42B4FF3
2009-08-13 17:42 <DIR> --d----- c:\windows\QS
2009-08-13 14:24 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-13 14:10 <DIR> --d----- c:\windows\ERUNT
2009-08-13 13:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 11:36 228,864 a------- c:\windows\PEV.exe
2009-08-13 10:28 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-13 00:38 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-13 00:38 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-12 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-12 23:02 <DIR> --d----- c:\docume~1\bryanm~1\applic~1\SUPERAntiSpyware.com
2009-08-12 22:48 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:52 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-11 21:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-11 20:39 <DIR> -cd----- C:\cmdcons
2009-08-10 09:11 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 13:59 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 22:59 96,384 a------- c:\windows\system32\drivers\sptd7917.sys
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 06:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 14:50 327,924 a---h--- c:\windows\system32\mlfcache.dat
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-03-23 20:59 256 a------- c:\documents and settings\bryan miller\pool.bin
2005-11-13 11:39 164 ac--h--- c:\documents and settings\all users\hpothb07.dat
2005-11-13 11:39 364 ac--h--- c:\documents and settings\bryan miller\hpothb07.dat
2005-11-13 11:39 559 ac--h--- c:\docume~1\bryanm~1\applic~1\hpothb07.dat
2005-07-03 17:33 8,224 ac------ c:\docume~1\bryanm~1\applic~1\GDIPFONTCACHEV1.DAT
2002-12-10 09:17 131,072 a------- c:\windows\inf\F306com.bin
2008-09-04 13:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 14:57:26.81 ===============




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 09:59:45
Records in database: 2669597
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Objects scanned: 262672
Threats found: 1
Infected objects found: 0
Suspicious objects found: 2
Scan duration: 05:54:16


File name / Threat / Threats count
C:\Documents and Settings\Bryan Miller\Application Data\Thunderbird\Profiles\dej16iex.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Bryan Miller\Application Data\Thunderbird\Profiles\dej16iex.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.
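As an added example, not from the thread, from DDS or from any of the helpers: a short Python parser for the SERVICES / DRIVERS block of the log above. It reads each line into its state code, service name, display name and image path, and flags the entries a helper tends to look at first: those DDS marked with [?] (it could not find the file on disk) and those whose image lives under a temp folder. The sample input is the block copied from the report; the meaning of the R/S prefix and the start-type digit given in the comments is my reading of DDS output, not something the log itself states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the SERVICES / DRIVERS block of the second DDS log in this
# thread, copied as posted so the parser can run offline.
DDS_SERVICES = r"""
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-3 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-8 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-3 144704]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-3 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-3 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-3 34216]
S2 0185251250869004mcinstcleanup;McAfee Application Installer Cleanup (0185251250869004);c:\windows\temp\018525~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\018525~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9e3957dced760;Google Update Service (gupdate1c9e3957dced760);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2005-4-3 61469]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 mbr;mbr;\??\c:\docume~1\bryanm~1\locals~1\temp\mbr.sys --> c:\docume~1\bryanm~1\locals~1\temp\mbr.sys [?]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-3 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S4 Fdcsnnum;Fdcsnnum;c:\windows\system32\drivers\dxapi.sys [2002-9-3 10496]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-3 606736]
"""

# One DDS line: "<R|S><start type> <name>;<display name>;<image> [<date> <size>]"
ENTRY_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s(?P<size>\d+)\]$")


@dataclass
class ServiceEntry:
    state: str            # assumption: R = running, S = stopped; digit = Windows start type
    name: str
    display: str
    image: str
    date: Optional[str]   # file date DDS printed; None when the file was not found
    size: Optional[int]
    unresolved: bool      # DDS printed "[?]": it could not locate the image on disk
    reasons: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Turn the SERVICES / DRIVERS block into ServiceEntry records."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # header, separator or blank line
        rest = m.group("rest")
        unresolved = rest.endswith("[?]")
        # For an unresolved file DDS writes "<image> --> <image> [?]"; keep the left side.
        image = rest.split(" --> ")[0]
        date = size = None
        stamp = STAMP_RE.search(image)
        if stamp:
            date, size = stamp.group("date"), int(stamp.group("size"))
            image = image[: stamp.start()]
        entries.append(ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                                    image, date, size, unresolved))
    return entries


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Return the entries worth a second look, with the reason recorded on each."""
    flagged = []
    for e in entries:
        e.reasons = []
        if e.unresolved:
            e.reasons.append("image not found on disk (DDS printed [?])")
        if "\\temp\\" in e.image.lower():
            e.reasons.append("image loads from a temp folder")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_dds_services(DDS_SERVICES)):
        print(f"{e.state} {e.name}: {e.image}")
        for r in e.reasons:
            print("    -", r)
```

On this log the parser flags three entries: the McAfee installer cleanup service and the mbr service, both pointing into temp folders with no file behind them, and maxidemo, whose driver file is gone. A flag is a prompt to ask the helper about the entry, not a verdict; stale entries left by an uninstaller or a removal tool look exactly like this too.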




#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 21 August 2009 - 04:04 PM

Hello.

That looks good.

Please empty, or at least try to empty, most if not all of the mails you have in your Thunderbird profile for both the Inbox and Trash folders.

I cannot tell which individual mail is infected, so you will need to do it yourself manually. Deleting that file would cause you to lose every mail, so I can't help you much with that beyond manually deleting them.

Be careful with any mails from unknown senders and ones that have attachments, as Kaspersky detected one or more mails as infected.

Once you are done with that, we can clean up.


Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the run box and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that Combofix was uninstalled successfully.
This will remove files/folders associated with Combofix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :cool: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods that the updates plug but that remain open on machines whose owners do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :)


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

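Extremeboy's point above is that a scanner only names the mbox file, not the message inside it, which is what makes Thunderbird hits awkward to act on. As an added example (not from the thread, and not Kaspersky's or Thunderbird's own code), here is a Python script that walks an mbox file of the kind Thunderbird uses for Inbox and Trash and lists the messages whose HTML body carries a form or a password field, so the owner can delete those messages rather than the whole mailbox. The three messages in the sample mbox are constructed, with hypothetical senders on .invalid hosts and a TEST-NET address; the script does not reproduce Kaspersky's Trojan-Spy.HTML.Fraud.gen heuristic, only a simple check in the same spirit.

```python
import mailbox
import os
import tempfile
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample mailbox (hypothetical senders on .invalid hosts and a
# TEST-NET address): a newsletter, a credential-harvesting form, a plain note.
SAMPLE_MBOX = """From MAILER-DAEMON Fri Aug 21 10:00:00 2009
From: news@example.invalid
To: user@example.invalid
Subject: Weekly newsletter
Content-Type: text/html; charset="us-ascii"

<html><body><p>Read our <a href="http://example.invalid/news">latest news</a>.</p></body></html>

From MAILER-DAEMON Fri Aug 21 11:00:00 2009
From: security@bank-example.invalid
To: user@example.invalid
Subject: Verify your account
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please confirm your details:</p>
<form action="http://203.0.113.5/login.php" method="post">
Account: <input name="acct"> PIN: <input type="password" name="pin">
<input type="submit" value="Verify">
</form></body></html>

From MAILER-DAEMON Fri Aug 21 12:00:00 2009
From: friend@example.invalid
To: user@example.invalid
Subject: lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""


class FormFinder(HTMLParser):
    """Collect <form action=...> targets and count password inputs in one HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: List[str] = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1


def html_bodies(msg):
    """Yield every decoded text/html part of a message (single-part or multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def find_credential_forms(mbox_path: str) -> List[Tuple[int, str, str, List[str]]]:
    """Return (index, subject, sender, form targets) for each message carrying a form or password field."""
    hits = []
    box = mailbox.mbox(mbox_path)
    try:
        for key, msg in box.items():
            for html in html_bodies(msg):
                finder = FormFinder()
                finder.feed(html)
                if finder.form_actions or finder.password_inputs:
                    hits.append((key, msg.get("Subject", ""), msg.get("From", ""), finder.form_actions))
                    break
    finally:
        box.close()
    return hits


def write_sample_mbox() -> str:
    """Write the constructed mailbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    for index, subject, sender, actions in find_credential_forms(write_sample_mbox()):
        print(f"message #{index}: {subject!r} from {sender}: form posts to {actions}")
```

Run it against a copy of the Inbox or Trash file with Thunderbird closed; the index it prints counts messages from zero in file order, and the subject and sender are what you look for in the Thunderbird folder view before deleting and then compacting the folder so the bytes actually leave the file. The newsletter with a plain link is not reported, which is the point of keying on forms and password fields rather than on any link at all.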

#11 ripesyrup (Topic Starter, Members, 6 posts)

Posted 21 August 2009 - 05:18 PM

I just wanted to say thanks for all the help. You were awesome. I am going to do some reading up on all the info you provided and try out some of the software suggested. Thanks.

Everything looks good from here.

#12 extremeboy (Malware Response Team, 12,975 posts)

Posted 22 August 2009 - 10:10 AM

You're welcome.

Thanks for the kind words. :thumbup2:

--
Since the problem appears to be resolved, this topic is now Closed. Glad we could help :)
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy



