Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

a.exe b.exe cleaned but still problems


  • This topic is locked This topic is locked
27 replies to this topic

#1 deewar25

deewar25

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 21 October 2009 - 10:03 PM

Not sure what I may have left from the very nasty rootkit relating to a.exe b.exe c.exe - basically was blocking all my spyware and virus scanners. I went through the proper removal process and it seemed to clean it - was able to get everything working. Was ok for a few days, but now, for 1, I have strange issues with yahoo pages where if I try to hit the back button, it duplicates the page I'm on several times and I can't easily go back to my original page. This does only happen in chrome though - really unsure what is happening there. Last few days though, I have seemed to get serious memory issues. Will get to the point that if I open a chrome window, only the top bar and address bar of the browser shows up and none of the content is accessible. Also, outlook express dies on me and the messages will not open - I get out of memory errors if I try to double click. Reboot the system and its ok, but seems to take less and less time to bog down. Usually gets nasty around 1 gig of PF usage (I do only have 1 gig ram as it is...ram was never issue before though as I mostly just browse internet on this computer).

I have run virus scan (avira) and malwarebytes, adaware, IO bit and all come up clean.

Any chance someone can take a look through this log and see if anything sticks out. I'll run anything else you recommend as well.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:25 PM, on 21/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235261348379
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235261381191
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 10865 bytes

BC AdBot (Login to Remove)

 


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 31 October 2009 - 09:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 31 October 2009 - 05:40 PM

Thanks very much for your response. No, issue hasn't fixed itself - infact does seem worse now - mostly relates to video viewing it seems - I will get locked up during a video - the whole video runs, but I am frozen otherwise - cntl alt del doesn't work (loads but is frozen and then can't be removed from screen) - basically have to do a reset reboot every time. Also odd in that hitting the calculator key on my keyboard locks up the computer as well (never used to). I have tried running video in both chrome and mozilla - dies on both (ie, as simple as youtube). Here is the log as advised, and the zipped file. Don't think I missed anything (didn't mention I had used the combo-fix routine to flush out the first malware).

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 13:59:13.21 on 31/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1023.424 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\User\My Documents\Downloads\dds (1).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PC Pitstop Optimize Scheduler] c:\program files\pcpitstop\optimize\PCPOptimize.exe -boot
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [sysmgr] c:\windows\system32:diskchk.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235261348379
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235261381191
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {7BC0D3D8-3EC7-8793-9D17-6285E39FE77D} - c:\windows\system32:diskchk.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rm37o42v.default\
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-11 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-30 108289]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-9-30 309008]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-7-13 16512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2009-2-27 166720]

=============== Created Last 30 ================

2009-10-26 05:08:41 110922 ----a-w- C:\Titan_Howard_260283_004[1]_1024x768.jpg
2009-10-26 05:06:25 594173 ----a-w- C:\Titan_Howard_260283_004[1].JPG
2009-10-26 05:00:57 602444 ----a-w- C:\Titan_Howard_260283_001[1].JPG
2009-10-25 20:45:50 16546 ----a-w- c:\windows\system32\UpdateNow!.exe
2009-10-25 03:42:00 2531652 ----a-w- C:\Gradekeeper.v6.5.Incl.Keygen-Lz0.rar
2009-10-25 03:33:41 0 d-----w- c:\program files\Gradekeeper
2009-10-23 02:22:02 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 23:44:03 0 d-----w- c:\windows\system32\Adobe
2009-10-17 04:43:41 0 d-----w- c:\docume~1\user\applic~1\ChaosPro
2009-10-17 04:42:15 0 d-----w- c:\program files\ChaosPro3.3
2009-10-10 04:08:54 0 d-----w- C:\Career Manager
2009-10-10 01:50:50 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

==================== Find3M ====================

2009-10-01 17:04:13 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 05:42:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-05 02:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2008-04-14 14:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 14:00:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 14:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 14:00:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 14:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 14:00:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 14:00:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 14:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 13:59:58.10 ===============

Attached Files



#4 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 01 November 2009 - 08:18 AM

Hello deewar25 and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the Posted Image button.
  • In the list that drops down, click on Posted Image
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on Posted Image
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#5 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 03 November 2009 - 10:11 AM

Hello deewar25,

The issue you are having may be due to not having enough RAM. But we will look deeper to be sure.

1. KeyGens

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

http://www.trendmicro.com/vinfo/grayware/v...=CRCK_KEYGEN.BB

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

http://blog.trendmicro.com/crack-sites-dis...rux-and-fakeav/


When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If you still need assistance please remove all cracked software from your system. Namely the:
  • Gradekeeper.v6.5.Incl.Keygen-Lz0.rar
.

2. Peer-to-Peer Programs

Before we get started on fixing your computer, I'd like to caution you about the use of Peer2Peer programs. In your case: uTorrent
Although the actual P2P program may not contain malicious programs, the files that you are downloading and sharing within the P2P community may have. It is very easy for someone to attach some BadGuys onto a legitimate file that you may be downloading without your knowledge, thereby infecting your machine. The decision to keep the P2P program or uninstall it is up to you. Here is some information regarding P2P programs:


3. Two AntiVirus Programs

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either IObit Security 360 or Avira AntiVir Personal - Free Antivirus. I would recommend keeping Avira.


4. Perform a scan with MalwareByte's AntiMalware (MBAM)
  • Double-Click on the MBAM Icon
  • Click on the tab Update
  • Then click on Check For Updates button
  • When MBAM has finished updating, click OK on the window that pops-up.
    • If MBAM has to close to complete the update, then allow it.
  • Now Click on the Scanner tab
  • Put a tick-mark next to Perform Quick Scan
  • Now click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

5. Run another scan with DDS
  • Paste the results in your next reply
6. What I need in your next reply:
  • MBAM Log
  • New DDS Log
Doc.

#6 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 03 November 2009 - 09:11 PM

1. Hi there - regarding the keygen - that was a desperate attempt when my wife needed her report cards done over the weekend and the gradekeeper types are only available Monday to Friday. She already purchased a license, but it was on our old computer...since we couldn't contact them for the password, we gave this route a shot. As it was, avira blocked it and refused to open the files - I had deleted the directories extracted, but not the extractable. Since your email, I removed that as well. FYI - the initial problem was well before I downloaded that - was already having problems (I believe directly related to a fake flash player upgrade link with trojan attached).

2. P2P - will use torrentz on occasion if we forgot to tape a tv show...I always run scan before I open it, but will use more vigilence there.

3. Thought iobit was actually another malware scanner - have removed it....

4. Nothing came up on scan (as usually is the case).

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 3

03/11/2009 5:57:49 PM
mbam-log-2009-11-03 (17-57-48).txt

Scan type: Quick Scan
Objects scanned: 115103
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

5.

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 18:05:53.56 on 03/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1023.465 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\My Documents\Downloads\dds (2).scr
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PC Pitstop Optimize Scheduler] c:\program files\pcpitstop\optimize\PCPOptimize.exe -boot
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [sysmgr] c:\windows\system32:diskchk.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235261348379
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235261381191
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {7BC0D3D8-3EC7-8793-9D17-6285E39FE77D} - c:\windows\system32:diskchk.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rm37o42v.default\
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-11 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-30 108289]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-7-13 16512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2009-2-27 166720]

=============== Created Last 30 ================

2009-11-02 04:56:22 37376 ----a-w- C:\A Naturopathic Perspective on the 2009 H1N1 Vaccine.doc
2009-10-26 05:08:41 110922 ----a-w- C:\Titan_Howard_260283_004[1]_1024x768.jpg
2009-10-26 05:06:25 594173 ----a-w- C:\Titan_Howard_260283_004[1].JPG
2009-10-26 05:00:57 602444 ----a-w- C:\Titan_Howard_260283_001[1].JPG
2009-10-25 03:33:41 0 d-----w- c:\program files\Gradekeeper
2009-10-23 02:22:02 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 23:44:03 0 d-----w- c:\windows\system32\Adobe
2009-10-17 04:43:41 0 d-----w- c:\docume~1\user\applic~1\ChaosPro
2009-10-17 04:42:15 0 d-----w- c:\program files\ChaosPro3.3
2009-10-10 04:08:54 0 d-----w- C:\Career Manager
2009-10-10 01:50:50 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

==================== Find3M ====================

2009-10-01 17:04:13 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 05:42:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2008-04-14 14:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 14:00:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 14:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 14:00:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 14:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 14:00:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 14:00:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 14:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 18:06:16.13 ===============

Attached Files



#7 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 05 November 2009 - 12:21 AM

followup here - wasn't even on the computer and poss virus alert popped up - dr/delphi.gen(dropper) in C:\System Volume Information\_restore{928319BF-4D4C-4312-BCAF-D1C5724A1DBC}\RP296\A0041706.exe.
Action performed: Deny Access

Also had one yesterday: Virus or unwanted program 'DR/Delphi.Gen [dropper]'
detected in file 'C:\WINDOWS\system32\UpdateNow!.exe
Action performed: Move file to quarantine

and
Virus or unwanted program 'DR/Delphi.Gen [dropper]'
detected in file 'C:\WINDOWS\system32:diskchk.exe.
Action performed: Move file to quarantine

#8 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 05 November 2009 - 05:21 AM

OK, since Antivir (I assume that's what gave you the warnings) appears to have performed some actions on these, post another DDS so I can see what exactly got Quarantined.

The one in the System Restore can't cause a problem unless you use system restore, which we won't.

Doc.

#9 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 05 November 2009 - 09:27 AM

As requested - windows update has been asking for reboot as well - been ignoring to this point so as to not change anything, but now it is giving me the 'automatic reboot' in x minutes message - I assume its out of my hands now and it will just update (fyi)

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 6:22:32.17 on 05/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1023.273 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TD Waterhouse\Active Trader\viewer.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\User\My Documents\Downloads\dds (3).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PC Pitstop Optimize Scheduler] c:\program files\pcpitstop\optimize\PCPOptimize.exe -boot
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [sysmgr] c:\windows\system32:diskchk.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235261348379
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235261381191
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {7BC0D3D8-3EC7-8793-9D17-6285E39FE77D} - c:\windows\system32:diskchk.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rm37o42v.default\
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-11 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-30 108289]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-7-13 16512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2009-2-27 166720]

=============== Created Last 30 ================

2009-11-02 04:56:22 37376 ----a-w- C:\A Naturopathic Perspective on the 2009 H1N1 Vaccine.doc
2009-10-26 05:08:41 110922 ----a-w- C:\Titan_Howard_260283_004[1]_1024x768.jpg
2009-10-26 05:06:25 594173 ----a-w- C:\Titan_Howard_260283_004[1].JPG
2009-10-26 05:00:57 602444 ----a-w- C:\Titan_Howard_260283_001[1].JPG
2009-10-25 03:33:41 0 d-----w- c:\program files\Gradekeeper
2009-10-23 02:22:02 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\SETB77.tmp
2009-10-20 23:44:03 0 d-----w- c:\windows\system32\Adobe
2009-10-17 04:43:41 0 d-----w- c:\docume~1\user\applic~1\ChaosPro
2009-10-17 04:42:15 0 d-----w- c:\program files\ChaosPro3.3
2009-10-10 04:08:54 0 d-----w- C:\Career Manager
2009-10-10 01:50:50 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

==================== Find3M ====================

2009-10-01 17:04:13 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 05:42:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-04-14 14:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 14:00:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 14:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 14:00:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 14:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 14:00:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 14:00:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 14:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 6:22:54.09 ===============

Attached Files



#10 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 06 November 2009 - 09:12 AM

Hi deewar25,

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:Link 1
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Posted Image

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt


#11 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 06 November 2009 - 08:27 PM

as requested:

mboFix 09-11-05.05 - User 06/11/2009 17:07.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1023.361 [GMT -8:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - system32: deleted 85375 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-10-25 03:33 . 2009-10-25 20:52 -------- d-----w- c:\program files\Gradekeeper
2009-10-23 02:22 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 23:44 . 2009-10-20 23:44 -------- d-----w- c:\windows\system32\Adobe
2009-10-17 04:43 . 2009-10-17 04:43 -------- d-----w- c:\documents and settings\User\Application Data\ChaosPro
2009-10-17 04:42 . 2009-10-17 04:44 -------- d-----w- c:\program files\ChaosPro3.3
2009-10-10 04:08 . 2009-11-05 16:23 -------- d-----w- C:\Career Manager
2009-10-10 01:51 . 2009-10-15 02:17 -------- d-----w- c:\documents and settings\User\Application Data\Audacity
2009-10-10 01:50 . 2009-10-10 01:51 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 01:16 . 2009-07-24 01:56 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-11-07 00:04 . 2009-07-24 01:57 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-10-29 17:04 . 2009-10-01 17:04 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-29 17:04 . 2009-10-01 17:04 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-25 15:21 . 2009-03-24 00:40 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-10-01 17:33 . 2009-09-30 06:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 17:03 . 2009-10-01 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-01 17:03 . 2009-10-01 17:03 -------- d-----w- c:\program files\Lavasoft
2009-10-01 17:03 . 2009-04-12 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-01 05:54 . 2009-10-01 05:54 -------- d-----w- c:\program files\Avira
2009-10-01 05:54 . 2009-10-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-01 05:42 . 2009-03-09 01:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 05:41 . 2009-10-01 05:39 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-01 05:26 . 2009-10-01 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-01 05:15 . 2009-10-01 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 04:37 . 2009-02-22 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 00:25 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-10-01 00:25 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 13:17 . 2009-09-30 03:03 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-09-30 13:17 . 2009-09-30 03:03 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-09-30 06:08 . 2009-09-30 06:08 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-30 06:07 . 2009-09-30 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-30 06:07 . 2009-09-30 06:07 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-09-30 05:52 . 2009-09-30 05:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 03:01 . 2009-09-30 03:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-09-30 03:01 . 2009-09-30 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 03:01 . 2009-09-30 02:46 -------- d-----w- c:\program files\UnHackMe
2009-09-30 01:18 . 2009-03-08 07:14 -------- d-----w- c:\program files\RegistryFix6
2009-09-29 14:12 . 2009-09-29 14:12 -------- d-----w- c:\documents and settings\User\Application Data\Ahead
2009-09-29 01:20 . 2009-09-29 01:20 -------- d-----w- c:\program files\IObit
2009-09-25 05:04 . 2009-07-14 00:34 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-25 05:00 . 2009-09-25 04:59 -------- d-----w- c:\program files\iTunes
2009-09-25 05:00 . 2009-09-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-25 04:59 . 2009-09-25 04:59 -------- d-----w- c:\program files\iPod
2009-09-25 04:59 . 2009-07-14 00:30 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 04:56 . 2009-09-25 04:55 -------- d-----w- c:\program files\QuickTime
2009-09-24 05:51 . 2009-09-24 05:50 -------- d-----w- c:\program files\Flash Slideshow Maker Professional
2009-09-22 00:09 . 2009-09-22 00:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2008-04-14 14:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-10-01 00:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-01 00:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 22:57 . 2009-02-22 03:34 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2008-04-14 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-04-14 14:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-04-14 14:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-14 14:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-14 14:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-14 14:00 . 2008-04-14 14:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 14:00 . 2008-04-14 14:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 14:00 . 2008-04-14 14:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 14:00 . 2008-04-14 14:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 14:00 . 2008-04-14 14:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 14:00 . 2008-04-14 14:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 14:00 . 2008-04-14 14:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 14:00 . 2008-04-14 14:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

[-] 2008-07-17 . 5223357CDF638BFEBF9F3A87C7C562F7 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2006-04-06 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-09 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-28 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2009-03-08 1700864]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-01 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\User\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/04/2009 9:56 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/09/2009 9:54 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 6:49 AM 1028432]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [13/07/2009 7:09 AM 16512]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [27/02/2009 12:51 AM 166720]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7BC0D3D8-3EC7-8793-9D17-6285E39FE77D}]
c:\windows\system32:diskchk.exe
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 17:04]

2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1644491937-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 00:47]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1644491937-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 00:47]

2009-10-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rm37o42v.default\
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sysmgr - c:\windows\system32:diskchk.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 17:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sysmgr = c:\windows\system32:diskchk.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-11-07 17:20
ComboFix-quarantined-files.txt 2009-11-07 01:20

Pre-Run: 60,050,759,680 bytes free
Post-Run: 60,210,401,280 bytes free

- - End Of File - - 5EB4B1853DD2E58F13B99C1C9605379E

#12 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 09 November 2009 - 08:17 AM

Sorry for the delay deewar25, got tied up in the real world. Will be posting here shortly.

Doc.

#13 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 11 November 2009 - 01:43 PM

Hello deewar25,

1. Run this CFScirpt
Warning: This CFScript has been tailored to deewar25's particular system and should not be run on any other system
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    ADS::
    c:\windows\system32

    Folder::
    c:\program files\IObit

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000

    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7BC0D3D8-3EC7-8793-9D17-6285E39FE77D}]

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll | c:\windows\system32\sfcfiles.dll

  • Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
2. Did you install this program yourself?
  • RegistryFix6
  • If you did not install this program, or if you are not sure, please uninstall this program through Add/Remove Programs.
    • Click "start" on the taskbar and then click on the "Control Panel" icon.
    • Please doubleclick the "Add or Remove Programs" icon
    • A list of programs installed will be "populated" this may take a bit of time.
    • If they exist, uninstall the following by clicking on the following entries and selecting "remove":RegistryFix6
  • Additional instructions can be found here if needed.
3. What I need in your next Reply:
  • ComboFix.txt
Doc.

#14 deewar25

deewar25
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 11 November 2009 - 08:26 PM

As requested - one oddity when it first started running the test was an error in the program pev.cfxxe - box came up and told me to shut down - I did as such and the combofix still ran fine. Just FYI! I removed the regchk program after - wasn't in the add/remove area - had to go through programs-uninstall in the pulldowns.


ComboFix 09-11-11.02 - User 11/11/2009 17:00.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1023.609 [GMT -8:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\User\My Documents\Downloads\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\IObit
c:\program files\IObit\IObit Security 360\IS360DataBase.db
c:\program files\IObit\IObit Security 360\license.dat
c:\program files\IObit\IObit Security 360\log\Scan\2009-09-28 18-33-8.log
c:\program files\IObit\IObit Security 360\log\Scan\2009-09-29 18-19-3.log
c:\program files\IObit\IObit Security 360\log\Scan\2009-09-29 19-11-22.log
c:\program files\IObit\IObit Security 360\log\Scan\2009-09-29 19-41-18.log
c:\program files\IObit\IObit Security 360\Quarantine Zone\info.db
c:\program files\IObit\IObit Security 360\UpdateLog.txt

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 14:18 . 2009-11-11 14:18 -------- d-----w- c:\windows\LastGood
2009-10-25 03:33 . 2009-10-25 20:52 -------- d-----w- c:\program files\Gradekeeper
2009-10-23 02:22 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 23:44 . 2009-10-20 23:44 -------- d-----w- c:\windows\system32\Adobe
2009-10-17 04:43 . 2009-10-17 04:43 -------- d-----w- c:\documents and settings\User\Application Data\ChaosPro
2009-10-17 04:42 . 2009-10-17 04:44 -------- d-----w- c:\program files\ChaosPro3.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 01:10 . 2009-07-24 01:56 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-11-12 00:05 . 2009-07-24 01:57 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-10-29 17:04 . 2009-10-01 17:04 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-29 17:04 . 2009-10-01 17:04 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-25 15:21 . 2009-03-24 00:40 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-10-15 02:17 . 2009-10-10 01:51 -------- d-----w- c:\documents and settings\User\Application Data\Audacity
2009-10-10 01:51 . 2009-10-10 01:50 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-10-01 17:33 . 2009-09-30 06:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 17:03 . 2009-10-01 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-01 17:03 . 2009-10-01 17:03 -------- d-----w- c:\program files\Lavasoft
2009-10-01 17:03 . 2009-04-12 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-01 05:54 . 2009-10-01 05:54 -------- d-----w- c:\program files\Avira
2009-10-01 05:54 . 2009-10-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-01 05:42 . 2009-03-09 01:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 05:41 . 2009-10-01 05:39 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-01 05:26 . 2009-10-01 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-01 05:15 . 2009-10-01 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 04:37 . 2009-02-22 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 00:25 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-10-01 00:25 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 13:17 . 2009-09-30 03:03 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-09-30 13:17 . 2009-09-30 03:03 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-09-30 06:08 . 2009-09-30 06:08 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-30 06:07 . 2009-09-30 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-30 06:07 . 2009-09-30 06:07 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-09-30 05:52 . 2009-09-30 05:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 03:01 . 2009-09-30 03:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-09-30 03:01 . 2009-09-30 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 03:01 . 2009-09-30 02:46 -------- d-----w- c:\program files\UnHackMe
2009-09-30 01:18 . 2009-03-08 07:14 -------- d-----w- c:\program files\RegistryFix6
2009-09-29 14:12 . 2009-09-29 14:12 -------- d-----w- c:\documents and settings\User\Application Data\Ahead
2009-09-25 05:04 . 2009-07-14 00:34 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-25 05:00 . 2009-09-25 04:59 -------- d-----w- c:\program files\iTunes
2009-09-25 05:00 . 2009-09-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-25 04:59 . 2009-09-25 04:59 -------- d-----w- c:\program files\iPod
2009-09-25 04:59 . 2009-07-14 00:30 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 04:56 . 2009-09-25 04:55 -------- d-----w- c:\program files\QuickTime
2009-09-24 05:51 . 2009-09-24 05:50 -------- d-----w- c:\program files\Flash Slideshow Maker Professional
2009-09-22 00:09 . 2009-09-22 00:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2008-04-14 14:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-10-01 00:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-01 00:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2008-04-14 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-04-14 14:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-04-14 14:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-14 14:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-14 14:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-14 14:00 . 2008-04-14 14:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 14:00 . 2008-04-14 14:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 14:00 . 2008-04-14 14:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 14:00 . 2008-04-14 14:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 14:00 . 2008-04-14 14:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 14:00 . 2008-04-14 14:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 14:00 . 2008-04-14 14:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 14:00 . 2008-04-14 14:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

[-] 2008-07-17 . 5223357CDF638BFEBF9F3A87C7C562F7 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-07_01.17.44 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2006-04-06 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-09 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-28 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2009-03-08 1700864]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-01 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\User\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/04/2009 9:56 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/09/2009 9:54 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 6:49 AM 1028432]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [13/07/2009 7:09 AM 16512]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [27/02/2009 12:51 AM 166720]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 17:04]

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1644491937-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 00:47]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1644491937-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-09 00:47]

2009-10-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rm37o42v.default\
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 17:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-12 17:12
ComboFix-quarantined-files.txt 2009-11-12 01:12
ComboFix2.txt 2009-11-07 01:20

Pre-Run: 59,961,774,080 bytes free
Post-Run: 59,923,517,440 bytes free

- - End Of File - - 357F8D72571279C2679BC27240DB6472

#15 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:02:56 AM

Posted 13 November 2009 - 11:40 AM

Hey deewar25,

Having trouble finding a legitimate sfcfiles.dll on your computer to replace the one that is failing the SigCheck in Combofix. Let's try this:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    sfcfiles.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Doc.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users