Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I believe I have the Vundo Trojan


  • This topic is locked This topic is locked
19 replies to this topic

#1 Chase1204

Chase1204

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 03 November 2009 - 10:28 PM

Okay, I just came from the majorgeeks website with no help there and I asked them to close the topic over there. My logs are clean according to the people over at majorgeeks, but I know something is wrong with my computer. I ran malwarebytes, Superantispyware and various other scans many times and I have come back with nothing. My computer is running very slow, my desktop has been changed and it has a warning message on it asking me to download something to fix my computer because of a codec failure. I know that that is a symptom of vundo where it asks you to download something to fix a nonexistent problem. I also have lost all sound, however when I stop the process of the virus my sound works perfectly. I Installed rkill.exe and I was able to change my desktop but It still wouldn't allow me to open up task manager. I also went into my HKEY root things and removed the microsoft policies that were prohibiting me from changing my desktop however, every time I reboot my computer the virus reboots. Could the free version of Malwarebyte have missed the trojan? Here are my logs.

Attached Files

  • Attached File  ark.txt   28.4KB   3 downloads
  • Attached File  DDS.txt   11.71KB   10 downloads


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 04 November 2009 - 08:10 AM

Hi,

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

c:\program files\java\jre6\bin\dejusched.exe
c:\documents and settings\chase\deusched.gif
c:\documents and settings\chase\deusched.htm


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Then, once you've done this, let me know in this thread.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 04 November 2009 - 04:07 PM

Okay, I have sent the file.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 04 November 2009 - 04:13 PM

Thank you. It's the one causing your problems..

Malwarebytes should detect this one though, so not sure if your malwarebytes is up to date..


First of all, please update MalwareBytes, because the databaseversion may be outdated.
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 04 November 2009 - 11:55 PM

Here is MBAM log....

Malwarebytes' Anti-Malware 1.41
Database version: 3101
Windows 5.1.2600 Service Pack 2

11/4/2009 5:42:41 PM
mbam-log-2009-11-04 (17-42-41).txt

Scan type: Quick Scan
Objects scanned: 105102
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Program Files\Java\jre6\bin\dejusched.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dejusched (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deusched (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Java\jre6\bin\dejusched.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#6 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 05 November 2009 - 12:03 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:55 AM, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/frostwire?o=101676&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chase\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9193 bytes


Well, everything seems to be just fine except that my sound still is not working. Could this be related to the malware?

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 05 November 2009 - 02:59 AM

Hi,

Have you rebooted already?

Also, for the sound, click on the speaker icon in your taskbar and go to properties. Look under the volume tab if nothing is set to mute there.
Also, Under the audio tab, click volume for the default device for sound playback and see if anything is set to "mute" and uncheck. Also check the sliders, because some sliders may be turned down there.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 05 November 2009 - 05:29 PM

Nope :/ nothing is on mute and the sliders are fine. Could it be codec or something??

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 06 November 2009 - 02:18 AM

Hi,

The malware you were dealing with "hooks" your sound, but when the malware is gone, you should have sound again though.. That's why it is strange.

Let's have a look again and do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 06 November 2009 - 11:01 PM

ComboFix 09-11-06.01 - Chase 11/06/2009 22:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.476 [GMT -5:00]
Running from: c:\documents and settings\Chase\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-05 22:31 . 2009-11-05 22:31 -------- d-----w- c:\documents and settings\Chase\Application Data\Blitware
2009-11-05 22:31 . 2009-11-05 22:31 -------- d-----w- c:\program files\Ask.com
2009-11-05 05:00 . 2009-11-05 05:00 -------- d-----w- c:\program files\Trend Micro
2009-11-04 22:37 . 2009-11-04 22:37 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-04 01:51 . 2009-11-04 02:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 01:51 . 2009-11-04 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 14:25 . 2009-10-24 14:25 -------- d-----w- C:\4b3f7ccf8b0c3473f9a5a594
2009-10-21 21:30 . 2009-10-21 21:30 -------- d-----w- C:\e87551a14702b2985b
2009-10-19 22:19 . 2009-10-19 22:19 -------- d-----w- c:\documents and settings\Chase\Local Settings\Application Data\PCHealth
2009-10-13 03:37 . 2009-11-04 03:41 117760 ----a-w- c:\documents and settings\Chase\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-13 03:26 . 2009-10-13 03:26 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-13 03:24 . 2009-10-13 03:25 -------- d-----w- c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 03:26 . 2007-02-12 22:49 -------- d-----w- c:\program files\Starcraft
2009-11-06 03:12 . 2006-02-26 16:42 -------- d-----w- c:\program files\FlashGet
2009-11-05 05:07 . 2006-02-26 17:04 -------- d-----w- c:\program files\Google
2009-11-05 05:06 . 2006-02-26 17:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 22:37 . 2009-08-29 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 03:36 . 2009-07-07 01:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 03:36 . 2009-07-07 01:33 -------- d-----w- c:\documents and settings\Chase\Application Data\SUPERAntiSpyware.com
2009-10-13 03:36 . 2008-11-22 22:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-01 00:44 . 2007-08-18 23:52 -------- d-----w- c:\documents and settings\Chase\Application Data\Skype
2009-09-30 23:51 . 2009-09-06 08:20 -------- d-----w- c:\documents and settings\Chase\Application Data\skypePM
2009-09-14 07:10 . 2008-03-22 04:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-14 04:48 . 2006-12-19 03:44 -------- d-----w- c:\documents and settings\Chase\Application Data\Apple Computer
2009-09-14 04:39 . 2009-09-14 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-14 04:39 . 2007-03-12 00:25 -------- d-----w- c:\program files\iTunes
2009-09-14 04:38 . 2009-09-14 04:38 -------- d-----w- c:\program files\iPod
2009-09-14 04:38 . 2008-06-18 06:11 -------- d-----w- c:\program files\Common Files\Apple
2009-09-14 04:38 . 2007-07-21 22:42 -------- d-----w- c:\program files\Bonjour
2009-09-14 04:37 . 2009-09-14 04:36 -------- d-----w- c:\program files\QuickTime
2009-09-14 04:34 . 2007-03-11 16:31 -------- d-----w- c:\program files\Apple Software Update
2009-09-14 04:32 . 2009-09-14 04:26 93107496 ----a-w- c:\program files\iTunesSetup.exe
2009-09-14 04:22 . 2009-07-07 03:11 -------- d-----w- c:\program files\CCleaner
2009-09-11 14:33 . 2003-07-16 20:36 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-08-29 17:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-08-29 17:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 01:43 . 2009-09-09 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-06 08:20 . 2009-09-06 08:20 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-06 00:10 . 2007-04-13 02:51 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-06 00:01 . 2007-04-13 23:58 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-04 20:45 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 03:32 . 2009-09-04 03:32 139152 ----a-w- c:\documents and settings\Chase\Application Data\PnkBstrK.sys
2009-09-04 03:32 . 2009-09-04 03:32 139152 ----a-w- c:\documents and settings\Chase\Application Data\PnkBstrK.sys
2009-09-04 03:31 . 2009-09-04 03:31 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-09-03 22:04 . 2009-09-03 22:04 207872 ----a-w- c:\documents and settings\Chase\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-09-03 22:04 . 2009-09-03 22:04 207872 ----a-w- c:\documents and settings\Chase\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-09-03 22:04 . 2009-09-03 22:04 207872 ----a-w- c:\documents and settings\Chase\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-09-03 22:04 . 2009-09-03 22:04 207872 ----a-w- c:\documents and settings\Chase\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-09-03 05:14 . 2009-09-03 05:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-30 01:29 . 2008-06-03 02:13 16992 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-29 07:36 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 15:10 . 2008-01-28 05:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:16 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 04:57 . 2009-08-17 04:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-08-17 04:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2006-12-18 22:27 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2006-10-22 20:22 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2006-10-22 20:22 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2006-10-22 20:22 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-17 04:57 . 2006-10-22 20:22 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2006-10-22 20:22 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2006-10-22 20:22 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-13 19:53 . 2009-08-13 19:53 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-11 16:35 . 2006-12-18 22:27 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2006-11-28 00:35 . 2006-11-28 00:35 5900416 ----a-w- c:\program files\Firefox Setup 2.0.exe
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r- c:\windows\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-10-27 18:48 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-03 149280]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-09-09 2356088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\windows\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe [2006-11-27 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingsPage"= 1 (0x1)
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Chase^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Chase\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chase^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Chase\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chase^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Chase\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\toocoolforyou\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\toocoolforyou\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\toocoolforyou\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Half-Life\\Base\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [5/29/2008 2:42 PM 33792]
R3 NvnUsbAudio;NvnUsbAudio;c:\windows\system32\drivers\nvnusbaudio.sys [12/25/2007 11:27 AM 25600]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [8/24/2007 2:44 PM 21920]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [3/23/2009 8:25 PM 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [3/23/2009 8:25 PM 3768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-10-27 18:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://today.ask.com/frostwire?o=101676&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Chase\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Chase\Application Data\Mozilla\Firefox\Profiles\csuqnn33.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15557&l=dis
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BLT&o=15554&locale=en_US&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Chase\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF78E9000]<< >>UNKNOWN [0xF75A1000]<< >>UNKNOWN [0xF7591000]<< >>UNKNOWN [0x82F6F1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82f6f1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1935655697-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F756EFE-19A5-FF6B-8C1D-5B94DC41F40E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jamlbdbiioencpmebhoj"=hex:6a,61,6e,6d,6b,65,69,6f,64,64,67,61,64,67,6a,6c,70,
62,6d,70,00,f2
"iagndaifbjbnnlbglf"=hex:6a,61,6e,6d,6b,65,69,6f,64,64,67,61,64,67,6a,6c,70,62,
6d,70,00,f2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1320)
c:\windows\system32\WININET.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-07 22:58
ComboFix-quarantined-files.txt 2009-11-07 03:58

Pre-Run: 3,577,049,088 bytes free
Post-Run: 3,761,381,376 bytes free

- - End Of File - - 3E5B60855F3FB52CF254AFC1D3F10838

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 07 November 2009 - 02:14 AM

Hi,

Please uninstall the Ask.com Toolbar since this one is not recommended.

Then, I notice that there's a possible MBR infection present. What I suggest here is, before proceeding with my steps is to backup any important data from your pc. This because a MBR infection causes a computer extremely instable and may cause it unbootable. That's why it's better safe than sorry and backup important data first, just in case..

Then, Go to start > run and copy and paste next command in the field:

mbr.exe -f

Hit enter.

Then go to your c:\documents and settings\Chase folder and copy and paste the contents of mbr.log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 08 November 2009 - 01:26 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#13 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 08 November 2009 - 01:27 AM

Hi, and thanks for all your work here.
I uninstalled the ask toolbar and posted the mbr log.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:15 AM

Posted 08 November 2009 - 02:34 AM

Hi,

This looks OK again.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Chase1204

Chase1204
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia
  • Local time:04:15 AM

Posted 08 November 2009 - 10:28 AM

I'm wondering could it be drivers or codec? This is really frustrating me. Its still not working.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users