Desktop still having issues


  • This topic is locked
10 replies to this topic

#1 ZerosReign

ZerosReign

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:23 PM

Posted 05 February 2010 - 06:46 PM

So I uninstalled this fake 'Malware Defender' program, but I keep finding new infections over and over. There aren't many symptoms, but my custom internet icons keep resetting, all my passwords got cleared, etc. I've always kept my computer pretty spotless virus-wise, but something seems to still be amiss. The Malware Defense at the start of my DDS log, unless that is Malwarebytes' Anti-Malware, seems suspicious to me...

Below are my DDS and Attach logs. I tried running RootRepeal, but it becomes unresponsive during initialization.




DDS (Ver_09-12-01.01) - NTFSx86
Run by Adam at 18:39:10.01 on Fri 02/05/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.735 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1368 [VPS 100202-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SuperAdBlockerBHO Class: {00000000-6c30-11d8-9363-000ae6309654} - c:\program files\superadblocker.com\super ad blocker\SABBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\1.2.1128.5462\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Super Ad Blocker Toolbar: {b4b3001e-0f56-4e51-8250-bde11547ec55} - c:\program files\superadblocker.com\super ad blocker\sabtb.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [SuperAdBlocker] c:\program files\superadblocker.com\super ad blocker\SAdBlock.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [<NO NAME>]
mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Omnipage] c:\program files\scansoft\omnipagepro11.0\opware32.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Yzakizoqosihol] rundll32.exe "c:\windows\icocokuvo.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: google.com\images
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151804219906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by144fd.bay144.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SABWinLogon - c:\program files\superadblocker.com\super ad blocker\SABWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000d7} - c:\program files\superadblocker.com\super ad blocker\SABSEHB.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adam\applic~1\mozilla\firefox\profiles\v3tjo552.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - plugin: c:\documents and settings\adam\application data\mozilla\firefox\profiles\v3tjo552.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B854453A-F5E2-494C-92CA-22141CD4AE67} - c:\documents and settings\adam\local settings\application data\{B854453A-F5E2-494C-92CA-22141CD4AE67}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2004-3-5 15942]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-15 114768]
R1 SABDIFSV;SABDIFSV;c:\program files\superadblocker.com\super ad blocker\sabdifsv.sys [2005-9-21 5632]
R1 SABKUTIL;SABKUTIL;c:\program files\superadblocker.com\super ad blocker\SABKUTIL.SYS [2007-2-20 32256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-15 138680]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\norton~3\norton~1\NPROTECT.EXE [2003-11-24 81920]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-29 585728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-30 24652]
R3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-01-22 04:09:13 0 ----a-w- c:\windows\Qkefogodob.bin
2010-01-22 04:09:12 120 ----a-w- c:\windows\Dsemunajazetij.dat
2010-01-13 16:01:05 0 d-----w- c:\docume~1\adam\applic~1\BSplayer Pro
2010-01-11 10:00:56 0 d-----w- c:\windows\Freecorder
2010-01-11 10:00:21 0 d-----w- c:\windows\Applian FLV Player

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 04:50:41 737280 ----a-w- c:\windows\iun6002.exe
2007-03-09 08:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2005-06-22 05:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2008-02-10 03:56:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-02-10 03:56:44 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-02-10 03:56:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:41:44.56 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/1/2006 9:33:44 PM
System Uptime: 2/5/2010 6:09:45 PM (0 hours ago)

Motherboard: CP | | 865A01
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2994/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2994/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 76 GiB total, 0.968 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: RADEON 9800 PRO - Secondary
Device ID: PCI\VEN_1002&DEV_4E68&SUBSYS_00031002&REV_00\4&299CCBFA&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON 9800 PRO - Secondary
PNP Device ID: PCI\VEN_1002&DEV_4E68&SUBSYS_00031002&REV_00\4&299CCBFA&0&0108
Service: ati2mtag

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_0C07105B&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_0C07105B&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP1283: 11/6/2009 6:57:37 AM - System Checkpoint
RP1284: 11/7/2009 3:36:45 PM - System Checkpoint
RP1285: 11/8/2009 3:46:04 PM - System Checkpoint
RP1286: 11/9/2009 6:24:22 PM - System Checkpoint
RP1287: 11/10/2009 10:18:52 PM - System Checkpoint
RP1288: 11/12/2009 7:53:59 PM - System Checkpoint
RP1289: 11/13/2009 11:05:41 PM - System Checkpoint
RP1290: 11/14/2009 11:08:40 PM - System Checkpoint
RP1291: 11/17/2009 3:56:35 AM - System Checkpoint
RP1292: 11/18/2009 5:47:54 AM - System Checkpoint
RP1293: 11/19/2009 6:15:30 AM - System Checkpoint
RP1294: 11/20/2009 6:31:28 AM - System Checkpoint
RP1295: 11/21/2009 8:09:29 AM - System Checkpoint
RP1296: 11/22/2009 8:46:06 PM - System Checkpoint
RP1297: 11/30/2009 1:17:19 AM - System Checkpoint
RP1298: 12/1/2009 4:26:41 AM - Software Distribution Service 3.0
RP1299: 12/2/2009 6:22:56 AM - System Checkpoint
RP1300: 12/3/2009 7:52:46 AM - System Checkpoint
RP1301: 12/4/2009 11:05:57 AM - System Checkpoint
RP1302: 12/5/2009 3:43:37 PM - System Checkpoint
RP1303: 12/6/2009 7:58:42 PM - System Checkpoint
RP1304: 12/7/2009 8:11:22 PM - System Checkpoint
RP1305: 12/10/2009 6:16:15 AM - System Checkpoint
RP1306: 12/11/2009 6:20:16 AM - System Checkpoint
RP1307: 12/12/2009 7:15:02 AM - System Checkpoint
RP1308: 12/12/2009 7:21:37 PM - Software Distribution Service 3.0
RP1309: 12/14/2009 7:24:23 AM - System Checkpoint
RP1310: 12/15/2009 8:30:58 AM - System Checkpoint
RP1311: 12/16/2009 9:18:57 AM - System Checkpoint
RP1312: 12/18/2009 5:23:14 AM - System Checkpoint
RP1313: 12/19/2009 6:21:24 AM - System Checkpoint
RP1314: 12/19/2009 11:28:03 PM - Software Distribution Service 3.0
RP1315: 12/21/2009 1:49:54 PM - System Checkpoint
RP1316: 12/22/2009 2:14:32 PM - System Checkpoint
RP1317: 12/23/2009 3:02:39 PM - System Checkpoint
RP1318: 12/25/2009 2:16:22 AM - System Checkpoint
RP1319: 12/26/2009 3:06:58 AM - System Checkpoint
RP1320: 12/27/2009 8:17:59 PM - System Checkpoint
RP1321: 12/29/2009 12:52:58 AM - System Checkpoint
RP1322: 12/30/2009 1:22:45 AM - System Checkpoint
RP1323: 12/31/2009 7:41:42 AM - System Checkpoint
RP1324: 1/3/2010 6:57:37 PM - System Checkpoint
RP1325: 1/4/2010 7:19:04 PM - System Checkpoint
RP1326: 1/5/2010 9:04:52 PM - System Checkpoint
RP1327: 1/6/2010 9:06:31 PM - System Checkpoint
RP1328: 1/8/2010 3:17:16 AM - System Checkpoint
RP1329: 1/9/2010 8:04:12 AM - System Checkpoint
RP1330: 1/10/2010 8:12:04 AM - System Checkpoint
RP1331: 1/12/2010 1:54:57 AM - System Checkpoint
RP1332: 1/13/2010 2:41:15 AM - System Checkpoint
RP1333: 1/14/2010 3:10:23 AM - Software Distribution Service 3.0
RP1334: 1/15/2010 4:32:22 AM - System Checkpoint
RP1335: 1/16/2010 5:02:24 AM - System Checkpoint
RP1336: 1/17/2010 5:50:32 AM - System Checkpoint
RP1337: 1/18/2010 6:26:20 AM - System Checkpoint
RP1338: 1/19/2010 9:31:39 AM - Installed Java™ 6 Update 17
RP1339: 1/20/2010 9:50:56 AM - System Checkpoint
RP1340: 1/21/2010 7:50:43 PM - System Checkpoint
RP1341: 1/23/2010 12:30:06 AM - System Checkpoint
RP1342: 1/24/2010 1:19:08 AM - System Checkpoint
RP1343: 1/25/2010 11:07:04 PM - System Checkpoint
RP1344: 1/27/2010 12:36:26 AM - System Checkpoint
RP1345: 1/28/2010 7:23:28 PM - System Checkpoint
RP1346: 1/29/2010 8:28:03 PM - System Checkpoint
RP1347: 1/30/2010 9:18:51 PM - System Checkpoint
RP1348: 1/31/2010 10:15:19 PM - System Checkpoint
RP1349: 2/2/2010 1:08:04 AM - System Checkpoint
RP1350: 2/3/2010 1:33:25 AM - System Checkpoint

==== Installed Programs ======================

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 7.0
Adobe Reader 8.1.6
AIM 6
Alinco Decal Plugin
Alinco Filter
Applian FLV Player
Asheron's Call: Throne of Destiny
ATI Display Driver
avast! Antivirus
Avidemux 2.4
Azureus
Combined Community Codec Pack 2008-09-21 16:18
Critical Update for Windows Media Player 11 (KB959772)
DAEMON Tools Toolbar
DCS
Decal 3.0 (Alpha 8: 2.9.6.0)
Diablo II
FaceMorpher Lite 2.5
Find It!
FLV Player 2.0 (build 25)
FotoMorph
Fraps
Freecorder 4.0 Application
GoldWave v5.06
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HTML Executable IERuntime
Iomega REV System Software
iTunes
Japanese Language Support
Java™ 6 Update 17
Karen's Alarm Clock
Lernout & Hauspie TruVoice American English TTS Engine
LifeTank XI
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Logitech Desktop Messenger
Logitech MouseWare 9.80
Mah Jongg - The REAL Game!
Make It!
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
MiniMap
Mozilla Firefox (3.5.5)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MSXML4 Parser
Mule Trade It!
MUSICMATCH Jukebox
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
OmniPage Pro 11.0
Python 2.1
Python 2.1 combined Win32 extensions
QuickTime
Radar Add-on
Real Alternative 1.8.2
Replay AV 8
Replay Converter 2.8
Replay Radio and Replay A/V 7
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sound Blaster Live!
Super Ad Blocker
Symantec Technical Support Web Controls
Ultra MP4 Video Converter 5.2.0603
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6
Viewpoint Media Player
Vuze
WebFldrs XP
Winamp (remove only)
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPcap 3.1
WinRAR archiver
YouTube Downloader 2.5.3

==== Event Viewer Messages From Past Week ========

2/1/2010 5:47:47 PM, error: Service Control Manager [7000] - The Creative Service for CDROM Access service failed to start due to the following error: The system cannot find the file specified.
2/1/2010 10:39:22 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

==== End Of File ===========================


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:23 PM

Posted 12 February 2010 - 07:49 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 ZerosReign

ZerosReign
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:23 PM

Posted 12 February 2010 - 08:23 PM

Tag. You're it =)

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:23 PM

Posted 12 February 2010 - 08:42 PM

That "Malware Defense" on the DDS log is a rogue and there are also traces of infection on the log.

Can you try and run Gmer for me. This is a rootkit scanner like RootRepeal.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Can you also run RSIT, a straight scan which will cover some of the areas that I need to take a look at.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
Thanks
m0le is a proud member of UNITE

#5 ZerosReign
  • Topic Starter
  • Members
  • 16 posts

Posted 13 February 2010 - 06:33 PM

Bleh, new issue now with this fake "Must re-register Windows within 3 days because your hardware has changed" BS. Especially since this comp hasn't changed in 7 years, lol.

I had to attach the logs because they were too long to post otherwise. Thanks in advance for all the work you put into helping with stuff like this. I'm sure you feel underappreciated with it sometimes, but I assure you I am extremely grateful =)

Attached Files



#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 February 2010 - 07:09 PM

You're quite infected. Though you probably guessed this already.

We need to use a powerful program to remove the malware in this case. If this won't run then let me know.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by m0le, 13 February 2010 - 07:10 PM.

m0le is a proud member of UNITE

#7 ZerosReign
  • Topic Starter
  • Members
  • 16 posts

Posted 13 February 2010 - 09:04 PM

Haha, yeah, I figured as much ;) It appears the fake 'Windows Registration' thing is still running.

---------------------------------

ComboFix 10-02-12.01 - Adam 02/13/2010 20:51:01.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1107 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100202-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adam\Local Settings\Application Data\{B854453A-F5E2-494C-92CA-22141CD4AE67}
c:\documents and settings\Adam\Local Settings\Application Data\{B854453A-F5E2-494C-92CA-22141CD4AE67}\chrome.manifest
c:\documents and settings\Adam\Local Settings\Application Data\{B854453A-F5E2-494C-92CA-22141CD4AE67}\chrome\content\_cfg.js
c:\documents and settings\Adam\Local Settings\Application Data\{B854453A-F5E2-494C-92CA-22141CD4AE67}\chrome\content\overlay.xul
c:\documents and settings\Adam\Local Settings\Application Data\{B854453A-F5E2-494C-92CA-22141CD4AE67}\install.rdf
c:\windows\icocokuvo.dll
c:\windows\system32\Data
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-13 19:35 . 2010-02-13 23:25 -------- d-----w- c:\program files\trend micro
2010-02-13 19:35 . 2010-02-13 19:58 -------- d-----w- C:\rsit
2010-02-03 05:51 . 2010-02-03 05:51 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 04:09 . 2010-02-13 23:24 0 ----a-w- c:\windows\Qkefogodob.bin
2010-01-22 04:09 . 2010-02-14 01:39 120 ----a-w- c:\windows\Dsemunajazetij.dat
2010-01-19 14:31 . 2010-01-19 14:31 152576 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 14:30 . 2010-01-19 14:30 79488 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 00:43 . 2007-09-21 19:17 -------- d-----w- c:\documents and settings\Adam\Application Data\gtk-2.0
2010-02-13 23:41 . 2006-07-05 03:40 -------- d-----w- c:\documents and settings\Adam\Application Data\Azureus
2010-02-03 05:51 . 2010-01-06 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 00:29 . 2007-09-21 19:16 -------- d-----w- c:\program files\Avidemux 2.4
2010-01-24 01:34 . 2007-05-29 10:18 -------- d-----w- c:\program files\Norton SystemWorks
2010-01-19 14:32 . 2006-07-05 03:39 -------- d-----w- c:\program files\Java
2010-01-13 16:01 . 2010-01-13 16:01 -------- d-----w- c:\documents and settings\Adam\Application Data\BSplayer Pro
2010-01-11 10:16 . 2010-01-11 10:00 -------- d-----w- c:\program files\FLV Player
2010-01-11 05:29 . 2008-05-30 18:27 -------- d-----w- c:\program files\Replay AV 8
2010-01-07 21:07 . 2010-01-06 04:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-06 04:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 04:05 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2010-01-06 04:05 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 23:54 . 2009-11-15 21:57 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-11-15 21:58 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:47 . 2009-11-15 21:58 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-11-15 21:58 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 16:36 . 2003-03-31 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-06-01 02:39 . 2008-06-01 02:37 48 --sh--w- c:\windows\S0AF2A5C9.tmp
2007-03-09 08:12 . 2007-03-09 08:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2005-06-22 05:37 . 2006-05-24 17:37 45568 --sha-r- c:\windows\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="c:\program files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-06-05 1564672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"Iomega ImIconXP"="c:\program files\Iomega\REV System Software\imiconxp.exe" [2004-05-03 77914]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Omnipage"="c:\program files\ScanSoft\OmniPagePro11.0\opware32.exe" [2001-06-21 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-7-2 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-05-14 17:20 176128 ----a-w- c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [3/5/2004 12:41 PM 15942]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/15/2009 4:58 PM 114768]
R1 SABDIFSV;SABDIFSV;c:\program files\SuperAdBlocker.com\Super Ad Blocker\sabdifsv.sys [9/21/2005 10:17 AM 5632]
R1 SABKUTIL;SABKUTIL;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.SYS [2/20/2007 3:02 PM 32256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/15/2009 4:58 PM 20560]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [11/24/2003 11:49 AM 81920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/30/2007 4:45 PM 24652]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/17/2009 3:18 AM 721904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - revfs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 08:48]

2007-05-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-05-25 22:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: google.com\images
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\v3tjo552.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - plugin: c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\v3tjo552.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe
HKLM-Run-Yzakizoqosihol - c:\windows\icocokuvo.dll
AddRemove-MUSICMATCH Jukebox - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1757981266-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-13 21:02:13
ComboFix-quarantined-files.txt 2010-02-14 02:01

Pre-Run: 1,013,850,112 bytes free
Post-Run: 2,448,396,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - DD279F3F00780A8DCCD9F42FCAB78875
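The ComboFix log above was triaged by eye: the helper picked out the randomly named files dropped straight into c:\windows, the Security Center and firewall values that had been switched off, and the orphaned Run entry pointing at a DLL in the Windows root. As an added example (not part of this thread, and not code from ComboFix or BleepingComputer), the Python script below pulls those same three kinds of indicators out of ComboFix-style log lines so the check can be repeated on any saved C:\ComboFix.txt. The sample lines are constructed from the log above; the allowlist of legitimate Windows-root files and the "file directly in %windir% is suspicious" heuristic are assumptions made for this example, not ComboFix rules.

```python
import re

# Constructed sample input: lines copied in shape from the ComboFix log posted
# above, so the checks can be run offline without a real log file.
SAMPLE_LOG = r"""
2010-01-22 04:09 . 2010-02-13 23:24 0 ----a-w- c:\windows\Qkefogodob.bin
2010-01-22 04:09 . 2010-02-14 01:39 120 ----a-w- c:\windows\Dsemunajazetij.dat
2010-01-19 14:31 . 2010-01-19 14:31 152576 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-13 19:35 . 2010-02-13 19:58 -------- d-----w- C:\rsit
2009-11-24 23:54 . 2009-11-15 21:57 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2008-06-01 02:39 . 2008-06-01 02:37 48 --sh--w- c:\windows\S0AF2A5C9.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKLM-Run-Yzakizoqosihol - c:\windows\icocokuvo.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
"""

# "Files Created" / "Find3M" lines: created . modified size attributes path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+([drshaw-]{8})\s+(.+?)\s*$")
# Registry value lines in the REGEDIT4-style "Reg Loading Points" section
REG_VALUE = re.compile(r'^"(\w+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')
# "ORPHANS REMOVED" lines: HKLM-Run-<name> - <target>
RUN_ORPHAN = re.compile(r"^(HKLM|HKCU)-Run-(\S+) - (.+?)\s*$")
# A path directly under the Windows directory, with no sub-folder
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)

# Assumption for this example: files an XP install legitimately keeps directly
# in %windir%. Anything else created there is worth a second look.
KNOWN_ROOT_FILES = {"explorer.exe", "notepad.exe", "regedit.exe",
                    "win.ini", "system.ini", "winhelp.exe"}


def triage(log_text):
    """Return the three indicator lists pulled from a ComboFix-style log."""
    findings = {"windows_root_files": [],      # (path, hidden_and_system)
                "weakened_defences": [],       # registry settings switched off
                "suspicious_run_entries": []}  # Run keys loading a %windir% DLL
    for raw in log_text.splitlines():
        line = raw.strip()

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            name = path.rsplit("\\", 1)[-1].lower()
            is_dir = attrs[0] == "d"
            if not is_dir and WINDOWS_ROOT.match(path) and name not in KNOWN_ROOT_FILES:
                # 's' and 'h' in the attribute field mean system + hidden,
                # which a dropper uses to keep a file out of Explorer listings.
                hidden = "s" in attrs and "h" in attrs
                findings["windows_root_files"].append((path, hidden))
            continue

        m = REG_VALUE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if name == "AntiVirusOverride" and value != 0:
                findings["weakened_defences"].append("AntiVirusOverride=1")
            elif name == "EnableFirewall" and value == 0:
                findings["weakened_defences"].append("EnableFirewall=0")
            continue

        m = RUN_ORPHAN.match(line)
        if m:
            hive, key, target = m.groups()
            # Legitimate software rarely autostarts a DLL that sits loose in
            # the Windows root; the rogue above did exactly that.
            if WINDOWS_ROOT.match(target) and target.lower().endswith(".dll"):
                findings["suspicious_run_entries"].append(f"{hive}-Run-{key} -> {target}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

To run it against a real log, pass the file contents instead of the sample: `triage(open(r"C:\ComboFix.txt", encoding="utf-8", errors="replace").read())`. The output is a shortlist to check by hand, not a verdict: a file in the Windows root is not proof of infection, but, as this thread shows, it is where the helper's attention went first.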


#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 February 2010 - 09:27 PM

Peer to peer websites...

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow users to share files between themselves, as the name suggests. In today's world cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Back to the fix

Hmmm, the good news is that the infection has already been hit hard so Combofix hasn't found a great deal of it.

The (relatively) bad news is that the reactivation message is a real message caused, probably, by a dying battery.

QUOTE
The battery that keeps the configuration data in the BIOS active even when the PC is switched off has died or is weak. Consequently, the configuration data has had to be rediscovered from the CMOS chip that contains the BIOS data. The BIOS has had to 're-enumerate' its hardware at boot-up. Several things, including an errant keystroke or an ageing BIOS battery, can trigger this re-enumeration. Windows keeps its Product Activation information on board, so it may have reacted to the hardware being redetected and reconfigured. Replacing the BIOS battery will probably fix the problem. The battery is cheap. Just remove it and take it into a PC shop to obtain a replacement. If you aren't comfortable with doing this then call ahead as they will take in the whole PC if necessary.


Instructions for removal

Source of reactivation information


Okay, let's run Combofix again to sweep up the rest

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/top...ml#entry1629505

Collect::
c:\windows\Qkefogodob.bin
c:\windows\Dsemunajazetij.dat
c:\windows\S0AF2A5C9.tmp


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then we can run a sweep of the system with an online scanner, ESET is my choice.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks

Edited by m0le, 13 February 2010 - 09:28 PM.

m0le is a proud member of UNITE

#9 ZerosReign
  • Topic Starter
  • Members
  • 16 posts

Posted 14 February 2010 - 12:27 AM

Ah, so should I go ahead and re-register Windows and hope it was a one-time glitch then? I use Azureus for legal anime subs, btw, hehe ;)

Here are the ComboFix #2 and ESET logs. ComboFix did say something about reporting files for further inspection via upload to the server this time...

---------------------------------------------------------------------------------------

ComboFix 10-02-12.01 - Adam 02/13/2010 22:07:42.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1106 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100202-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\Dsemunajazetij.dat
file zipped: c:\windows\Qkefogodob.bin
file zipped: c:\windows\S0AF2A5C9.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Dsemunajazetij.dat
c:\windows\Qkefogodob.bin
c:\windows\S0AF2A5C9.tmp

.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-13 19:35 . 2010-02-13 23:25 -------- d-----w- c:\program files\trend micro
2010-02-13 19:35 . 2010-02-13 19:58 -------- d-----w- C:\rsit
2010-02-03 05:51 . 2010-02-03 05:51 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-19 14:31 . 2010-01-19 14:31 152576 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 14:30 . 2010-01-19 14:30 79488 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 00:43 . 2007-09-21 19:17 -------- d-----w- c:\documents and settings\Adam\Application Data\gtk-2.0
2010-02-13 23:41 . 2006-07-05 03:40 -------- d-----w- c:\documents and settings\Adam\Application Data\Azureus
2010-02-03 05:51 . 2010-01-06 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 00:29 . 2007-09-21 19:16 -------- d-----w- c:\program files\Avidemux 2.4
2010-01-24 01:34 . 2007-05-29 10:18 -------- d-----w- c:\program files\Norton SystemWorks
2010-01-19 14:32 . 2006-07-05 03:39 -------- d-----w- c:\program files\Java
2010-01-13 16:01 . 2010-01-13 16:01 -------- d-----w- c:\documents and settings\Adam\Application Data\BSplayer Pro
2010-01-11 10:16 . 2010-01-11 10:00 -------- d-----w- c:\program files\FLV Player
2010-01-11 05:29 . 2008-05-30 18:27 -------- d-----w- c:\program files\Replay AV 8
2010-01-07 21:07 . 2010-01-06 04:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-06 04:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 04:05 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2010-01-06 04:05 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 23:54 . 2009-11-15 21:57 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-11-15 21:58 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:47 . 2009-11-15 21:58 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-11-15 21:58 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 16:36 . 2003-03-31 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-03-09 08:12 . 2007-03-09 08:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2005-06-22 05:37 . 2006-05-24 17:37 45568 --sha-r- c:\windows\system32\cygz.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_01.59.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-14 03:05 . 2010-02-14 03:05 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2010-02-14 03:05 . 2010-02-14 03:05 16384 c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="c:\program files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-06-05 1564672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"Iomega ImIconXP"="c:\program files\Iomega\REV System Software\imiconxp.exe" [2004-05-03 77914]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Omnipage"="c:\program files\ScanSoft\OmniPagePro11.0\opware32.exe" [2001-06-21 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-7-2 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-05-14 17:20 176128 ----a-w- c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [3/5/2004 12:41 PM 15942]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/15/2009 4:58 PM 114768]
R1 SABDIFSV;SABDIFSV;c:\program files\SuperAdBlocker.com\Super Ad Blocker\sabdifsv.sys [9/21/2005 10:17 AM 5632]
R1 SABKUTIL;SABKUTIL;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.SYS [2/20/2007 3:02 PM 32256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/15/2009 4:58 PM 20560]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [11/24/2003 11:49 AM 81920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/30/2007 4:45 PM 24652]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/17/2009 3:18 AM 721904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - revfs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 08:48]

2007-05-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-05-25 22:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: google.com\images
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\v3tjo552.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - plugin: c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\v3tjo552.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 22:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1757981266-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-13 22:17:56
ComboFix-quarantined-files.txt 2010-02-14 03:17
ComboFix2.txt 2010-02-14 02:18
ComboFix3.txt 2010-02-14 02:02

Pre-Run: 2,486,579,200 bytes free
Post-Run: 2,408,898,560 bytes free

- - End Of File - - 39A8C3BB70E1899140EC182C151678C8
Upload was successful


-------------------------------------------------------------------------------------------



C:\Documents and Settings\Adam\Desktop\My Briefcase\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\icocokuvo.dll.vir a variant of Win32/Cimag.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{AB04A726-9B65-4FF7-8252-1C5D92CFDE77}\RP1356\A0187231.dll a variant of Win32/Cimag.BO trojan cleaned by deleting - quarantined


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:23 PM

Posted 14 February 2010 - 06:01 AM

QUOTE
C:\Documents and Settings\Adam\Desktop\My Briefcase\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\icocokuvo.dll.vir a variant of Win32/Cimag.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{AB04A726-9B65-4FF7-8252-1C5D92CFDE77}\RP1356\A0187231.dll a variant of Win32/Cimag.BO trojan cleaned by deleting - quarantined


This is the last of the malware. Only the top one is live malware; the other two are removable at the final instructions, which is where we are now...


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it ZerosReign, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:23 PM

Posted 19 February 2010 - 05:01 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



