
XP AntiMalware 2010


  • This topic is locked
30 replies to this topic

#1 lautreamax

lautreamax

  • Members
  • 16 posts

Posted 06 April 2010 - 05:21 PM

Hello everyone.

Last night my computer became infested with the "XP AntiMalware 2010" virus. I followed instructions on this site about downloading Malwarebytes' Anti-Malware and scanning the computer to remove the virus. This fixed most of the problems I was experiencing and seems to indeed have removed that particular virus. I no longer get fake alerts or prompts to download fake anti-virus software.

However, a few problems persist.

1. No matter how many times I do a full scan using MBAM and remove all reported items, some of them reappear immediately after I reboot my computer. I've run a full scan about 5 times and haven't managed to get a clean report yet.

2. There are several processes that keep appearing in task manager that I've never seen before and that I'd like to get rid of. For example: S0q6.exe.

3. I can no longer use Google Chrome as a browser. Internet Explorer and Firefox are both working, but since the virus, Google Chrome doesn't load any pages - not even HTML pages saved on my hard drive (like my exported bookmarks, for example). The page remains blank and tries to load forever. I have tried reinstalling Chrome, clearing cookies, etc. I've also searched the Google help forums, and while there were a few threads with people seemingly experiencing the same problem, nobody has a solution.

4. Every once in a while, apparently randomly, I get redirected (while browsing the Internet with Firefox) to a spam page. This never used to happen to me before.

5. Finally, I followed the instructions in the "Preparation Guide for Use Before Using Malware Removal Tools and Requesting Help" and managed to create DDS logs. However, when trying to scan using gmer, my computer spontaneously reboots halfway through the scan. After this happened a few times, I was able to manually abort the scan before the reboot and save an incomplete log file. I am attaching this log to this post and hope that it will be of some use, but please be aware that it may be incomplete.

Thank you in advance for your help. I'm a freelancer who works from home and I need this computer to be functional ASAP so that I can continue to work (and make a living!).

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Yan at 17:24:56.20 on Tue 04/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.317 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\8593516.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\TEMP\s0q6.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\regsvr32.exe
E:\Documents and Settings\Yan\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: profitmuse: {2de82840-de2c-e64b-5275-b3f46420eb5a} - c:\windows\system32\cf7c0882.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: profitizeme browser enhancer: {b5302e09-7c22-738c-9343-dbf8539b15b2} - c:\windows\system32\drrnvmcsnsjqw.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Vregemawixori] rundll32.exe "c:\windows\ecomoyesic.dll",Startup
mRun: [uxvefl] RUNDLL32.EXE c:\windows\system32\mssapsmr.dll,w
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [gyhwswkjhgjku] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\drrnvmcsnsjqw.dll"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [vrna] c:\windows\temp\s0q6.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: bydeluxe.com\snl
Trusted Zone: dgmusa.com\iweb
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232250776906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232250722078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A86A4C7C-6911-42D3-B898-52A199AB41CB} - hxxp://sol.softitler.com/downloads/SoftLink.exe
DPF: {A86FEA6F-95C0-4190-A622-C5C02739CBE3} - hxxp://snl.bydeluxe.com/SOLASP/(S(pav5man34j41uz55r4nzzuyx))/FileUD/WebTranU.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {AB534152-54EC-4192-A569-C28C87D83C62} = 206.248.154.22 206.248.154.170
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: geBSJDSi - geBSJDSi.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yan\applic~1\mozilla\firefox\profiles\jdbdlud3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/
FF - plugin: c:\documents and settings\yan\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\yan\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\yan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {C85F7695-6C3D-4251-B65A-27F28112465E} - c:\windows\system32\config\systemprofile\local settings\application data\{c85f7695-6c3d-4251-b65a-27f28112465e}\
FF - HiddenExtension: XULRunner: {0BE009DD-A0F2-4AFB-B2FE-5772C7DABAFF} - c:\documents and settings\yan\local settings\application data\{0BE009DD-A0F2-4AFB-B2FE-5772C7DABAFF}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{63b5b511-aa88-b3a9-1ce3-f5a3cbfab7c5}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2004-8-4 68608]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-1-9 14976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-11-9 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-11-9 36368]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2007-12-7 13824]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-3-8 364544]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-3-15 659456]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-3-15 311296]

=============== Created Last 30 ================

2010-04-06 20:01:03 96709 ----a-w- c:\windows\system32\49b11869.exe
2010-04-06 20:00:54 48287 ----a-w- c:\windows\system32\mgfeodfggrwlggxq.exe
2010-04-06 18:02:25 54016 ----a-w- c:\windows\system32\drivers\hpninam.sys
2010-04-06 17:51:55 238920 ----a-w- c:\windows\system32\8593516.exe
2010-04-06 17:51:49 36864 ----a-w- c:\windows\system32\d.bin
2010-04-06 17:51:48 167554 ----a-w- c:\windows\system32\7467768.exe
2010-04-06 16:50:12 238920 ----a-w- c:\windows\system32\183845.exe
2010-04-06 16:50:08 167554 ----a-w- c:\windows\system32\1702082.exe
2010-04-06 16:34:25 238920 ----a-w- c:\windows\system32\3503489.exe
2010-04-06 16:34:16 167554 ----a-w- c:\windows\system32\2129938.exe
2010-04-06 16:11:11 238920 ----a-w- c:\windows\system32\8861488.exe
2010-04-06 16:11:06 167554 ----a-w- c:\windows\system32\3115481.exe
2010-04-06 15:56:25 238920 ----a-w- c:\windows\system32\2889933.exe
2010-04-06 15:56:20 167554 ----a-w- c:\windows\system32\8200952.exe
2010-04-06 14:47:19 0 d-----w- c:\windows\system32\GroupPolicy
2010-04-06 14:47:04 238920 ----a-w- c:\windows\system32\8247599.exe
2010-04-06 14:46:58 36865 ----a-w- c:\windows\system32\mssapsmr.dll
2010-04-06 14:46:53 44032 ----a-w- c:\windows\system32\so.bin
2010-04-06 14:46:53 35840 ----a-w- c:\windows\system32\ms.bin
2010-04-06 14:46:53 169289 ----a-w- c:\windows\system32\8016626.exe
2010-04-06 14:46:41 0 ----a-w- c:\windows\SC.INS
2010-04-06 14:39:24 0 d-----w- c:\docume~1\yan\applic~1\Malwarebytes
2010-04-06 14:39:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 14:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 14:39:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 14:39:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 03:52:48 0 d-----w- c:\program files\Your Protection
2010-04-06 03:45:07 702464 ----a-w- c:\windows\system32\OLD1DF.tmp
2010-04-06 03:45:07 702464 ----a-w- c:\windows\system32\mstsc.exe
2010-04-06 03:44:59 103424 ----a-w- c:\windows\system32\OLD1D7.tmp
2010-04-06 03:44:59 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 03:44:56 171520 ----a-w- c:\windows\regedit.exe
2010-04-06 03:44:56 171520 ----a-w- c:\windows\OLD1D4.tmp
2010-04-06 03:44:53 53760 ----a-w- c:\windows\system32\OLD1CF.tmp
2010-04-06 03:44:53 53760 ----a-w- c:\windows\system32\mshta.exe
2010-04-06 03:44:51 127488 ----a-w- c:\windows\system32\OLD1CC.tmp
2010-04-06 03:44:51 127488 ----a-w- c:\windows\system32\clipbrd.exe
2010-04-06 03:44:50 208896 ----a-w- c:\windows\system32\OLD1C9.tmp
2010-04-06 03:44:50 208896 ----a-w- c:\windows\system32\accwiz.exe
2010-04-06 03:40:08 120 ----a-w- c:\windows\Hpixogolo.dat
2010-04-06 03:40:08 0 ----a-w- c:\windows\Mkodoze.bin
2010-04-06 03:38:18 35328 ----a-w- c:\windows\OLD1BC.tmp
2010-04-06 03:38:18 35328 ----a-w- c:\windows\hh.exe
2010-04-06 03:38:12 60416 ----a-w- c:\windows\system32\rcimlby.exe
2010-04-06 03:38:12 60416 ----a-w- c:\windows\system32\OLD1B9.tmp
2010-04-06 03:36:32 0 d-sh--w- c:\documents and settings\yan\.COMMgr
2010-04-06 03:36:11 204800 ----a-w- c:\windows\system32\OLD1B2.tmp
2010-04-06 03:36:11 204800 ----a-w- c:\windows\system32\dwwin.exe
2010-04-02 11:43:32 1440256 ----a-w- c:\windows\system32\cf7c0882.dll
2010-03-30 22:01:00 369542 ----a-w- c:\windows\system32\MetrePlus.dll
2010-03-26 16:33:26 89565 ----a-w- c:\documents and settings\yan\.recently-used.xbel
2010-03-25 15:43:06 531968 ----a-w- c:\windows\system32\drrnvmcsnsjqw.dll
2010-03-10 19:11:11 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33:38 1025024 -c----w- c:\windows\system32\dllcache\browseui.dll

==================== Find3M ====================

2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-09 19:31:00 352256 ----a-w- c:\windows\system32\GlebeU.dll
2010-01-23 17:58:41 57068 ---ha-w- c:\windows\system32\mlfcache.dat
2004-10-01 19:00:16 65536 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 17:25:46.20 ===============



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 April 2010 - 07:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 lautreamax

lautreamax
  • Topic Starter

  • Members
  • 16 posts

Posted 09 April 2010 - 08:21 PM

Hello, M0le. Yes, I'm still around.

Since I posted, the problems seemed to get worse and it got to a point where the malware/whatever wasn't letting me access any site that requires a Google account, which I can't really live without. So I followed a friend's recommendation and ran another scan called ComboFix. He claimed that it would fix all my problems.

It fixed some, but not all.

I'm going to rescan with gmer and dds and post updated logs in a few minutes. Please disregard the ones I posted in my first post.

Thanks.

#4 lautreamax

lautreamax
  • Topic Starter

  • Members
  • 16 posts

Posted 09 April 2010 - 09:10 PM

Here are the new logs.

Once again, gmer causes my computer to reboot before the scan is complete, so I'm attaching an incomplete log.

Problems I'm having now are:

1. Pop-up ads inside the browser in the lower right corner. These appear in both Explorer and Firefox, on any website. Sometimes they include sound, which is particularly annoying.

2. Occasionally a new tab opens and loads a spam page.

3. When using Google or other search engines, clicking on search results usually redirects to spam. I have to right click, copy the link location, then paste the URL in the address bar.

4. Firefox is much slower than it was before.

5. A few weird processes in Task Manager.

6. Google Chrome doesn't work. (Starts, but won't load any pages. Reinstalling doesn't help.)



DDS (Ver_10-03-17.01) - NTFSx86
Run by Yan at 21:52:45.06 on Fri 04/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.627 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\System32\Rundll32.exe
e:\Documents and Settings\Yan\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWindows: load=c:\windows\fonts\services.exe
uWindows: run=c:\windows\fonts\services.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [fzwkht] RUNDLL32.EXE c:\windows\system32\msuqddft.dll,w
mRun: [aholbs] RUNDLL32.EXE c:\windows\system32\msepdlkp.dll,w
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [exec] c:\windows\fonts\services.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: bydeluxe.com\snl
Trusted Zone: dgmusa.com\iweb
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232250776906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232250722078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A86A4C7C-6911-42D3-B898-52A199AB41CB} - hxxp://sol.softitler.com/downloads/SoftLink.exe
DPF: {A86FEA6F-95C0-4190-A622-C5C02739CBE3} - hxxp://snl.bydeluxe.com/SOLASP/(S(pav5man34j41uz55r4nzzuyx))/FileUD/WebTranU.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {AB534152-54EC-4192-A569-C28C87D83C62} = 206.248.154.22 206.248.154.170
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: gport_ - gport_.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yan\applic~1\mozilla\firefox\profiles\jdbdlud3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/
FF - component: c:\program files\mozilla firefox\extensions\{63b5b511-aa88-b3a9-1ce3-f5a3cbfab7c5}\components\34bafcfc.dll
FF - plugin: c:\documents and settings\yan\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\yan\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\yan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {C85F7695-6C3D-4251-B65A-27F28112465E} - c:\windows\system32\config\systemprofile\local settings\application data\{c85f7695-6c3d-4251-b65a-27f28112465e}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{63b5b511-aa88-b3a9-1ce3-f5a3cbfab7c5}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2004-8-4 70656]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-1-9 14976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-11-9 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-11-9 36368]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2007-12-7 13824]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-3-8 364544]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-3-15 659456]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-3-15 311296]

=============== Created Last 30 ================

2010-04-10 01:52:25 169563 ----a-w- c:\windows\system32\9173242.exe
2010-04-10 01:25:32 62496 ----a-w- c:\windows\system32\MSWINSCK.OCX
2010-04-10 01:25:30 200704 ----a-w- c:\windows\system32\7908701.exe
2010-04-10 01:25:25 36865 ----a-w- c:\windows\system32\msepdlkp.dll
2010-04-10 01:25:22 169563 ----a-w- c:\windows\system32\8910639.exe
2010-04-10 01:25:05 0 d-----w- c:\program files\Protection System
2010-04-10 01:25:05 0 ----a-w- c:\windows\SC.INS
2010-04-10 01:25:05 0 ----a-w- c:\windows\sc.exe
2010-04-08 04:25:00 94208 ----a-w- c:\windows\system32\w.exe
2010-04-08 04:25:00 36864 ----a-w- c:\windows\system32\d.bin
2010-04-08 04:25:00 168651 ----a-w- c:\windows\system32\9564783.exe
2010-04-08 02:15:13 36865 ----a-w- c:\windows\system32\msuqddft.dll
2010-04-08 02:15:10 45568 ----a-w- c:\windows\system32\so.bin
2010-04-08 02:15:10 35840 ----a-w- c:\windows\system32\ms.bin
2010-04-08 02:15:09 168786 ----a-w- c:\windows\system32\6503717.exe
2010-04-08 01:21:43 0 d-sha-r- C:\cmdcons
2010-04-08 01:19:56 286208 ----a-w- c:\windows\PEV.exe
2010-04-08 01:19:56 186880 ----a-w- c:\windows\SWREG.exe
2010-04-08 01:19:56 123392 ----a-w- c:\windows\sed.exe
2010-04-08 01:19:56 105472 ----a-w- c:\windows\MBR.exe
2010-04-08 01:02:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 15:09:41 5136 ----a-w- c:\windows\system32\gport_.dll
2010-04-06 22:26:08 0 ----a-w- c:\documents and settings\yan\defogger_reenable
2010-04-06 21:46:00 369733 ----a-w- c:\windows\system32\MetrePlus.dll
2010-04-06 14:47:19 0 d-----w- c:\windows\system32\GroupPolicy
2010-04-06 14:39:24 0 d-----w- c:\docume~1\yan\applic~1\Malwarebytes
2010-04-06 14:39:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 14:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 14:39:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 14:39:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 03:52:48 0 d-----w- c:\program files\Your Protection
2010-04-06 03:45:07 702464 ----a-w- c:\windows\system32\OLD1DF.tmp
2010-04-06 03:45:07 702464 ----a-w- c:\windows\system32\mstsc.exe
2010-04-06 03:44:59 103424 ----a-w- c:\windows\system32\OLD1D7.tmp
2010-04-06 03:44:59 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 03:44:56 171520 ----a-w- c:\windows\regedit.exe
2010-04-06 03:44:56 171520 ----a-w- c:\windows\OLD1D4.tmp
2010-04-06 03:44:53 53760 ----a-w- c:\windows\system32\OLD1CF.tmp
2010-04-06 03:44:53 53760 ----a-w- c:\windows\system32\mshta.exe
2010-04-06 03:44:51 127488 ----a-w- c:\windows\system32\OLD1CC.tmp
2010-04-06 03:44:51 127488 ----a-w- c:\windows\system32\clipbrd.exe
2010-04-06 03:44:50 208896 ----a-w- c:\windows\system32\OLD1C9.tmp
2010-04-06 03:44:50 208896 ----a-w- c:\windows\system32\accwiz.exe
2010-04-06 03:40:08 120 ----a-w- c:\windows\Hpixogolo.dat
2010-04-06 03:40:08 0 ----a-w- c:\windows\Mkodoze.bin
2010-04-06 03:38:18 35328 ----a-w- c:\windows\OLD1BC.tmp
2010-04-06 03:38:18 35328 ----a-w- c:\windows\hh.exe
2010-04-06 03:38:12 60416 ----a-w- c:\windows\system32\rcimlby.exe
2010-04-06 03:38:12 60416 ----a-w- c:\windows\system32\OLD1B9.tmp
2010-04-06 03:36:32 0 d-sh--w- c:\documents and settings\yan\.COMMgr
2010-04-06 03:36:11 204800 ----a-w- c:\windows\system32\OLD1B2.tmp
2010-04-06 03:36:11 204800 ----a-w- c:\windows\system32\dwwin.exe
2010-03-26 16:33:26 89565 ----a-w- c:\documents and settings\yan\.recently-used.xbel

==================== Find3M ====================

2010-04-10 01:51:58 4651 ---h--w- c:\windows\fonts\mlog
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-09 19:31:00 352256 ----a-w- c:\windows\system32\GlebeU.dll
2010-01-23 17:58:41 57068 ---ha-w- c:\windows\system32\mlfcache.dat
2004-10-01 19:00:16 65536 ----a-w- c:\program files\Uninstall_CDS.exe
2010-01-10 00:54:22 11 --sha-r- c:\windows\system32\grouppolicy\user\scripts\logon\autorun.bat

============= FINISH: 21:53:38.53 ===============



Edited by lautreamax, 09 April 2010 - 09:11 PM.
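The two DDS logs posted above carry the same kinds of autorun entries a malware responder looks at first: win.ini-style `load=`/`run=` hooks, `ExplorerRun` keys, a Winlogon `Notify` package given as a bare DLL name, a `DisableTaskMgr` policy, and `Run` values with random-looking names or rundll32/regsvr32 loading DLLs straight out of the Windows directory. The script below is an added example written for this page; it is not code from the thread, from BleepingComputer, or from the DDS tool. It applies those heuristics to a constructed sample in the report's own format. The rule set, the `looks_random` name heuristic and the `UNUSUAL_DIRS` list are the editor's assumptions; they are meant to rank lines for a human to review and will produce false positives (a vendor DLL loaded via rundll32 from system32, for instance), so nothing here decides on its own that an entry is malicious.

```python
"""Triage helper for the autorun section of a DDS log (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed sample in the format of the DDS "Pseudo HJT Report" section, modelled on
# entries visible in the thread's two logs. It is not a complete log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uWindows: load=c:\windows\fonts\services.exe
uWindows: run=c:\windows\fonts\services.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: profitmuse: {2de82840-de2c-e64b-5275-b3f46420eb5a} - c:\windows\system32\cf7c0882.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [fzwkht] RUNDLL32.EXE c:\windows\system32\msuqddft.dll,w
mRun: [Vregemawixori] rundll32.exe "c:\windows\ecomoyesic.dll",Startup
mRun: [gyhwswkjhgjku] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\drrnvmcsnsjqw.dll"
mExplorerRun: [vrna] c:\windows\temp\s0q6.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: gport_ - gport_.dll
"""

VOWELS = set("aeiou")
# Assumed list of directories that legitimate startup entries rarely launch from.
UNUSUAL_DIRS = ("\\temp\\", "\\fonts\\")
LOADERS = ("rundll32", "regsvr32")

PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s",]+)', re.I)
RUN_RE = re.compile(r"^([mud]Run|[mu]ExplorerRun): \[([^\]]*)\] (.*)$")
BHO_RE = re.compile(r"^BHO: .*? - (.+)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (.+)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as drrnvmcsnsjqw.dll or 8593516.exe: a digit-only
    stem, a stem of 6+ characters with under 20% vowels, or a run of 6+ consonants."""
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower().strip())
    if stem.isdigit():
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", stem)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 6


def extract_paths(command: str) -> List[str]:
    """Return every drive-letter path in a command line, quoted or bare, lower-cased."""
    return [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(command)]


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single report line deserves a closer look."""
    reasons: List[str] = []
    low = line.lower()
    if low.startswith(("uwindows: load=", "uwindows: run=")):
        reasons.append("win.ini-style load/run hook")
    if low.startswith("dpolicies-system: disabletaskmgr = 1"):
        reasons.append("Task Manager disabled by policy")
    m = NOTIFY_RE.match(line)
    if m and "\\" not in m.group(1):
        reasons.append("Winlogon notify package given as a bare DLL name")
    m = BHO_RE.match(line)
    if m:
        dll = m.group(1).strip().lower()
        if dirname(dll) == "c:\\windows\\system32" and looks_random(basename(dll)):
            reasons.append("BHO DLL with random-looking name in system32")
    m = RUN_RE.match(line)
    if m:
        key, value_name, command = m.groups()
        if "ExplorerRun" in key:
            reasons.append("Explorer\\Run autostart key")
        if looks_random(value_name):
            reasons.append("random-looking value name")
        paths = extract_paths(command)
        for p in paths:
            if any(d in p for d in UNUSUAL_DIRS):
                reasons.append(f"launched from unusual location: {p}")
        if any(loader in command.lower() for loader in LOADERS):
            for p in paths:
                if p.endswith(".dll") and (looks_random(basename(p)) or dirname(p) == "c:\\windows"):
                    reasons.append(f"rundll32/regsvr32 loading suspicious DLL: {p}")
    return reasons


def triage(report: str) -> Dict[str, List[str]]:
    """Map each flagged report line to its reasons; unflagged lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_DDS).items():
        print(f"{flagged}\n    -> {'; '.join(why)}")
```

Run against the sample, nine of the fourteen entries are flagged and the QuickTime and Malwarebytes entries pass clean; the name heuristic is deliberately only applied to Run value names, to DLLs handed to rundll32/regsvr32 and to BHOs living in system32, because applying it to every file name in a log trips over legitimate short names such as mstsc.exe or jp2ssv.dll.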


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 April 2010 - 11:14 PM

Gmer has found the TDSS rootkit. We'll remove that before we go back and clear the other malware showing on the DDS log.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE

#6 lautreamax

Posted 10 April 2010 - 12:00 AM

I don't know if the server is just down or if something is blocking my access to it, but I can't download the file. I get this error message:


Server not found

Firefox can't find the server at http://support.kaspersky.com/downloads/utils/tdsskiller.zip.


I tried with Explorer too.

#7 m0le

Posted 10 April 2010 - 12:08 AM

It's being blocked by the malware - I can still access it.


Run these two programs to kill these malicious processes


Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now try the link to TDSSKiller again

#8 lautreamax

Posted 10 April 2010 - 12:21 AM

First log:

exeHelper by Raktor
Build 20100329
Run at 01:14:54 on 04/10/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\fonts\services.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Second log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Yan on 04/10/2010 at 1:18:53.


Processes terminated by Rkill or while it was running:


C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Documents and Settings\Yan\Desktop\rkill.com


Rkill completed on 04/10/2010 at 1:18:56.


*

Still unable to download TDSSKiller, though.

#9 m0le

Posted 10 April 2010 - 07:28 AM

That does confirm the infection. Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#10 lautreamax

Posted 10 April 2010 - 08:23 AM

I got the following message after double clicking on ComboFix:

It is not safe to continue
The contents of the ComboFix package has been compromised. Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'



#11 lautreamax

Posted 10 April 2010 - 09:03 AM

Oh, never mind. I just re-downloaded ComboFix and this time was able to run it without problem.

Here's the log:

ComboFix 10-04-09.06 - Yan 04/10/2010 9:42.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.651 [GMT -4:00]
Running from: c:\documents and settings\Yan\Desktop\ComFix.exe
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
The following files were disabled during the run:
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\vyuvij.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\vyuvij.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\vyuvij.dll.vir
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\vyuvij.dll
c:\documents and settings\Yan\.COMMgr
c:\documents and settings\Yan\Local Settings\Application Data\Windows Server
c:\documents and settings\Yan\Local Settings\Application Data\Windows Server\vyuvij.dll
c:\program files\Windows NT\Accessories\svchost.exe
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\Install.txt
c:\windows\sc.exe
c:\windows\SC.INS
c:\windows\system32\1013102.exe
c:\windows\system32\2212335.exe
c:\windows\system32\2874827.exe
c:\windows\system32\351221.exe
c:\windows\system32\3673.exe
c:\windows\system32\4198877.exe
c:\windows\system32\5767176.exe
c:\windows\system32\626597.exe
c:\windows\system32\6503717.exe
c:\windows\system32\6624109.exe
c:\windows\system32\7373118.exe
c:\windows\system32\739921.exe
c:\windows\system32\7908701.exe
c:\windows\system32\8910639.exe
c:\windows\system32\9173242.exe
c:\windows\system32\9293481.exe
c:\windows\system32\9564783.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\cthelper.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msepdlkp.dll
c:\windows\system32\msuqddft.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\TEMP\mta13187.dll

c:\windows\system32\userinit.exe . . . is infected!!

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\spoolsv.exe

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\clipsrv.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSVC
-------\Service_BtwSvc
-------\Legacy_peresvc
-------\Service_peresvc


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 13:50 . 2010-04-10 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-04-10 13:50 . 2010-04-10 13:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-04-10 01:44 . 2010-04-10 01:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-10 01:43 . 2010-04-10 01:43 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-10 01:43 . 2010-04-10 01:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-08 04:25 . 2010-04-10 13:55 36864 ----a-w- c:\windows\system32\d.bin
2010-04-08 01:02 . 2010-04-08 01:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 15:09 . 2010-04-07 15:09 5136 ----a-w- c:\windows\system32\gport_.dll
2010-04-06 21:46 . 2010-04-06 21:46 369733 ----a-w- c:\windows\system32\MetrePlus.dll
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 14:47 . 2010-04-06 14:47 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\documents and settings\Yan\Application Data\Malwarebytes
2010-04-06 14:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 14:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 04:14 . 2010-04-06 04:14 70408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 03:52 . 2010-04-06 03:52 -------- d-----w- c:\program files\Your Protection
2010-04-06 03:45 . 2008-04-14 00:12 702464 ----a-w- c:\windows\system32\mstsc.exe
2010-04-06 03:44 . 2008-04-14 00:12 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 03:44 . 2008-04-14 00:12 171520 ----a-w- c:\windows\regedit.exe
2010-04-06 03:44 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\mshta.exe
2010-04-06 03:44 . 2008-04-14 00:12 127488 ----a-w- c:\windows\system32\clipbrd.exe
2010-04-06 03:44 . 2008-04-14 00:12 208896 ----a-w- c:\windows\system32\accwiz.exe
2010-04-06 03:40 . 2010-04-07 12:59 0 ----a-w- c:\windows\Mkodoze.bin
2010-04-06 03:40 . 2010-04-06 13:01 120 ----a-w- c:\windows\Hpixogolo.dat
2010-04-06 03:38 . 2008-04-14 00:12 35328 ----a-w- c:\windows\hh.exe
2010-04-06 03:38 . 2008-04-14 00:12 60416 ----a-w- c:\windows\system32\rcimlby.exe
2010-04-06 03:36 . 2008-04-14 00:12 204800 ----a-w- c:\windows\system32\dwwin.exe
2010-03-31 04:40 . 2010-03-31 04:40 231920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 15:14 . 2008-01-03 14:57 -------- d-----w- c:\documents and settings\Yan\Application Data\FileZilla
2010-04-06 04:24 . 2008-08-28 03:48 -------- d-----w- c:\documents and settings\Yan\Application Data\DNA
2010-04-06 04:18 . 2008-08-28 03:48 -------- d-----w- c:\program files\DNA
2010-03-26 16:32 . 2008-06-29 18:18 -------- d-----w- c:\documents and settings\Yan\Application Data\gtk-2.0
2010-03-11 07:04 . 2007-12-07 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-08 16:53 . 2010-02-05 14:55 50354 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\uninstall.exe
2010-03-08 16:52 . 2010-02-05 14:55 -------- d-----w- c:\documents and settings\Yan\Application Data\Facebook
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-26 17:09 . 2008-11-27 07:34 -------- d-----w- c:\program files\DivX
2010-02-26 17:09 . 2010-02-26 17:09 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-26 05:43 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 14:16 . 2009-10-02 21:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 01:44 . 2008-06-29 14:33 -------- d-----w- c:\documents and settings\Yan\Application Data\Apple Computer
2010-02-22 01:42 . 2010-02-22 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-22 01:42 . 2010-02-22 01:41 -------- d-----w- c:\program files\iTunes
2010-02-22 01:41 . 2010-02-22 01:41 -------- d-----w- c:\program files\iPod
2010-02-22 01:41 . 2010-02-22 01:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 01:41 . 2010-02-22 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-22 01:40 . 2010-02-22 01:40 -------- d-----w- c:\program files\Bonjour
2010-02-22 01:40 . 2010-02-22 01:40 -------- d-----w- c:\program files\QuickTime
2010-02-22 01:38 . 2010-02-22 01:38 -------- d-----w- c:\program files\Apple Software Update
2010-02-20 16:51 . 2009-11-16 01:53 -------- d-----w- c:\program files\Flickr Uploadr
2010-02-15 23:41 . 2010-02-15 23:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-10 14:43 . 2007-12-18 01:17 -------- d-----w- c:\program files\Softitler
2010-02-09 19:31 . 2010-02-09 19:31 352256 ----a-w- c:\windows\system32\GlebeU.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-23 17:58 . 2010-01-23 17:58 57068 ---ha-w- c:\windows\system32\mlfcache.dat
2004-10-01 19:00 . 2007-12-07 19:26 65536 ----a-w- c:\program files\Uninstall_CDS.exe
2010-01-10 00:54 . 2010-01-10 00:54 11 --sha-r- c:\windows\system32\GroupPolicy\User\Scripts\Logon\autorun.bat
.

------- Sigcheck -------

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2008-04-14 . B4EF419A91973C821FEF9E44F8ABC285 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 122F3FFE1779BFDE0A5A2A74F78CF16E . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-11 . 4804D0086CCF2FC02D6CBD8A268C810E . 82432 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 5719BCF07C1C6ADC2FB9EF073747418B . 82432 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 . 2886C7B54F58271DD50585967F09B53E . 82432 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . 7127F9B111C8AAA19AF6E7FE7F35D80B . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . AEF134FA89A59D9B56B8BC1A540B4A0F . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 48E7A6DA0B5FFE65C02D4D66F079CC54 . 49664 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 . CCEFB017A4ECEC4CFA9E67EFB061E63F . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 74BB616E09AEF29FEEAC5D11953932FA . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 10CAE609316A2282B8C75AE10F42FF2D . 1057792 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . A512AF2E763464A3C52719E2A53494F9 . 1057792 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . 0306576CB2674C840171F10889244FA1 . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . B0D99906A1F8D1567B8B6CC5C85ACADF . 38400 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . 4A15D1D6EF47AD3336F11FDC105C2E99 . 38400 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 1C786E8EA7666AFAFF8CD8E09C3EC635 . 38400 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 0ECF9A8D7BD82B74441D5134A6505604 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 313534EE27FBA23639F1FABC07F5523A . 39936 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 7BB967C91A9F0879C003EC37FBA19E78 . 39936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 442368]
"fzwkht"="c:\windows\system32\msuqddft.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gport_]
2010-04-07 15:09 5136 ----a-w- c:\windows\system32\gport_.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Yan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Yan^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\Yan\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2001-03-26 20:15 102400 ------w- c:\program files\ATI Multimedia\main\LaunchPd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2010-01-11 03:10 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
2003-08-12 18:48 159744 ----a-w- c:\program files\Creative\MediaSource\Go\CTCMSGo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 69632 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 39936 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 81920 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 17:32 44544 ----a-w- c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-07 02:26 135664 ----atw- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-08 14:25 1422336 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1719808 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 442368 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 22:35 57344 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
2002-12-03 23:06 69632 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2007-04-09 17:19 53248 ----a-w- c:\windows\system32\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 114688 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\vyuvij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [1/9/2010 5:51 PM 14976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [11/9/2005 9:34 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [3/8/2006 2:42 PM 364544]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [3/15/2006 8:38 PM 659456]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/9/2005 9:34 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [3/15/2006 8:41 PM 311296]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [12/7/2007 4:48 PM 13824]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-688789844-682003330-1004Core.job
- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-07 02:26]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-688789844-682003330-1004UA.job
- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-07 02:26]

2010-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bydeluxe.com\snl
Trusted Zone: dgmusa.com\iweb
DPF: {A86A4C7C-6911-42D3-B898-52A199AB41CB} - hxxp://sol.softitler.com/downloads/SoftLink.exe
DPF: {A86FEA6F-95C0-4190-A622-C5C02739CBE3} - hxxp://snl.bydeluxe.com/SOLASP/(S(pav5man34j41uz55r4nzzuyx))/FileUD/WebTranU.cab
FF - ProfilePath - c:\documents and settings\Yan\Application Data\Mozilla\Firefox\Profiles\jdbdlud3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{63b5b511-aa88-b3a9-1ce3-f5a3cbfab7c5}\components\34bafcfc.dll
FF - plugin: c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {C85F7695-6C3D-4251-B65A-27F28112465E} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{C85F7695-6C3D-4251-B65A-27F28112465E}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-aholbs - c:\windows\system32\msepdlkp.dll
HKLM-Explorer_Run-mslivemsn - c:\program files\Windows NT\Accessories\svchost.exe
MSConfigStartUp-CTHelper - CTHELPER.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 09:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85E94AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77a0f28
\Driver\ACPI -> ACPI.sys @ 0xf7713cb8
\Driver\atapi -> atapi.sys @ 0xf76cb852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\gport_.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3984)
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
.
**************************************************************************
.
Completion time: 2010-04-10 10:00:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 14:00
ComboFix2.txt 2010-04-08 01:40

Pre-Run: 16,478,916,608 bytes free
Post-Run: 16,460,558,336 bytes free

- - End Of File - - B527B2D097ACD640990F5D0142FC911C

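The Sigcheck section of the ComboFix log above lists several copies of the same Windows binary (the live copy under c:\windows or system32, the ServicePackFiles\i386 copy, uninstall backups) together with their MD5 and file version. For a given file name and version those hashes are expected to agree, so a live copy whose hash differs from the service pack copy is exactly the kind of discrepancy a file-patching infector produces and is worth investigating, which is consistent with the "is infected" lines ComboFix printed for userinit.exe, explorer.exe and spoolsv.exe. The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of any Bleeping Computer tool. It parses Sigcheck rows and reports live copies that disagree with the ServicePackFiles copy. The rows in the sample are copied from the log above, except the two `example_clean.exe` rows with an all-zero hash, which are a constructed control pair that should not be flagged. The choice of ServicePackFiles\i386 as the reference copy is an assumption of this example, not something the log states.

```python
import re
from collections import defaultdict

# Sigcheck rows copied from the ComboFix log posted in this thread, plus one
# constructed control pair (example_clean.exe, all-zero hash) that is NOT from the log.
SIGCHECK_EXCERPT = r"""
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2008-04-14 . B4EF419A91973C821FEF9E44F8ABC285 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 122F3FFE1779BFDE0A5A2A74F78CF16E . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2004-08-04 . 2886C7B54F58271DD50585967F09B53E . 82432 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . 7127F9B111C8AAA19AF6E7FE7F35D80B . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . AEF134FA89A59D9B56B8BC1A540B4A0F . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2008-04-14 . CCEFB017A4ECEC4CFA9E67EFB061E63F . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 74BB616E09AEF29FEEAC5D11953932FA . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2008-04-14 . 0ECF9A8D7BD82B74441D5134A6505604 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 313534EE27FBA23639F1FABC07F5523A . 39936 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 00000000000000000000000000000000 . 12345 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\example_clean.exe
[-] 2008-04-14 . 00000000000000000000000000000000 . 12345 . . [5.1.2600.5512] . . c:\windows\system32\example_clean.exe
"""

# One Sigcheck row: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption of this example: the service pack cache is used as the reference copy.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
# Directories holding the copies Windows actually executes.
LIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def parse_sigcheck(text):
    """Parse Sigcheck rows into dicts; lines that do not match the row format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["path"] = entry["path"].lower()
        entry["name"] = entry["path"].rsplit("\\", 1)[-1]
        entries.append(entry)
    return entries


def is_live_copy(path):
    """True for the copy in c:\\windows or c:\\windows\\system32 (not caches or backups)."""
    head, _, _ = path.rpartition("\\")
    return head + "\\" in LIVE_DIRS


def find_mismatches(entries):
    """Group rows by (file name, version) and return
    {(name, version): (reference_md5, [(live_path, live_md5), ...])}
    for every live copy whose MD5 differs from the ServicePackFiles copy."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["name"], e["version"])].append(e)
    findings = {}
    for key, group in groups.items():
        refs = [e for e in group if REFERENCE_DIR in e["path"]]
        if not refs:
            continue  # no reference copy for this name/version, nothing to compare
        ref_md5 = refs[0]["md5"]
        differing = [(e["path"], e["md5"]) for e in group
                     if is_live_copy(e["path"]) and e["md5"] != ref_md5]
        if differing:
            findings[key] = (ref_md5, differing)
    return findings


if __name__ == "__main__":
    results = find_mismatches(parse_sigcheck(SIGCHECK_EXCERPT))
    for (name, version), (ref_md5, differing) in sorted(results.items()):
        print(f"{name} {version}: reference {ref_md5}")
        for path, md5 in differing:
            print(f"    differs: {path} ({md5})")
```

Run against the excerpt, the script flags spoolsv.exe, userinit.exe, explorer.exe and ctfmon.exe, while the constructed control pair is left alone; the ERDNT cache and uninstall backup rows are parsed but not compared, since they are neither the reference nor a live copy. The same parser works on a complete ComboFix log if the Sigcheck block is passed in.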

#12 m0le

Posted 10 April 2010 - 04:48 PM

A few things still there

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\d.bin
c:\windows\Mkodoze.bin
c:\windows\Hpixogolo.dat
c:\windows\hh.exe
c:\windows\system32\rcimlby.exe
c:\windows\system32\msuqddft.dll
c:\windows\system32\gport_.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fzwkht"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

#13 lautreamax

Posted 10 April 2010 - 05:18 PM

As requested...


ComboFix 10-04-09.06 - Yan 04/10/2010 18:00:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.630 [GMT -4:00]
Running from: c:\documents and settings\Yan\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Yan\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\hh.exe"
"c:\windows\Hpixogolo.dat"
"c:\windows\Mkodoze.bin"
"c:\windows\system32\d.bin"
"c:\windows\system32\gport_.dll"
"c:\windows\system32\msuqddft.dll"
"c:\windows\system32\rcimlby.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\Windows NT\Accessories\svchost.exe
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\hh.exe
c:\windows\Hpixogolo.dat
c:\windows\Mkodoze.bin
c:\windows\system32\6176.exe
c:\windows\system32\6361765.exe
c:\windows\system32\7689478.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\d.bin
c:\windows\system32\FInstall.sys
c:\windows\system32\gport_.dll
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msepdlkp.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\rcimlby.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\TEMP\mta13187.dll

c:\windows\system32\userinit.exe . . . is infected!!

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\spoolsv.exe

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\clipsrv.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSVC
-------\Service_BtwSvc
-------\Legacy_peresvc
-------\Service_peresvc


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 13:40 . 2010-04-10 14:00 -------- d-----w- C:\ComFix
2010-04-10 01:44 . 2010-04-10 01:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-10 01:43 . 2010-04-10 01:43 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-10 01:43 . 2010-04-10 01:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-08 01:02 . 2010-04-08 01:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 21:46 . 2010-04-06 21:46 369733 ----a-w- c:\windows\system32\MetrePlus.dll
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-06 14:48 . 2010-04-06 14:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 14:47 . 2010-04-06 14:47 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\documents and settings\Yan\Application Data\Malwarebytes
2010-04-06 14:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-06 14:39 . 2010-04-06 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 14:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 04:14 . 2010-04-06 04:14 70408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 03:52 . 2010-04-06 03:52 -------- d-----w- c:\program files\Your Protection
2010-04-06 03:45 . 2008-04-14 00:12 702464 ----a-w- c:\windows\system32\mstsc.exe
2010-04-06 03:44 . 2008-04-14 00:12 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 03:44 . 2008-04-14 00:12 171520 ----a-w- c:\windows\regedit.exe
2010-04-06 03:44 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\mshta.exe
2010-04-06 03:44 . 2008-04-14 00:12 127488 ----a-w- c:\windows\system32\clipbrd.exe
2010-04-06 03:44 . 2008-04-14 00:12 208896 ----a-w- c:\windows\system32\accwiz.exe
2010-04-06 03:36 . 2008-04-14 00:12 204800 ----a-w- c:\windows\system32\dwwin.exe
2010-03-31 04:40 . 2010-03-31 04:40 231920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 15:14 . 2008-01-03 14:57 -------- d-----w- c:\documents and settings\Yan\Application Data\FileZilla
2010-04-06 04:24 . 2008-08-28 03:48 -------- d-----w- c:\documents and settings\Yan\Application Data\DNA
2010-04-06 04:18 . 2008-08-28 03:48 -------- d-----w- c:\program files\DNA
2010-03-26 16:32 . 2008-06-29 18:18 -------- d-----w- c:\documents and settings\Yan\Application Data\gtk-2.0
2010-03-11 07:04 . 2007-12-07 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-08 16:53 . 2010-02-05 14:55 50354 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\uninstall.exe
2010-03-08 16:52 . 2010-02-05 14:55 -------- d-----w- c:\documents and settings\Yan\Application Data\Facebook
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-26 17:09 . 2008-11-27 07:34 -------- d-----w- c:\program files\DivX
2010-02-26 17:09 . 2010-02-26 17:09 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-26 05:43 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 14:16 . 2009-10-02 21:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 01:44 . 2008-06-29 14:33 -------- d-----w- c:\documents and settings\Yan\Application Data\Apple Computer
2010-02-22 01:42 . 2010-02-22 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-22 01:42 . 2010-02-22 01:41 -------- d-----w- c:\program files\iTunes
2010-02-22 01:41 . 2010-02-22 01:41 -------- d-----w- c:\program files\iPod
2010-02-22 01:41 . 2010-02-22 01:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 01:41 . 2010-02-22 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-22 01:40 . 2010-02-22 01:40 -------- d-----w- c:\program files\Bonjour
2010-02-22 01:40 . 2010-02-22 01:40 -------- d-----w- c:\program files\QuickTime
2010-02-22 01:38 . 2010-02-22 01:38 -------- d-----w- c:\program files\Apple Software Update
2010-02-20 16:51 . 2009-11-16 01:53 -------- d-----w- c:\program files\Flickr Uploadr
2010-02-15 23:41 . 2010-02-15 23:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-10 14:43 . 2007-12-18 01:17 -------- d-----w- c:\program files\Softitler
2010-02-09 19:31 . 2010-02-09 19:31 352256 ----a-w- c:\windows\system32\GlebeU.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-23 17:58 . 2010-01-23 17:58 57068 ---ha-w- c:\windows\system32\mlfcache.dat
2004-10-01 19:00 . 2007-12-07 19:26 65536 ----a-w- c:\program files\Uninstall_CDS.exe
2010-01-10 00:54 . 2010-01-10 00:54 11 --sha-r- c:\windows\system32\GroupPolicy\User\Scripts\Logon\autorun.bat
.

------- Sigcheck -------

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2008-04-14 . B4EF419A91973C821FEF9E44F8ABC285 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 038E5A74FEADBFD49EACEB2F907D4D5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-11 . 4804D0086CCF2FC02D6CBD8A268C810E . 82432 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 5719BCF07C1C6ADC2FB9EF073747418B . 82432 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 . 2886C7B54F58271DD50585967F09B53E . 82432 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . 7127F9B111C8AAA19AF6E7FE7F35D80B . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . AEF134FA89A59D9B56B8BC1A540B4A0F . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 48E7A6DA0B5FFE65C02D4D66F079CC54 . 49664 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 . CCEFB017A4ECEC4CFA9E67EFB061E63F . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 74BB616E09AEF29FEEAC5D11953932FA . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 10CAE609316A2282B8C75AE10F42FF2D . 1057792 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . A512AF2E763464A3C52719E2A53494F9 . 1057792 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . 0306576CB2674C840171F10889244FA1 . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . B0D99906A1F8D1567B8B6CC5C85ACADF . 38400 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . 4A15D1D6EF47AD3336F11FDC105C2E99 . 38400 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 1C786E8EA7666AFAFF8CD8E09C3EC635 . 38400 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 0ECF9A8D7BD82B74441D5134A6505604 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 313534EE27FBA23639F1FABC07F5523A . 39936 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 7BB967C91A9F0879C003EC37FBA19E78 . 39936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 442368]
"aholbs"="c:\windows\system32\msepdlkp.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"mslivemsn"="c:\program files\Windows NT\Accessories\svchost.exe" [BU]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Yan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Yan^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\Yan\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2001-03-26 20:15 102400 ------w- c:\program files\ATI Multimedia\main\LaunchPd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2010-01-11 03:10 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
2003-08-12 18:48 159744 ----a-w- c:\program files\Creative\MediaSource\Go\CTCMSGo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 69632 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 39936 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 81920 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 17:32 44544 ----a-w- c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-07 02:26 135664 ----atw- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-08 14:25 1422336 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1719808 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 442368 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 22:35 57344 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
2002-12-03 23:06 69632 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2007-04-09 17:19 53248 ----a-w- c:\windows\system32\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 114688 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [1/9/2010 5:51 PM 14976]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [11/9/2005 9:34 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [3/8/2006 2:42 PM 364544]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [3/15/2006 8:38 PM 659456]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/9/2005 9:34 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [3/15/2006 8:41 PM 311296]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [12/7/2007 4:48 PM 13824]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-688789844-682003330-1004Core.job
- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-07 02:26]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-688789844-682003330-1004UA.job
- c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-07 02:26]

2010-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bydeluxe.com\snl
Trusted Zone: dgmusa.com\iweb
DPF: {A86A4C7C-6911-42D3-B898-52A199AB41CB} - hxxp://sol.softitler.com/downloads/SoftLink.exe
DPF: {A86FEA6F-95C0-4190-A622-C5C02739CBE3} - hxxp://snl.bydeluxe.com/SOLASP/(S(pav5man34j41uz55r4nzzuyx))/FileUD/WebTranU.cab
FF - ProfilePath - c:\documents and settings\Yan\Application Data\Mozilla\Firefox\Profiles\jdbdlud3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{63b5b511-aa88-b3a9-1ce3-f5a3cbfab7c5}\components\34bafcfc.dll
FF - plugin: c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Yan\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Yan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {C85F7695-6C3D-4251-B65A-27F28112465E} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{C85F7695-6C3D-4251-B65A-27F28112465E}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-gport_ - gport_.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85E9AAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77a1f28
\Driver\ACPI -> ACPI.sys @ 0xf7714cb8
\Driver\atapi -> atapi.sys @ 0xf76cc852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(1456)
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
.
**************************************************************************
.
Completion time: 2010-04-10 18:17:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 22:17
ComboFix2.txt 2010-04-10 14:00
ComboFix3.txt 2010-04-08 01:40

Pre-Run: 16,481,722,368 bytes free
Post-Run: 16,456,716,288 bytes free

- - End Of File - - E9ACBCC3B7C3A28367756D65BD7BA5BF

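The log above is the kind of evidence a helper reads by eye: in the Sigcheck section a live system file has the same version and size as the copy kept in ServicePackFiles\i386 but a different MD5, and the Winlogon Userinit value points at explorer.exe instead of userinit.exe. The script below is an added example, not part of the thread or of ComboFix, that automates those two checks over a constructed sample built from lines copied from the log; it assumes the XP default Userinit value and does not interpret the [7]/[-] markers.

```python
import re
from collections import defaultdict

# Constructed sample: Sigcheck lines and the Winlogon entry copied from the
# ComboFix log posted in this thread (hashes, sizes and paths are those in the log).
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2008-04-14 . B4EF419A91973C821FEF9E44F8ABC285 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 038E5A74FEADBFD49EACEB2F907D4D5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2008-04-14 . 7127F9B111C8AAA19AF6E7FE7F35D80B . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . AEF134FA89A59D9B56B8BC1A540B4A0F . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 48E7A6DA0B5FFE65C02D4D66F079CC54 . 49664 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 . CCEFB017A4ECEC4CFA9E67EFB061E63F . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 74BB616E09AEF29FEEAC5D11953932FA . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# Directories holding archived copies; anything else is treated as the live file.
ARCHIVE_MARKERS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\",
                   "\\$ntuninstall", "\\$hf_mig$\\", "\\erdnt\\")
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.IGNORECASE)
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe,"  # assumed XP default


def parse_sigcheck(text):
    """Return one dict per Sigcheck line found in the log text."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["path"] = e["path"].lower()
            e["md5"] = e["md5"].upper()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1]
            entries.append(e)
    return entries


def find_tampered(text):
    """Live copies whose MD5 differs from the ServicePackFiles copy of the same version."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)
    findings = []
    for name in sorted(by_name):
        refs = {e["ver"]: e for e in by_name[name] if REFERENCE_DIR in e["path"]}
        for e in by_name[name]:
            if any(mark in e["path"] for mark in ARCHIVE_MARKERS):
                continue  # archived copy, not the file Windows actually runs
            ref = refs.get(e["ver"])
            if ref is None or ref["md5"] == e["md5"]:
                continue
            findings.append({"path": e["path"], "version": e["ver"],
                             "live_md5": e["md5"], "reference_md5": ref["md5"],
                             "size_matches": e["size"] == ref["size"]})
    return findings


def check_userinit(text):
    """Return the Winlogon Userinit value if it is not the default, else None."""
    for line in text.splitlines():
        m = USERINIT_RE.match(line.strip())
        if m and m.group("value").lower() != DEFAULT_USERINIT:
            return m.group("value")
    return None


if __name__ == "__main__":
    for f in find_tampered(SAMPLE_LOG):
        print("hash mismatch:", f["path"], f["version"], "same size:", f["size_matches"])
    print("Userinit hijack:", check_userinit(SAMPLE_LOG))
```

A same-size, same-version file with a different hash is the signature of an in-place patched system binary, which is why a restore from a clean copy (as ComboFix did for spoolsv.exe) rather than deletion is the right fix.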

#14 m0le

m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 April 2010 - 06:14 PM

Some files are showing as infected. I discounted this before, but please run this file through Jotti's file scanner.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

c:\windows\system32\clipsrv.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal.

#15 lautreamax

lautreamax
  • Topic Starter
  • Members
  • 16 posts

Posted 10 April 2010 - 07:12 PM

I cannot access Jotti or VirusTotal, just like I still can't access TDSSKiller, which I was trying to download earlier. All of those links give me a "problem loading page" error in Firefox.

Regarding the TDSSKiller thing, I can try downloading it from another computer if there's no other way around this. I don't have access to another computer that has internet access right now, but I could possibly find one tomorrow.

Or what if I tried downloading it in Safe Mode or something?

I'll wait for further instructions before I do either. Thanks.



