
No Microsoft Updates/Rootkit?


7 replies to this topic

#1 MyBlack94GST

MyBlack94GST

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 12 April 2010 - 11:17 PM

Hey folks,

I'm running XP Home Edition (SP3). I just used Malwarebytes a couple of times to get rid of an AVE.exe fake virus scanner deal. I had to do it again because Google was redirecting, and when I got redirected I'd contract AVE again.

After AVE.exe, I have been dragging Google links into the address bar, which seems to work against being redirected. Also added NoScript to Firefox (not sure if this helps).

Anyway, after that I noticed that my MSE wasn't updating manually. It gives error 0x80072EFE. I can't get to the Windows Update site either.

I ran TDSSkiller which found a problem with atapi.sys. Upon rebooting, I tried to update MSE manually and noticed I could, but only soon after reboot. After some time passes I can't anymore, same error (0x80072EFE). I can run it again and it finds the same problem, which leads me to believe that it's not actually fixing it.

Hitman Pro isn't finding anything, and MSE deems my system clean as well.

Can someone help me get my updates back and get rid of what appears to be a rootkit?

Thanks!

Edited by Pandy, 13 April 2010 - 12:06 AM.
Moved from Windows Xp Home and Pro to a more appropriate forum ~Pandy


#2 MrBruce1959

MrBruce1959

  • BC Advisor
  • 6,377 posts
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:09:07 AM

Posted 13 April 2010 - 12:04 AM

It is possible. I believe your HOSTS file has been affected as well, which is why you can't connect to certain web sites related to virus definition updates: your HOSTS file is set up to block those sites.

To check your HOSTS file, navigate to C:\Windows\System32\Drivers\etc

Look for a file called HOSTS, right-click it and open it with Notepad, and check what is listed below the wording with the # directions.

All you should see there is

127.0.0.1 localhost


If you see anything else, like websites related to Microsoft's WU, your HOSTS file has been altered by the virus to block Windows Update.

Edited by MrBruce1959, 13 April 2010 - 12:07 AM.

Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#3 MyBlack94GST

MyBlack94GST
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 13 April 2010 - 12:13 AM

That line is in there... along with some other stuff. See below...

# Copyright 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com

EDIT: (There is a huge list here inserted by Spybot)

127.0.0.1 www.rebuild4kids.net
127.0.0.1 rebuild4kids.net
127.0.0.1 www.rebuildplaygrounds.net
127.0.0.1 rebuildplaygrounds.net
# End of entries inserted by Spybot - Search & Destroy

EDIT: There doesn't appear to be anything Windows Update related in here.

Edited by MyBlack94GST, 13 April 2010 - 12:15 AM.


#4 MrBruce1959

MrBruce1959

  • BC Advisor
  • 6,377 posts
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:09:07 AM

Posted 13 April 2010 - 12:20 AM

OK, from what I can see your HOSTS file has been altered by Spybot Search & Destroy to block known bad web sites from loading.

Your post has been moved to the AII forum where a specialist will assist you from here.

Good luck and help will be with you shortly, just be patient :thumbsup:
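As an added example that is not part of this thread, here is a small Python checker for the kind of HOSTS review MrBruce1959 describes in post #2 and MyBlack94GST posts in #3: it separates Spybot's immunization block (benign 127.0.0.1 entries for known bad sites) from entries that would block update domains or redirect a legitimate name to a non-loopback address. The update-domain watch list and the sample HOSTS content, including the two flagged lines, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Domains whose presence in HOSTS would block the update channels this thread
# is about. Assumption for this example: a short watch list, not a complete one.
UPDATE_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.microsoft.com",
    "malwarebytes.org",
)

# Marker comments Spybot writes around its immunization entries (seen in post #3).
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: list
    immunized: bool  # True when the entry sits inside the Spybot block


@dataclass
class HostsReport:
    entries: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)  # (line_no, reason, raw line)


def _matches_watchlist(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in UPDATE_DOMAINS)


def parse_hosts(text: str) -> HostsReport:
    """Parse HOSTS text (on Windows: C:\\Windows\\System32\\drivers\\etc\\hosts)."""
    report = HostsReport()
    in_spybot = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped == SPYBOT_START:
            in_spybot = True
            continue
        if stripped == SPYBOT_END:
            in_spybot = False
            continue
        # Drop inline comments and skip comment-only or blank lines.
        body = stripped.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            report.suspicious.append((line_no, "malformed entry", raw))
            continue
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report.suspicious.append((line_no, "invalid IP address", raw))
            continue
        report.entries.append(HostsEntry(line_no, ip, names, in_spybot))
        blocks = addr.is_loopback or addr.is_unspecified  # 127.x / ::1 / 0.0.0.0
        for name in names:
            if _matches_watchlist(name):
                # Even inside a Spybot block this would cut off updates.
                report.suspicious.append(
                    (line_no, f"update/AV domain {name} mapped to {ip}", raw))
            elif not blocks and name.lower() != "localhost":
                # A non-loopback mapping redirects a name instead of blocking it.
                report.suspicious.append(
                    (line_no, f"{name} redirected to non-loopback {ip}", raw))
    return report


def is_clean(text: str) -> bool:
    return not parse_hosts(text).suspicious


# Constructed sample: the Microsoft header, a Spybot block, then two bad lines.
SAMPLE_HOSTS = """\
# Copyright 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 windowsupdate.microsoft.com   # constructed: would block Windows Update
192.0.2.10 www.google.com               # constructed: redirect, not a block
bogus entry
"""

if __name__ == "__main__":
    for line_no, reason, raw in parse_hosts(SAMPLE_HOSTS).suspicious:
        print(f"line {line_no}: {reason}: {raw.strip()}")
```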

#5 MyBlack94GST

MyBlack94GST
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 13 April 2010 - 09:54 AM

Hi,

I've just started getting this:

"Generic Host Process for Win32 Services has encountered a problem and needs to close."

Upon closing, I lose stuff like sound ("There are no active mixer devices available") when clicking on the speaker icon in the lower right-hand corner.

Is this related to the update problem?

Thanks!

#6 MyBlack94GST

MyBlack94GST
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 13 April 2010 - 11:54 PM

Update -

AVE.exe came back without the redirect.

Killed it with Malwarebytes, which required a reboot.

Upon rebooting, Windows updated automatically for the first time in many days.

I tried to manually update MSE, and it failed (0x80072EFE), but then it kept going by itself after I acknowledged the failure and ended up installing the updated definitions.

I can't access the Windows Update website with IE (0x80072EFF).

Any ideas?

Thanks!

#7 MyBlack94GST

MyBlack94GST
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 14 April 2010 - 10:34 AM

I switched to Avast! last night and downloaded the Rogue Removal kit at http://www.elitekiller.com/files/rogueremoval.zip. Ran CCleaner and ComboFix.

Edited by MyBlack94GST, 14 April 2010 - 10:35 AM.


#8 MyBlack94GST

MyBlack94GST
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:07 AM

Posted 14 April 2010 - 10:36 AM

ComboFix 10-04-13.03 - Mahesh 04/14/2010 1:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.126 [GMT -7:00]
Running from: c:\rogue removal\Fixes\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\PRE45
C:\Thumbs.db
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12316.exe
c:\windows\system32\12382.exe
c:\windows\system32\12859.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\15890.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\1842.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19264.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\20037.exe
c:\windows\system32\21726.exe
c:\windows\system32\22190.exe
c:\windows\system32\22648.exe
c:\windows\system32\23281.exe
c:\windows\system32\23805.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27446.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\288.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30106.exe
c:\windows\system32\30333.exe
c:\windows\system32\3035.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\778.exe
c:\windows\system32\8723.exe
c:\windows\system32\8942.exe
c:\windows\system32\9040.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\Data
c:\windows\system32\sX3i19
c:\windows\Tasks\ywjjbick.job

.
((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-14 07:34 . 2010-04-14 07:34 -------- d-----w- c:\program files\CCleaner
2010-04-14 07:32 . 2010-04-14 08:24 -------- d-----w- C:\Rogue Removal
2010-04-14 05:15 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 05:15 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 05:15 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 05:15 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 05:15 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 05:15 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 05:15 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-14 05:14 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 05:14 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 05:14 . 2010-04-14 05:14 -------- d-----w- c:\program files\Alwil Software
2010-04-14 05:14 . 2010-04-14 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-13 00:17 . 2010-04-13 00:17 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-09 08:55 . 2010-04-09 08:55 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-09 03:15 . 2010-04-09 03:35 -------- d-----w- c:\documents and settings\Mahesh\Local Settings\Application Data\avG
2010-04-08 15:43 . 2010-04-08 15:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 06:14 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 06:14 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 06:14 . 2010-04-06 06:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 05:45 . 2010-04-06 05:45 52224 ----a-w- c:\documents and settings\Mahesh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 05:45 . 2010-02-11 22:49 117760 ----a-w- c:\documents and settings\Mahesh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 05:44 . 2010-04-06 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 05:44 . 2010-04-06 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 05:44 . 2010-04-06 05:44 -------- d-----w- c:\documents and settings\Mahesh\Application Data\SUPERAntiSpyware.com
2010-04-06 05:43 . 2010-04-06 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 04:50 . 2010-04-06 04:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 04:29 . 2010-04-06 06:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-03-22 23:04 . 2010-03-22 23:04 255472 ----a-w- c:\documents and settings\Mahesh\Application Data\Mozilla\plugins\npgoogletalk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 07:48 . 1980-01-01 06:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 07:41 . 2007-01-03 04:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 07:41 . 2007-01-03 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-14 07:40 . 2007-01-03 04:03 -------- d-----w- c:\program files\Lavasoft
2010-04-14 07:40 . 2008-11-17 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-14 03:11 . 2008-09-29 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-13 05:43 . 2010-01-29 00:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 04:16 . 2010-04-06 04:16 699904 ----a-w- c:\windows\isRS-000.tmp
2010-03-09 11:09 . 2004-08-04 11:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 06:30 . 2005-02-04 06:58 -------- d-----w- c:\program files\Cool2000
2010-02-28 18:32 . 2005-02-04 06:31 -------- d-----w- c:\program files\palmOne
2010-02-26 05:43 . 2004-08-04 11:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2010-01-10 20:35 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 17:16 . 2009-10-03 01:00 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2004-08-04 11:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 11:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 18:56 . 2010-02-15 18:56 -------- d-----w- c:\program files\MSConfig CleanUp
2010-02-15 18:56 . 2010-02-15 18:17 -------- d-----w- c:\program files\Startup Optimizer
2010-02-12 04:33 . 2004-08-04 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-29 01:01 . 2010-01-29 01:01 503808 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c7babbc-n\msvcp71.dll
2010-01-29 01:01 . 2010-01-29 01:01 499712 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c7babbc-n\jmc.dll
2010-01-29 01:01 . 2010-01-29 01:01 348160 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c7babbc-n\msvcr71.dll
2010-01-29 01:01 . 2010-01-29 01:01 61440 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-420a446e-n\decora-sse.dll
2010-01-29 01:01 . 2010-01-29 01:01 12800 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-420a446e-n\decora-d3d.dll
2010-01-29 01:00 . 2010-01-29 01:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-29 00:59 . 2010-01-29 00:59 79488 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-01-29 00:59 . 2010-01-29 00:59 152576 ----a-w- c:\documents and settings\Mahesh\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-01-29 00:40 . 2010-01-29 00:40 26112 ----a-w- c:\windows\system32\userinit.vir
2010-01-28 18:20 . 2004-08-04 11:00 26112 ----a-w- c:\windows\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mahesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2005-11-09 91136]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Mahesh\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mahesh\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\helpsvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\WBEM\\UNSECAPP.EXE"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/13/2010 10:15 PM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/13/2010 10:15 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 ldhikjof;ldhikjof;c:\windows\system32\drivers\lbawpqdu.sys --> c:\windows\system32\drivers\lbawpqdu.sys [?]
S1 MpKsl49344472;MpKsl49344472;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0E8CA842-A95F-4E6D-9AC1-38F6E742FFD1}\MpKsl49344472.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0E8CA842-A95F-4E6D-9AC1-38F6E742FFD1}\MpKsl49344472.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/11/2010 12:35 PM 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 sbext;Sound Blaster Extigy Audio Driver;c:\windows\SYSTEM32\DRIVERS\sbext.sys [3/1/2005 9:22 PM 1127573]
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2010-04-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 15:59]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 19:35]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 19:35]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2088211963-2211036737-3311118530-1006Core.job
- c:\documents and settings\Mahesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 07:54]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2088211963-2211036737-3311118530-1006UA.job
- c:\documents and settings\Mahesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 07:54]

2010-04-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/mywaybiz
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com \windowsupdate
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Mahesh\Application Data\Mozilla\Firefox\Profiles\9aejl8ij.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Mahesh\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mahesh\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SharedTaskScheduler-{8ffbae45-41fd-4d78-b189-ff1c0dcf855e} - (no file)
SSODL-bimowolur-{8ffbae45-41fd-4d78-b189-ff1c0dcf855e} - (no file)
SafeBoot-klmdb.sys
SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-MsMpSvc
AddRemove-Creative News - c:\program files\Creative\News\CTNews.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 01:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AF8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85fff28
\Driver\ACPI -> ACPI.sys @ 0xf84f2cb8
\Driver\atapi -> atapi.sys @ 0xf8492852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8344bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8351a21
SendHandler -> NDIS.sys @ 0xf832f87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2652)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio\MobilePre\Install\MPInst.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-14 01:57:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-14 08:57

Pre-Run: 3,671,900,160 bytes free
Post-Run: 3,613,941,760 bytes free

- - End Of File - - 3414D6776C5D93ADB91C13F11D676BF0



