
SYSTEM SECURITY 2009: cannot run hijackthis/MWB



Hi there.. hoping you can help me. I have been infected by the System Security 2009 virus and have done as much cleanup of things as I can. I have removed the 19######.exe from my system, including cleaning up all registry items (currentversion/run, etc.).

I can download and install HijackThis and Malwarebytes without a problem; however, whenever I attempt to run them, they stop after about 4 seconds and I cannot get a scan.

I've tried renaming the exes, installing them to a different folder name and drive, safe mode, etc... and it still blocks them from running after 4 seconds. The files then become unusable with a Windows permission-type error message and I must uninstall the application.

Also, I've noticed some programs crashing that ran solid as a rock in the past.. Directory Opus, for one.

I have even tried running Hiren's Boot CD, but Malwarebytes and HijackThis both give me a 50006 error message, so no dice there either!

Sounds like I have the virus or some rootkit still on my system.. but since I cannot run any virus software or Malwarebytes, I'm not sure how to correct it.

Would love some help! I'm at my wits' end, as this has been going on for about 2 weeks now and I'm a pretty experienced user who has done just about everything listed on sites via Google.. Thx!


  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."


I ran it again... it didn't seem to clean anything this time, but here is the log...

ComboFix 09-08-07.07 - User 08/07/2009 21:16.2.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2222 [GMT -4:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))

.

2009-08-08 00:36 . 2009-08-08 00:36 -------- d-----w- c:\windows\LastGood

2009-08-06 03:16 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-06 03:16 . 2009-08-06 03:19 -------- d-----w- C:\ahba

2009-08-06 03:16 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 21:53 . 2009-08-05 21:53 -------- d-----w- c:\program files\Realtek AC97

2009-08-05 21:38 . 2006-10-18 06:53 147456 ----a-w- c:\windows\system32\RTLCPAPI.dll

2009-08-05 21:20 . 2008-09-24 14:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys

2009-08-05 21:20 . 2006-12-08 19:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe

2009-08-05 21:20 . 2006-07-31 15:27 217088 ----a-w- c:\windows\alcrmv.exe

2009-08-05 21:20 . 2006-07-31 15:19 315392 ----a-w- c:\windows\alcupd.exe

2009-08-05 21:09 . 2001-08-17 23:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys

2009-08-05 21:08 . 2008-04-14 02:42 64000 ----a-w- c:\windows\system32\dllcache\nwapi32.dll

2009-08-05 21:08 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\dllcache\nwapi16.dll

2009-08-05 21:08 . 2008-04-14 02:41 36921 ----a-w- c:\windows\system32\dllcache\imeshare.dll

2009-08-05 20:41 . 2008-04-14 02:42 389120 ----a-w- c:\windows\system32\dllcache\cmd.exe

2009-08-05 20:41 . 2008-04-14 02:42 389120 ----a-w- c:\windows\system32\cmd.exe

2009-08-05 02:35 . 2009-08-05 02:43 -------- d-----w- c:\program files\OpenedFilesView

2009-08-05 02:35 . 2009-08-05 02:35 39424 ----a-w- c:\windows\zipinst.exe

2009-08-03 21:17 . 2009-08-03 21:17 -------- d-----w- c:\program files\Trend Micro

2009-08-03 04:03 . 2009-08-03 14:33 -------- d-----w- c:\program files\Enigma Software Group

2009-08-03 03:45 . 2009-08-03 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-03 02:28 . 2009-08-03 02:28 -------- d-----w- c:\documents and settings\Administrator.JINGO\Application Data\Talkback

2009-08-03 02:28 . 2009-08-03 02:28 -------- d-----w- c:\documents and settings\Administrator.JINGO\Local Settings\Application Data\Mozilla

2009-08-01 14:08 . 2009-08-01 14:08 11264 ----a-w- c:\windows\system32\drivers\uze3nda2.sys

2009-08-01 13:34 . 2009-08-01 13:34 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-08-01 13:34 . 2009-08-01 13:34 32480 ----a-w- c:\windows\system32\Partizan.exe

2009-08-01 13:22 . 2009-08-01 13:22 2 --shatr- c:\windows\winstart.bat

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\system32\wbem\snmp

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\system32\xircom

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\srchasst

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\program files\microsoft frontpage

2009-07-30 12:55 . 2009-07-30 12:54 512096 ----a-w- c:\windows\system32\drivers\amon.sys

2009-07-30 12:55 . 2009-07-30 12:54 298104 ----a-w- c:\windows\system32\imon.dll

2009-07-30 12:55 . 2009-07-30 12:54 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys

2009-07-30 12:54 . 2009-08-03 02:21 -------- d-----w- c:\program files\ESET

2009-07-30 12:46 . 2009-08-03 02:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-30 03:15 . 2009-08-03 02:35 -------- d-s---w- c:\documents and settings\Administrator.JINGO

2009-07-30 03:15 . 2009-07-30 13:10 -------- d-----w- c:\documents and settings\Administrator.JINGO\Local Settings\Application Data\Microsoft

2009-07-30 02:40 . 2009-07-30 02:40 36 ----a-w- c:\windows\system32\sysnet.dat

2009-07-26 00:46 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-07-26 00:46 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\program files\iPod

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\program files\iTunes

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 00:45 . 2009-07-26 00:45 -------- d-----w- c:\program files\QuickTime

2009-07-26 00:45 . 2009-07-26 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-07-26 00:44 . 2009-07-26 00:44 -------- d-----w- c:\program files\Apple Software Update

2009-07-26 00:44 . 2009-07-09 16:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-26 00:44 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-26 00:44 . 2009-07-26 00:46 -------- d-----w- c:\program files\Common Files\Apple

2009-07-26 00:43 . 2009-07-26 00:43 687104 ----a-w- c:\windows\is-5CKNT.exe

2009-07-23 12:19 . 2009-07-23 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-07-21 23:42 . 2009-08-05 03:01 -------- d-----w- c:\program files\World of Warcraft

2009-07-21 23:36 . 2009-07-21 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

2009-07-21 23:34 . 2009-07-21 23:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-07-15 01:49 . 2009-07-15 01:56 -------- d-----w- c:\documents and settings\User\Application Data\GeoSetter

2009-07-15 01:48 . 2009-07-15 01:48 -------- d-----w- c:\program files\GeoSetter

2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-08 01:09 . 2008-06-25 01:03 168864 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\FlashGot.exe

2009-08-08 00:34 . 2008-07-14 19:54 -------- d-----w- c:\program files\Flashget

2009-08-08 00:29 . 2008-04-13 21:42 407040 ----a-w- c:\windows\system32\netlogon.dll

2009-08-08 00:24 . 2008-04-13 16:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-08-06 12:03 . 2008-07-14 19:43 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-05 22:24 . 2009-05-31 00:31 25 ----a-w- c:\windows\popcinfot.dat

2009-08-05 21:20 . 2008-06-03 21:01 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-05 06:06 . 2009-02-12 05:12 1109 ----a-w- c:\documents and settings\User\Application Data\Genie-soft\GBMPro8\Jobs\Incremental Job\00000000\maindata.sys

2009-08-04 19:23 . 2008-12-29 22:13 -------- d-----w- c:\program files\PowerISO

2009-08-04 16:58 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP65be.tmp

2009-08-04 02:54 . 2008-06-15 01:22 -------- d-----w- c:\documents and settings\User\Application Data\IDimager

2009-08-04 02:48 . 2008-08-28 16:07 -------- d-----w- c:\program files\Qimage

2009-08-03 18:17 . 2008-08-19 19:37 -------- d-----w- c:\documents and settings\User\Application Data\LumaPix

2009-08-03 14:34 . 2009-03-20 02:24 -------- d-----w- c:\program files\TeamViewer

2009-08-03 03:52 . 2009-05-21 22:24 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-08-01 12:41 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP593b.tmp

2009-08-01 12:39 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP5d62.tmp

2009-08-01 12:37 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6292.tmp

2009-08-01 12:35 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP5c49.tmp

2009-07-29 01:36 . 2009-01-31 03:42 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer

2009-07-26 00:50 . 2008-08-12 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-26 00:45 . 2008-06-29 01:45 -------- d-----w- c:\program files\Bonjour

2009-07-20 22:29 . 2008-12-29 23:22 2310 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-07-16 20:37 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\User\Application Data\The Bat!

2009-07-15 15:28 . 2009-01-19 16:12 -------- d-----w- c:\program files\Black Hawk Down Server Manager

2009-07-15 15:28 . 2009-01-13 19:59 -------- d-----w- c:\program files\Bhawk

2009-07-08 16:06 . 2009-07-08 16:05 -------- d-----w- c:\program files\BookSmart 2.01

2009-07-02 21:40 . 2009-07-02 21:40 -------- d-----w- c:\program files\The Bat!

2009-07-01 20:27 . 2009-07-01 14:40 -------- d-----w- c:\program files\Replay Media Catcher

2009-07-01 14:42 . 2009-07-01 14:42 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-07-01 14:42 . 2009-07-01 14:42 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-07-01 14:42 . 2009-07-01 14:40 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-06-17 22:03 . 2009-06-17 22:03 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2009-06-17 22:03 . 2009-06-17 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-17 21:46 . 2009-06-02 23:30 -------- d-----w- c:\program files\BookSmart 2.0

2009-06-17 21:45 . 2009-06-17 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)

2009-06-17 21:44 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6755.tmp

2009-06-17 21:41 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP54a7.tmp

2009-06-17 21:17 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP4db2.tmp

2009-06-17 13:02 . 2009-06-17 13:02 -------- d-----w- c:\program files\Avira

2009-06-16 02:35 . 2008-07-29 17:46 -------- d-----w- c:\documents and settings\User\Application Data\Thinstall

2009-05-27 11:27 . 2008-06-03 21:07 85448 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-21 22:27 . 2009-05-21 22:28 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys

2009-05-21 22:27 . 2009-05-21 22:28 205328 ----a-w- c:\windows\system32\drivers\tmxpflt.sys

2009-05-21 22:27 . 2009-05-21 22:28 1195512 ----a-w- c:\windows\system32\drivers\vsapint.sys

2009-05-21 21:46 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6486.tmp

2009-05-15 10:45 . 2007-03-21 21:04 10017 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\%Common AppData%\BlazeVideo\VideoMagic2\BlazeVideoMagic.dll

2009-05-15 03:43 . 2009-05-15 03:43 8704 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\40000093000003h\encoder.exe

2009-05-15 03:43 . 2009-05-15 03:43 8704 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\4000008b500003h\fplayer.exe

2008-12-19 13:38 . 2008-06-03 20:51 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 13:38 . 2008-06-03 20:51 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 13:38 . 2008-06-03 20:51 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 13:38 . 2008-06-03 20:51 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 13:38 . 2008-06-03 20:51 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2007-11-09 20:10 . 2007-11-09 20:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2007-11-09 20:10 . 2007-11-09 20:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2007-11-09 20:10 . 2007-11-09 20:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2007-11-09 20:10 . 2007-11-09 20:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2007-11-09 20:10 . 2007-11-09 20:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2007-11-09 20:10 . 2007-11-09 20:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-11-09 20:10 . 2007-11-09 20:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll

2007-11-09 20:11 . 2007-11-09 20:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2007-11-09 20:11 . 2007-11-09 20:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2008-04-13 21:42 57856 DA907634A6932211F297697043E72639 c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_00.35.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-08 00:36 . 2006-10-18 06:53 147456 c:\windows\LastGood\system32\RTLCPAPI.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DOpus"="e:\program files\Portable Apps Backup\File Management" [X]

"Directory Opus Desktop Dblclk"="e:\program files\Portable Apps Backup\File Management" [X]

"Executor"="c:\program files\Executor\executor.exe" [2009-05-19 1108992]

"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-07-28 189056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"Flashget"="c:\program files\Flashget\flashget.exe" [2007-09-25 2007088]

"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-10-23 573440]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-07-28 189056]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-26 16859136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

C2CMonitor.lnk - c:\program files\ClickToConvert\C2CMonitor.exe [2009-3-24 412160]

MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2009-1-21 102400]

MonacoReminder.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe [2009-1-21 176128]

UltraMon.lnk - c:\windows\Installer\{CC15A5FC-B6D3-4A2D-8A26-D8F2702A3C00}\IcoUltraMon.ico [2009-1-31 29310]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [12/25/2008 11:29 AM 134272]

R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/4/2008 6:12 PM 971232]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [7/30/2009 8:55 AM 15424]

R1 uze3nda2;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uze3nda2.sys [8/1/2009 10:08 AM 11264]

R2 HF30Sys;HF30Sys;c:\program files\Everstrike Software\Hide Folder 3.1\HF30XP.sys [3/26/2009 2:21 PM 67888]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/14/2008 6:32 PM 10496]

R3 HF30Kbd;HF30Kbd;c:\program files\Everstrike Software\Hide Folder 3.1\HF30Kbd2K.sys [3/26/2009 2:21 PM 9856]

S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe --> c:\windows\system32\Pen_Tablet.exe [?]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt --> c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/1/2009 9:34 AM 34760]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [1/25/2008 5:12 AM 25088]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/27/2008 4:13 PM 15144]

S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [1/29/2007 6:01 AM 18168]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-08-05 c:\windows\Tasks\GBM - Incremental Job-Full.job

- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-02-12 15:04]

.

.

------- Supplementary Scan -------

.

uStart Page =

uInternet Settings,ProxyOverride = *.local

IE: &Download All with FlashGet - c:\program files\Flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\Flashget\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\imon.dll

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-07 21:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\EverestDriver]

"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1123561945-1801674531-1001\Software\SecuROM\License information*]

"datasecu"=hex:57,7c,d8,61,02,a5,62,43,e2,e2,e6,df,00,c0,44,f7,98,fb,47,4d,db,

7e,9b,f2,f7,8a,09,73,f7,3b,e8,c5,5e,13,45,c0,bc,84,90,f6,4e,b6,e4,e0,cd,9e,\

"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1580)

c:\windows\system32\relog_ap.dll

c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(20028)

c:\program files\UltraMon\RTSUltraMonHook.dll

.

Completion time: 2009-08-08 21:21

ComboFix-quarantined-files.txt 2009-08-08 01:21

ComboFix2.txt 2009-08-08 00:44

Pre-Run: 511,354,613,760 bytes free

Post-Run: 511,339,601,920 bytes free

Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6

263 --- E O F --- 2008-10-24 07:00


Wow... I was now able to run HijackThis and Malwarebytes. MWB found a couple of issues and cleared them.. HijackThis log as follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:52:04 PM, on 8/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Flashget\flashget.exe

C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Executor\executor.exe

E:\Program Files\Portable Apps Backup\File Management, FTP-Torrent, Emu Programs\Portable Directory Opus 9\Appdata\dopus.exe

C:\Program Files\ClickToConvert\C2CMonitor.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\astsrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Everstrike Software\Hide Folder 3.1\HF30Service.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\efghi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\Flashget\jccatch.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Flashget] C:\Program Files\Flashget\flashget.exe /min

O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s

O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe

O4 - HKCU\..\Run: [DOpus] E:\Program Files\Portable Apps Backup\File Management, FTP-Torrent, Emu Programs\Portable Directory Opus 9\Appdata\dopus.exe

O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "E:\Program Files\Portable Apps Backup\File Management, FTP-Torrent, Emu Programs\Portable Directory Opus 9\Appdata\dopusrt.exe" /dblclk

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe

O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe

O4 - Global Startup: MonacoReminder.lnk = ?

O4 - Global Startup: UltraMon.lnk = ?

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\Flashget\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\Flashget\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\Flashget\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\Flashget\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HF30Service - Unknown owner - C:\Program Files\Everstrike Software\Hide Folder 3.1\HF30Service.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - E:\Program Files\Portable Apps Backup\System Utilities, Virus Scan & Zip-RAR Programs\SiSoftware Sandra Professional Business XI\RpcSandraSrv.exe

O23 - Service: TabletServicePen - Unknown owner - C:\WINDOWS\system32\Pen_Tablet.exe (file missing)

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--

End of file - 8588 bytes

I'm hopeful that ComboFix actually cleaned the machine...? Thanks again for the advice and help.. and here I was giving up!! :):)


Oh.. I found these two files in C:\Qoobox.. they look like the original scan log?

Combofix - quarantined-files.txt

2009-08-08 00:44:26 . 2009-08-08 00:44:26 429 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}.reg.dat

2009-08-08 00:44:23 . 2009-08-08 00:44:23 163 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SunJavaUpdateSched.reg.dat

2009-08-08 00:44:22 . 2009-08-08 00:44:22 163 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AdobeMMP.reg.dat

2009-08-08 00:29:56 . 2009-08-08 00:29:56 60,416 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\netlogon.dll.vir

2009-08-08 00:27:44 . 2009-08-08 00:27:44 1,398 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat

2009-08-08 00:27:44 . 2009-08-08 00:27:44 1,398 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat

2009-08-08 00:27:37 . 2009-08-08 01:18:45 9,398 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-08-08 00:17:37 . 2009-08-08 01:16:19 512 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-05-21 22:27:08 . 2009-05-21 22:27:08 2,845,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\5486d.msi.vir

2009-05-21 17:57:53 . 2009-05-21 17:57:53 3,573,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989e0.msi.vir

2009-05-21 17:57:28 . 2009-05-21 17:57:28 3,085,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989d8.msi.vir

2009-05-21 17:57:16 . 2009-05-21 17:57:16 4,915,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989cf.msi.vir

2009-05-21 17:57:07 . 2009-05-21 17:57:07 3,076,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989bf.msi.vir

2009-05-21 17:56:59 . 2009-05-21 17:56:59 3,073,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989b7.msi.vir

2009-05-21 17:56:52 . 2009-05-21 17:56:52 3,073,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c989af.msi.vir

2009-05-21 17:52:42 . 2009-05-21 17:52:42 3,174,400 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\47c9899f.msi.vir

2009-05-21 03:44:57 . 2009-05-21 03:44:57 268,800 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\44c1db15.msi.vir

2009-05-20 19:19:34 . 2009-05-20 19:19:34 3,304,448 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf7cf.msi.vir

2009-05-20 19:19:10 . 2009-05-20 19:19:10 3,285,504 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf7c6.msi.vir

2009-05-20 19:18:52 . 2009-05-20 19:18:52 3,075,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf7be.msi.vir

2009-05-20 19:18:45 . 2009-05-20 19:18:45 3,096,064 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf7b6.msi.vir

2009-05-20 19:18:29 . 2009-05-20 19:18:29 3,078,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf799.msi.vir

2009-05-20 19:18:22 . 2009-05-20 19:18:22 4,908,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf791.msi.vir

2009-05-20 19:18:02 . 2009-05-20 19:18:02 3,076,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf77e.msi.vir

2009-05-20 19:17:55 . 2009-05-20 19:17:55 3,076,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf776.msi.vir

2009-05-20 19:17:48 . 2009-05-20 19:17:48 3,079,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf76e.msi.vir

2009-05-20 19:17:41 . 2009-05-20 19:17:41 3,078,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf766.msi.vir

2009-05-20 19:17:33 . 2009-05-20 19:17:33 3,070,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf75e.msi.vir

2009-05-20 19:17:27 . 2009-05-20 19:17:27 3,117,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf755.msi.vir

2009-05-20 19:17:18 . 2009-05-20 19:17:18 3,091,968 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf74d.msi.vir

2009-05-20 19:17:11 . 2009-05-20 19:17:12 3,095,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf745.msi.vir

2009-05-20 19:16:57 . 2009-05-20 19:16:57 3,073,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf736.msi.vir

2009-05-20 19:16:47 . 2009-05-20 19:16:47 3,074,048 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf726.msi.vir

2009-05-20 19:16:39 . 2009-05-20 19:16:39 3,073,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf716.msi.vir

2009-05-20 19:16:30 . 2009-05-20 19:16:30 3,089,408 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf706.msi.vir

2009-05-20 19:16:22 . 2009-05-20 19:16:22 3,146,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6fe.msi.vir

2009-05-20 19:16:12 . 2009-05-20 19:16:12 3,150,848 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6f6.msi.vir

2009-05-20 19:16:05 . 2009-05-20 19:16:05 3,083,776 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6ee.msi.vir

2009-05-20 19:15:56 . 2009-05-20 19:15:56 3,094,016 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6de.msi.vir

2009-05-20 19:15:48 . 2009-05-20 19:15:48 3,273,216 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6d6.msi.vir

2009-05-20 19:15:33 . 2009-05-20 19:15:33 3,186,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6ce.msi.vir

2009-05-20 19:15:23 . 2009-05-20 19:15:23 3,073,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6c6.msi.vir

2009-05-20 19:15:15 . 2009-05-20 19:15:15 3,072,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6b5.msi.vir

2009-05-20 19:15:09 . 2009-05-20 19:15:09 3,069,952 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6ad.msi.vir

2009-05-20 19:15:01 . 2009-05-20 19:15:01 3,178,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf6a4.msi.vir

2009-05-20 19:14:43 . 2009-05-20 19:14:43 3,228,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf69c.msi.vir

2009-05-20 19:14:30 . 2009-05-20 19:14:30 3,087,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf694.msi.vir

2009-05-20 19:14:14 . 2009-05-20 19:14:14 3,110,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf644.msi.vir

2009-05-20 19:13:53 . 2009-05-20 19:13:53 3,070,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf634.msi.vir

2009-05-20 19:12:52 . 2009-05-20 19:12:52 3,174,400 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ecf62c.msi.vir

2009-03-24 18:41:26 . 2009-03-24 18:41:26 1,648,640 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\553a511.msi.vir

2008-06-25 00:58:13 . 2006-08-22 20:28:30 489,400 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\dopuslib.dll.vir

2008-06-04 02:00:47 . 2009-07-07 20:44:28 10,170 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir

2008-06-04 02:00:47 . 2009-07-20 21:37:30 9,180 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir

2008-04-13 21:42:28 . 2008-04-13 21:42:28 169,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msconfig.exe.vir

2008-04-13 21:42:10 . 2008-04-13 21:42:10 7,780 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wgyjnt.dll.vir

2008-04-13 16:50:38 . 2009-05-21 17:53:15 212,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir

2008-02-23 05:44:44 . 2008-02-23 05:44:44 140,747,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\c8f99.msi.vir

2007-06-16 22:56:34 . 2007-06-16 22:56:34 10,575,872 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Temp\Vista Ultimate\Vista Ultimate.msstyles.vir

ComboFix2.txt

ComboFix 09-08-07.07 - User 08/07/2009 20:24.1.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2296 [GMT -4:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\$recycle.bin\S-1-5-21-1001024165-1592044758-227848348-1000

c:\docume~1\User\LOCALS~1\Temp\RarSFX0\dopuslib.dll

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\User\Local Settings\Temp\RarSFX0\dopuslib.dll

c:\recycler\S-1-5-21-2038342736-2666472726-347816577-6302

c:\windows\Installer\42ecf62c.msi

c:\windows\Installer\42ecf634.msi

c:\windows\Installer\42ecf644.msi

c:\windows\Installer\42ecf694.msi

c:\windows\Installer\42ecf69c.msi

c:\windows\Installer\42ecf6a4.msi

c:\windows\Installer\42ecf6ad.msi

c:\windows\Installer\42ecf6b5.msi

c:\windows\Installer\42ecf6c6.msi

c:\windows\Installer\42ecf6ce.msi

c:\windows\Installer\42ecf6d6.msi

c:\windows\Installer\42ecf6de.msi

c:\windows\Installer\42ecf6ee.msi

c:\windows\Installer\42ecf6f6.msi

c:\windows\Installer\42ecf6fe.msi

c:\windows\Installer\42ecf706.msi

c:\windows\Installer\42ecf716.msi

c:\windows\Installer\42ecf726.msi

c:\windows\Installer\42ecf736.msi

c:\windows\Installer\42ecf745.msi

c:\windows\Installer\42ecf74d.msi

c:\windows\Installer\42ecf755.msi

c:\windows\Installer\42ecf75e.msi

c:\windows\Installer\42ecf766.msi

c:\windows\Installer\42ecf76e.msi

c:\windows\Installer\42ecf776.msi

c:\windows\Installer\42ecf77e.msi

c:\windows\Installer\42ecf791.msi

c:\windows\Installer\42ecf799.msi

c:\windows\Installer\42ecf7b6.msi

c:\windows\Installer\42ecf7be.msi

c:\windows\Installer\42ecf7c6.msi

c:\windows\Installer\42ecf7cf.msi

c:\windows\Installer\44c1db15.msi

c:\windows\Installer\47c9899f.msi

c:\windows\Installer\47c989af.msi

c:\windows\Installer\47c989b7.msi

c:\windows\Installer\47c989bf.msi

c:\windows\Installer\47c989cf.msi

c:\windows\Installer\47c989d8.msi

c:\windows\Installer\47c989e0.msi

c:\windows\Installer\5486d.msi

c:\windows\Installer\553a511.msi

c:\windows\Installer\c8f99.msi

c:\windows\system32\lowsec

c:\windows\system32\msconfig.exe

c:\windows\system32\wgyjnt.dll

c:\windows\TEMP\Vista Ultimate\Vista Ultimate.msstyles

----- BITS: Possible infected sites -----

hxxp://78.157.143.163

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - The cat ate it :)

Infected copy of c:\windows\system32\netlogon.dll was found and disinfected

Restored copy from - c:\windows\system32\ntelogon.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))

.

2009-08-06 03:16 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-06 03:16 . 2009-08-06 03:19 -------- d-----w- C:\ahba

2009-08-06 03:16 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 21:53 . 2009-08-05 21:53 -------- d-----w- c:\program files\Realtek AC97

2009-08-05 21:38 . 2006-10-18 06:53 147456 ----a-w- c:\windows\system32\RTLCPAPI.dll

2009-08-05 21:20 . 2008-09-24 14:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys

2009-08-05 21:20 . 2006-12-08 19:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe

2009-08-05 21:20 . 2006-07-31 15:27 217088 ----a-w- c:\windows\alcrmv.exe

2009-08-05 21:20 . 2006-07-31 15:19 315392 ----a-w- c:\windows\alcupd.exe

2009-08-05 21:09 . 2001-08-17 23:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys

2009-08-05 21:08 . 2008-04-14 02:42 64000 ----a-w- c:\windows\system32\dllcache\nwapi32.dll

2009-08-05 21:08 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\dllcache\nwapi16.dll

2009-08-05 21:08 . 2008-04-14 02:41 36921 ----a-w- c:\windows\system32\dllcache\imeshare.dll

2009-08-05 20:41 . 2008-04-14 02:42 389120 ----a-w- c:\windows\system32\dllcache\cmd.exe

2009-08-05 20:41 . 2008-04-14 02:42 389120 ----a-w- c:\windows\system32\cmd.exe

2009-08-05 02:35 . 2009-08-05 02:43 -------- d-----w- c:\program files\OpenedFilesView

2009-08-05 02:35 . 2009-08-05 02:35 39424 ----a-w- c:\windows\zipinst.exe

2009-08-03 21:17 . 2009-08-03 21:17 -------- d-----w- c:\program files\Trend Micro

2009-08-03 04:03 . 2009-08-03 14:33 -------- d-----w- c:\program files\Enigma Software Group

2009-08-03 03:45 . 2009-08-03 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-03 02:28 . 2009-08-03 02:28 -------- d-----w- c:\documents and settings\Administrator.JINGO\Application Data\Talkback

2009-08-03 02:28 . 2009-08-03 02:28 -------- d-----w- c:\documents and settings\Administrator.JINGO\Local Settings\Application Data\Mozilla

2009-08-01 14:08 . 2009-08-01 14:08 11264 ----a-w- c:\windows\system32\drivers\uze3nda2.sys

2009-08-01 13:34 . 2009-08-01 13:34 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-08-01 13:34 . 2009-08-01 13:34 32480 ----a-w- c:\windows\system32\Partizan.exe

2009-08-01 13:22 . 2009-08-01 13:22 2 --shatr- c:\windows\winstart.bat

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\system32\wbem\snmp

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\system32\xircom

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\windows\srchasst

2009-08-01 12:33 . 2009-08-01 12:33 -------- d-----w- c:\program files\microsoft frontpage

2009-07-30 12:55 . 2009-07-30 12:54 512096 ----a-w- c:\windows\system32\drivers\amon.sys

2009-07-30 12:55 . 2009-07-30 12:54 298104 ----a-w- c:\windows\system32\imon.dll

2009-07-30 12:55 . 2009-07-30 12:54 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys

2009-07-30 12:54 . 2009-08-03 02:21 -------- d-----w- c:\program files\ESET

2009-07-30 12:46 . 2009-08-03 02:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-30 03:15 . 2009-08-03 02:35 -------- d-s---w- c:\documents and settings\Administrator.JINGO

2009-07-30 03:15 . 2009-07-30 13:10 -------- d-----w- c:\documents and settings\Administrator.JINGO\Local Settings\Application Data\Microsoft

2009-07-30 02:40 . 2009-07-30 02:40 36 ----a-w- c:\windows\system32\sysnet.dat

2009-07-26 00:46 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-07-26 00:46 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\program files\iPod

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\program files\iTunes

2009-07-26 00:46 . 2009-07-26 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 00:45 . 2009-07-26 00:45 -------- d-----w- c:\program files\QuickTime

2009-07-26 00:45 . 2009-07-26 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-07-26 00:44 . 2009-07-26 00:44 -------- d-----w- c:\program files\Apple Software Update

2009-07-26 00:44 . 2009-07-09 16:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-26 00:44 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-26 00:44 . 2009-07-26 00:46 -------- d-----w- c:\program files\Common Files\Apple

2009-07-26 00:43 . 2009-07-26 00:43 687104 ----a-w- c:\windows\is-5CKNT.exe

2009-07-23 12:19 . 2009-07-23 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-07-21 23:42 . 2009-08-05 03:01 -------- d-----w- c:\program files\World of Warcraft

2009-07-21 23:36 . 2009-07-21 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

2009-07-21 23:34 . 2009-07-21 23:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-07-15 01:49 . 2009-07-15 01:56 -------- d-----w- c:\documents and settings\User\Application Data\GeoSetter

2009-07-15 01:48 . 2009-07-15 01:48 -------- d-----w- c:\program files\GeoSetter

2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-08 00:34 . 2008-07-14 19:54 -------- d-----w- c:\program files\Flashget

2009-08-08 00:29 . 2008-04-13 21:42 407040 ----a-w- c:\windows\system32\netlogon.dll

2009-08-08 00:24 . 2008-04-13 16:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-08-08 00:04 . 2008-06-25 01:03 168864 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\FlashGot.exe

2009-08-06 12:03 . 2008-07-14 19:43 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-05 22:24 . 2009-05-31 00:31 25 ----a-w- c:\windows\popcinfot.dat

2009-08-05 21:20 . 2008-06-03 21:01 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-05 06:06 . 2009-02-12 05:12 1109 ----a-w- c:\documents and settings\User\Application Data\Genie-soft\GBMPro8\Jobs\Incremental Job\00000000\maindata.sys

2009-08-04 19:23 . 2008-12-29 22:13 -------- d-----w- c:\program files\PowerISO

2009-08-04 16:58 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP65be.tmp

2009-08-04 02:54 . 2008-06-15 01:22 -------- d-----w- c:\documents and settings\User\Application Data\IDimager

2009-08-04 02:48 . 2008-08-28 16:07 -------- d-----w- c:\program files\Qimage

2009-08-03 18:17 . 2008-08-19 19:37 -------- d-----w- c:\documents and settings\User\Application Data\LumaPix

2009-08-03 14:34 . 2009-03-20 02:24 -------- d-----w- c:\program files\TeamViewer

2009-08-03 03:52 . 2009-05-21 22:24 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-08-01 12:41 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP593b.tmp

2009-08-01 12:39 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP5d62.tmp

2009-08-01 12:37 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6292.tmp

2009-08-01 12:35 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP5c49.tmp

2009-07-29 01:36 . 2009-01-31 03:42 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer

2009-07-26 00:50 . 2008-08-12 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-26 00:45 . 2008-06-29 01:45 -------- d-----w- c:\program files\Bonjour

2009-07-20 22:29 . 2008-12-29 23:22 2310 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-07-16 20:37 . 2009-07-02 22:42 -------- d-----w- c:\documents and settings\User\Application Data\The Bat!

2009-07-15 15:28 . 2009-01-19 16:12 -------- d-----w- c:\program files\Black Hawk Down Server Manager

2009-07-15 15:28 . 2009-01-13 19:59 -------- d-----w- c:\program files\Bhawk

2009-07-08 16:06 . 2009-07-08 16:05 -------- d-----w- c:\program files\BookSmart 2.01

2009-07-02 21:40 . 2009-07-02 21:40 -------- d-----w- c:\program files\The Bat!

2009-07-01 20:27 . 2009-07-01 14:40 -------- d-----w- c:\program files\Replay Media Catcher

2009-07-01 14:42 . 2009-07-01 14:42 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-07-01 14:42 . 2009-07-01 14:42 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-07-01 14:42 . 2009-07-01 14:40 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-06-17 22:03 . 2009-06-17 22:03 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2009-06-17 22:03 . 2009-06-17 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-17 21:46 . 2009-06-02 23:30 -------- d-----w- c:\program files\BookSmart 2.0

2009-06-17 21:45 . 2009-06-17 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)

2009-06-17 21:44 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6755.tmp

2009-06-17 21:41 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP54a7.tmp

2009-06-17 21:17 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP4db2.tmp

2009-06-17 13:02 . 2009-06-17 13:02 -------- d-----w- c:\program files\Avira

2009-06-16 02:35 . 2008-07-29 17:46 -------- d-----w- c:\documents and settings\User\Application Data\Thinstall

2009-05-27 11:27 . 2008-06-03 21:07 85448 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-21 22:27 . 2009-05-21 22:28 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys

2009-05-21 22:27 . 2009-05-21 22:28 205328 ----a-w- c:\windows\system32\drivers\tmxpflt.sys

2009-05-21 22:27 . 2009-05-21 22:28 1195512 ----a-w- c:\windows\system32\drivers\vsapint.sys

2009-05-21 21:46 . 2008-06-04 04:35 98304 ----a-w- c:\windows\DUMP6486.tmp

2009-05-15 10:45 . 2007-03-21 21:04 10017 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\%Common AppData%\BlazeVideo\VideoMagic2\BlazeVideoMagic.dll

2009-05-15 03:43 . 2009-05-15 03:43 8704 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\40000093000003h\encoder.exe

2009-05-15 03:43 . 2009-05-15 03:43 8704 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Blaze Video Magic 2.0\4000008b500003h\fplayer.exe

2008-12-19 13:38 . 2008-06-03 20:51 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 13:38 . 2008-06-03 20:51 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 13:38 . 2008-06-03 20:51 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 13:38 . 2008-06-03 20:51 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 13:38 . 2008-06-03 20:51 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2007-11-09 20:10 . 2007-11-09 20:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2007-11-09 20:10 . 2007-11-09 20:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2007-11-09 20:10 . 2007-11-09 20:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2007-11-09 20:10 . 2007-11-09 20:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2007-11-09 20:10 . 2007-11-09 20:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2007-11-09 20:10 . 2007-11-09 20:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-11-09 20:10 . 2007-11-09 20:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll

2007-11-09 20:11 . 2007-11-09 20:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2007-11-09 20:11 . 2007-11-09 20:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2008-04-13 21:42 57856 DA907634A6932211F297697043E72639 c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DOpus"="e:\program files\Portable Apps Backup\File Management" [X]

"Directory Opus Desktop Dblclk"="e:\program files\Portable Apps Backup\File Management" [X]

"Executor"="c:\program files\Executor\executor.exe" [2009-05-19 1108992]

"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-07-28 189056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"Flashget"="c:\program files\Flashget\flashget.exe" [2007-09-25 2007088]

"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-10-23 573440]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-07-28 189056]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-26 16859136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

C2CMonitor.lnk - c:\program files\ClickToConvert\C2CMonitor.exe [2009-3-24 412160]

MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2009-1-21 102400]

MonacoReminder.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe [2009-1-21 176128]

UltraMon.lnk - c:\windows\Installer\{CC15A5FC-B6D3-4A2D-8A26-D8F2702A3C00}\IcoUltraMon.ico [2009-1-31 29310]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [12/25/2008 11:29 AM 134272]

R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/4/2008 6:12 PM 971232]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [7/30/2009 8:55 AM 15424]

R1 uze3nda2;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uze3nda2.sys [8/1/2009 10:08 AM 11264]

R2 HF30Sys;HF30Sys;c:\program files\Everstrike Software\Hide Folder 3.1\HF30XP.sys [3/26/2009 2:21 PM 67888]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/14/2008 6:32 PM 10496]

R3 HF30Kbd;HF30Kbd;c:\program files\Everstrike Software\Hide Folder 3.1\HF30Kbd2K.sys [3/26/2009 2:21 PM 9856]

S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe --> c:\windows\system32\Pen_Tablet.exe [?]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt --> c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/1/2009 9:34 AM 34760]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [1/25/2008 5:12 AM 25088]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/27/2008 4:13 PM 15144]

S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [1/29/2007 6:01 AM 18168]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-08-05 c:\windows\Tasks\GBM - Incremental Job-Full.job

- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-02-12 15:04]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeMMP - c:\documents and settings\User\Application Data\Adobe\Player.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

ShellExecuteHooks-{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - c:\docume~1\User\LOCALS~1\Temp\RarSFX0\dopuslib.dll

.

------- Supplementary Scan -------

.

uStart Page =

uInternet Settings,ProxyOverride = *.local

IE: &Download All with FlashGet - c:\program files\Flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\Flashget\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\imon.dll

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hbg9lxa5.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-07 20:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\EverestDriver]

"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\RarSFX13\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1123561945-1801674531-1001\Software\SecuROM\License information*]

"datasecu"=hex:57,7c,d8,61,02,a5,62,43,e2,e2,e6,df,00,c0,44,f7,98,fb,47,4d,db,

7e,9b,f2,f7,8a,09,73,f7,3b,e8,c5,5e,13,45,c0,bc,84,90,f6,4e,b6,e4,e0,cd,9e,\

"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1580)

c:\windows\system32\relog_ap.dll

c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(4248)

c:\program files\UltraMon\RTSUltraMonHook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

e:\program files\Portable Apps Backup\File Management, FTP-Torrent, Emu Programs\Portable Directory Opus 9\Appdata\dopus.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\UltraMon\UltraMon.exe

c:\windows\system32\ASTSRV.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Everstrike Software\Hide Folder 3.1\HF30Service.exe

c:\program files\UltraMon\UltraMonTaskbar.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-08-08 20:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-08 00:44

Pre-Run: 508,313,530,368 bytes free

Post-Run: 511,343,439,872 bytes free

Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6

345 --- E O F --- 2008-10-24 07:00


  • Staff

Hi,

It looks like Combofix cleaned it here. The malware you were dealing with locked Malwarebytes. Mbam will have a workaround for that in the next version :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Perfection... I can't express my gratitude enough for your help!! Now, if only I could get my VSS reinstalled so I can do a ghost image.. for some reason VSS is not listed as a service. I have all the files in windows\system32 but don't know how to get it listed in the services.msc panel.. registering the DLLs doesn't seem to do the trick.

Anyway.. thx so much... you are wonderful!


  • Staff

What's VSS? In any case, it may be a good idea to reinstall it if it doesn't run now.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
