Jump to content

Anti Malware Programs Won't Run


steve12
 Share

Recommended Posts

Hi All,

Superantispyware Pro found many viruses and trojans. After reboot,I can no longer access the internent , and programs such as Spybot, HJT, SAS will not run. Some of the programs start to run and then go blank. Others such as MBAM give the error message:

"Windows cannot access the specified device, path, or file. You may not have permisios to access the item."

I tried Gmer, it scans for a few hours and then quits. It does highlight in red a globalroot/Device entry.

Any help would be greatly appreciated.

Thanks

_____________________

Dell Inspiron 6400

Windows XP Media Edition

SP 2

Link to post
Share on other sites

  • Root Admin

Download and run Win32kDiag:

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

[*]Double-click Win32kDiag.exe to run Win32kDiag and let it finish.

[*]When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.

[*]Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic, please do not attach the file.

Link to post
Share on other sites

AdvancedSetup, I want to thank you beforehand for your help!

Log file is located at: C:\Documents and Settings\Beatrice\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19E.tmp\ZAP19E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP351.tmp\ZAP351.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91.tmp\ZAP91.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-940598694-1099632659-3521341844-1006\S-1-5-21-940598694-1099632659-3521341844-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch6\ch6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-940598694-1099632659-3521341844-500\S-1-5-21-940598694-1099632659-3521341844-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-940598694-1099632659-3521341844-500\S-1-5-21-940598694-1099632659-3521341844-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\402170af2572\402170af2572

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\4394c732cf62\4394c732cf62

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MediaDirect\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-940598694-1099632659-3521341844-500\S-1-5-21-940598694-1099632659-3521341844-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\YMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\My Yahoo! Music\My Yahoo! Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-10 07:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-10 07:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 07:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Link to post
Share on other sites

  • Root Admin

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Then try to run the following:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

  • Root Admin

Okay, try deleting your current copy of CF and download a new fresh copy and run it again please.

Make sure all screen savers are turned off and sleep modes, as well as your Anti-Virus.

DO NOT use the computer while CF is running.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

Link to post
Share on other sites

ComboFix 09-09-09.04 - Beatrice 09/09/2009 21:27.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.496 [GMT -4:00]

Running from: c:\documents and settings\Beatrice\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\fyblb.exe

C:\hpbyv.exe

C:\pvewnn.exe

c:\windows\kb913800.exe

c:\windows\system32\1.tmp

c:\windows\system32\2.tmp

c:\windows\system32\3.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_MEMSWEEP2

-------\Service_MEMSWEEP2

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))

.

2009-09-08 22:36 . 2009-09-08 22:34 388608 ----a-w- c:\windows\system32\CF7034.exe

2009-09-08 02:33 . 2009-09-08 02:33 -------- d-----w- c:\program files\SanityCheck

2009-09-08 02:33 . 2009-03-02 15:24 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys

2009-09-08 02:16 . 2009-09-08 02:17 -------- d-----w- C:\RootKit

2009-09-08 01:58 . 2009-09-08 01:58 -------- d-----w- C:\!KillBox

2009-09-08 00:00 . 2009-09-08 00:00 -------- d-----w- c:\documents and settings\Shari\outlook express contact

2009-09-07 22:18 . 2009-09-07 22:18 -------- d-----w- c:\documents and settings\Shari\Local Settings\Application Data\Apple

2009-09-07 19:51 . 2009-09-07 19:51 -------- d-----w- c:\documents and settings\Shari\log

2009-09-07 19:51 . 2009-09-07 19:51 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-07 17:42 . 2009-09-07 17:42 -------- d-----w- c:\program files\Sophos

2009-09-07 03:27 . 2009-09-07 03:27 0 ----a-w- c:\documents and settings\Beatrice\settings.dat

2009-09-07 03:26 . 2009-09-07 03:28 -------- d-----w- C:\RootRepeal

2009-09-06 15:23 . 2009-09-06 15:23 -------- d-----w- c:\documents and settings\Beatrice\Local Settings\Application Data\Mozilla

2009-09-05 18:34 . 2009-09-05 16:48 3942048 ----a-w- C:\xxxx.bat.exe

2009-09-05 17:30 . 2009-09-05 17:30 -------- d-----w- c:\windows\ERUNT

2009-09-05 17:11 . 2009-09-05 17:31 -------- d-----w- C:\SDFix

2009-09-05 16:41 . 2009-09-08 22:43 -------- d--h--w- c:\windows\PIF

2009-09-05 16:28 . 2009-09-05 16:28 -------- d-----w- c:\documents and settings\beach.BEA\Local Settings\Application Data\Apple Computer

2009-09-05 15:12 . 2009-09-05 15:12 -------- d-----w- c:\documents and settings\beach\Application Data\Corel

2009-09-05 14:48 . 2009-09-05 14:48 -------- d-----w- c:\documents and settings\beach\Application Data\Memeo

2009-08-17 03:44 . 2009-08-17 03:44 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-17 03:44 . 2009-08-17 03:44 -------- d-----w- c:\program files\MSBuild

2009-08-17 03:43 . 2009-08-17 03:43 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 03:43 . 2009-08-17 03:43 -------- d-----w- C:\3a1043039eb9ea25486c58

2009-08-17 03:43 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-17 03:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-17 03:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-17 03:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-17 03:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-17 03:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-17 03:43 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-17 03:39 . 2009-08-17 03:39 -------- d-----w- c:\program files\MSXML 6.0

2009-08-13 02:39 . 2009-08-13 02:39 -------- d-----w- c:\windows\ServicePackFiles

2009-08-13 02:29 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-06 16:26 . 2009-06-04 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-05 17:29 . 2005-08-17 02:54 -------- d-----w- c:\program files\DIGStream

2009-09-05 16:35 . 2009-06-04 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-05 16:27 . 2009-09-05 16:27 -------- d-----w- c:\documents and settings\beach.BEA\Application Data\Memeo

2009-09-05 15:17 . 2009-09-05 14:47 -------- d-----w- c:\documents and settings\beach\Application Data\Gtek

2009-09-05 03:23 . 2009-07-26 03:11 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Orbit

2009-08-30 03:07 . 2006-12-14 06:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-08-30 03:07 . 2006-12-14 06:16 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Corel

2009-08-30 03:07 . 2006-12-14 06:16 88 --sh--r- c:\windows\system32\631BAEDA2E.sys

2009-08-28 22:42 . 2009-07-26 03:43 -------- d-----w- c:\documents and settings\Beatrice\Application Data\vlc

2009-08-18 03:17 . 2006-12-09 15:03 73472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:11 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 03:45 . 2009-07-26 03:45 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Red Kawa

2009-07-26 03:42 . 2009-07-26 03:42 -------- d-----w- c:\program files\VideoLAN

2009-07-26 03:41 . 2009-07-26 03:11 -------- d-----w- c:\program files\Orbitdownloader

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Memeo

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\program files\Common Files\Memeo

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\program files\Memeo

2009-07-26 03:36 . 2009-07-26 03:36 -------- d-----w- c:\documents and settings\Beatrice\Application Data\OpenCandy

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\Regensoft

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\AviSynth 2.5

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\Red Kawa

2009-07-26 03:11 . 2009-07-26 03:11 -------- d-----w- c:\documents and settings\Beatrice\Application Data\GrabPro

2009-07-17 18:55 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 18:36 . 2005-08-16 10:18 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2005-08-16 10:18 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2005-08-16 10:18 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2005-08-16 10:18 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2005-08-16 10:18 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2005-08-16 10:18 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2005-08-16 10:18 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2005-08-16 10:18 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 18:36 . 2005-08-16 10:18 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2005-08-16 10:18 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2005-08-16 10:18 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2005-08-16 10:18 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-22 11:49 . 2005-08-16 10:18 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2005-08-16 10:18 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2005-08-16 10:18 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2005-08-16 10:18 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-16 14:55 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2005-08-16 10:18 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 11:50 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 11:50 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-09 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-02 29744]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"V0500Mon.exe"="c:\windows\V0500Mon.exe" [2007-11-03 32768]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-9 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)

"MDM"=2 (0x2)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\ooVoo\\ooVoo.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

"37676:TCP"= 37676:TCP:ooVoo TCP port 37676

"37676:UDP"= 37676:UDP:ooVoo UDP port 37676

"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

"443:TCP"= 443:TCP:ooVoo TCP port 443

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/31/2008 10:00 PM 24652]

S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\Beatrice\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\Beatrice\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2006 10:48 AM 29744]

S3 IBNKON;IBNKON;c:\docume~1\Beatrice\LOCALS~1\Temp\IBNKON.exe --> c:\docume~1\Beatrice\LOCALS~1\Temp\IBNKON.exe [?]

S3 ISCQNQWIZYDP;ISCQNQWIZYDP;c:\docume~1\Beatrice\LOCALS~1\Temp\ISCQNQWIZYDP.exe --> c:\docume~1\Beatrice\LOCALS~1\Temp\ISCQNQWIZYDP.exe [?]

S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [9/7/2009 10:33 PM 30136]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [12/27/2008 11:51 PM 251264]

.

Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optonline.net/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Beatrice\Application Data\Mozilla\Firefox\Profiles\ox7h0uws.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-09 21:51

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2808)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-10 21:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-10 01:55

Pre-Run: 78,153,261,056 bytes free

Post-Run: 78,071,529,472 bytes free

270 --- E O F --- 2009-09-02 03:55

Link to post
Share on other sites

  • Root Admin

STEP 00

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and type in MSCONFIG

Set the SERVICE to all enabled and restart the computer.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
fsbl-standalone
ISCQNQWIZYDP
IBNKON
File::
c:\docume~1\Beatrice\LOCALS~1\Temp\ISCQNQWIZYDP.exe
c:\windows\system32\CF7034.exe
C:\xxxx.bat.exe
c:\docume~1\Beatrice\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys
c:\docume~1\Beatrice\LOCALS~1\Temp\IBNKON.exe
Folder::
C:\3a1043039eb9ea25486c58
DDS::
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log on your next reply.

STEP 03

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 04

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup223_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts
    RESTART THE COMPUTER NOW

STEP 05

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 06

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Anvirisus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Link to post
Share on other sites

Here are my logs. One issue is that Eset did not create a log, not sure if it's because I checked uninstall application at the end.

Anyway, I did create a text file of what it found, I hope that will work.

________________________________________________________________________________

____________________________

________________________________________________________________________________

____________________________

ComboFix 09-09-09.07 - Beatrice 09/10/2009 9:27.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.595 [GMT -4:00]

Running from: c:\documents and settings\Beatrice\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Beatrice\Desktop\CFscript.txt

FILE ::

"c:\docume~1\Beatrice\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys"

"c:\docume~1\Beatrice\LOCALS~1\Temp\IBNKON.exe"

"c:\docume~1\Beatrice\LOCALS~1\Temp\ISCQNQWIZYDP.exe"

"c:\windows\system32\CF7034.exe"

"C:\xxxx.bat.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\3a1043039eb9ea25486c58

c:\3a1043039eb9ea25486c58\amd64\filterpipelineprintproc.dll

c:\3a1043039eb9ea25486c58\amd64\msxpsdrv.cat

c:\3a1043039eb9ea25486c58\amd64\msxpsdrv.inf

c:\3a1043039eb9ea25486c58\amd64\msxpsinc.gpd

c:\3a1043039eb9ea25486c58\amd64\msxpsinc.ppd

c:\3a1043039eb9ea25486c58\amd64\mxdwdrv.dll

c:\3a1043039eb9ea25486c58\amd64\xpssvcs.dll

c:\3a1043039eb9ea25486c58\i386\filterpipelineprintproc.dll

c:\3a1043039eb9ea25486c58\i386\msxpsdrv.cat

c:\3a1043039eb9ea25486c58\i386\msxpsdrv.inf

c:\3a1043039eb9ea25486c58\i386\msxpsinc.gpd

c:\3a1043039eb9ea25486c58\i386\msxpsinc.ppd

c:\3a1043039eb9ea25486c58\i386\mxdwdrv.dll

c:\3a1043039eb9ea25486c58\i386\xpssvcs.dll

c:\windows\system32\CF7034.exe

C:\xxxx.bat.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FSBL-STANDALONE

-------\Legacy_IBNKON

-------\Legacy_ISCQNQWIZYDP

-------\Service_fsbl-standalone

-------\Service_IBNKON

-------\Service_ISCQNQWIZYDP

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))

.

2009-09-10 01:40 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-08 02:33 . 2009-09-08 02:33 -------- d-----w- c:\program files\SanityCheck

2009-09-08 02:33 . 2009-03-02 15:24 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys

2009-09-08 02:16 . 2009-09-08 02:17 -------- d-----w- C:\RootKit

2009-09-08 01:58 . 2009-09-08 01:58 -------- d-----w- C:\!KillBox

2009-09-08 00:00 . 2009-09-08 00:00 -------- d-----w- c:\documents and settings\Shari\outlook express contact

2009-09-07 22:18 . 2009-09-07 22:18 -------- d-----w- c:\documents and settings\Shari\Local Settings\Application Data\Apple

2009-09-07 19:51 . 2009-09-07 19:51 -------- d-----w- c:\documents and settings\Shari\log

2009-09-07 19:51 . 2009-09-07 19:51 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-07 17:42 . 2009-09-07 17:42 -------- d-----w- c:\program files\Sophos

2009-09-07 03:27 . 2009-09-07 03:27 0 ----a-w- c:\documents and settings\Beatrice\settings.dat

2009-09-07 03:26 . 2009-09-07 03:28 -------- d-----w- C:\RootRepeal

2009-09-06 15:23 . 2009-09-06 15:23 -------- d-----w- c:\documents and settings\Beatrice\Local Settings\Application Data\Mozilla

2009-09-05 17:30 . 2009-09-05 17:30 -------- d-----w- c:\windows\ERUNT

2009-09-05 17:11 . 2009-09-05 17:31 -------- d-----w- C:\SDFix

2009-09-05 16:41 . 2009-09-08 22:43 -------- d--h--w- c:\windows\PIF

2009-09-05 16:28 . 2009-09-05 16:28 -------- d-----w- c:\documents and settings\beach.BEA\Local Settings\Application Data\Apple Computer

2009-09-05 15:12 . 2009-09-05 15:12 -------- d-----w- c:\documents and settings\beach\Application Data\Corel

2009-09-05 14:48 . 2009-09-05 14:48 -------- d-----w- c:\documents and settings\beach\Application Data\Memeo

2009-08-17 03:44 . 2009-08-17 03:44 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-17 03:44 . 2009-08-17 03:44 -------- d-----w- c:\program files\MSBuild

2009-08-17 03:43 . 2009-08-17 03:43 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 03:43 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-17 03:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-17 03:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-17 03:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-17 03:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-17 03:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-17 03:43 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-17 03:39 . 2009-08-17 03:39 -------- d-----w- c:\program files\MSXML 6.0

2009-08-13 02:39 . 2009-08-13 02:39 -------- d-----w- c:\windows\ServicePackFiles

2009-08-13 02:29 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-06 16:26 . 2009-06-04 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-05 17:29 . 2005-08-17 02:54 -------- d-----w- c:\program files\DIGStream

2009-09-05 16:35 . 2009-06-04 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-05 16:27 . 2009-09-05 16:27 -------- d-----w- c:\documents and settings\beach.BEA\Application Data\Memeo

2009-09-05 15:17 . 2009-09-05 14:47 -------- d-----w- c:\documents and settings\beach\Application Data\Gtek

2009-09-05 03:23 . 2009-07-26 03:11 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Orbit

2009-08-30 03:07 . 2006-12-14 06:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-08-30 03:07 . 2006-12-14 06:16 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Corel

2009-08-30 03:07 . 2006-12-14 06:16 88 --sh--r- c:\windows\system32\631BAEDA2E.sys

2009-08-28 22:42 . 2009-07-26 03:43 -------- d-----w- c:\documents and settings\Beatrice\Application Data\vlc

2009-08-18 03:17 . 2006-12-09 15:03 73472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:11 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 03:45 . 2009-07-26 03:45 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Red Kawa

2009-07-26 03:42 . 2009-07-26 03:42 -------- d-----w- c:\program files\VideoLAN

2009-07-26 03:41 . 2009-07-26 03:11 -------- d-----w- c:\program files\Orbitdownloader

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Memeo

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\program files\Common Files\Memeo

2009-07-26 03:37 . 2009-07-26 03:37 -------- d-----w- c:\program files\Memeo

2009-07-26 03:36 . 2009-07-26 03:36 -------- d-----w- c:\documents and settings\Beatrice\Application Data\OpenCandy

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\Regensoft

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\AviSynth 2.5

2009-07-26 03:35 . 2009-07-26 03:35 -------- d-----w- c:\program files\Red Kawa

2009-07-26 03:11 . 2009-07-26 03:11 -------- d-----w- c:\documents and settings\Beatrice\Application Data\GrabPro

2009-07-17 18:55 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-08-16 10:18 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 18:36 . 2005-08-16 10:18 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2005-08-16 10:18 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2005-08-16 10:18 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2005-08-16 10:18 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2005-08-16 10:18 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2005-08-16 10:18 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2005-08-16 10:18 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2005-08-16 10:18 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 18:36 . 2005-08-16 10:18 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2005-08-16 10:18 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2005-08-16 10:18 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2005-08-16 10:18 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-22 11:49 . 2005-08-16 10:18 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2005-08-16 10:18 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2005-08-16 10:18 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2005-08-16 10:18 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-16 14:55 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2005-08-16 10:18 82432 ----a-w- c:\windows\system32\fontsub.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-10_01.51.34 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-08-17 03:06 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe

+ 2005-08-17 03:06 . 2008-05-06 20:16 26488 c:\windows\system32\spupdsvc.exe

- 2006-12-09 14:38 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll

+ 2006-12-09 14:38 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll

+ 2005-08-16 10:18 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll

+ 2006-12-09 14:30 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll

+ 2005-08-16 10:37 . 2009-08-18 14:55 179712 c:\windows\ehome\ehkeyctl.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 864256 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll

- 2006-12-18 01:18 . 2006-12-18 01:18 864256 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll

- 2006-12-09 14:36 . 2006-12-09 14:36 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll

+ 2005-08-16 10:19 . 2009-06-09 02:24 2330624 c:\windows\system32\WMVCore.dll

- 2005-08-16 10:19 . 2008-06-11 07:58 2330624 c:\windows\system32\WMVCore.dll

- 2006-12-17 04:57 . 2008-06-11 07:58 2330624 c:\windows\system32\dllcache\WMVCore.dll

+ 2006-12-17 04:57 . 2009-06-09 02:24 2330624 c:\windows\system32\dllcache\WMVCore.dll

- 2006-12-18 01:18 . 2006-12-18 01:18 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll

+ 2009-09-10 13:02 . 2009-09-10 13:02 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-09 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-02 29744]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"V0500Mon.exe"="c:\windows\V0500Mon.exe" [2007-11-03 32768]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-9 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)

"MDM"=2 (0x2)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/31/2008 10:00 PM 24652]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2006 10:48 AM 29744]

S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [9/7/2009 10:33 PM 30136]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [12/27/2008 11:51 PM 251264]

.

Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optonline.net/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Beatrice\Application Data\Mozilla\Firefox\Profiles\ox7h0uws.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-10 09:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3956)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-10 9:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-10 13:42

ComboFix2.txt 2009-09-10 01:56

Pre-Run: 78,009,683,968 bytes free

Post-Run: 77,964,591,104 bytes free

317 --- E O F --- 2009-09-10 13:01

________________________________________________________________________________

_____________________

________________________________________________________________________________

_____________________

Malwarebytes' Anti-Malware 1.40

Database version: 2771

Windows 5.1.2600 Service Pack 2

9/10/2009 9:58:17 AM

mbam-log-2009-09-10 (09-58-17).txt

Scan type: Quick Scan

Objects scanned: 128619

Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

________________________________________________________________________________

___________________________

________________________________________________________________________________

___________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:21:11 AM, on 9/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\V0500Mon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [V0500Mon.exe] C:\WINDOWS\V0500Mon.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10112 bytes

________________________________________________________________________________

_______________________

________________________________________________________________________________

_______________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:21:11 AM, on 9/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\V0500Mon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [V0500Mon.exe] C:\WINDOWS\V0500Mon.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10112 bytes

________________________________________________________________________________

_____________________________

________________________________________________________________________________

_____________________________

C:\Qoobox\Quarantine\C\fyblb.exe.vir a variant of Win32/Kryptik.AJT trojan

C:\Qoobox\Quarantine\C\hpbyv.exe.vir a variant of Win32/Kryptik.JJ trojan

C:\Qoobox\Quarantine\C\pvewnn.exe.vir a variant of Win32/Kryptik.ACC trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Win32/Agent.PYI trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000126.exe a variant of Win32/Kryptik.AJT trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000127.exe a variant of Win32/Kryptik.JJ trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000128.exe a variant of Win32/Kryptik.ACC trojan

Link to post
Share on other sites

Sorry about the double copy of HJT. Here is the Java log that was supposed to be there...also, the last entry was the what Eset found. Thanks!

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Sep 10 10:08:30 2009

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

------------------------------------

Finished reporting.

Link to post
Share on other sites

  • Root Admin

Please check for update from within MBAM as it's been updated to version 1.41 with a new engine.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

It didn't find anythin.......

Malwarebytes' Anti-Malware 1.40

Database version: 2771

Windows 5.1.2600 Service Pack 2

9/10/2009 9:58:17 AM

mbam-log-2009-09-10 (09-58-17).txt

Scan type: Quick Scan

Objects scanned: 128619

Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:10:24 PM, on 9/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\V0500Mon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [V0500Mon.exe] C:\WINDOWS\V0500Mon.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10005 bytes

Link to post
Share on other sites

  • Root Admin

That log still shows version 1.40 for MBAM but we're now on 1.41 Please go to the UPDATE tab and check for updates which should download and install the new 1.41

Please post back a new log for it.

How is the computer running now?

Are there still any signs of infection?

Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click
    START
    then
    RUN

  • Now type
    Combofix /u
    (if you renamed Combofix.exe use that name instead)
    in the runbox and click OK. Note the
    space
    between the
    X
    and the
    /U
    , it needs to be there.

  • CF_Cleanup.png


  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed

Link to post
Share on other sites

Hmm, I updated it before I ran it last time. Guess it didn't take? Anyway, below is the new log.

This stuff that Eset found I gather was just what ComboFix fixed?

C:\Qoobox\Quarantine\C\fyblb.exe.vir a variant of Win32/Kryptik.AJT trojan

C:\Qoobox\Quarantine\C\hpbyv.exe.vir a variant of Win32/Kryptik.JJ trojan

C:\Qoobox\Quarantine\C\pvewnn.exe.vir a variant of Win32/Kryptik.ACC trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Win32/Agent.PYI trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000126.exe a variant of Win32/Kryptik.AJT trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000127.exe a variant of Win32/Kryptik.JJ trojan

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000128.exe a variant of Win32/Kryptik.ACC trojan

Computer seems fine, with the exception that Superantispyware still can't open and gives the error message:

" Windows cannot access the specified device,path, or file. You may not have the appropriate permissions to access the item."

Malwarebytes' Anti-Malware 1.41

Database version: 2784

Windows 5.1.2600 Service Pack 2

9/12/2009 12:47:49 PM

mbam-log-2009-09-12 (12-47-49).txt

Scan type: Quick Scan

Objects scanned: 131225

Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

Please download and run the following fix from Microsoft How do I restore security settings to the default settings?

When completed please reboot your computer.

If you're still having issues running SAS then you might have to physically take back ownership of the files.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.