
need help removing virus that kills HJT, MBAM and S&D



I downloaded a file and it's scary. Right-clicking on it and scanning with MBAM, MBAM pops up on the start bar, then closes with no notification. The next time I try to open MBAM I get "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access them." After reinstalling MBAM, updating and running a quick scan, it closes without warning and no messages, and then it blocks MBAM from opening again; it must be reinstalled. I did this at least 7 times: reinstalled and tried scanning.

Symantec full scan finds nothing, and symantec single file scan on that file comes up with nothing.

I ran HJT and it closes midway through, and now that program is blocked until the next reinstall.

No logs are generated. The only odd processes I see are msa.exe, msb.exe, msc.exe and b.exe... I know those are all bad, but I would normally use MBAM to remove them...

I'm also unable to run Spybot S&D, MBAM or HJT even in safe mode; I get the same permission messages. After reboot, AV 2010 is installed. Evil...

With safe mode with networking, I'm unable to visit Panda scan or Kaspersky for online scans; it either redirects to a different site or crashes IE. Do the online scans work with FF or Opera? I have neither installed at the moment. What do you guys suggest for the next step? Thanks much for your help.

Crazybrker


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Thanks for the quick reply. I ran ComboFix; it notified me that I had a rootkit installed, so it rebooted and ran.

I didn't have my network connections configured, since I'm doing this at work and can't simply plug in, so I wasn't able to install the Windows Recovery Console.

It ran anyway, and here are the results:

ComboFix 09-09-22.03 - Loren 09/23/2009 11:27.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.546 [GMT -7:00]

Running from: c:\documents and settings\Loren\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\akijif.reg

c:\documents and settings\All Users\Documents\bori.com

c:\documents and settings\All Users\Documents\ifej.com

c:\documents and settings\All Users\Documents\osonamuxus.dll

c:\documents and settings\All Users\Documents\pokamit.bin

c:\documents and settings\All Users\Documents\zazuh.com

c:\documents and settings\Loren\Application Data\anaqiz.ban

c:\documents and settings\Loren\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Cookies\opibyfobox.reg

c:\documents and settings\Loren\Cookies\ymelegaga.bat

c:\documents and settings\Loren\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Local Settings\Application Data\laluqy.ban

c:\documents and settings\Loren\Local Settings\Application Data\osice.exe

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\evawes.dll

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\olodyvo._dl

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\uzonigik.scr

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\yvuzup.pif

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\ywawys.dat

C:\kqjopjiq.exe

c:\program files\Common Files\yficarew.pif

c:\program files\Common Files\yqakegyj.bin

C:\rhjdpc.exe

c:\windows\dopodepasu.dl

c:\windows\igitogyq._dl

c:\windows\msa.exe

c:\windows\msb.exe

c:\windows\msc.exe

c:\windows\soparopin.bat

c:\windows\system32\~.exe

c:\windows\system32\braviax.exe

c:\windows\system32\ecawaje.dl

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\wisdstr.exe

c:\windows\xarico._dl

c:\windows\xener.dl

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP9\A0005454.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))

.

2009-09-23 18:32 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-22 01:23 . 2009-09-22 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-22 01:23 . 2009-09-22 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-22 01:22 . 2009-09-22 01:22 16409960 ----a-w- C:\spybotsd162.exe

2009-09-22 00:54 . 2009-09-22 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-22 00:37 . 2009-09-22 00:37 49152 ----a-w- C:\hwdgqmcw.exe

2009-09-22 00:37 . 2009-09-22 00:37 22016 ----a-w- C:\ruptbvv.exe

2009-09-22 00:37 . 2009-09-22 00:37 111104 ----a-w- C:\joxa.exe

2009-09-22 00:37 . 2009-09-22 00:37 157696 ----a-w- C:\ddbpu.exe

2009-09-21 05:33 . 2009-09-21 05:33 -------- d-----w- C:\HJT

2009-09-21 05:16 . 2009-09-21 05:16 -------- d-----w- c:\program files\Trend Micro

2009-09-21 04:27 . 2009-09-21 05:16 -------- d--h--w- c:\windows\PIF

2009-09-21 04:15 . 2009-09-23 18:17 0 ----a-r- c:\windows\win32k.sys

2009-09-17 07:11 . 2009-09-17 07:11 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- c:\program files\Reference Assemblies

2009-09-17 07:10 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-17 07:10 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- C:\90857e8426706124a8

2009-09-17 07:04 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-09-15 23:10 . 2009-09-15 23:10 -------- d-----w- c:\windows\Sun

2009-09-13 15:53 . 2009-09-14 06:53 -------- d-----w- c:\documents and settings\Loren\Application Data\FrostWire

2009-09-13 15:53 . 2009-09-13 15:53 -------- d-----w- c:\program files\FrostWire

2009-09-13 15:52 . 2009-09-13 15:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-13 15:52 . 2009-09-13 15:52 -------- d-----w- c:\program files\Java

2009-09-11 08:59 . 2007-12-27 00:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

2009-09-11 08:59 . 2007-12-27 00:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll

2009-09-11 08:59 . 2009-09-14 19:59 -------- d-----w- c:\program files\Cheat Engine

2009-09-11 02:52 . 2009-09-11 02:52 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-09-09 23:21 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-09-09 23:21 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-09-09 23:12 . 2009-09-17 07:11 -------- d-----w- c:\program files\MSBuild

2009-09-09 23:05 . 2009-09-09 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-09-07 05:58 . 2009-09-22 03:08 -------- d-----w- c:\program files\PeerGuardian2

2009-09-07 02:08 . 2009-09-20 20:25 -------- d-----w- c:\documents and settings\Loren\Application Data\U3

2009-09-07 02:07 . 2009-09-07 02:07 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Help

2009-09-06 14:49 . 2009-05-15 01:21 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys

2009-09-06 14:49 . 2009-05-15 01:21 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-09-06 14:49 . 2006-09-28 22:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2009-09-06 14:49 . 2009-09-21 06:30 -------- d-----w- c:\program files\PdaNet for Android

2009-09-06 06:51 . 2009-09-06 06:51 -------- d-----w- c:\documents and settings\Loren\Application Data\Media Player Classic

2009-09-06 06:51 . 2009-05-26 09:53 5689344 ----a-w- c:\program files\mplayerc.exe

2009-09-06 06:09 . 2009-09-06 06:09 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Symantec

2009-09-06 06:09 . 2009-09-06 06:09 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-06 06:09 . 2009-09-06 06:09 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Symantec

2009-09-06 06:08 . 2009-09-23 18:36 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-06 06:08 . 2009-09-06 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-06 05:57 . 2009-09-06 05:57 -------- d-----w- c:\documents and settings\Loren\Application Data\Malwarebytes

2009-09-06 05:56 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 05:56 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 05:56 . 2009-09-22 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 05:56 . 2009-09-06 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 05:55 . 2009-09-06 05:55 12348 ----a-w- c:\program files\Common Files\ojup.dat

2009-09-05 22:25 . 2009-09-05 22:25 -------- d-----w- c:\documents and settings\Loren\Application Data\Asus

2009-09-05 21:54 . 2009-09-05 22:51 -------- d-----w- c:\program files\AskBarDis

2009-09-05 21:53 . 2009-09-05 21:53 -------- d-----w- c:\program files\uTorrent

2009-09-05 21:53 . 2009-09-20 21:16 -------- d-----w- c:\documents and settings\Loren\Application Data\uTorrent

2009-09-05 21:32 . 2009-09-05 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-05 21:27 . 2009-09-05 21:27 -------- d-----w- c:\program files\Bonjour

2009-09-05 21:21 . 2009-09-05 21:21 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-09-05 20:39 . 2009-09-05 20:39 -------- d-----w- c:\program files\PowerISO

2009-09-05 20:38 . 2009-09-05 20:38 -------- d-----w- c:\program files\MagicISO

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\Bluetooth Software

2009-09-05 15:38 . 2009-06-23 03:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\documents and settings\Default User\Bluetooth Software

2009-09-05 14:48 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-05 14:48 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 03:46 . 2009-09-05 15:39 92344 ----a-w- c:\documents and settings\Loren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 09:26 . 2009-06-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-11 01:35 . 2009-06-23 03:51 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-09 23:48 . 2009-09-09 23:41 -------- d-----w- c:\program files\Lexmark 8300 Series

2009-09-06 14:50 . 2009-09-06 14:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf

2009-09-06 07:05 . 2009-09-06 07:05 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-06 06:09 . 2009-09-06 06:09 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-06 06:09 . 2009-09-06 06:09 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-05 21:45 . 2009-06-23 03:51 -------- d-----w- c:\program files\Microsoft Works

2009-08-05 09:01 . 2009-05-20 19:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2009-05-20 19:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2009-05-20 19:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2009-05-20 19:07 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2009-05-20 19:07 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2009-05-20 19:07 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2009-05-20 19:07 17408 ----a-w- c:\windows\system32\corpol.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-06-08 397312]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-06-23 3054136]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 94208]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-13 149280]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-27 17567744]

c:\documents and settings\Loren\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2009-9-20 167936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 9:03 PM 55152]

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [6/22/2009 8:46 PM 10752]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 11:12 PM 102448]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 12:26 AM 38912]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/6/2009 7:49 AM 9472]

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 12:26 AM 39040]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/5/2009 2:54 PM 234888]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 8:49 PM 1684736]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/6/2009 7:49 AM 25728]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 11:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2536)

c:\windows\system32\WININET.dll

c:\program files\ASUS\Eee Storage\XPClient.dll

c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll

c:\program files\ASUS\Eee Storage\EcaremeDLL.dll

c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll

c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\lxcjcoms.exe

.

**************************************************************************

.

Completion time: 2009-09-23 11:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-23 18:42

Pre-Run: 62,745,522,176 bytes free

Post-Run: 64,296,747,008 bytes free

315 --- E O F --- 2009-09-17 07:18

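A small triage script for the ComboFix log above, as an added example; it is not part of ComboFix, Malwarebytes or this thread. It pulls out the three things worth acting on: the files ComboFix deleted (and which of those fit the randomly named droppers seen in C:\ and %WINDIR%), the protected system files it had to put back and where it got them, and the Security Center / firewall values that had been set so the loss of protection would not be reported. The sample input is an excerpt of the posted log; the dropper heuristic is my assumption from the file names in this log, not a ComboFix rule.

```python
"""Triage a ComboFix log: what was deleted, which protected system files
had to be restored (and from where), and which Security Center / firewall
registry values had been flipped.  Added example for this thread, not
ComboFix's or Malwarebytes' own code.  The sample is an excerpt of the log
posted above; the dropper heuristic is an assumption drawn from the names
in that log, not a ComboFix rule."""
import re

COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Documents\osonamuxus.dll
c:\documents and settings\Loren\Desktop\AntivirusPro_2010.lnk
C:\kqjopjiq.exe
C:\rhjdpc.exe
c:\windows\msa.exe
c:\windows\system32\braviax.exe
c:\windows\system32\wbem\proquota.exe
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP9\A0005454.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)
RESTORE_RE = re.compile(r"^(?:Infected copy of (?P<inf>.+?) was found and disinfected"
                        r"|(?P<missing>.+?) was missing)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-f]{8})|(\d+)\s*\(0x[0-9a-f]+\))', re.I)
# Heuristic (assumption): a short all-letter name with an executable extension
# sitting directly in C:\, %WINDIR% or system32, like kqjopjiq.exe or msa.exe.
DROPPER_NAME_RE = re.compile(r"^[a-z]{3,10}\.(?:exe|com|pif|scr|bat)$")
DROPPER_DIRS = ("c:", "c:\\windows", "c:\\windows\\system32")


def looks_like_dropper(path):
    folder, _, name = path.lower().rpartition("\\")
    return folder in DROPPER_DIRS and bool(DROPPER_NAME_RE.match(name))


def flag_registry(key, name, value):
    """Return a finding for values that silence Security Center or turn the
    XP firewall profile off; None for anything else."""
    k, n = key.lower(), name.lower()
    if "security center" in k and value != 0 and (n.endswith("disablenotify") or n == "disablemonitoring"):
        return f"{key}\\{name}={value}: Security Center alerting suppressed"
    if "firewallpolicy" in k and n == "enablefirewall" and value == 0:
        return f"{key}\\{name}=0: Windows Firewall profile turned off"
    return None


def parse_combofix(text):
    report = {"deleted": [], "restored": [], "registry": []}
    section, key, pending = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # e.g. "Other Deletions"
            continue
        if section == "Other Deletions":
            m = RESTORE_RE.match(line)    # check before PATH_RE: "<path> was missing" starts with a path
            if m:
                pending = {"file": m.group("inf") or m.group("missing"),
                           "why": "infected" if m.group("inf") else "missing", "source": None}
                report["restored"].append(pending)
            elif line.startswith("Restored copy from - ") and pending is not None:
                pending["source"] = line[len("Restored copy from - "):]
                pending = None
            elif PATH_RE.match(line):
                report["deleted"].append(line)
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)
                continue
            m = VALUE_RE.match(line)
            if m and key:
                value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
                finding = flag_registry(key, m.group(1), value)
                if finding:
                    report["registry"].append(finding)
    report["droppers"] = [p for p in report["deleted"] if looks_like_dropper(p)]
    return report


if __name__ == "__main__":
    r = parse_combofix(COMBOFIX_EXCERPT)
    print(f"{len(r['deleted'])} files deleted, {len(r['droppers'])} look like droppers:")
    for p in r["droppers"]:
        print("  ", p)
    print("protected system files ComboFix had to replace (re-verify these):")
    for e in r["restored"]:
        print(f"   {e['file']} ({e['why']}) <- {e['source']}")
    print("registry values that silenced the defenses:")
    for f in r["registry"]:
        print("  ", f)
```

The "restored" list is the part to keep an eye on: eventlog.dll came back from dllcache, but proquota.exe came out of a System Restore point, and a restore point taken after the infection can hold a copy that is already tampered with, so both files should be compared against a known-good copy from install media or a clean machine once the cleanup is done.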

Worked like a charm. Now I can run HJT, so here is my new log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:17:32 PM, on 9/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AsScrPro.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Lexmark 8300 Series\lxcjmon.exe

C:\Program Files\Lexmark 8300 Series\ezprint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ASUS\Eee Docking\Eee Docking.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\lxcjcoms.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe

O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [synAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\AsScrPro.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe

O4 - Global Startup: SuperHybridEngine.lnk = ?

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{46C66030-691B-4250-ADE5-47BD13C7FC4A}: NameServer = 172.16.1.21

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\Aibelive\VOICEC~1\SKYPE4~1.DLL

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 8804 bytes


MBAM ran fine as well; here is the log from the quick scan:

Malwarebytes' Anti-Malware 1.41

Database version: 2852

Windows 5.1.2600 Service Pack 3

9/23/2009 3:33:15 PM

mbam-log-2009-09-23 (15-33-15).txt

Scan type: Quick Scan

Objects scanned: 101910

Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ddbpu.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\hwdgqmcw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\joxa.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.

C:\ruptbvv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


Dug a little deeper and did an MBAM full scan; most of it was quarantined stuff and restores... So I turned off Restore, applied it and turned it back on. Here is the latest log from MBAM:

Malwarebytes' Anti-Malware 1.41

Database version: 2853

Windows 5.1.2600 Service Pack 3

9/23/2009 4:28:29 PM

mbam-log-2009-09-23 (16-28-29).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 170991

Time elapsed: 43 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 22

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\msb.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\msc.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008418.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008421.dll (Trojan.FakeRean) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008443.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008444.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008446.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008447.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008448.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008449.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008450.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008451.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008457.exe (Trojan.Wantvi) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008475.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008476.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008477.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008482.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008483.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP10\A0008734.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

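As an added example (this is not Malwarebytes' code and not something the poster ran), here is a small Python triage script for the MBAM 1.x text-log format shown in the two posts above. It checks that each "Section: N" summary count matches the number of entries actually listed under that section, and it separates file detections that were live on the system from copies MBAM found in ComboFix's C:\Qoobox quarantine and in System Restore points, which is the distinction the poster noticed before turning System Restore off. The sample log embedded in it is constructed for illustration with made-up file names; the header fields and the Security Center registry line are modelled on the logs above.

```python
r"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not Malwarebytes' code.  The parser reads
the "<Section>: N" summary counts and the detection lines listed under each
"<Section>:" header, checks that every count matches the number of entries
actually printed, and sorts file detections by where the file lived: on the
live system, inside ComboFix's quarantine (C:\Qoobox\Quarantine\...), or in a
System Restore point (System Volume Information\_restore{...}).
"""
import re
from collections import namedtuple

Detection = namedtuple("Detection", "path family action extra")

SECTION_NAMES = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<path> (<family>)" optionally followed by " -> <extra>", e.g. the
# "Bad: (1) Good: (0)" part of a registry-data detection.  Anchoring the whole
# pattern to the end of the line keeps a "(x86)" inside a path from being
# mistaken for the family name.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\)(?: -> (?P<extra>.+))?$")
QOOBOX_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\", re.I)
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.I)

# Constructed sample log modelled on the MBAM 1.41 format in the thread; the
# file names are made up for illustration.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2853
Windows 5.1.2600 Service Pack 3

9/23/2009 4:28:29 PM
mbam-log-2009-09-23 (16-28-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 170991
Time elapsed: 43 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\exmpl1.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP10\A0000001.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\exmpl2.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
"""


def parse_detection(line):
    """Split one detection line into path, family, action and any extra text."""
    head, sep, action = line.rstrip(".").rpartition(" -> ")
    if not sep:  # no action recorded: the whole line is the detection
        head, action = line.rstrip("."), ""
    m = DETECTION_RE.match(head)
    if not m:
        return None
    return Detection(m.group("path"), m.group("family"), action, m.group("extra") or "")


def parse_mbam_log(text):
    """Return ({section: declared count}, {section: [Detection, ...]})."""
    counts, entries, current = {}, {name: [] for name in SECTION_NAMES}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m and m.group("name") in SECTION_NAMES:
            counts[m.group("name")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m and m.group("name") in SECTION_NAMES:
            current = m.group("name")
            continue
        if current and line != "(No malicious items detected)":
            det = parse_detection(line)
            if det:
                entries[current].append(det)
    return counts, entries


def classify_location(path):
    """Live file, ComboFix quarantine copy, or System Restore point copy."""
    if QOOBOX_RE.match(path):
        return "combofix-quarantine"
    if RESTORE_RE.match(path):
        return "restore-point"
    return "live"


def triage(text):
    """Counts, count/entry mismatches, file detections by location, registry data items."""
    counts, entries = parse_mbam_log(text)
    mismatches = {name: (counts.get(name), len(entries[name]))
                  for name in SECTION_NAMES if counts.get(name) != len(entries[name])}
    by_location = {"live": [], "combofix-quarantine": [], "restore-point": []}
    for det in entries["Files Infected"]:
        by_location[classify_location(det.path)].append(det)
    return {"counts": counts, "mismatches": mismatches,
            "files_by_location": by_location,
            "registry_data": entries["Registry Data Items Infected"]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for where, dets in result["files_by_location"].items():
        print(where, [d.path for d in dets])
    print("count mismatches:", result["mismatches"])
```

The "live" bucket is the one that matters for deciding whether the machine is still infected; the Qoobox and restore-point buckets are copies of things another tool already removed, which is why MBAM's full scan looked so much worse than the quick scan.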

Forgot to paste; didn't see an edit button. Delete the above post, but here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:39:32 PM, on 9/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\AsScrPro.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Lexmark 8300 Series\lxcjmon.exe

C:\Program Files\Lexmark 8300 Series\ezprint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\lxcjcoms.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe

O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [synAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\AsScrPro.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: SuperHybridEngine.lnk = ?

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{46C66030-691B-4250-ADE5-47BD13C7FC4A}: NameServer = 172.16.1.21

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\Aibelive\VOICEC~1\SKYPE4~1.DLL

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 8634 bytes

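The HijackThis log above is read by eye, which is how the thread's helpers work, but the same triage can be scripted. Here is an added Python example (not HijackThis code, and not the poster's) that parses the O4 Run-key entries and O23 service lines and applies three explainable checks: a service with no vendor recorded ("Unknown owner" or an empty field, as in the ASKUpgrade and lxcj_device lines), an executable living directly in the Windows directory or under a profile/Application Data/Temp path (where ComboFix found the droppers in this thread), and an O4 command that is a bare file name resolved through the search path. The embedded sample mixes a few lines from the log above with made-up entries (ExampleUpdater, exmpl, exmplsvc) and is constructed for illustration.

```python
r"""Flag HijackThis 2.x O4 and O23 lines that deserve a closer look.

Added example for this thread; it is not HijackThis code.  None of the three
checks proves an entry is malicious: legitimate drivers sometimes ship with no
vendor string, and RTHDCPL.EXE is a bare name on many machines.  They only
order the lines a human should examine first.
"""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name path reason")

# Assumption: only HKLM/HKCU "Run" entries are handled; O4 Startup-folder
# lines and other hives are ignored.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# The service binary starts at the last " - " that is followed by a drive letter.
PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.*)$")
# Quoted command, or an unquoted one cut at the first executable extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.I)
NO_VENDOR = {"", "unknown owner"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\temp\\")

# Constructed sample: real-looking lines from the thread plus made-up entries.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [exmplsvc] C:\Documents and Settings\user\Application Data\exmplsvc.exe
O4 - HKLM\..\Run: [exmpl] C:\WINDOWS\exmpl.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ExampleUpdater - Unknown owner - C:\Program Files\Example\Updater.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
"""


def command_executable(cmd):
    """Return the executable part of an O4 command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def location_reason(path):
    """Why the file's location is unusual, or None if it looks ordinary."""
    low = path.lower()
    directory = ntpath.dirname(low)
    if not directory:
        return "bare file name, resolved through the search path"
    if re.fullmatch(r"[a-z]:\\(?:windows|winnt)", directory):
        return "executable directly in the Windows directory"
    if any(marker in low for marker in PROFILE_MARKERS):
        return "runs from a user profile, Application Data or Temp directory"
    return None


def parse_o4(line):
    """(hive, value name, executable) for an HKLM/HKCU Run entry, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    return m.group("hive"), m.group("name"), command_executable(m.group("cmd"))


def parse_o23(line):
    """(display name, vendor, binary path) for an O23 service line, else None."""
    m = O23_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    pm = PATH_RE.search(rest)
    if not pm:
        return None
    head, path = rest[:pm.start()], pm.group("path")
    if head.endswith(" -"):  # "name - - path": HJT printed an empty vendor field
        name, vendor = head[:-2], ""
    else:
        name, sep, vendor = head.rpartition(" - ")
        if not sep:
            name, vendor = head, ""
    return name.strip(), vendor.strip(), path.strip()


def triage_hjt(text):
    """Return the Findings for every O4/O23 line that trips a check."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            hive, name, exe = o4
            reason = location_reason(exe)
            if reason:
                findings.append(Finding("O4 " + hive, name, exe, reason))
            continue
        o23 = parse_o23(line)
        if o23:
            name, vendor, path = o23
            if vendor.lower() in NO_VENDOR:
                findings.append(Finding("O23", name, path, "no vendor recorded for the service binary"))
            reason = location_reason(path)
            if reason:
                findings.append(Finding("O23", name, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:8} {f.name:16} {f.reason}: {f.path}")
```

Run against the log above, the checks single out ASKUpgrade (unknown owner), lxcj_device (no vendor) and RTHDCPL (bare name); everything else is in Program Files or system32 with a vendor, which matches what the helper concluded by reading it.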

  • Staff

Hi,

Please download this file and save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317


The Recovery Console did not install; it said something about a boot sector enumeration failure. Maybe I'll do a fixmbr later, but here's the log from ComboFix:

ComboFix 09-09-24.01 - Loren 09/25/2009 10:17.6.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.345 [GMT -7:00]

Running from: c:\documents and settings\Loren\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Loren\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\donemo.bin

c:\documents and settings\All Users\Application Data\ebopyw.com

c:\documents and settings\All Users\Application Data\ovojyf.bat

c:\documents and settings\All Users\Application Data\yhoxasi.dll

c:\documents and settings\All Users\Documents\beloh._dl

c:\documents and settings\All Users\Documents\evabef.ban

c:\documents and settings\All Users\Documents\ojija.sys

c:\documents and settings\All Users\Documents\ubatedoz.exe

c:\documents and settings\Loren\Application Data\bevuli.inf

c:\documents and settings\Loren\Application Data\ejybehyc.dl

c:\documents and settings\Loren\Application Data\ipanoz.scr

c:\documents and settings\Loren\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Application Data\nopekuma.sys

c:\documents and settings\Loren\Application Data\ocygibi.bin

c:\documents and settings\Loren\Application Data\piroqoq.reg

c:\documents and settings\Loren\Application Data\pulo.com

c:\documents and settings\Loren\Application Data\wiaserva.log

c:\documents and settings\Loren\Cookies\caciz.vbs

c:\documents and settings\Loren\Cookies\fopajomeq.inf

c:\documents and settings\Loren\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Local Settings\Application Data\gyfiz.exe

c:\documents and settings\Loren\Local Settings\Application Data\jovosagy.reg

c:\documents and settings\Loren\Local Settings\Application Data\muqy.bat

c:\documents and settings\Loren\Local Settings\Application Data\obikojisa.exe

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\avyryxawu.pif

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\bejif._dl

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\bycyqeh.scr

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\orykaboc.db

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\utecukyca.lib

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\ykixohip.vbs

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\ytujitiqol.vbs

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\cejav.sys

c:\program files\Common Files\hudyj.ban

c:\program files\Common Files\lesiwuhyve.pif

c:\program files\Common Files\zydamyfy.sys

c:\windows\9129837.exe

c:\windows\alugyg.bin

c:\windows\icecona.sys

c:\windows\ixahupigy.bat

c:\windows\merebyti.dll

c:\windows\ojiwodi.bat

c:\windows\orid._dl

c:\windows\system32\_scui.cpl

c:\windows\system32\lymyzyl.bin

c:\windows\system32\wbem\proquota.exe

c:\windows\veqyjysaz.reg

c:\windows\ynum.scr

c:\windows\zecehilube.dll

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\fopu.inf

c:\documents and settings\All Users\Application Data\iziwyci.scr

c:\documents and settings\All Users\Application Data\pejip._dl

c:\documents and settings\All Users\Documents\icugyzyty.ban

c:\documents and settings\All Users\Documents\totowy.bat

c:\documents and settings\Loren\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Application Data\wiaserva.log

c:\documents and settings\Loren\Cookies\zejynado.ban

c:\documents and settings\Loren\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Local Settings\Application Data\nakama.scr

c:\documents and settings\Loren\Local Settings\Application Data\xewo._dl

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\sepim._dl

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Loren\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\windows\bypi.scr

c:\windows\lisali.bin

c:\windows\system32\_scui.cpl

c:\windows\system32\a9k.bin

c:\windows\system32\cagydy.dll

c:\windows\system32\wbem\proquota.exe

c:\windows\vuzaro.sys

c:\windows\yxucecyb.bin

-- Previous Run --

-- Previous Run --

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP11\A0008789.exe

--------

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP11\A0008789.exe

--------

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP12\A0015955.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-25 17:28 . 2008-04-14 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-25 17:28 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-25 06:56 . 2009-09-25 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-25 06:42 . 2009-09-25 06:42 19704 ----a-w- c:\windows\qijidiqed.dat

2009-09-25 06:42 . 2009-09-25 06:42 14376 ----a-w- c:\windows\rinu.dat

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Opera

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\program files\Opera

2009-09-25 06:00 . 2009-09-25 06:00 14301 ----a-w- c:\windows\jyrihimuqy.dat

2009-09-25 05:56 . 2009-09-25 17:07 8768 ----a-w- c:\windows\system32\dbbin.sys

2009-09-25 05:56 . 2009-09-25 17:07 4707 ----a-w- c:\windows\system32\z98a.bin

2009-09-25 05:42 . 2009-09-25 05:42 120 ----a-w- c:\windows\Omadiw.dat

2009-09-25 05:42 . 2009-09-25 05:42 0 ----a-w- c:\windows\Edutik.bin

2009-09-25 05:42 . 2009-09-25 05:42 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\{CEF873D5-441D-4C6E-8DD8-7AB7C2CEF72F}

2009-09-25 05:40 . 2009-09-25 05:40 17535 ----a-w- c:\windows\system32\vudery.com

2009-09-25 05:40 . 2009-09-25 05:40 13447 ----a-w- c:\windows\lycaj.dat

2009-09-24 07:15 . 2009-09-24 07:28 -------- d-----w- c:\program files\AutoIt3

2009-09-23 22:15 . 2009-09-23 23:39 -------- d-----w- C:\HJT

2009-09-22 01:23 . 2009-09-25 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-22 01:23 . 2009-09-22 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy1

2009-09-22 01:22 . 2009-09-22 01:22 16409960 ----a-w- C:\spybotsd162.exe

2009-09-22 00:54 . 2009-09-22 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-21 05:16 . 2009-09-21 05:16 -------- d-----w- c:\program files\Trend Micro

2009-09-21 04:27 . 2009-09-23 18:35 -------- d--h--w- c:\windows\PIF

2009-09-17 07:11 . 2009-09-17 07:11 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- c:\program files\Reference Assemblies

2009-09-17 07:10 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-17 07:10 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-17 07:04 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-09-15 23:10 . 2009-09-15 23:10 -------- d-----w- c:\windows\Sun

2009-09-13 15:53 . 2009-09-14 06:53 -------- d-----w- c:\documents and settings\Loren\Application Data\FrostWire

2009-09-13 15:53 . 2009-09-13 15:53 -------- d-----w- c:\program files\FrostWire

2009-09-13 15:52 . 2009-09-13 15:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-13 15:52 . 2009-09-13 15:52 -------- d-----w- c:\program files\Java

2009-09-11 08:59 . 2007-12-27 00:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

2009-09-11 08:59 . 2007-12-27 00:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll

2009-09-11 08:59 . 2009-09-14 19:59 -------- d-----w- c:\program files\Cheat Engine

2009-09-11 02:52 . 2009-09-11 02:52 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-09-09 23:21 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-09-09 23:21 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-09-09 23:12 . 2009-09-17 07:11 -------- d-----w- c:\program files\MSBuild

2009-09-09 23:05 . 2009-09-09 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-09-07 05:58 . 2009-09-23 22:15 -------- d-----w- c:\program files\PeerGuardian2

2009-09-07 02:08 . 2009-09-20 20:25 -------- d-----w- c:\documents and settings\Loren\Application Data\U3

2009-09-07 02:07 . 2009-09-07 02:07 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Help

2009-09-06 14:49 . 2009-05-15 01:21 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys

2009-09-06 14:49 . 2009-05-15 01:21 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-09-06 14:49 . 2006-09-28 22:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2009-09-06 14:49 . 2009-09-21 06:30 -------- d-----w- c:\program files\PdaNet for Android

2009-09-06 06:51 . 2009-09-06 06:51 -------- d-----w- c:\documents and settings\Loren\Application Data\Media Player Classic

2009-09-06 06:51 . 2009-05-26 09:53 5689344 ----a-w- c:\program files\mplayerc.exe

2009-09-06 06:09 . 2009-09-06 06:09 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Symantec

2009-09-06 06:09 . 2009-09-06 06:09 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-06 06:09 . 2009-09-06 06:09 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Symantec

2009-09-06 06:08 . 2009-09-25 17:13 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-06 06:08 . 2009-09-06 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-06 05:57 . 2009-09-06 05:57 -------- d-----w- c:\documents and settings\Loren\Application Data\Malwarebytes

2009-09-06 05:56 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 05:56 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 05:56 . 2009-09-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 05:56 . 2009-09-06 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 05:55 . 2009-09-06 05:55 12348 ----a-w- c:\program files\Common Files\ojup.dat

2009-09-05 22:25 . 2009-09-05 22:25 -------- d-----w- c:\documents and settings\Loren\Application Data\Asus

2009-09-05 21:54 . 2009-09-05 22:51 -------- d-----w- c:\program files\AskBarDis

2009-09-05 21:53 . 2009-09-05 21:53 -------- d-----w- c:\program files\uTorrent

2009-09-05 21:53 . 2009-09-20 21:16 -------- d-----w- c:\documents and settings\Loren\Application Data\uTorrent

2009-09-05 21:32 . 2009-09-05 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-05 21:27 . 2009-09-05 21:27 -------- d-----w- c:\program files\Bonjour

2009-09-05 21:21 . 2009-09-05 21:21 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-09-05 20:39 . 2009-09-05 20:39 -------- d-----w- c:\program files\PowerISO

2009-09-05 20:38 . 2009-09-05 20:38 -------- d-----w- c:\program files\MagicISO

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\Bluetooth Software

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\documents and settings\Default User\Bluetooth Software

2009-09-05 14:48 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-05 14:48 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 17:12 . 2009-09-25 17:12 16892 ----a-w- c:\program files\Common Files\ihusy.db

2009-09-25 17:07 . 2009-09-25 05:59 230000 ----a-w- c:\documents and settings\Loren\Application Data\lizkavd.exe

2009-09-25 06:42 . 2009-09-25 06:42 17141 ----a-w- c:\program files\Common Files\nihepu.lib

2009-09-25 06:42 . 2009-09-25 06:42 14323 ----a-w- c:\program files\Common Files\mesyjyxava._sy

2009-09-25 06:42 . 2009-09-25 06:42 11532 ----a-w- c:\documents and settings\All Users\Application Data\xepovujo.dat

2009-09-25 06:00 . 2009-09-25 06:00 10069 ----a-w- c:\documents and settings\Loren\Application Data\olypusu.dat

2009-09-25 05:56 . 2009-09-25 05:56 264704 ----a-w- c:\documents and settings\Loren\Application Data\svcst.exe

2009-09-25 05:56 . 2009-09-25 05:36 264704 ----a-w- c:\documents and settings\Loren\Application Data\seres.exe

2009-09-18 03:46 . 2009-09-05 15:39 92344 ----a-w- c:\documents and settings\Loren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 09:26 . 2009-06-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-11 01:35 . 2009-06-23 03:51 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-09 23:48 . 2009-09-09 23:41 -------- d-----w- c:\program files\Lexmark 8300 Series

2009-09-06 14:50 . 2009-09-06 14:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf

2009-09-06 07:05 . 2009-09-06 07:05 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-06 06:09 . 2009-09-06 06:09 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-06 06:09 . 2009-09-06 06:09 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-05 21:45 . 2009-06-23 03:51 -------- d-----w- c:\program files\Microsoft Works

2009-08-05 09:01 . 2009-05-20 19:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2009-05-20 19:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2009-05-20 19:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2009-05-20 19:07 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2009-05-20 19:07 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2009-05-20 19:07 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2009-05-20 19:07 17408 ----a-w- c:\windows\system32\corpol.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_18.38.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-20 19:07 . 2009-09-23 18:40 68906 c:\windows\system32\perfc009.dat

- 2009-05-20 19:07 . 2009-09-23 18:28 68906 c:\windows\system32\perfc009.dat

+ 2009-09-05 15:36 . 2009-09-25 17:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-05 15:36 . 2009-09-25 17:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-23 23:37 . 2009-09-25 17:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-05-20 19:07 . 2008-04-14 12:00 45056 c:\windows\msotapn.dll

+ 2009-05-20 19:16 . 2009-05-20 19:16 295424 c:\windows\system32\termsrv32.dll

+ 2009-05-20 19:07 . 2009-09-23 18:40 436160 c:\windows\system32\perfh009.dat

- 2009-05-20 19:07 . 2009-09-23 18:28 436160 c:\windows\system32\perfh009.dat

+ 2009-09-25 06:32 . 2009-09-25 06:32 2215424 c:\windows\Installer\c7354.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mserv"="c:\documents and settings\Loren\Application Data\svcst.exe" [2009-09-25 264704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-06-23 3054136]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Eyobekawepazuc"="c:\windows\ulasivolupuf.dll" [bU]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

c:\documents and settings\Loren\Start Menu\Programs\Startup\

mhbupd32.exe [2008-4-14 29184]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli msotapn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

"Persistence"=c:\windows\system32\igfxpers.exe

"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

"RTHDCPL"=RTHDCPL.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 9:03 PM 55152]

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [6/22/2009 8:46 PM 10752]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 11:12 PM 102448]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 12:26 AM 38912]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/6/2009 7:49 AM 9472]

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 12:26 AM 39040]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/5/2009 2:54 PM 234888]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 8:49 PM 1684736]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/6/2009 7:49 AM 25728]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: {46C66030-691B-4250-ADE5-47BD13C7FC4A} = 172.16.1.21

.

- - - - ORPHANS REMOVED - - - -

Notify-dbbin - dbbin.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-25 10:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)

c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(888)

c:\windows\msotapn.dll

c:\windows\system32\WININET.dll

.

Completion time: 2009-09-25 10:31

ComboFix-quarantined-files.txt 2009-09-25 17:31

ComboFix2.txt 2009-09-23 19:33

ComboFix3.txt 2009-09-23 18:42

Pre-Run: 63,934,746,624 bytes free

Post-Run: 63,897,772,032 bytes free

374 --- E O F --- 2009-09-17 07:18

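The "Reg Loading Points" section of the ComboFix log above is where the persistence sits: a Run value pointing into the user's Application Data (svcst.exe), a Run value for which ComboFix printed no file date or size (ulasivolupuf.dll), msotapn.dll appended to the LSA Notification Packages list (which is why the "DLLs Loaded Under Running Processes" section shows it inside lsass.exe), and TCP 3389 open in the firewall. The script below is an added example, not ComboFix's code and not anything posted in this thread: it parses a constructed excerpt in that log's format and applies those checks. The heuristics, the assumption that scecli is the only stock Notification Package on XP, and the treatment of a Run- key as a holding place for disabled startup entries are the editor's assumptions, not ComboFix rules.

```python
"""Persistence triage for the "Reg Loading Points" section of a ComboFix log.
Added example for this thread, not ComboFix's own code. SAMPLE_LOG is a
constructed excerpt in the log's format; the checks are analyst heuristics."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mserv"="c:\documents and settings\Loren\Application Data\svcst.exe" [2009-09-25 264704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"Eyobekawepazuc"="c:\windows\ulasivolupuf.dll" [bU]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli msotapn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"=<data> followed by an optional bracketed tag, normally [date size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
DATE_SIZE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')
LSA_PREFIX = 'Notification Packages REG_MULTI_SZ'
PROFILE_DATA_DIRS = ('\\application data\\', '\\local settings\\')
DEFAULT_LSA_PACKAGES = {'scecli'}  # assumption: the stock XP Notification Packages value


@dataclass
class Entry:
    key: str             # registry key the value sits under (lower-cased)
    name: str            # value name
    target: str          # file path (or port spec / package list) without quotes
    args: str            # anything after the path, e.g. /hide
    meta: Optional[str]  # text inside the trailing [...] if one was printed


@dataclass
class Finding:
    entry: Entry
    reason: str


def split_target(data: str) -> Tuple[str, str]:
    """Separate a quoted or bare path from its trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end > 0:
            return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (data, '')


def parse_loading_points(text: str) -> List[Entry]:
    entries: List[Entry] = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()
            continue
        if line.startswith(LSA_PREFIX):
            entries.append(Entry(key, 'Notification Packages', line[len(LSA_PREFIX):].strip(), '', None))
            continue
        m = VALUE_RE.match(line)
        if m:
            target, args = split_target(m.group('data'))
            entries.append(Entry(key, m.group('name'), target, args, m.group('meta')))
    return entries


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for e in parse_loading_points(text):
        t = e.target.lower()
        if e.key.endswith('\\run'):
            if '\\documents and settings\\' in t and any(d in t for d in PROFILE_DATA_DIRS):
                findings.append(Finding(e, 'autorun target lives in a user profile data directory'))
            if e.meta is not None and not DATE_SIZE_RE.match(e.meta):
                findings.append(Finding(e, 'no file date/size recorded for autorun target'))
        elif e.key.endswith('\\run-'):
            # assumption: a Run- key holds startup entries a cleanup tool disabled
            findings.append(Finding(e, 'disabled autorun entry; confirm the target file is gone'))
        elif e.key.endswith('\\lsa') and e.name == 'Notification Packages':
            extra = [p for p in e.target.split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding(e, 'non-default LSA notification package loaded into lsass.exe: ' + ', '.join(extra)))
        elif 'globallyopenports' in e.key and e.name.startswith('3389:'):
            findings.append(Finding(e, 'Remote Desktop port open in the Windows Firewall'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.entry.name} = {f.entry.target}')
```

Run against the excerpt it reports five items and stays silent on ccApp. The Notification Packages check is the one worth keeping around: a DLL on that list is loaded by lsass.exe at boot and sees every password change, which is also why MBAM could only mark msotapn.dll "Delete on reboot".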

Alright, I updated and I have cut the cord on the laptop. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 2860

Windows 5.1.2600 Service Pack 3

9/25/2009 12:20:17 PM

mbam-log-2009-09-25 (12-20-17).txt

Scan type: Quick Scan

Objects scanned: 110567

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 7

Registry Data Items Infected: 4

Folders Infected: 3

Files Infected: 29

Memory Processes Infected:

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Trojan.FakeAlert) -> Unloaded process successfully.

C:\Documents and Settings\Loren\Application Data\seres.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Documents and Settings\Loren\Application Data\svcst.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msotapn.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\msotapn.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Application Data\lizkavd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Application Data\lizkavd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Local Settings\Temp\~TM7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Local Settings\Temp\~TM8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Local Settings\temp\~TM7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Application Data\seres.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Application Data\seres.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Application Data\svcst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Application Data\svcst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\z98a.bin (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\wpv321253735602.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\wpv951252864591.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Loren\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

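The MBAM log above lists each object with its detection name and the action taken, and three entries are marked "Delete on reboot" (msotapn.dll, the LSA Notification Packages value, and the _scui.cpl memory module), which is why a fresh scan after the restart is the check that matters. The following script is an added example, not Malwarebytes code; SAMPLE_LOG is a constructed subset of the lines above. It parses a log in that format, cross-checks the summary counts against the items actually listed, and pulls out the reboot-deferred objects so they can be re-verified.

```python
"""Post-scan checks on a Malwarebytes Anti-Malware 1.x log. Added example for
this thread, not Malwarebytes code; SAMPLE_LOG is a constructed subset of the
log posted above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2860
Scan type: Quick Scan
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Data Items Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\Loren\Application Data\svcst.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msotapn.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\msotapn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r'^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$')
HEADER_RE = re.compile(r'^(?P<section>[A-Za-z ]+ Infected):$')
# <object> (<detection>) -> [intermediate data ->] <action>.
ITEM_RE = re.compile(r'^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$')


@dataclass
class Item:
    section: str
    obj: str
    detection: str
    action: str


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Item]]:
    """Return the declared per-section counts and every listed item."""
    declared: Dict[str, int] = {}
    items: List[Item] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group('section')] = int(m.group('count'))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group('section')
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # the action is the last "-> " segment; registry items carry data in between
            action = m.group('rest').rstrip('.').rsplit('-> ', 1)[-1]
            items.append(Item(section, m.group('obj'), m.group('detection'), action))
    return declared, items


def count_mismatches(declared: Dict[str, int], items: List[Item]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the items actually listed (declared, listed)."""
    actual = Counter(i.section for i in items)
    return {s: (n, actual.get(s, 0)) for s, n in declared.items() if actual.get(s, 0) != n}


def pending_reboot(items: List[Item]) -> List[Item]:
    """Objects MBAM could not remove while running; re-scan after restart to confirm."""
    return [i for i in items if i.action == 'Delete on reboot']


def by_detection(items: List[Item]) -> Counter:
    return Counter(i.detection for i in items)


if __name__ == '__main__':
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print('count mismatches:', count_mismatches(declared, items) or 'none')
    for i in pending_reboot(items):
        print('verify after reboot:', i.obj, f'({i.detection})')
    print(by_detection(items).most_common())
```

The count check is there because a log pasted into a forum post is easily truncated; if the listed items fall short of the declared counts, the poster has not shown the whole log. The same msotapn.dll shows up twice under Trojan.Vundo.H (the file and the registry data that loads it), which is the pair to confirm gone after the restart.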

After getting the error message from ComboFix I went ahead and let it run. Here's the log:

ComboFix 09-09-24.01 - Loren 09/25/2009 12:30.7.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.412 [GMT -7:00]

Running from: c:\documents and settings\Loren\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Loren\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\vocotiwam.lib

c:\documents and settings\All Users\Documents\cefabe.sys

c:\documents and settings\All Users\Documents\zogymenehu.bin

c:\documents and settings\Loren\Application Data\cajoh.dl

c:\documents and settings\Loren\Application Data\cyhed.dl

c:\documents and settings\Loren\Application Data\ojifepuri._dl

c:\documents and settings\Loren\Local Settings\Application Data\gepyqagu.bat

c:\documents and settings\Loren\Local Settings\Application Data\ymurihola.reg

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\cozemyzoru.db

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\ewefa.scr

c:\documents and settings\Loren\Local Settings\Temporary Internet Files\mapehyf._sy

c:\windows\ageram.reg

c:\windows\ocapicisuf.vbs

c:\windows\qaguxo._dl

c:\windows\system32\wuvufy.dl

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP12\A0017961.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-25 19:38 . 2008-04-14 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-25 19:38 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-25 18:57 . 2009-09-25 18:57 14469 ----a-w- c:\windows\tymon.dat

2009-09-25 06:56 . 2009-09-25 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-25 06:42 . 2009-09-25 06:42 19704 ----a-w- c:\windows\qijidiqed.dat

2009-09-25 06:42 . 2009-09-25 06:42 14376 ----a-w- c:\windows\rinu.dat

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Opera

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\program files\Opera

2009-09-25 06:00 . 2009-09-25 06:00 14301 ----a-w- c:\windows\jyrihimuqy.dat

2009-09-25 05:42 . 2009-09-25 05:42 120 ----a-w- c:\windows\Omadiw.dat

2009-09-25 05:42 . 2009-09-25 05:42 0 ----a-w- c:\windows\Edutik.bin

2009-09-25 05:42 . 2009-09-25 05:42 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\{CEF873D5-441D-4C6E-8DD8-7AB7C2CEF72F}

2009-09-25 05:40 . 2009-09-25 05:40 17535 ----a-w- c:\windows\system32\vudery.com

2009-09-25 05:40 . 2009-09-25 05:40 13447 ----a-w- c:\windows\lycaj.dat

2009-09-24 07:15 . 2009-09-24 07:28 -------- d-----w- c:\program files\AutoIt3

2009-09-23 22:15 . 2009-09-23 23:39 -------- d-----w- C:\HJT

2009-09-22 01:23 . 2009-09-25 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-22 01:23 . 2009-09-22 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy1

2009-09-22 01:22 . 2009-09-22 01:22 16409960 ----a-w- C:\spybotsd162.exe

2009-09-22 00:54 . 2009-09-22 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-21 05:16 . 2009-09-21 05:16 -------- d-----w- c:\program files\Trend Micro

2009-09-21 04:27 . 2009-09-23 18:35 -------- d--h--w- c:\windows\PIF

2009-09-17 07:11 . 2009-09-17 07:11 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- c:\program files\Reference Assemblies

2009-09-17 07:10 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-17 07:10 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-17 07:04 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-09-15 23:10 . 2009-09-15 23:10 -------- d-----w- c:\windows\Sun

2009-09-13 15:53 . 2009-09-14 06:53 -------- d-----w- c:\documents and settings\Loren\Application Data\FrostWire

2009-09-13 15:53 . 2009-09-13 15:53 -------- d-----w- c:\program files\FrostWire

2009-09-13 15:52 . 2009-09-13 15:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-13 15:52 . 2009-09-13 15:52 -------- d-----w- c:\program files\Java

2009-09-11 08:59 . 2007-12-27 00:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

2009-09-11 08:59 . 2007-12-27 00:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll

2009-09-11 08:59 . 2009-09-14 19:59 -------- d-----w- c:\program files\Cheat Engine

2009-09-11 02:52 . 2009-09-11 02:52 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-09-09 23:21 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-09-09 23:21 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-09-09 23:12 . 2009-09-17 07:11 -------- d-----w- c:\program files\MSBuild

2009-09-09 23:05 . 2009-09-09 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-09-07 05:58 . 2009-09-23 22:15 -------- d-----w- c:\program files\PeerGuardian2

2009-09-07 02:08 . 2009-09-20 20:25 -------- d-----w- c:\documents and settings\Loren\Application Data\U3

2009-09-07 02:07 . 2009-09-07 02:07 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Help

2009-09-06 14:49 . 2009-05-15 01:21 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys

2009-09-06 14:49 . 2009-05-15 01:21 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-09-06 14:49 . 2006-09-28 22:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2009-09-06 14:49 . 2009-09-21 06:30 -------- d-----w- c:\program files\PdaNet for Android

2009-09-06 06:51 . 2009-09-06 06:51 -------- d-----w- c:\documents and settings\Loren\Application Data\Media Player Classic

2009-09-06 06:51 . 2009-05-26 09:53 5689344 ----a-w- c:\program files\mplayerc.exe

2009-09-06 06:09 . 2009-09-06 06:09 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Symantec

2009-09-06 06:09 . 2009-09-06 06:09 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-06 06:09 . 2009-09-06 06:09 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Symantec

2009-09-06 06:08 . 2009-09-25 19:23 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-06 06:08 . 2009-09-06 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-06 05:57 . 2009-09-06 05:57 -------- d-----w- c:\documents and settings\Loren\Application Data\Malwarebytes

2009-09-06 05:56 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 05:56 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 05:56 . 2009-09-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 05:56 . 2009-09-06 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 05:55 . 2009-09-06 05:55 12348 ----a-w- c:\program files\Common Files\ojup.dat

2009-09-05 22:25 . 2009-09-05 22:25 -------- d-----w- c:\documents and settings\Loren\Application Data\Asus

2009-09-05 21:54 . 2009-09-05 22:51 -------- d-----w- c:\program files\AskBarDis

2009-09-05 21:53 . 2009-09-05 21:53 -------- d-----w- c:\program files\uTorrent

2009-09-05 21:53 . 2009-09-20 21:16 -------- d-----w- c:\documents and settings\Loren\Application Data\uTorrent

2009-09-05 21:32 . 2009-09-05 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-05 21:27 . 2009-09-05 21:27 -------- d-----w- c:\program files\Bonjour

2009-09-05 21:21 . 2009-09-05 21:21 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-09-05 20:39 . 2009-09-05 20:39 -------- d-----w- c:\program files\PowerISO

2009-09-05 20:38 . 2009-09-05 20:38 -------- d-----w- c:\program files\MagicISO

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\Bluetooth Software

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\documents and settings\Default User\Bluetooth Software

2009-09-05 14:48 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-05 14:48 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 18:57 . 2009-09-25 18:57 16639 ----a-w- c:\documents and settings\All Users\Application Data\ifuruly.dat

2009-09-25 18:57 . 2009-09-25 18:57 11053 ----a-w- c:\program files\Common Files\mohi._sy

2009-09-25 17:12 . 2009-09-25 17:12 16892 ----a-w- c:\program files\Common Files\ihusy.db

2009-09-25 06:42 . 2009-09-25 06:42 17141 ----a-w- c:\program files\Common Files\nihepu.lib

2009-09-25 06:42 . 2009-09-25 06:42 14323 ----a-w- c:\program files\Common Files\mesyjyxava._sy

2009-09-25 06:42 . 2009-09-25 06:42 11532 ----a-w- c:\documents and settings\All Users\Application Data\xepovujo.dat

2009-09-25 06:00 . 2009-09-25 06:00 10069 ----a-w- c:\documents and settings\Loren\Application Data\olypusu.dat

2009-09-18 03:46 . 2009-09-05 15:39 92344 ----a-w- c:\documents and settings\Loren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 09:26 . 2009-06-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-11 01:35 . 2009-06-23 03:51 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-09 23:48 . 2009-09-09 23:41 -------- d-----w- c:\program files\Lexmark 8300 Series

2009-09-06 14:50 . 2009-09-06 14:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf

2009-09-06 07:05 . 2009-09-06 07:05 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-06 06:09 . 2009-09-06 06:09 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-06 06:09 . 2009-09-06 06:09 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-05 21:45 . 2009-06-23 03:51 -------- d-----w- c:\program files\Microsoft Works

2009-08-05 09:01 . 2009-05-20 19:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2009-05-20 19:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2009-05-20 19:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2009-05-20 19:07 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2009-05-20 19:07 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2009-05-20 19:07 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2009-05-20 19:07 17408 ----a-w- c:\windows\system32\corpol.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_18.38.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-20 19:07 . 2009-09-23 18:40 68906 c:\windows\system32\perfc009.dat

- 2009-05-20 19:07 . 2009-09-23 18:28 68906 c:\windows\system32\perfc009.dat

+ 2009-09-05 15:36 . 2009-09-25 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-05 15:36 . 2009-09-25 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-25 17:32 . 2009-09-25 17:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-05-20 19:16 . 2009-05-20 19:16 295424 c:\windows\system32\termsrv32.dll

+ 2009-05-20 19:07 . 2009-09-23 18:40 436160 c:\windows\system32\perfh009.dat

- 2009-05-20 19:07 . 2009-09-23 18:28 436160 c:\windows\system32\perfh009.dat

+ 2009-09-25 06:32 . 2009-09-25 06:32 2215424 c:\windows\Installer\c7354.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-06-23 3054136]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Eyobekawepazuc"="c:\windows\ulasivolupuf.dll" [bU]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

c:\documents and settings\Loren\Start Menu\Programs\Startup\

mhbupd32.exe [2008-4-14 29184]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

"Persistence"=c:\windows\system32\igfxpers.exe

"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

"RTHDCPL"=RTHDCPL.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 9:03 PM 55152]

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [6/22/2009 8:46 PM 10752]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 11:12 PM 102448]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 12:26 AM 38912]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/6/2009 7:49 AM 9472]

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 12:26 AM 39040]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/5/2009 2:54 PM 234888]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 8:49 PM 1684736]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/6/2009 7:49 AM 25728]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: {46C66030-691B-4250-ADE5-47BD13C7FC4A} = 172.16.1.21

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-25 12:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2009-09-25 12:40

ComboFix-quarantined-files.txt 2009-09-25 19:40

ComboFix2.txt 2009-09-25 17:31

ComboFix3.txt 2009-09-23 19:33

ComboFix4.txt 2009-09-23 18:42

Pre-Run: 63,872,118,784 bytes free

Post-Run: 63,836,590,080 bytes free

281 --- E O F --- 2009-09-17 07:18

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:44:59 PM, on 9/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\windows\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\AsScrPro.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\windows\system32\wuauclt.exe

C:\windows\explorer.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe

O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [synAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe

O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\AsScrPro.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Eyobekawepazuc] rundll32.exe "C:\WINDOWS\ulasivolupuf.dll",Startup

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - Startup: mhbupd32.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: SuperHybridEngine.lnk = ?

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{46C66030-691B-4250-ADE5-47BD13C7FC4A}: NameServer = 172.16.1.21

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\Aibelive\VOICEC~1\SKYPE4~1.DLL

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 5890 bytes

Link to post
Share on other sites

I sure do, eh. My laptop does not have a CD drive (stupid 10-incher). Anyway, I could copy the I386 folder over to a thumb drive if you were thinking of doing an SFC, or, to make things easier for you, I could get my hands on a portable DVD drive.

What are the next 5 steps?

I'll do them all and post as I go.

It still boots fine without the boot file. It says "C:\boot.ini can not be opened" when I open the Startup and Recovery settings, and when I click to edit the file, it says file not found. I've also enabled viewing of hidden and system files, and boot.ini does not exist.

Also, on boot it says RUNDLL, Error loading C:\windows\ulasivolupuf.dll. The specified module could not be found.

So let's work both angles: recover boot.ini and kill some viruses!!!!

Link to post
Share on other sites

  • Staff
So let's work both angles: recover boot.ini and kill some viruses!!!!
Yes, let's do it! B)

Please get the portable DVD drive; we need to use the CD for a specific command (not sfc).

When you have that ready, insert the CD, set the BIOS to boot from CDs, and boot from your Windows CD. Access the Recovery Console by pressing R when everything loads.

When the command prompt is presented before you, enter the following command exactly as shown:

bootcfg /rebuild

Press Enter.

Restart your computer, boot into Windows, and run ComboFix again. Post its log.

-screen317

Link to post
Share on other sites

Currently unable to get my CD drive to connect to my laptop. I tried to boot from USB to the Recovery Console, but I think my USB drive may not be the right one (I don't know, some seem bootable and others don't; some are fixed drives and some are removable storage). Anyway, I have more resources at work on Monday, so I will work on it there.

FYI, if you're looking to run the Recovery Console from USB, do the following:

First create a non-ISO BartPE, then use PeToUSB to create a working bootable stick; no Server 2003 files required.

Then copy the i386 folder from your XP install CD to a temp folder on the USB.

Boot into BartPE, navigate to your temp folder and execute: winnt32.exe /cmdcons

Click OK, follow the instructions on the screen to finish Setup, and then restart your computer.

Your USB will now be able to dual-boot into either mini XP (BartPE) or the Recovery Console. -Credit to gcraw

Link to post
Share on other sites

No luck on the boot.ini file yet; it says "no hard drive found", which is odd, but I have a few different OS CDs that I will try later. But when I ran ComboFix it says "error": "!!!ALERT!! Its NOT safe to continue. The contents of Combofix Package have been compomised." DL new copy, and Note: you may have been infected with a file patching virus "Virut"

Link to post
Share on other sites

Log file from the new ComboFix, which was renamed to pizza.exe before being copied over to the infected computer:

ComboFix 09-09-27.05 - Loren 09/28/2009 11:13.8.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.421 [GMT -7:00]

Running from: c:\documents and settings\Loren\Desktop\pizza.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Loren\Application Data\wiaserva.log

c:\windows\9129837.exe

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\system volume information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP12\A0017961.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 18:21 . 2008-04-14 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-28 18:21 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-28 17:58 . 2009-09-28 17:58 -------- d-----w- c:\windows\LastGood

2009-09-25 18:57 . 2009-09-25 18:57 14469 ----a-w- c:\windows\tymon.dat

2009-09-25 06:56 . 2009-09-25 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-25 06:42 . 2009-09-25 06:42 19704 ----a-w- c:\windows\qijidiqed.dat

2009-09-25 06:42 . 2009-09-25 06:42 14376 ----a-w- c:\windows\rinu.dat

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Opera

2009-09-25 06:32 . 2009-09-25 06:32 -------- d-----w- c:\program files\Opera

2009-09-25 06:00 . 2009-09-25 06:00 14301 ----a-w- c:\windows\jyrihimuqy.dat

2009-09-25 05:42 . 2009-09-25 05:42 120 ----a-w- c:\windows\Omadiw.dat

2009-09-25 05:42 . 2009-09-25 05:42 0 ----a-w- c:\windows\Edutik.bin

2009-09-25 05:42 . 2009-09-25 05:42 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\{CEF873D5-441D-4C6E-8DD8-7AB7C2CEF72F}

2009-09-25 05:40 . 2009-09-25 05:40 17535 ----a-w- c:\windows\system32\vudery.com

2009-09-25 05:40 . 2009-09-25 05:40 13447 ----a-w- c:\windows\lycaj.dat

2009-09-24 07:15 . 2009-09-24 07:28 -------- d-----w- c:\program files\AutoIt3

2009-09-23 22:15 . 2009-09-25 19:44 -------- d-----w- C:\HJT

2009-09-22 01:23 . 2009-09-25 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-22 01:23 . 2009-09-22 01:27 -------- d-----w- c:\program files\Spybot - Search & Destroy1

2009-09-22 01:22 . 2009-09-22 01:22 16409960 ----a-w- C:\spybotsd162.exe

2009-09-22 00:54 . 2009-09-22 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-21 05:16 . 2009-09-21 05:16 -------- d-----w- c:\program files\Trend Micro

2009-09-21 04:27 . 2009-09-23 18:35 -------- d--h--w- c:\windows\PIF

2009-09-17 07:11 . 2009-09-17 07:11 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- c:\program files\Reference Assemblies

2009-09-17 07:10 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-17 07:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-17 07:10 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-17 07:04 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-09-15 23:10 . 2009-09-15 23:10 -------- d-----w- c:\windows\Sun

2009-09-13 15:53 . 2009-09-14 06:53 -------- d-----w- c:\documents and settings\Loren\Application Data\FrostWire

2009-09-13 15:53 . 2009-09-13 15:53 -------- d-----w- c:\program files\FrostWire

2009-09-13 15:52 . 2009-09-13 15:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-13 15:52 . 2009-09-13 15:52 -------- d-----w- c:\program files\Java

2009-09-11 08:59 . 2007-12-27 00:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

2009-09-11 08:59 . 2007-12-27 00:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll

2009-09-11 08:59 . 2009-09-14 19:59 -------- d-----w- c:\program files\Cheat Engine

2009-09-11 02:52 . 2009-09-11 02:52 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-09-09 23:21 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-09-09 23:21 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-09-09 23:12 . 2009-09-17 07:11 -------- d-----w- c:\program files\MSBuild

2009-09-09 23:05 . 2009-09-09 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-09-07 05:58 . 2009-09-23 22:15 -------- d-----w- c:\program files\PeerGuardian2

2009-09-07 02:08 . 2009-09-20 20:25 -------- d-----w- c:\documents and settings\Loren\Application Data\U3

2009-09-07 02:07 . 2009-09-07 02:07 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Help

2009-09-06 14:49 . 2009-05-15 01:21 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys

2009-09-06 14:49 . 2009-05-15 01:21 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-09-06 14:49 . 2006-09-28 22:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2009-09-06 14:49 . 2009-09-21 06:30 -------- d-----w- c:\program files\PdaNet for Android

2009-09-06 06:51 . 2009-09-06 06:51 -------- d-----w- c:\documents and settings\Loren\Application Data\Media Player Classic

2009-09-06 06:51 . 2009-05-26 09:53 5689344 ----a-w- c:\program files\mplayerc.exe

2009-09-06 06:09 . 2009-09-06 06:09 -------- d-----w- c:\documents and settings\Loren\Local Settings\Application Data\Symantec

2009-09-06 06:09 . 2009-09-06 06:09 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-06 06:09 . 2009-09-06 06:09 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Symantec

2009-09-06 06:08 . 2009-09-28 18:10 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-06 06:08 . 2009-09-06 06:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-06 06:08 . 2009-09-06 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-06 05:57 . 2009-09-06 05:57 -------- d-----w- c:\documents and settings\Loren\Application Data\Malwarebytes

2009-09-06 05:56 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 05:56 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-06 05:56 . 2009-09-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 05:56 . 2009-09-06 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-06 05:55 . 2009-09-06 05:55 12348 ----a-w- c:\program files\Common Files\ojup.dat

2009-09-05 22:25 . 2009-09-05 22:25 -------- d-----w- c:\documents and settings\Loren\Application Data\Asus

2009-09-05 21:54 . 2009-09-05 22:51 -------- d-----w- c:\program files\AskBarDis

2009-09-05 21:53 . 2009-09-05 21:53 -------- d-----w- c:\program files\uTorrent

2009-09-05 21:53 . 2009-09-20 21:16 -------- d-----w- c:\documents and settings\Loren\Application Data\uTorrent

2009-09-05 21:32 . 2009-09-05 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-05 21:27 . 2009-09-05 21:27 -------- d-----w- c:\program files\Bonjour

2009-09-05 21:21 . 2009-09-05 21:21 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-09-05 20:39 . 2009-09-05 20:39 -------- d-----w- c:\program files\PowerISO

2009-09-05 20:38 . 2009-09-05 20:38 -------- d-----w- c:\program files\MagicISO

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\Bluetooth Software

2009-09-05 15:38 . 2009-06-23 03:49 -------- d-----w- c:\documents and settings\Default User\Bluetooth Software

2009-09-05 14:48 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-09-05 14:48 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 18:57 . 2009-09-25 18:57 16639 ----a-w- c:\documents and settings\All Users\Application Data\ifuruly.dat

2009-09-25 18:57 . 2009-09-25 18:57 11053 ----a-w- c:\program files\Common Files\mohi._sy

2009-09-25 17:12 . 2009-09-25 17:12 16892 ----a-w- c:\program files\Common Files\ihusy.db

2009-09-25 06:42 . 2009-09-25 06:42 17141 ----a-w- c:\program files\Common Files\nihepu.lib

2009-09-25 06:42 . 2009-09-25 06:42 14323 ----a-w- c:\program files\Common Files\mesyjyxava._sy

2009-09-25 06:42 . 2009-09-25 06:42 11532 ----a-w- c:\documents and settings\All Users\Application Data\xepovujo.dat

2009-09-25 06:00 . 2009-09-25 06:00 10069 ----a-w- c:\documents and settings\Loren\Application Data\olypusu.dat

2009-09-18 03:46 . 2009-09-05 15:39 92344 ----a-w- c:\documents and settings\Loren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 09:26 . 2009-06-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-11 01:35 . 2009-06-23 03:51 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-09 23:48 . 2009-09-09 23:41 -------- d-----w- c:\program files\Lexmark 8300 Series

2009-09-06 14:50 . 2009-09-06 14:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf

2009-09-06 07:05 . 2009-09-06 07:05 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-06 06:09 . 2009-09-06 06:09 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-06 06:09 . 2009-09-06 06:09 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-05 21:45 . 2009-06-23 03:51 -------- d-----w- c:\program files\Microsoft Works

2009-08-05 09:01 . 2009-05-20 19:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2009-05-20 19:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2009-05-20 19:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2009-05-20 19:07 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_18.38.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-20 19:07 . 2009-09-23 18:40 68906 c:\windows\system32\perfc009.dat

- 2009-05-20 19:07 . 2009-09-23 18:28 68906 c:\windows\system32\perfc009.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-09-05 15:36 . 2009-09-25 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-09-05 15:36 . 2009-09-25 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-09-05 15:36 . 2009-09-05 15:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-28 17:58 . 2003-03-24 23:52 20538 c:\windows\LastGood\system32\dllcache\fpremadm.exe

+ 2009-09-28 17:58 . 2003-03-24 23:52 20541 c:\windows\LastGood\system32\dllcache\fpexedll.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 14608 c:\windows\LastGood\system32\dllcache\fp98sadm.exe

+ 2009-09-28 17:58 . 2003-03-24 23:52 49212 c:\windows\LastGood\system32\dllcache\fp4awebs.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 32826 c:\windows\LastGood\system32\dllcache\fp4avss.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 41020 c:\windows\LastGood\system32\dllcache\fp4avnb.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 49210 c:\windows\LastGood\system32\dllcache\fp4areg.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 82035 c:\windows\LastGood\system32\dllcache\fp4anscp.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 16439 c:\windows\LastGood\system32\dllcache\author.exe

+ 2009-09-28 17:58 . 2003-03-24 23:52 20540 c:\windows\LastGood\system32\dllcache\author.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 16439 c:\windows\LastGood\system32\dllcache\admin.exe

+ 2009-09-28 17:58 . 2003-03-24 23:52 20540 c:\windows\LastGood\system32\dllcache\admin.dll

+ 2009-05-20 19:16 . 2009-05-20 19:16 295424 c:\windows\system32\termsrv32.dll

- 2009-05-20 19:07 . 2009-09-23 18:28 436160 c:\windows\system32\perfh009.dat

+ 2009-05-20 19:07 . 2009-09-23 18:40 436160 c:\windows\system32\perfh009.dat

+ 2009-09-28 17:58 . 2003-03-24 23:52 208896 c:\windows\LastGood\system32\dllcache\fpmmcsat.dll

+ 2009-09-28 17:58 . 2004-05-13 07:39 598071 c:\windows\LastGood\system32\dllcache\fpmmc.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 188494 c:\windows\LastGood\system32\dllcache\fpcount.exe

+ 2009-09-28 17:58 . 2003-03-24 23:52 109328 c:\windows\LastGood\system32\dllcache\fp98swin.exe

+ 2009-09-28 17:58 . 2004-05-13 07:39 876653 c:\windows\LastGood\system32\dllcache\fp4awel.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 102509 c:\windows\LastGood\system32\dllcache\fp4atxt.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 147513 c:\windows\LastGood\system32\dllcache\fp4apws.dll

+ 2009-09-28 17:58 . 2004-05-13 07:39 184435 c:\windows\LastGood\system32\dllcache\fp4amsft.dll

+ 2009-09-28 17:58 . 2003-03-24 23:52 188480 c:\windows\LastGood\system32\dllcache\cfgwiz.exe

+ 2009-09-25 06:32 . 2009-09-25 06:32 2215424 c:\windows\Installer\c7354.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-06-23 3054136]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Eyobekawepazuc"="c:\windows\ulasivolupuf.dll" [bU]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

c:\documents and settings\Loren\Start Menu\Programs\Startup\

mhbupd32.exe [2008-4-14 29184]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

"Persistence"=c:\windows\system32\igfxpers.exe

"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

"RTHDCPL"=RTHDCPL.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 9:03 PM 55152]

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [6/22/2009 8:46 PM 10752]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 11:12 PM 102448]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 12:26 AM 38912]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/6/2009 7:49 AM 9472]

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 12:26 AM 39040]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/5/2009 2:54 PM 234888]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 8:49 PM 1684736]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/6/2009 7:49 AM 25728]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: {46C66030-691B-4250-ADE5-47BD13C7FC4A} = 172.16.1.21

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 11:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)

c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(888)

c:\windows\system32\wininet.dll

.

Completion time: 2009-09-28 11:24

ComboFix-quarantined-files.txt 2009-09-28 18:24

ComboFix2.txt 2009-09-25 19:40

ComboFix3.txt 2009-09-25 17:31

ComboFix4.txt 2009-09-23 19:33

ComboFix5.txt 2009-09-28 18:12

Pre-Run: 63,823,347,712 bytes free

Post-Run: 63,786,766,336 bytes free

293 --- E O F --- 2009-09-17 07:18


Booting off the Windows XP SP2 CD, it starts loading all of the files, and when it gets to starting up Windows I get a BSOD STOP: 0x0000007B "Check for viruses"... but the odd thing is when I tap the power button the screen just turns blue and all of the text disappears. In my experience with BSODs you can't do anything to change the screen. But I've also heard of MSAV 2010 showing fake BSODs like that... may have to try a different angle.


This topic is now closed to further replies.