
infection again and this time malwarebytes fails!


mukhi


My Java was not up-to-date, and for that reason (I believe), when I was browsing a forum I regularly visit, I got some malware installed on my computer despite the presence of Symantec anti-virus. Normally, running the MBAM update and quick scan and removing everything solves this kind of problem, but not this time. The malware did not allow mbam.exe to run, therefore I renamed it to mam.exe and tried to run a quick scan after updating. Doing this froze my computer several times. One time I was able to remove the items MBAM detected; however, after reboot, most of them came back. The problem persists: Symantec is disabled, Spybot is disabled, a-squared anti-spyware is running but without any success, and any attempt to run a full scan with MBAM freezes the machine. I finally decided to run HijackThis, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:30:21 PM, on 12/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\windows\System32\svchost.exe

C:\Xcalibur\system\programs\CFRDBService.exe

C:\Xcalibur\system\programs\FinAutoLogOff.exe

C:\Xcalibur\system\programs\finSS_Server.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\windows\stsystra.exe

C:\Program Files\abit\abit uGuru\AirPaceWifi.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system32\ctfmon.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\pacific\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Search the Internet Toolbar - {386e596f-4dd4-4daa-b66a-2509bedb27e6} - C:\Program Files\Search_the_Internet\tbSea0.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Search the Internet Toolbar - {386e596f-4dd4-4daa-b66a-2509bedb27e6} - C:\Program Files\Search_the_Internet\tbSea0.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [AirPaceWifi] "C:\Program Files\abit\abit uGuru\AirPaceWifi.exe" -nogui

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdp32.dll

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238853855296

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: acaptuser32.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Finnigan Database Service (CFRDBService) - Thermo Electron Corporation - C:\Xcalibur\system\programs\CFRDBService.exe

O23 - Service: Finnigan Auto Logoff (FinAutoLogOff) - Thermo Electron Corporation - C:\Xcalibur\system\programs\FinAutoLogOff.exe

O23 - Service: Finnigan Security Server - Thermo Electron Corporation - C:\Xcalibur\system\programs\finSS_Server.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--

End of file - 8275 bytes

I have updated Java. I know for sure iexplore.exe and wuauclt.exe are malware, as they keep coming back even though I kill the processes in Task Manager. Fortunately, wscsvc32.exe is gone after running MBAM. No idea about the others. Please help. Thanks.


Why do you believe they are malware? iexplore.exe is your Internet Explorer and wuauclt.exe is related to your Windows updates.

Please post the malwarebytes log in your next reply.

Because iexplorer.exe keeps coming back although I am not using IE (I use only Firefox). Anyway, this nag is gone after scanning with MBAM another time, and I am gonna post the log shortly. Thanks.


Malwarebytes' Anti-Malware 1.42

Database version: 3430

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/25/2009 4:45:14 PM

mbam-log-2009-12-25 (16-45-14).txt

Scan type: Quick Scan

Objects scanned: 110183

Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


My latest scan:

Malwarebytes' Anti-Malware 1.42

Database version: 3435

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/26/2009 1:57:35 PM

mbam-log-2009-12-26 (13-57-35).txt

Scan type: Quick Scan

Objects scanned: 110405

Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Now I see the issue: even after rebooting the last time, the problems stayed. The same 3 infections are coming back over and over again.

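The recurrence described in the two scans above (the same three MBAM detections reported again after every reboot) is the signature of a removal that is not holding. The following Python script is an added example, not part of this thread and not Malwarebytes' own tooling: it parses two MBAM 1.x logs into detections, reports which ones recur between scans, and flags the indicators visible in these particular logs (an NT object-namespace `\\?\globalroot\` path instead of a drive-letter path, a "Delete on reboot" action meaning the file could not be removed while Windows was running, and a `Rootkit.*` classification). The two sample logs are constructed from the detection sections posted above; the section names and line patterns are assumptions about the MBAM 1.x log format as it appears here.

```python
"""Compare two Malwarebytes' Anti-Malware 1.x scan logs and flag detections
that recur, i.e. infections that the previous removal did not actually clear.

Added example for this thread; it is not Malwarebytes' code.  The sample logs
are constructed from the detection sections posted in the thread; the section
names and line patterns are assumptions about the MBAM 1.x log format.
"""
import re
from dataclasses import dataclass

# Section headers look like "Files Infected:" with nothing after the colon.
# The summary lines near the top ("Files Infected: 1") carry a count and are
# deliberately not matched, so nothing before the first real section counts.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# One detection line: "<object> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# NT object-manager prefix (\\?\globalroot\) seen on the TDSS module in this thread.
GLOBALROOT = "\\\\?\\globalroot\\"


@dataclass(frozen=True)
class Detection:
    section: str
    path: str
    family: str
    action: str


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection listed under the per-category sections."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        item = ITEM_RE.match(line)
        if item:
            detections.append(Detection(section, item["path"], item["family"], item["action"]))
    return detections


def _key(d: Detection) -> tuple:
    # Windows paths and registry keys are case-insensitive.
    return (d.section, d.path.lower(), d.family)


def recurring(previous: list[Detection], current: list[Detection]) -> list[Detection]:
    """Detections in `current` that were already reported in `previous`."""
    seen = {_key(d) for d in previous}
    return [d for d in current if _key(d) in seen]


def rootkit_indicators(detections: list[Detection]) -> list[tuple[Detection, list[str]]]:
    """Heuristics drawn from the logs in this thread; each hit carries its reasons."""
    hits = []
    for d in detections:
        reasons = []
        if d.path.lower().startswith(GLOBALROOT):
            reasons.append("object-namespace path rather than a drive-letter path")
        if d.action.lower().startswith("delete on reboot"):
            reasons.append("file could not be removed while Windows was running")
        if d.family.lower().startswith("rootkit."):
            reasons.append("classified as a rootkit by the scanner")
        if reasons:
            hits.append((d, reasons))
    return hits


def report(previous_log: str, current_log: str) -> dict:
    """Summarise two consecutive scans: what recurred and why it looks like a rootkit."""
    prev, cur = parse_mbam_log(previous_log), parse_mbam_log(current_log)
    rec = recurring(prev, cur)
    return {
        "previous": len(prev),
        "current": len(cur),
        "recurring": [f"{d.section}: {d.path} ({d.family})" for d in rec],
        "indicators": [f"{d.path}: {'; '.join(r)}" for d, r in rootkit_indicators(cur)],
        "remediation_holding": not rec,
    }


# Constructed sample: the detection sections from the 12/25/2009 quick scan in
# this thread (header lines abbreviated).  The 12/26 scan reported the same
# three items with only the database version changed.
SCAN_2009_12_25 = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3430
Scan type: Quick Scan
Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTrgylblibmw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
SCAN_2009_12_26 = SCAN_2009_12_25.replace("Database version: 3430", "Database version: 3435")

if __name__ == "__main__":
    for k, v in report(SCAN_2009_12_25, SCAN_2009_12_26).items():
        print(f"{k}: {v}")
```

Run on the two logs from this thread the report lists all three detections as recurring and marks remediation as not holding, which is the practical signal that a user-mode scanner alone will not clear the infection and a tool that can reach the driver (as the staff reply goes on to recommend) is needed.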

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I downloaded ComboFix.exe to my desktop as you instructed, turned off the Windows firewall, could not turn off Symantec antivirus as it is already disabled by the malware (no icon is showing up in the tray; also see my attachment for Task Manager), and I do not have any anti-spyware running. However, ComboFix does not run when I double-click on the icon!

[attachment: Task Manager screenshot]


  • Staff

Hi,

Please delete the Combofix.exe present on your desktop and try the following method for downloading and running:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:

[screenshots: Firefox download prompt; renaming Combofix to Combo-Fix while saving]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but name Combofix.exe iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those on its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


All right, I was able to run ComboFix as you directed (without Safe Mode). After running it and HijackThis, here are the logs (the Windows Security Center icon is back!):

ComboFix 09-12-28.06 - pacific 12/29/2009 8:24.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2646 [GMT -8:00]

Running from: c:\documents and settings\pacific\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\pacific\Application Data\Desktopicon

c:\documents and settings\pacific\Application Data\Desktopicon\eBay.ico

c:\documents and settings\pacific\Application Data\Desktopicon\uninst.exe

c:\documents and settings\pacific\Application Data\Logs\scns.log

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\system32\BSTIEPrintCtl1.dll

c:\windows\system32\clrviddc.dll

c:\windows\system32\config.dat

c:\windows\system32\drivers\1028_DELL_XPS_Dell DM061 .MRK

c:\windows\system32\drivers\DELL_XPS_Dell DM061 .MRK

c:\windows\system32\drivers\H8SRTpntpygoybd.sys

c:\windows\system32\H8SRToietcypegv.dll

c:\windows\system32\H8SRTrgylblibmw.dll

c:\windows\system32\H8SRTyhqucunohb.dat

c:\windows\system32\krl32mainweq.dll

c:\windows\system32\srcr.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))

.

2009-12-24 20:16 . 2009-12-24 20:16 152576 ----a-w- c:\documents and settings\pacific\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-24 20:16 . 2009-12-24 20:16 79488 ----a-w- c:\documents and settings\pacific\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-23 01:54 . 2009-12-23 01:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-12-23 01:54 . 2009-12-23 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-12-23 01:12 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-23 00:14 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 00:14 . 2009-12-23 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-23 00:14 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-22 23:37 . 2009-12-25 19:03 -------- d-----w- c:\program files\a-squared Free

2009-12-13 01:01 . 2009-12-13 01:57 -------- d-----w- C:\data

2009-12-07 01:54 . 2009-12-07 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Returnil

2009-12-07 00:24 . 2009-12-07 00:24 -------- d-----w- c:\documents and settings\pacific\Application Data\Morpheus Software

2009-12-06 21:01 . 2009-12-06 21:01 -------- d-----w- c:\program files\Common Files\eSellerate

2009-12-06 21:01 . 2009-12-06 21:01 -------- d-----w- c:\documents and settings\pacific\avidemux

2009-12-06 20:43 . 2009-12-06 20:43 -------- d-----w- c:\documents and settings\smukherj

2009-12-06 20:18 . 2009-12-06 20:22 -------- d-----w- c:\documents and settings\pacific\Local Settings\Application Data\AnVir

2009-12-05 21:14 . 2009-12-05 21:14 -------- d-----w- c:\documents and settings\pacific\Application Data\Returnil

2009-12-05 21:11 . 2009-12-05 21:11 -------- d-----w- c:\windows\system32\Returnil

2009-12-05 20:04 . 2009-12-05 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-12-04 04:53 . 2009-12-04 04:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-12-04 04:53 . 2008-04-07 13:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

2009-12-04 04:53 . 2008-04-07 13:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll

2009-12-04 04:39 . 2009-12-29 19:29 -------- d-----w- c:\program files\Common Files\Akamai

2009-12-03 16:17 . 2009-12-03 16:17 -------- d-----w- c:\documents and settings\pacific\Application Data\Aunsoft

2009-12-03 16:17 . 2009-12-03 16:17 -------- d-----w- c:\program files\Aunsoft

2009-12-02 01:55 . 2009-12-02 01:55 -------- d-----w- c:\documents and settings\pacific\Local Settings\Application Data\Corner-A

2009-12-02 01:55 . 2009-12-02 01:55 -------- d-----w- c:\program files\Corner-A

2009-12-01 00:26 . 2009-12-01 00:26 423464 ----a-w- c:\documents and settings\pacific\Application Data\E-centives\BSTIEPrintCtl1.dll

2009-12-01 00:26 . 2009-12-01 00:26 -------- d-----w- c:\documents and settings\pacific\Application Data\E-centives

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-29 16:27 . 2009-08-09 23:56 -------- d-----w- c:\documents and settings\pacific\Application Data\Logs

2009-12-29 00:43 . 2009-09-19 22:57 -------- d-----w- c:\documents and settings\pacific\Application Data\uTorrent

2009-12-28 17:59 . 2009-02-01 17:41 -------- d-----w- c:\documents and settings\pacific\Application Data\Skype

2009-12-24 20:16 . 2009-05-19 18:45 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-23 02:51 . 2009-04-04 14:41 -------- d-----w- c:\program files\Symantec

2009-12-23 02:51 . 2009-04-04 14:41 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-12-23 02:51 . 2009-04-04 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-12-23 01:10 . 2009-04-04 14:41 -------- d-----w- c:\program files\Symantec AntiVirus

2009-12-13 02:23 . 2009-04-30 20:49 -------- d-----w- c:\program files\Coupons

2009-12-07 02:22 . 2009-04-03 23:11 -------- d-----w- c:\program files\Google

2009-12-06 20:54 . 2009-07-13 13:27 -------- d-----w- c:\documents and settings\pacific\Application Data\EndNote

2009-12-06 19:53 . 2009-04-03 23:20 127968 ----a-w- c:\documents and settings\pacific\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-04 18:48 . 2009-11-09 22:49 46 ----a-w- c:\windows\system32\_WDYSZYG.sys

2009-12-04 04:53 . 2009-04-03 23:17 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-03 01:48 . 2009-07-10 14:12 -------- d-----w- c:\program files\FormatFactory

2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-18 20:02 . 2009-04-11 14:29 1324 ----a-w- c:\documents and settings\pacific\Application Data\ispro4_0.tmp

2009-11-17 23:44 . 2009-11-17 23:44 -------- d-----w- c:\program files\AnyBizSoft

2009-11-15 18:09 . 2009-11-15 18:09 -------- d-----w- c:\program files\Aimersoft

2009-11-13 22:33 . 2009-08-23 23:15 900 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-11-12 19:44 . 2009-09-10 00:00 -------- d-----w- c:\program files\Search_the_Internet

2009-11-10 17:49 . 2009-07-25 00:50 -------- d-----w- c:\program files\PDF to Word 3

2009-11-10 17:47 . 2009-11-10 17:47 -------- d-----w- c:\program files\FPDFC

2009-11-09 22:49 . 2009-07-10 17:52 -------- d-----w- c:\program files\WinUtilities

2009-11-09 17:17 . 2009-11-09 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2009-11-06 19:00 . 2009-06-17 22:45 141 ----a-w- c:\windows\C3DPREF6.DAT

2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 14:03 . 2009-10-12 14:03 130 ----a-w- c:\documents and settings\pacific\Local Settings\Application Data\fusioncache.dat

2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-02 17:42 . 2009-10-02 17:42 333194 ----a-w- C:\Data.zip

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386e596f-4dd4-4daa-b66a-2509bedb27e6}]

2009-11-12 19:44 2166296 ----a-w- c:\program files\Search_the_Internet\tbSea0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{386e596f-4dd4-4daa-b66a-2509bedb27e6}"= "c:\program files\Search_the_Internet\tbSea0.dll" [2009-11-12 2166296]

[HKEY_CLASSES_ROOT\clsid\{386e596f-4dd4-4daa-b66a-2509bedb27e6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{386E596F-4DD4-4DAA-B66A-2509BEDB27E6}"= "c:\program files\Search_the_Internet\tbSea0.dll" [2009-11-12 2166296]

[HKEY_CLASSES_ROOT\clsid\{386e596f-4dd4-4daa-b66a-2509bedb27e6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

"AirPaceWifi"="c:\program files\abit\abit uGuru\AirPaceWifi.exe" [2007-02-08 2240512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2009-12-04 00:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-12-24 20:16 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\VarianWS\\CHEMIS32.EXE"=

"c:\\Documents and Settings\\pacific\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\pacific\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"C:1\\utorrent.exe"=

"C:0\\utorrent.exe"=

"C:2\\utorrent.exe"=

"C:4\\utorrent.exe"=

"C:3\\utorrent.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [4/8/2009 8:41 AM 40496]

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/02/01 08:27];c:\program files\CyberLink\PowerDVD9\000.fcl [2/28/2009 7:40 PM 87536]

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [12/22/2009 3:37 PM 1858144]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 4:00 AM 14336]

R2 CFRDBService;Finnigan Database Service;c:\xcalibur\system\programs\CFRDBService.exe [8/12/2009 8:43 PM 335971]

R2 FinAutoLogOff;Finnigan Auto Logoff;c:\xcalibur\system\programs\FinAutoLogOff.exe [8/12/2009 8:43 PM 86116]

R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [8/12/2009 8:43 PM 65536]

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [6/25/2009 6:11 PM 440616]

R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [6/25/2009 6:11 PM 1012520]

R2 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [6/22/2007 8:22 AM 95592]

R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [11/24/2008 9:31 PM 29263712]

S0 cerc6;cerc6; [x]

S3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [9/30/2009 8:54 AM 556832]

S3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [5/4/2009 9:07 AM 6656]

S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [7/22/2009 6:09 PM 23096]

S3 WSStario;WSStario;c:\windows\system32\drivers\WSSTARIO.SYS [1/26/1998 3:48 PM 5856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MIF269~1\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

FF - ProfilePath - c:\documents and settings\pacific\Application Data\Mozilla\Firefox\Profiles\sq92wh4o.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\pacific\Application Data\Mozilla\Firefox\Profiles\sq92wh4o.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll

FF - plugin: c:\documents and settings\pacific\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\pacific\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\CambridgeSoft\ChemOffice2010\Chem3D\npChem3DPlugin.dll

FF - plugin: c:\program files\CambridgeSoft\ChemOffice2010\ChemDraw\NPCDP32.DLL

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll

FF - plugin: c:\windows\system32\npmirage.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)

Notify-NavLogon - (no file)

AddRemove-eBay Icon - c:\documents and settings\pacific\Application Data\Desktopicon\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-29 12:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$CSSQL05]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:CSSQL05"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3820)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\PSIService.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

.

**************************************************************************

.

Completion time: 2009-12-29 12:12:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-29 20:12

Pre-Run: 6,109,200,384 bytes free

Post-Run: 6,490,492,928 bytes free

- - End Of File - - 725A9E1EBF88735E16B14E8FEDE3EA48

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:54:44 PM, on 12/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\windows\System32\svchost.exe

C:\Xcalibur\system\programs\CFRDBService.exe

C:\Xcalibur\system\programs\FinAutoLogOff.exe

C:\Xcalibur\system\programs\finSS_Server.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\System32\svchost.exe

C:\windows\system32\wscntfy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\windows\stsystra.exe

C:\Program Files\abit\abit uGuru\AirPaceWifi.exe

C:\windows\explorer.exe

C:\windows\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\pacific\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Search the Internet Toolbar - {386e596f-4dd4-4daa-b66a-2509bedb27e6} - C:\Program Files\Search_the_Internet\tbSea0.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Search the Internet Toolbar - {386e596f-4dd4-4daa-b66a-2509bedb27e6} - C:\Program Files\Search_the_Internet\tbSea0.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [AirPaceWifi] "C:\Program Files\abit\abit uGuru\AirPaceWifi.exe" -nogui

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdp32.dll

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238853855296

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Finnigan Database Service (CFRDBService) - Thermo Electron Corporation - C:\Xcalibur\system\programs\CFRDBService.exe

O23 - Service: Finnigan Auto Logoff (FinAutoLogOff) - Thermo Electron Corporation - C:\Xcalibur\system\programs\FinAutoLogOff.exe

O23 - Service: Finnigan Security Server - Thermo Electron Corporation - C:\Xcalibur\system\programs\finSS_Server.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--

End of file - 8138 bytes

thanks.

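The HijackThis log above is the kind of listing a forum helper reads by eye. As an added example, not part of this thread and not HijackThis's own code, the following Python script parses the Rx/Oxx entries and flags the ones a reviewer normally checks first: objects still registered with "(no file)", any AppInit_DLLs (O20) entry, O16 ActiveX downloads from hosts other than Microsoft's update servers, O23 services with an unknown owner, and O4 Run entries that name a bare executable without an absolute path. The sample lines are copied from the log posted above; the flagging rules and the EXPECTED_DPF_HOSTS set are this example's own assumptions, and a flag means "look at this", not "malicious".

```python
"""Triage helper for Trend Micro HijackThis v2.x logs (added example)."""
import re
from dataclasses import dataclass

# Matches one HijackThis entry, e.g. "O2 - BHO: name - {CLSID} - C:\path.dll"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")

# Hosts from which an O16 (Downloaded Program Files / ActiveX) entry is
# expected. Assumption for this example; extend it for your environment.
EXPECTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}

# Excerpt copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:44 PM, on 12/29/2009
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AirPaceWifi] "C:\Program Files\abit\abit uGuru\AirPaceWifi.exe" -nogui
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238853855296
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O20"
    reason: str  # why a reviewer should look at it
    line: str    # the original log line


def parse_entries(log_text: str) -> list:
    """Return (kind, body, line) for each Rx/Fx/Oxx line; headers are skipped."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group("kind"), m.group("body"), line))
    return out


def _dpf_host(body: str) -> str:
    """Hostname of the .cab URL at the end of an O16 entry ('' if none)."""
    url = body.rsplit(" - ", 1)[-1].strip()
    m = re.match(r"^https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> list:
    """Flag entries a reviewer inspects first. Heuristics, not verdicts."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        lower = body.lower()
        if "(no file)" in lower:
            # Registry still points at a DLL/EXE that no longer exists: an
            # uninstall leftover, or a removed component whose registration
            # survived. Usually harmless, always worth cleaning up.
            findings.append(Finding(kind, "registered object, file missing", line))
        elif kind == "O20":
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any entry here gets a look regardless of its filename.
            findings.append(Finding(kind, "AppInit_DLLs injection point", line))
        elif kind == "O16":
            host = _dpf_host(body)
            if host not in EXPECTED_DPF_HOSTS:
                findings.append(Finding(kind, f"ActiveX .cab fetched from {host}", line))
        elif kind == "O23" and "unknown owner" in lower:
            # Service binary without a recognised publisher string.
            findings.append(Finding(kind, "service with unknown owner", line))
        elif kind == "O4":
            # "[Name] command": a bare filename is resolved via the search
            # path, so a planted file of the same name earlier on it wins.
            command = body.split("] ", 1)[-1].strip().strip('"')
            if not re.match(r"^[a-zA-Z]:\\", command):
                findings.append(Finding(kind, "Run entry without an absolute path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}: {f.line}")
```

Run it against a full log and the Microsoft-hosted WUWebControl entry stays quiet while the third-party .cab, the path-less Run entry, the orphaned BHO, the AppInit_DLLs entry and the unowned service are listed; whether any of them is actually malicious is still the reviewer's call, as it was in this thread.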

  • Staff

Hi,

This looks OK again. It looks like the malware was probably blocking some components in Malwarebytes as well, which explains why it couldn't deal with this infection properly.

Anyway, Combofix could take care of it as well and this looks OK again here.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /.

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!
