Antispyware Soft infection

messdupcomp · April 30, 2010

Hello all

I have been infected with anitspyware soft.

Cannot open add remove programs

Cannot use or run Malwarebytes

I know there are more issues but those two I just noticed

messdupcomp · April 30, 2010

OK, now I just noticed I really cannot open any programs please help. What ever application I try to open I get. Application cannot be executed. The file .exe is infected.

Maniac · May 1, 2010

Hello messdupcomp! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install any software or hardware, while work on.

Please follow these instructions:

http://www.bleepingcomputer.com/virus-remo...ntispyware-soft

messdupcomp · May 2, 2010

Thank you for the instructions. I believe virus has been removed.

Maniac · May 2, 2010

Please post your MalwareBytes' Anti-Malware log.

messdupcomp · May 2, 2010

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4059

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

5/2/2010 12:44:25 PM

mbam-log-2010-05-02 (12-44-25).txt

Scan type: Quick scan

Objects scanned: 126626

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f382d9f9-25d5-4f44-a6ff-33dacb2851a3} (Adware.WebGuide) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\rewardband.Band (Adware.Rewardnet) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\RewardBHO.Bar (Adware.Rewardnet) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feuewcty (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feuewcty (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Local Settings\Application Data\lljojolkd\pafnffltssd.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\bjug.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\kblj.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\DOhw.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\J8C5V3ET\eHdff10397V03003f36002R58938e11102T942b660cQ000002fc901807F002a000aJ0000050

1l0409K28393011316P000001070[1] (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

C:\Program Files\Common\_helper.sig (Malware.Trace) -> Quarantined and deleted successfully.

Maniac · May 3, 2010

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

messdupcomp · May 4, 2010

ComboFix 10-05-03.06 - Administrator 05/04/2010 11:54:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1481 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

c:\program files\Shared

c:\program files\WindowsUpdate

c:\recycler\S-1-5-21-3960319431-794938436-2843483679-500

c:\windows\system32\18467.exe

c:\windows\system32\26500.exe

c:\windows\system32\6334.exe

c:\windows\Tasks.\xydvdcqz.job

D:\Autorun.inf

c:\windows\Tasks.\xydvdcqz.job . . . . failed to delete

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))

.

2010-04-30 05:12 . 2010-05-02 16:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\lljojolkd

2010-04-15 02:16 . 2010-04-15 02:16 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe

2010-04-15 02:15 . 2010-04-15 02:15 -------- d-----w- c:\program files\Common Files\Intuit Shared

2010-04-15 02:10 . 2010-04-15 02:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Lacerte

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-04 15:59 . 2010-02-27 21:28 256 ----a-w- c:\windows\system32\pool.bin

2010-05-03 03:34 . 2008-05-13 22:44 -------- d-----w- c:\program files\PCCW

2010-05-02 16:35 . 2008-09-17 00:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 19:39 . 2009-11-18 19:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-11-18 19:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 03:48 . 2010-03-26 06:13 -------- d-----w- c:\program files\WebCompass

2010-04-16 03:55 . 2008-02-16 20:07 59448 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-15 19:06 . 2008-02-16 17:16 -------- d-----w- c:\program files\Common Files\lacerte shared

2010-04-01 21:00 . 2009-12-21 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0

2010-03-31 04:55 . 2009-05-21 23:24 -------- d-----w- c:\program files\Broco Trader

2010-03-11 12:38 . 2006-02-28 02:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-02-28 02:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-02-28 02:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-02-28 02:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-28 22:35 . 2010-02-28 22:35 26694 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E896DA69-F993-440E-8515-EB197EFB284F}\BlackBerry.exe

2010-02-24 12:31 . 2006-02-28 02:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 17:35 . 2006-02-28 02:00 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 16:57 . 2006-02-28 02:00 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:36 . 2006-02-28 02:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 11:08 . 2006-02-28 02:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-08-28 15:07 . 2009-08-28 15:07 102 ----a-w- c:\program files\rxfcmo.txt

2009-08-17 07:03 . 2009-08-17 07:03 32768 --sha-w- c:\windows\system32\bijehiku.exe

2009-08-17 07:03 . 2009-08-17 07:03 13312 --sha-w- c:\windows\system32\rowahovo.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-08-11 331288]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2007-03-26 53248]

"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-03 36864]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-08-01 815104]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-20 8466432]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Service Manager.norun [2008-2-16 1908]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/9/2007 5:55 AM 540184]

R2 wcsv;WebCompass Updater Service;c:\windows\system32\svchost.exe -k WebCompass [2/27/2006 10:00 PM 14336]

S?2 gupdate1ca291bb2490f4e;Google Update Service (gupdate1ca291bb2490f4e);c:\program files\Google\Update\GoogleUpdate.exe [8/29/2009 10:43 PM 133104]

S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [5/13/2008 6:44 PM 26304]

S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]

S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

WebCompass REG_MULTI_SZ wcsv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 21:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 02:43]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 02:43]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: intuit.com

Trusted Zone: intuit.net

Trusted Zone: lscsoft.com

DPF: {0F15679F-75AB-4B96-A08C-472B7DB1A0F2} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/03prepinstall.cab

DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxp://imgweb.charlestoncounty.org/appnet/activex/OBXWebSelect.cab

DPF: {710B08F6-6CD1-48EA-BC2F-5D31741DC480} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/03webinstall.cab

DPF: {C021A4D6-173F-4BF4-B38C-B12CAA20E518} - hxxp://www.mgoon.com/launcher.cab

DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} - hxxp://imgweb.charlestoncounty.org/appnet/activex/OBXWebViewer.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m0ltih7r.default\

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

------- File Associations -------

.

txtfile="c:\program files\e\e.exe" "%1"

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)

AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-04 12:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4040)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-05-04 12:05:11 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-04 16:05

Pre-Run: 215,310,458,880 bytes free

Post-Run: 217,457,696,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 57C625B19BF39CE2FA0D296ABA6456D6

Maniac · May 4, 2010

Please go to http://virustotal.com

Next to the "Browse" button, in to the blank field, please paste the following:

c:\program files\e\e.exe

Hit SEND FILE. Please be patient, it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here).

If there are any files in that folder:

c:\documents and settings\Administrator\Local Settings\Application Data\lljojolkd

Please check and them at Virustotal.

messdupcomp · May 6, 2010

I tried to paste c:\program files\e\e.exe in the field to the left of the browse button. Every time I click inside the field to paste it a window pops up called file upload giving me the option to choose a file path from my computer.

I pasted c:\program files\e\e.exe in the popup window that had the files and folders of my computer and it said "file not found please verify the correct file name was given"

I then pasted the following path in to the pop up window

c:\documents and settings\Administrator\Local Settings\Application Data\lljojolkd

No files where in the folder. I tried to search for the folder manually just to double check but when I got to the administrator folder there was no local settings file folder. I could not go any father with the manual search... but again the file folder lljojolkd does seem to show that it's empty whenever i past the path in the file upload window.

When I click the open button to upload it to virustotal nothing happens.

Maniac · May 6, 2010

You can't upload folder in Virustotal.

About e.exe - click on Choose... buton, locate to:

c:\program files\e

Double click on e.exe and finally choose Send file button.

messdupcomp · May 7, 2010

Maybe I am misunderstanding. At the VirusTotal homepage in the middle of the screen it says upload file, directly below those words there is a browse button to the right of the field. When I click in side the field (or click browse) a popup window appears. At the bottom of that window it has two fields one on top of the other. The first field says file name, the second says file type which has the words "all files" in the field. To the right of those fields are buttons that say open and cancel one on top of the other.

In the main content area of the popup window there are the files and folders of my computer.

I placed the path c:\program files\e in the file name field and it found a folder called support, when opened contained a whole bunch of there folders. I did not find e.exe. When I tried e.exe in the file name field it comes up with file not found.

I don't see the options that you are explaining when you say "click on Choose... buton, locate to:

c:\program files\e" I did not see any thing with the words "Choose....buton, locate to:" on my computer when the popup window come up to select a file to open or on the VirusTotal website

Maniac · May 7, 2010

1. Open Virustotal

2. Click on Choose... button

3. From the new dialog box, navigate to c:\program files\e

http://img405.imageshack.us/i/shotab.png/

4. Double click on e.exe

5. Click on Send button.

messdupcomp · May 8, 2010

When I try to send the file a dialog box appears and reads "the item e.exe that this short cut refers to has been changed or moved, so this short cut will no longer work properly"

I also downloaded the virustotal uploader to my desktop then I went to the file path on my computer, right clicked and sent the file to virus total that way. A web browser popped up with nothing was in it?

Thank you for your continued help.

Maniac · May 8, 2010

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=48904

KillAll::

Suspect::[8]
c:\program files\rxfcmo.txt
c:\windows\system32\bijehiku.exe
c:\windows\system32\rowahovo.exe
c:\program files\e\e.exe
c:\windows\Tasks.\xydvdcqz.job

DirLook::
c:\documents and settings\Administrator\Local Settings\Application Data\lljojolkd

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

messdupcomp · May 12, 2010

ComboFix 10-05-11.06 - Administrator 05/12/2010 11:44:15.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1365 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

file zipped: c:\program files\rxfcmo.txt

file zipped: c:\windows\system32\bijehiku.exe

file zipped: c:\windows\system32\rowahovo.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\g2mdlhlpx.exe

c:\windows\system32\bijehiku.exe

c:\windows\system32\rowahovo.exe

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))

.

2010-05-12 15:30 . 2010-05-12 15:30 -------- d-----w- c:\windows\LastGood.Tmp

2010-05-08 21:14 . 2010-05-08 21:14 -------- d-----w- c:\program files\VirusTotalUploader2

2010-05-04 15:51 . 2010-05-04 16:05 -------- d-----w- C:\Combo-Fix

2010-04-30 05:12 . 2010-05-02 16:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\lljojolkd

2010-04-15 02:16 . 2010-04-15 02:16 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe

2010-04-15 02:15 . 2010-04-15 02:15 -------- d-----w- c:\program files\Common Files\Intuit Shared

2010-04-15 02:10 . 2010-04-15 02:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Lacerte

1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\windows\system32\pwd.dll

1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\windows\system32\chg.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-11 19:53 . 2008-05-13 22:44 -------- d-----w- c:\program files\PCCW

2010-05-07 04:30 . 2009-12-27 19:52 -------- d-----w- c:\program files\e

2010-05-04 21:01 . 2009-12-21 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0

2010-05-04 16:11 . 2010-02-27 21:28 256 ----a-w- c:\windows\system32\pool.bin