I believe I have Alureon.A

ashlar · December 6, 2010

Followed "I'm infected - What do I do now?, Please follow these instructions to clean your system"..I did remove MS Security Essentials and ran combofix previous to doing this though. I can't get my wireless to work as CF quarantined tcip.reg..not sure if thats even related. Earlier in the days MSE told me I have Trojan:DOS/Alureon.A variant though and I seem to recall it trying to remove something at the MBR level. psbase3.dll has been the only think I know thats been installed before I ran into problems that originally hijaked my web browsers.

==================================================================

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5251

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/5/2010 4:48:01 PM

mbam-log-2010-12-05 (16-48-01).txt

Scan type: Quick scan

Objects scanned: 138824

Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

========================================================================

DDS (Ver_10-12-05.01) - NTFSx86

Run by __ at 16:41:01.56 on Sun 12/05/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2449 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

E:\Program Files\Avira\AntiVir Desktop\avguard.exe

E:\Program Files\Avira\AntiVir Desktop\avshadow.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

E:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

E:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

E:\WINDOWS\System32\bcmwltry.exe

E:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

E:\Program Files\Avira\AntiVir Desktop\avmailc.exe

E:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

E:\Program Files\Bonjour\mDNSResponder.exe

E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

E:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe

E:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

E:\Program Files\Norton Ghost\Agent\VProSvc.exe

E:\WINDOWS\system32\svchost.exe -k imgsvc

E:\WINDOWS\system32\dllhost.exe

E:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

E:\Program Files\Norton Ghost\Agent\VProTray.exe

E:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe

E:\WINDOWS\RTHDCPL.EXE

E:\Program Files\iTunes\iTunesHelper.exe

E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

E:\WINDOWS\system32\wltray.exe

E:\Program Files\Avira\AntiVir Desktop\avgnt.exe

E:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe

E:\WINDOWS\system32\dllhost.exe

E:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

E:\WINDOWS\system32\wscntfy.exe

E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

E:\WINDOWS\system32\wuauclt.exe

E:\WINDOWS\explorer.exe

E:\Program Files\Mozilla Firefox\firefox.exe

E:\Program Files\Mozilla Firefox\plugin-container.exe

E:\Documents and Settings\__\Desktop\dds.scr

E:\Program Files\Avira\AntiVir Desktop\avconfig.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\program files\spybot - search & destroy\SDHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No File

mRun: [iAAnotif] e:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [JMB36X IDE Setup] e:\windows\raidtool\xInsIDE.exe

mRun: [36X Raid Configurer] e:\windows\system32\xRaidSetup.exe boot

mRun: [Norton Ghost 14.0] "e:\program files\norton ghost\agent\VProTray.exe"

mRun: [NeroFilterCheck] e:\windows\system32\NeroCheck.exe

mRun: [PrnStatusMX] e:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe

mRun: [AdobeCS4ServiceManager] "e:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "e:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"

mRun: [AppleSyncNotifier] e:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [broadcom Wireless Manager] e:\windows\system32\wltray.exe

mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [DWQueuedReporting] "e:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\dynexw~1.lnk - e:\program files\dynex g desktop card adapter\DynexWCUI.exe

IE: Append Link Target to Existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\program files\spybot - search & destroy\SDHelper.dll

LSP: e:\program files\avira\antivir desktop\avsda.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272525533046

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\__\applic~1\mozilla\firefox\profiles\rjaoickg.default\

FF - prefs.js: browser.startup.homepage - hxxP://WWW.DJBEEJ.COM

FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: e:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - e:\docume~1\__\applic~1\mozilla\firefox\profiles\rjaoickg.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - e:\docume~1\__\applic~1\mozilla\firefox\profiles\rjaoickg.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - e:\docume~1\__\applic~1\mozilla\firefox\profiles\rjaoickg.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Firebug: firebug@software.joehewitt.com - e:\docume~1\__\applic~1\mozilla\firefox\profiles\rjaoickg.default\extensions\firebug@software.joehewitt.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2010-12-5 11608]

R2 AntiVirMailService;Avira AntiVir MailGuard;e:\program files\avira\antivir desktop\avmailc.exe [2010-12-5 337064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2010-12-5 135336]

R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2010-12-5 267432]

R2 AntiVirWebService;Avira AntiVir WebGuard;e:\program files\avira\antivir desktop\avwebgrd.exe [2010-12-5 405672]

R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2010-12-5 60936]

R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-5 363344]

R2 NIHardwareService;NIHardwareService;e:\program files\common files\native instruments\hardware\NIHardwareService.exe [2010-10-19 3791872]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;e:\windows\system32\dllhost.exe [2008-4-13 5120]

R3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [2010-12-5 20952]

R3 SymSnapService;SymSnapService;e:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]

S3 Ambfilt;Ambfilt;e:\windows\system32\drivers\Ambfilt.sys [2010-4-28 1691480]

S3 Bulk;HDJBulk;e:\windows\system32\drivers\hdjbulk.sys --> e:\windows\system32\drivers\HDJBulk.sys [?]

S3 HDJAsioK;HDJAsioK;e:\windows\system32\drivers\hdjasiok.sys --> e:\windows\system32\drivers\HDJAsioK.sys [?]

S3 HDJMidi;Hercules DJ Console Rmx MIDI;e:\windows\system32\drivers\hdjmidi.sys --> e:\windows\system32\drivers\HDJMidi.sys [?]

S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;e:\windows\system32\drivers\maudiofasttrack.sys --> e:\windows\system32\drivers\MAudioFastTrack.sys [?]

S3 MAUSBMIDI;Service for M-Audio USB MIDI Series;e:\windows\system32\drivers\maudiousbmidi.sys --> e:\windows\system32\drivers\MAudioUSBMIDI.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\14.tmp --> e:\windows\system32\14.tmp [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;e:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-12-06 00:35:03 -------- d-----w- e:\program files\VS Revo Group

2010-12-06 00:28:59 -------- d-----w- E:\ComboFix

2010-12-06 00:15:05 -------- d-----w- e:\docume~1\__\applic~1\Download Manager

2010-12-06 00:12:11 89088 ----a-w- e:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll.new

2010-12-06 00:12:02 89088 -c----w- e:\windows\system32\dllcache\SETE9.tmp

2010-12-06 00:12:02 597504 -c----w- e:\windows\system32\dllcache\SETE8.tmp

2010-12-06 00:12:02 597504 ------w- e:\windows\system32\spool\prtprocs\w32x86\SETCB.tmp

2010-12-06 00:12:02 575488 -c----w- e:\windows\system32\dllcache\SETE7.tmp

2010-12-06 00:12:02 575488 ------w- e:\windows\system32\SETD4.tmp

2010-12-06 00:12:02 1676288 -c----w- e:\windows\system32\dllcache\SETE6.tmp

2010-12-06 00:12:02 1676288 ------w- e:\windows\system32\SETD3.tmp

2010-12-06 00:12:02 117760 ------w- e:\windows\system32\SETD5.tmp

2010-12-06 00:12:02 -------- d-----w- E:\e87a74117322168fdd

2010-12-06 00:09:55 -------- d-----w- E:\98206a87fbdf71a8ee

2010-12-05 23:38:39 -------- d-----w- e:\windows\SQL9_KB970895_ENU

2010-12-05 21:41:11 -------- d-----w- e:\docume~1\__\applic~1\Avira

2010-12-05 21:39:56 -------- d-----w- e:\windows\system32\NtmsData

2010-12-05 21:34:50 60936 ----a-w- e:\windows\system32\drivers\avgntflt.sys

2010-12-05 21:34:50 -------- d-----w- e:\program files\Avira

2010-12-05 21:34:50 -------- d-----w- e:\docume~1\alluse~1\applic~1\Avira

2010-12-05 12:54:34 -------- d-----w- e:\program files\Sophos

2010-12-05 11:20:40 -------- d-----w- e:\windows\Performance

2010-12-05 11:20:34 -------- d-----w- e:\docume~1\__\locals~1\applic~1\Microsoft Corporation

2010-12-05 11:20:12 -------- d-----w- e:\program files\Microsoft Windows 7 Upgrade Advisor

2010-12-05 08:16:47 -------- d-----w- e:\docume~1\__\applic~1\Malwarebytes

2010-12-05 08:14:58 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys

2010-12-05 08:14:57 -------- d-----w- e:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-05 08:14:54 20952 ----a-w- e:\windows\system32\drivers\mbam.sys

2010-12-05 08:14:53 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware

2010-12-05 03:42:04 -------- d-----w- e:\docume~1\__\applic~1\InstallShield

2010-12-05 03:34:46 -------- d-sha-r- E:\cmdcons

2010-12-05 03:34:45 -------- d-----w- e:\windows\setup.pss

2010-12-05 02:08:00 98816 ----a-w- e:\windows\sed.exe

2010-12-05 02:08:00 89088 ----a-w- e:\windows\MBR.exe

2010-12-05 02:08:00 256512 ----a-w- e:\windows\PEV.exe

2010-12-05 02:08:00 161792 ----a-w- e:\windows\SWREG.exe

2010-12-05 00:25:13 54784 --sha-r- e:\windows\system32\psbase3.dll

2010-11-29 03:31:22 -------- d-----w- e:\docume~1\__\locals~1\applic~1\WindowsApplication1

2010-11-29 03:19:49 -------- d-----w- e:\docume~1\__\locals~1\applic~1\ContainerEx

2010-11-29 03:19:47 -------- d-----w- e:\program files\Xenocode

2010-11-29 03:19:47 -------- d-----w- e:\docume~1\__\locals~1\applic~1\Xenocode

2010-11-28 04:10:38 57344 ----a-r- e:\docume~1\__\applic~1\microsoft\installer\{269d9c87-36e2-453e-a58d-b39bd617917c}\NewShortcut7_B56E5B51EA954C948003CC703E2AFAD5.exe

2010-11-28 04:10:38 57344 ----a-r- e:\docume~1\__\applic~1\microsoft\installer\{269d9c87-36e2-453e-a58d-b39bd617917c}\NewShortcut1_9046FC1E1C604E8F87F08E640274C274.exe

2010-11-28 04:10:34 -------- d-----w- e:\program files\Serato

2010-11-18 04:01:11 -------- dc-h--w- e:\docume~1\alluse~1\applic~1\{A0DFE2A5-DE68-41F3-8861-73E954C1D41D}

2010-11-18 04:00:10 -------- dc-h--w- e:\docume~1\alluse~1\applic~1\{BB25779E-744C-48F3-94DE-CD6F60A5AC55}

2010-11-18 03:59:45 -------- dc-h--w- e:\docume~1\alluse~1\applic~1\{A6DB2A6F-FF9D-453F-99D6-C1AA54BC0C14}

2010-11-13 22:37:58 -------- d-----w- e:\program files\ASIO4ALL v2

2010-11-10 09:42:31 -------- d-----w- e:\docume~1\__\applic~1\Media Player Classic

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- e:\windows\system32\MpSigStub.exe

2010-09-18 20:23:26 974848 ----a-w- e:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- e:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- e:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- e:\windows\system32\mfc40u.dll

2010-09-15 11:50:37 472808 ----a-w- e:\windows\system32\deployJava1.dll

2010-09-15 09:29:49 73728 ----a-w- e:\windows\system32\javacpl.cpl

2010-09-10 05:58:08 916480 ----a-w- e:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- e:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- e:\windows\system32\inetcpl.cpl

2010-09-08 18:17:46 94208 ----a-w- e:\windows\system32\QuickTimeVR.qtx

2010-09-08 18:17:46 69632 ----a-w- e:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully

user: MBR read successfully

Disk trace:

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user != kernel MBR !!!

sectors 290437118 (+255): user != kernel

============= FINISH: 16:41:18.09 ===============

Attach.zip

ashlar · December 7, 2010

C'mon guys I need your help as a registered owner of your MBAM =)

Gammo · December 9, 2010

Hi,

Please delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations (or in your case, you can download the file on another PC and then transfer the file with an USB flash drive):

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
Click me
If you can't disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

ashlar · December 10, 2010

I'll be out of the office until this day next week. Please do not remove this post as I will respond as soon as I get back. Thank you very much for your help and time.

Gammo · December 13, 2010

Fine by me. I'll keep this thread open.

ashlar · December 16, 2010

ComboFix 10-12-15.06 - __ 12/16/2010 1:04.10.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2642 [GMT -8:00]

Running from: e:\documents and settings\__\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))

.

2010-12-06 05:36 . 2010-12-06 05:37 -------- d-----w- E:\b91e250315f9bcaf56bb

2010-12-06 04:25 . 2010-12-06 04:25 -------- d-----w- e:\program files\ESET

2010-12-06 00:35 . 2010-12-06 00:51 -------- d-----w- e:\program files\VS Revo Group

2010-12-06 00:15 . 2010-12-06 00:16 -------- d-----w- e:\documents and settings\__\Application Data\Download Manager

2010-12-06 00:12 . 2010-12-06 00:12 -------- d-----w- E:\e87a74117322168fdd

2010-12-05 23:38 . 2010-12-05 23:38 -------- d-----w- e:\windows\SQL9_KB970895_ENU

2010-12-05 21:41 . 2010-12-05 21:41 -------- d-----w- e:\documents and settings\__\Application Data\Avira

2010-12-05 21:39 . 2010-12-06 08:57 -------- d-----w- e:\windows\system32\NtmsData

2010-12-05 21:34 . 2010-12-16 09:00 135096 ----a-w- e:\windows\system32\drivers\avipbb.sys

2010-12-05 21:34 . 2010-12-06 08:37 61960 ----a-w- e:\windows\system32\drivers\avgntflt.sys

2010-12-05 21:34 . 2010-12-05 21:35 -------- d-----w- e:\documents and settings\All Users\Application Data\Avira

2010-12-05 21:34 . 2010-12-05 21:34 -------- d-----w- e:\program files\Avira

2010-12-05 21:34 . 2009-05-11 20:49 51992 ----a-w- e:\windows\system32\drivers\avgntdd.sys

2010-12-05 21:34 . 2009-05-11 20:49 17016 ----a-w- e:\windows\system32\drivers\avgntmgr.sys

2010-12-05 12:54 . 2010-12-05 12:54 -------- d-----w- e:\program files\Sophos

2010-12-05 11:20 . 2010-12-05 11:20 -------- d-----w- e:\windows\Performance

2010-12-05 11:20 . 2010-12-05 11:20 -------- d-----w- e:\documents and settings\__\Local Settings\Application Data\Microsoft Corporation

2010-12-05 11:20 . 2010-12-05 11:20 -------- d-----w- e:\program files\Microsoft Windows 7 Upgrade Advisor

2010-12-05 10:36 . 2010-12-05 11:25 -------- d-----w- e:\program files\Windows Live Safety Center

2010-12-05 08:16 . 2010-12-05 08:16 -------- d-----w- e:\documents and settings\__\Application Data\Malwarebytes

2010-12-05 08:14 . 2010-11-30 01:42 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys

2010-12-05 08:14 . 2010-12-05 08:14 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-05 08:14 . 2010-11-30 01:42 20952 ----a-w- e:\windows\system32\drivers\mbam.sys

2010-12-05 08:14 . 2010-12-05 08:14 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware

2010-12-05 03:42 . 2010-12-05 03:42 -------- d-----w- e:\documents and settings\__\Application Data\InstallShield

2010-12-05 00:25 . 2010-12-05 00:25 54784 --sha-r- e:\windows\system32\psbase3.dll

2010-11-29 03:31 . 2010-11-29 03:31 -------- d-----w- e:\documents and settings\__\Local Settings\Application Data\WindowsApplication1

2010-11-29 03:19 . 2010-11-29 03:19 -------- d-----w- e:\documents and settings\__\Local Settings\Application Data\ContainerEx

2010-11-29 03:19 . 2010-11-29 03:19 -------- d-----w- e:\program files\Xenocode

2010-11-29 03:19 . 2010-11-29 03:19 -------- d-----w- e:\documents and settings\__\Local Settings\Application Data\Xenocode

2010-11-28 04:10 . 2010-11-28 04:10 57344 ----a-r- e:\documents and settings\__\Application Data\Microsoft\Installer\{269D9C87-36E2-453E-A58D-B39BD617917C}\NewShortcut7_B56E5B51EA954C948003CC703E2AFAD5.exe

2010-11-28 04:10 . 2010-11-28 04:10 57344 ----a-r- e:\documents and settings\__\Application Data\Microsoft\Installer\{269D9C87-36E2-453E-A58D-B39BD617917C}\NewShortcut1_9046FC1E1C604E8F87F08E640274C274.exe

2010-11-28 04:10 . 2010-11-28 04:10 -------- d-----w- e:\program files\Serato

2010-11-18 04:01 . 2010-11-18 04:01 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{A0DFE2A5-DE68-41F3-8861-73E954C1D41D}

2010-11-18 04:00 . 2010-11-18 04:00 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{BB25779E-744C-48F3-94DE-CD6F60A5AC55}

2010-11-18 03:59 . 2010-11-18 03:59 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{A6DB2A6F-FF9D-453F-99D6-C1AA54BC0C14}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-19 20:51 . 2010-09-02 06:30 222080 ------w- e:\windows\system32\MpSigStub.exe

2010-09-18 20:23 . 2007-04-03 06:44 974848 ----a-w- e:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- e:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- e:\windows\system32\mfc40u.dll

2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- e:\windows\system32\mfc40.dll

.

------- Sigcheck -------

[-] 2010-04-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . e:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-12-06_00.25.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-16 08:58 . 2010-12-16 08:58 16384 e:\windows\temp\Perflib_Perfdata_bb4.dat

+ 2010-12-16 08:58 . 2010-12-16 08:58 16384 e:\windows\temp\Perflib_Perfdata_a3c.dat

+ 2010-07-22 00:47 . 2008-07-06 12:06 89088 e:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

+ 2008-04-14 03:42 . 2008-05-19 14:33 18944 e:\windows\system32\msisip.dll

+ 2008-04-14 03:42 . 2008-05-19 09:57 95744 e:\windows\system32\msiexec.exe

+ 2008-04-14 03:42 . 2008-05-19 14:33 18944 e:\windows\system32\dllcache\msisip.dll

+ 2008-04-14 03:42 . 2008-05-19 09:57 95744 e:\windows\system32\dllcache\msiexec.exe

+ 2007-03-23 03:24 . 2008-07-06 12:06 89088 e:\windows\system32\dllcache\filterpipelineprintproc.dll

- 2010-04-29 05:53 . 2010-12-06 00:01 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-04-29 05:53 . 2010-12-06 03:23 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2010-04-29 05:53 . 2010-12-06 00:01 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-04-29 05:53 . 2010-12-06 03:23 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-12-05 23:28 . 2010-12-06 03:23 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat

- 2010-12-05 23:28 . 2010-12-06 00:01 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-12-06 01:19 . 2010-12-06 01:19 37888 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 36864 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 94208 e:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 82944 e:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 55296 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 65024 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 74752 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 14336 e:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe

+ 2010-12-06 01:15 . 2010-12-06 01:15 25600 e:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll

+ 2008-04-13 19:09 . 2008-04-17 09:43 2560 e:\windows\system32\msimsg.dll

+ 2008-04-13 19:09 . 2008-04-17 09:43 2560 e:\windows\system32\dllcache\msimsg.dll

+ 2007-03-23 13:07 . 2008-07-06 12:06 575488 e:\windows\system32\xpsshhdr.dll

+ 2010-07-22 00:47 . 2008-07-06 12:06 147456 e:\windows\system32\spool\prtprocs\x64\filterpipelineprintproc.dll

+ 2007-03-23 03:25 . 2008-07-06 10:50 597504 e:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

+ 2007-03-23 03:25 . 2008-07-06 12:06 117760 e:\windows\system32\prntvpt.dll

+ 2008-04-14 03:42 . 2008-05-19 14:33 332800 e:\windows\system32\msihnd.dll

+ 2007-03-23 13:07 . 2008-07-06 12:06 575488 e:\windows\system32\dllcache\xpsshhdr.dll

+ 2007-03-23 03:25 . 2008-07-06 10:50 597504 e:\windows\system32\dllcache\printfilterpipelinesvc.exe

+ 2008-04-14 03:42 . 2008-05-19 14:33 332800 e:\windows\system32\dllcache\msihnd.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 321536 e:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe

+ 2010-12-06 01:19 . 2010-12-06 01:19 400896 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 129536 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 202240 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 859648 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 328704 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 301056 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 547328 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 141312 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 627200 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 212992 e:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 676352 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\1c8df2da33222c048d683017f2095f04\System.Security.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 311296 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 621056 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\519d9c618341b136f9b963ffb7495308\System.Net.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 998400 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 330752 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll

+ 2010-12-06 01:14 . 2010-12-06 01:14 381440 e:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll

+ 2010-12-06 01:14 . 2010-12-06 01:14 212992 e:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 280064 e:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 627712 e:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 455680 e:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c434a07332ce490711c27fd0edb7562f\System.DirectoryServices.Protocols.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 881152 e:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 939008 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 354816 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 756736 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 135680 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 971264 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\b82c00e2d24305ad6cb08556e3779b75\System.Configuration.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 141312 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 633856 e:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 366080 e:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe

+ 2010-12-06 01:15 . 2010-12-06 01:15 256000 e:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 320512 e:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe

+ 2010-12-06 01:16 . 2010-12-06 01:16 133632 e:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe

+ 2010-12-06 01:15 . 2010-12-06 01:15 386560 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 144384 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 175104 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 839680 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 222720 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 220672 e:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 410112 e:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe

+ 2010-12-06 01:16 . 2010-12-06 01:16 842240 e:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\b5b2feadc3943e3976daebc0bcd2b5e2\AspNetMMCExt.ni.dll

+ 2007-03-23 13:07 . 2008-07-06 12:06 1676288 e:\windows\system32\xpssvcs.dll

+ 2008-04-14 03:42 . 2008-05-19 14:33 4445184 e:\windows\system32\msi.dll

- 2010-04-28 22:43 . 2010-12-05 23:47 2009632 e:\windows\system32\FNTCACHE.DAT

+ 2010-04-28 22:43 . 2010-12-06 02:39 2009632 e:\windows\system32\FNTCACHE.DAT

+ 2007-03-23 13:07 . 2008-07-06 12:06 1676288 e:\windows\system32\dllcache\xpssvcs.dll

+ 2008-04-14 03:42 . 2008-05-19 14:33 4445184 e:\windows\system32\dllcache\msi.dll

+ 2010-12-06 01:19 . 2010-12-06 01:19 1356288 e:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ac1750e78d79520dcf19195772eff1b6\System.WorkflowServices.ni.dll

+ 2010-12-06 01:19 . 2010-12-06 01:19 1908224 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d265da36954fcb4cb7ad5adc693ea0f2\System.Workflow.Runtime.ni.dll

+ 2010-12-06 01:19 . 2010-12-06 01:19 4514304 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll

+ 2010-12-06 01:19 . 2010-12-06 01:19 2992640 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll

+ 2010-12-06 01:19 . 2010-12-06 01:19 1840640 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b57bb002a655920cbfa2bee29d1e22b7\System.Web.Services.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 2209280 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 2403328 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 1917440 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\63cf639b6e0a3c25c1643c85016e7422\System.Speech.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 1706496 e:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 2338304 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\034c91b133dee73d452652c52767b5ea\System.Runtime.Serialization.ni.dll

+ 2010-12-06 01:14 . 2010-12-06 01:14 1056768 e:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c2de8479e54852f56996f79bc93acb13\System.IdentityModel.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 1116672 e:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\543aced762f6b0c3f8e037955941afc6\System.DirectoryServices.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 1801216 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\a6b58624486714fa71e5e35186850ff0\System.Deployment.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 2510336 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\826b09ab0d0e36f4d631b4cd335df511\System.Data.SqlXml.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 1328128 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 9924096 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6479f975b105808a8d9e7a7fdc762551\System.Data.Entity.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 1712128 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 1093120 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\6b2f62f5e981913fce1d223f645d9ddf\Microsoft.Transactions.Bridge.ni.dll

+ 2010-12-06 01:17 . 2010-12-06 01:17 2332160 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 1620992 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 1966080 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll

+ 2010-12-06 01:16 . 2010-12-06 01:16 1888768 e:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\6cfe582681724965fb817e8ece5f0909\Microsoft.Build.Engine.ni.dll

+ 2010-12-06 01:18 . 2010-12-06 01:18 11796992 e:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll

+ 2010-12-06 01:15 . 2010-12-06 01:15 17317888 e:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\85a68b5908535729e0458a1a58001df3\System.ServiceModel.ni.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="e:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"JMB36X IDE Setup"="e:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="e:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]

"Norton Ghost 14.0"="e:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]

"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"PrnStatusMX"="e:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]

"AdobeCS4ServiceManager"="e:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"RTHDCPL"="RTHDCPL.EXE" [2010-05-01 19523616]

"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-30 443728]

"Broadcom Wireless Manager"="e:\windows\system32\wltray.exe" [2007-03-02 1282048]

"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-06 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

e:\documents and settings\All Users\Start Menu\Programs\Startup\

Dynex Wireless Networking Utility.lnk - e:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2010-12-5 1462272]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-12 05:43 640376 ----a-w- e:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"e:\\Program Files\\DC++\\DCPlusPlus.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

"e:\\Program Files\\uTorrent\\uTorrent.exe"=

"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"e:\\Program Files\\iTunes\\iTunes.exe"=

"e:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"e:\\Program Files\\Guillemot\\tools\\giWebUpdater.exe"=

"e:\\WINDOWS\\system32\\dpvsetup.exe"=

"e:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

"3689:TCP"= 3689:TCP:iTunes Sharing

R2 AntiVirMailService;Avira AntiVir MailGuard;e:\program files\Avira\AntiVir Desktop\avmailc.exe [12/5/2010 1:34 PM 339624]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [12/5/2010 1:34 PM 135336]

R2 AntiVirWebService;Avira AntiVir WebGuard;e:\program files\Avira\AntiVir Desktop\avwebgrd.exe [12/5/2010 1:34 PM 403624]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/5/2010 12:14 AM 363344]

R2 NIHardwareService;NIHardwareService;e:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [10/19/2010 9:34 AM 3791872]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;e:\windows\system32\dllhost.exe [4/13/2008 7:42 PM 5120]

R3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [12/5/2010 12:14 AM 20952]

R3 SymSnapService;SymSnapService;e:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1553896]

R3 WDC_SAM;WD SCSI Pass Thru driver;e:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

S3 Ambfilt;Ambfilt;e:\windows\system32\drivers\Ambfilt.sys [4/28/2010 10:34 PM 1691480]

S3 Bulk;HDJBulk;e:\windows\system32\Drivers\HDJBulk.sys --> e:\windows\system32\Drivers\HDJBulk.sys [?]

S3 HDJAsioK;HDJAsioK;e:\windows\system32\Drivers\HDJAsioK.sys --> e:\windows\system32\Drivers\HDJAsioK.sys [?]

S3 HDJMidi;Hercules DJ Console Rmx MIDI;e:\windows\system32\DRIVERS\HDJMidi.sys --> e:\windows\system32\DRIVERS\HDJMidi.sys [?]

S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;e:\windows\system32\DRIVERS\MAudioFastTrack.sys --> e:\windows\system32\DRIVERS\MAudioFastTrack.sys [?]

S3 MAUSBMIDI;Service for M-Audio USB MIDI Series;e:\windows\system32\DRIVERS\MAudioUSBMIDI.sys --> e:\windows\system32\DRIVERS\MAudioUSBMIDI.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\14.tmp --> e:\windows\system32\14.tmp [?]

S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [4/29/2010 12:50 AM 691696]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: e:\program files\Avira\AntiVir Desktop\avsda.dll

FF - ProfilePath - e:\documents and settings\__\Application Data\Mozilla\Firefox\Profiles\rjaoickg.default\

FF - prefs.js: browser.startup.homepage - hxxP://WWW.DJBEEJ.COM

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-16 01:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys iaStor.sys hal.dll

e:\docume~1\__\LOCALS~1\Temp\catchme.sys

e:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE62700]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-3[0x8A89D028]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user != kernel MBR !!!

sectors 290437118 (+255): user != kernel

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\e:\windows\system32\14.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)

e:\windows\system32\Ati2evxx.dll

e:\windows\system32\atiadlxx.dll

- - - - - - - > 'lsass.exe'(836)

e:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3424)

e:\windows\system32\WININET.dll

e:\windows\system32\ieframe.dll

e:\windows\system32\msi.dll

e:\windows\system32\webcheck.dll

e:\windows\system32\WPDShServiceObj.dll

e:\windows\system32\PortableDeviceTypes.dll

e:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-16 01:09:22

ComboFix-quarantined-files.txt 2010-12-16 09:09

ComboFix2.txt 2010-12-06 00:33

ComboFix3.txt 2010-12-06 00:27

Pre-Run: 8,017,989,632 bytes free

Post-Run: 8,016,961,536 bytes free

- - End Of File - - 4166DEF6DB57631FCCF851772773502D

ashlar · December 17, 2010

Fine by me. I'll keep this thread open.