Computer Hope

Software => Computer viruses and spyware => Topic started by: mims24 on September 19, 2009, 10:26:41 PM

Title: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 19, 2009, 10:26:41 PM
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_qfe.070227-2300)
Language: English (Regional Setting: English)
System Manufacturer: powerspec
System Model: E361
BIOS: Default System BIOS
Processor: Intel(R) Core(TM)2 Quad CPU    Q6700  @ 2.66GHz (4 CPUs)
Memory: 3322MB RAM
Page File: 203MB used, 5002MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
DX Setup Parameters: Not found
DxDiag Version: 5.03.2600.2180 32bit Unicode



OK, I remember a little while back I had been here when there was a virus that disabled Malwarebytes, and someone had directed me to a link that installed MB but downloaded under a different name, and it worked fine.
Well, the other day I updated MB and it no longer worked (some error code 707 3).
So I deleted both and re-installed MB again (not the one with the different name; I couldn't find the exe),
just the link suggested on the "Read this before requesting malware removal help" page.

Problem is, now the mbam-setup exe won't even open; it says "C:\Progra~1\Symantec\S32EVNT1.Dll. An installable Virtual Device Driver failed Dll initialization".

I know I picked up some kind of malware tonight, so this might be the problem.
I keep getting pop-ups from the bottom right saying "Trojan Detected" and "Computer at risk", etc.
And I saw some fishy DLL when I ran CCleaner called Braviex in the start-up, so I deleted that.

Usually MB would take care of this kind of stuff, but now I can't seem to get it to run, and my BitDefender never seems to pick up anything.

Can someone redirect me to the link that has the MB but under a different name?
Any help would be greatly appreciated.

-Mike





Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on September 20, 2009, 04:24:00 AM
Braviax has been getting around quite a bit lately.  It's a nuisance, but relatively easy to get rid of.  Go to this page:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

Follow the part that says Step 3: SUPERAntiSpyware.  From what I've seen, SAS is quite good at detecting this infection.  It doesn't find everything, but it'll get you going in the right direction.  Once you've scanned with SAS, post the log here.  Then try reinstalling MBAM.  If it works, run a scan with it, and it should get rid of the remainder of Braviax.  With this infection, the two programs need to work as a team, but as you now know, it disables MBAM!

Anyway, once you've scanned with MBAM, post that log here as well.  And then please post a HijackThis log also.  If you have any problems, post back and I (or another specialist) will try to help out.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 20, 2009, 12:46:52 PM
Thank you for your reply.
I did the first step and downloaded the SAS exe, but it's telling me "The system administrator has set policies to prevent installation",
even though I am logged in as the Admin.

Thanks again.

-mike

 
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on September 21, 2009, 01:28:51 AM
It looks like this little sucker is adapting and becoming trickier.  Try doing this in Safe Mode.  If you don't know how to enter Safe Mode, look at this link:
http://www.computerhope.com/issues/chsafe.htm

While in Safe Mode, try installing SAS.  If it doesn't work, then try installing MBAM again (if you have to, you can download it on another computer and then transfer it via flashdrive).  At least one of these should be able to install in Safe Mode.

If either program will work, scan with it and post the log here.  If you have no luck, let me know and I'll give you another program to try.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 21, 2009, 01:08:16 PM
Thanks Matt,
Neither SAS nor MB works in Safe Mode; they just don't open.
MB gives me an error 707 (3), and SAS the one about file permissions.

I actually had brought in the SAS yesterday through email from another computer because it simply wouldn't launch from mine; maybe that had to do with the file permissions?

Tonight when I get home I will bring it in via flash drive and give that a shot.
Then I'll post and let you know.

Thanks. 
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: cat-bomb on September 21, 2009, 02:34:02 PM
Flash drives are infectable. Please try and use a cd or dvd.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 21, 2009, 08:09:10 PM
No, nothing seems to be working.
Still the same errors :(




Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on September 21, 2009, 09:21:25 PM
I forgot to suggest renaming the files.  Name them cbmatt1.exe and cbmatt2.exe and see if they will run.  If not, see if this will work.  Use whatever method you can to get the program onto your computer.  Flash drives are infectable, but they will suffice if you have no other viable option...

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.


NOTE: If it won't work in Normal Mode, try in Safe Mode.  You may also need to rename the ComboFix file if it won't run.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 22, 2009, 12:40:26 AM
Thanks, here is the ComboFix log:



ComboFix 09-09-20.04 - Mike 2009-09-22  2:15.1.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3323.2921 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ydas.bat
c:\documents and settings\All Users\Application Data\ysid.scr
c:\documents and settings\All Users\Documents\fifal.inf
c:\documents and settings\All Users\Documents\koxe.dl
c:\documents and settings\All Users\Documents\ykygoxeh.vbs
c:\documents and settings\Mike\Application Data\axybixovu.com
c:\documents and settings\Mike\Application Data\etypah.vbs
c:\documents and settings\Mike\Application Data\inst.exe
c:\documents and settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Mike\Application Data\yqixer.dll
c:\documents and settings\Mike\Cookies\hulakuvyt.bin
c:\documents and settings\Mike\Cookies\piboceqa.lib
c:\documents and settings\Mike\Cookies\ugojim.bat
c:\documents and settings\Mike\Local Settings\Application Data\cunozupyk.bat
c:\program files\Common Files\vamuwi.exe
c:\recycler\S-1-5-21-1139334371-1240231164-418609414-500
c:\recycler\S-1-5-21-1468007736-1529030422-1409086007-500
c:\recycler\S-1-5-21-1651131100-3297319145-64728309-500
c:\recycler\S-1-5-21-1998970204-1611086259-4156484100-500
c:\recycler\S-1-5-21-2407261895-921458624-2646503882-500
c:\recycler\S-1-5-21-299502267-1214440339-682003330-500
c:\recycler\S-1-5-21-3811009231-2924526007-3457765865-500
c:\windows\ayuduqiyalo.dll
c:\windows\Installer\493c2.msi
c:\windows\Installer\8def05.msi
c:\windows\kohajoruhu.sys
c:\windows\system32\41.exe
c:\windows\system32\acJlmnnn.ini
c:\windows\system32\acJlmnnn.ini2
c:\windows\system32\basukavu.exe
c:\windows\system32\gehudehe.exe
c:\windows\system32\huzitala.exe
c:\windows\system32\iniasd.txt
c:\windows\system32\isazuno.reg
c:\windows\system32\mebasugu.exe
c:\windows\system32\MWaaHRqr.ini
c:\windows\system32\MWaaHRqr.ini2
c:\windows\system32\parahuri.exe
c:\windows\system32\phmdwnkq.ini
c:\windows\system32\prrnnknj.ini
c:\windows\system32\pukimssc.ini
c:\windows\system32\sejuvoma.exe
c:\windows\system32\tevqkmfe.ini
c:\windows\system32\tghtaxre.ini
c:\windows\system32\tyzutu.exe
c:\windows\system32\vxflwrms.ini
c:\windows\system32\winhelper.dll
c:\windows\system32\wisdstr.exe
c:\windows\uqyh.vbs
c:\windows\wojaxyreto.dl
c:\windows\zarij.dl
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


(((((((((((((((((((((((((   Files Created from 2009-08-22 to 2009-09-22  )))))))))))))))))))))))))))))))
.

2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 05:22 . 2009-09-22 06:17   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2009-09-20 18:26 . 2009-09-20 18:26   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-20 03:56 . 2009-09-20 03:56   13740   ----a-w-   c:\windows\edaruzibib.com
2009-09-20 03:56 . 2009-09-20 03:56   11668   ----a-w-   c:\documents and settings\Mike\Local Settings\Application Data\apeloxywez.dat
2009-09-20 03:29 . 2009-09-20 03:29   155648   ----a-w-   C:\ddbpu.exe
2009-09-20 03:29 . 2009-09-20 03:29   22016   ----a-w-   C:\ruptbvv.exe
2009-09-20 03:29 . 2009-09-20 03:29   49664   ----a-w-   C:\vhlyrkv.exe
2009-09-20 03:29 . 2009-09-20 03:29   48640   ----a-w-   C:\mdnsq.exe
2009-09-09 08:00 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\documents and settings\Mike\Application Data\YouSendIt
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\program files\YouSendIt
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\windows\Downloaded Installations
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\program files\WinPcap
2009-09-05 23:43 . 2009-09-05 23:43   --------   d-----w-   c:\windows\Replay Converter 3
2009-09-05 23:43 . 2009-09-05 23:43   737280   ----a-w-   c:\windows\iun6002.exe
2009-09-05 23:43 . 2009-09-11 08:13   --------   d-----w-   c:\program files\Replay AV 8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 05:53 . 2008-10-20 07:49   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-09-22 05:21 . 2008-11-06 22:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2009-09-22 05:14 . 2009-06-22 05:14   49152   --sha-w-   c:\windows\system32\zuhuyaba.dll
2009-09-22 05:14 . 2009-06-22 05:14   180224   --sha-w-   c:\windows\system32\sagopise.exe
2009-09-21 04:38 . 2009-06-21 04:38   89088   --sha-w-   c:\windows\system32\layezefu.dll
2009-09-20 04:35 . 2009-06-20 04:35   38400   --sha-w-   c:\windows\system32\dijuzihi.dll
2009-09-20 03:56 . 2009-09-20 03:56   17410   ----a-w-   c:\program files\Common Files\qysave._sy
2009-09-20 00:48 . 2008-11-02 20:26   189184   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-09-20 00:06 . 2009-01-10 16:38   138064   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-09-19 22:53 . 2008-02-06 16:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-09-18 18:40 . 2009-09-20 16:47   20780477   ----a-w-   c:\program files\PROCESSLIST.DB
2009-09-18 18:40 . 2009-09-20 16:47   1230109   ----a-w-   c:\program files\PROCESSLISTRELATED.DB
2009-09-11 08:16 . 2009-06-01 04:56   --------   d-----w-   c:\program files\iWin Games
2009-09-05 23:45 . 2008-11-09 17:50   --------   d-----w-   c:\program files\Replay Music 3
2009-09-05 23:40 . 2008-08-28 21:11   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\Common Files\DVDVideoSoft
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\DVDVideoSoft
2009-08-08 23:11 . 2009-08-08 23:11   70144   ----a-w-   c:\windows\system32\drivers\tpecwkicvfqrjaib.sys
2009-08-07 07:13 . 2008-06-04 01:41   --------   d-----w-   c:\documents and settings\Mike\Application Data\LimeWire
2009-08-05 09:01 . 2008-02-05 22:39   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-29 03:40 . 2009-01-10 16:37   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
2009-07-27 23:47 . 2009-01-15 15:38   81984   ----a-w-   c:\windows\system32\bdod.bin
2009-07-17 19:01 . 2008-02-05 22:39   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-02-05 22:39   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-02-05 22:39   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-02-05 22:39   56832   ----a-w-   c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-02-05 22:39   54272   ----a-w-   c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-02-05 22:39   147456   ----a-w-   c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-02-05 22:39   730112   ----a-w-   c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-02-05 22:39   301568   ----a-w-   c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-02-05 22:39   136192   ----a-w-   c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-02-05 22:39   92928   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2008-08-11 05:08 . 2008-08-11 05:08   978396   ----a-w-   c:\program files\BDAXP.cab
2008-06-30 17:44 . 2008-08-30 06:45   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-13 23:02 . 2008-08-13 23:02   35840   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
2009-06-22 05:14 . 2009-06-22 05:14   49152   --sha-w-   c:\windows\system32\pologodi.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d88e64f-79e7-471d-8dce-937dff8b92fd}]
2009-06-22 05:14   49152   --sha-w-   c:\windows\system32\pologodi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-15 716800]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-11 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli iacylo.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VSSERV"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"LIVESRV"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iWinTrusted"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"FlipShare Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=2 (0x2)
"Arrakis3"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aliasdocserver"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\After Effects 6.5\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\discreet\\cleaner XL\\cleaner XL.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Alias\\Maya6.0\\bin\\mayabatch.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 cgwc;cgwc;c:\windows\system32\drivers\admvgxwb.sys --> c:\windows\system32\drivers\admvgxwb.sys [?]
S2 fpinlgk;fpinlgk;c:\windows\system32\drivers\xnpj.sys --> c:\windows\system32\drivers\xnpj.sys [?]
S2 inyiqiv;inyiqiv;c:\windows\system32\drivers\kcsmpoxa.sys --> c:\windows\system32\drivers\kcsmpoxa.sys [?]
S2 lpvlpm;lpvlpm;c:\windows\system32\drivers\sqxof.sys --> c:\windows\system32\drivers\sqxof.sys [?]
S2 lqel;lqel;c:\windows\system32\drivers\hflfdgs.sys --> c:\windows\system32\drivers\hflfdgs.sys [?]
S2 pjqefld;pjqefld;c:\windows\system32\drivers\gczmyi.sys --> c:\windows\system32\drivers\gczmyi.sys [?]
S2 rpwlfydw;rpwlfydw;c:\windows\system32\drivers\mfmbtf.sys --> c:\windows\system32\drivers\mfmbtf.sys [?]
S2 rxium;rxium;c:\windows\system32\drivers\qjnb.sys --> c:\windows\system32\drivers\qjnb.sys [?]
S2 weolfr;weolfr;c:\windows\system32\drivers\fqff.sys --> c:\windows\system32\drivers\fqff.sys [?]
S2 xxgy;xxgy;c:\windows\system32\drivers\bwnabzzh.sys --> c:\windows\system32\drivers\bwnabzzh.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [2008-08-07 110592]
S4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 06:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\wikb88jo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_05.dll
FF - plugin: c:\program files\Java\jre6\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sovibusoba - wamonewe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 02:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b5,fe,1f,11,e2,04,7e,b7,fc,0a,c1,20,08,71,d0,02,df,f4,be,19,54,
   08,cb,c2,b3,08,e8,0c,49,3f,c1,02,bf,77,83,4c,ab,64,df,fe,0c,9f,86,a3,db,7d,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:32,49,1f,c5,b7,af,7b,ea,03,22,52,c7,8a,2e,ee,06,b4,cf,43,6a,0e,
   62,7f,57,c9,4e,21,1c,11,d6,1f,1d,93,a9,eb,25,94,7e,07,96,d6,a8,ad,db,1b,65,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(928)
c:\windows\iacylo.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(432)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\iacylo.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\BitDefender\BitDefender 2009\bdshelxt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\txmlutil.dll
c:\program files\BitDefender\BitDefender 2009\txmlx.dll
c:\program files\BitDefender\BitDefender 2009\ENU\bdshelxt.ui
c:\program files\YouSendIt\Express\version2\YsiExt.dll
c:\program files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
c:\program files\WinRAR\rarext.dll
c:\program files\7-Zip\7-zip.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\pologodi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\searchindexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-09-22  2:26 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-22 06:24

Pre-Run: 631,660,593,152 bytes free
Post-Run: 632,225,394,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

363   --- E O F ---   2009-09-11 04:23




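The ComboFix log above is what the helper reads by eye: plain files carrying the hidden+system attribute pair dropped straight into c:\windows\system32 (the --sha-w- rows) and auto-start drivers with random names whose image ComboFix could not read (the S2 ... [?] rows). As an added example, not code from this thread, from ComboFix or from its author, the script below re-implements those two checks over lines copied from the log; the regexes, the name heuristic and the SYSTEM_DIRS list are assumptions made for the example.

```python
"""Triage rules for ComboFix-style log lines (added example, not ComboFix code).

Sample rows are copied from the log in this thread; the parsing regexes and
the flagging rules below are assumptions, not ComboFix's own logic.
"""
import re
from typing import List, Tuple

# "Files Created" / "Find3M" rows:   mtime . ctime   size   attrs   path
FILE_ROW = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Driver/service rows:   <start> name;display;path [--> path] [date size | ?]
SVC_ROW = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+\S.*?)?\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Directories where a hidden+system *file* is worth a second look (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def _parent(path: str) -> str:
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def check_file_row(line: str) -> List[str]:
    """Reasons a file row deserves attention; empty list means none."""
    m = FILE_ROW.match(line)
    if not m:
        return []
    attrs, path = m["attrs"], m["path"]
    reasons: List[str] = []
    # 'd' marks a directory; 's' and 'h' are the system and hidden attributes.
    hidden_system = "h" in attrs and "s" in attrs and not attrs.startswith("d")
    if hidden_system and _parent(path) in SYSTEM_DIRS:
        reasons.append("hidden+system file in a Windows directory")
    return reasons


def check_service_row(line: str) -> List[str]:
    """Reasons a driver/service row deserves attention; empty list means none."""
    m = SVC_ROW.match(line)
    if not m:
        return []
    name, display, info = m["name"], m["display"], m["info"].strip()
    reasons: List[str] = []
    # "[?]" means ComboFix could not stat the image: the driver is registered
    # to start but its file is missing or hidden from the scanner.
    if info == "?":
        reasons.append("registered driver whose image could not be read")
    # Real drivers carry a descriptive display name; a short lowercase string
    # reused as both service name and display name looks machine-generated.
    if info == "?" and name == display and re.fullmatch(r"[a-z]{4,10}", name):
        reasons.append("random-looking service name with no description")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run both checks over every line; return (line, reasons) for the hits."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = check_file_row(line) or check_service_row(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample: six rows copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
2009-09-22 05:14 . 2009-06-22 05:14   49152   --sha-w-   c:\windows\system32\zuhuyaba.dll
2009-09-20 00:48 . 2008-11-02 20:26   189184   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-09-19 22:53 . 2008-02-06 16:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
S2 cgwc;cgwc;c:\windows\system32\drivers\admvgxwb.sys --> c:\windows\system32\drivers\admvgxwb.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Only the zuhuyaba.dll row and the cgwc driver row are flagged; the BitDefender, PunkBuster, WinPcap and InstallShield rows pass, which is the separation a human reading the log makes.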
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 22, 2009, 12:41:57 AM
And here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:48:33 AM, on 2009-09-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {7d88e64f-79e7-471d-8dce-937dff8b92fd} - pologodi.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: Add to  Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O20 - AppInit_DLLs: bezuyiza.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8277 bytes
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on September 22, 2009, 05:20:02 PM
Wow, quite the infection.  I see that you've got a severe case of Vundo, among other minor things.  But don't worry, we've already made a lot of progress just by being able to run this scan.

NOTE: You may want to print out the following.

First, I want you to run another scan with HijackThis and place checkmarks next to these entries:

O2 - BHO: (no name) - {7d88e64f-79e7-471d-8dce-937dff8b92fd} - pologodi.dll (file missing)

O20 - AppInit_DLLs: bezuyiza.dll


Close all other windows (except for HijackThis) and click on Fix Checked.  Then do the following...



Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
c:\windows\edaruzibib.com
c:\documents and settings\Mike\Local Settings\Application Data\apeloxywez.dat
C:\ddbpu.exe
C:\ruptbvv.exe
C:\vhlyrkv.exe
C:\mdnsq.exe
c:\windows\iun6002.exe
c:\windows\system32\zuhuyaba.dll
c:\windows\system32\sagopise.exe
c:\windows\system32\layezefu.dll
c:\windows\system32\dijuzihi.dll
c:\program files\Common Files\qysave._sy
c:\windows\system32\drivers\tpecwkicvfqrjaib.sys
c:\windows\system32\bdod.bin
c:\windows\system32\pologodi.dll
c:\windows\system32\wamonewe.dll
c:\windows\iacylo.dll
c:\windows\system32\txmlutil.dll
c:\windows\system32\bezuyiza.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d88e64f-79e7-471d-8dce-937dff8b92fd}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply, along with a new HijackThis log.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze.



After following all of these steps, see if you can get SAS and MBAM to work.  If so, please post their logs as well when you can.
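The two fixes above work on three persistence points that show up in the posted logs: a Browser Helper Object whose DLL is registered without a path and is already missing, an AppInit_DLLs value (a DLL that user32.dll loads into every process), and an LSA "Notification Packages" value that the CFScript resets to its default of scecli. The script below is an added example written for this thread; it is not code from the original posts nor from HijackThis or ComboFix. It triages HijackThis log lines with a few structural heuristics of my own (the sample lines are copied from the logs in this thread), decodes and re-encodes the hex(7) value from the CFScript so you can verify what it writes before running it, and emits a CFScript in the KillAll::/File::/Registry:: layout the post uses. The CFScript syntax is taken only from what appears on this page.

```python
"""Triage a HijackThis log for Vundo-style persistence and check a CFScript value.

Added example for this thread (not part of the original posts, HijackThis or
ComboFix).  Sample log lines are copied from the logs posted in the thread;
the flagging heuristics are this example's own assumptions.
"""
import re

# Constructed sample: a handful of lines copied from the HijackThis logs above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {7d88e64f-79e7-471d-8dce-937dff8b92fd} - pologodi.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [Kbozaqawicoziqow] rundll32.exe "C:\WINDOWS\uyomodoruvoz.dll",Startup
O20 - AppInit_DLLs: bezuyiza.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
"""

# HijackThis entry: section tag (O2, O4, O20, R1, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
# rundll32 loading a DLL that sits directly in C:\WINDOWS rather than a program folder.
RUNDLL_WINROOT_RE = re.compile(r'rundll32\.exe\s+"?C:\\WINDOWS\\[^\\"]+\.dll"?', re.I)


def triage_hjt(log_text):
    """Return (line, reason) pairs for entries matching the persistence patterns seen in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((line, "AppInit_DLLs: listed DLL is loaded into every process that loads user32.dll"))
        elif kind in ("O2", "O3") and "(no name)" in body and ("(file missing)" in body or "(no file)" in body):
            findings.append((line, "unnamed BHO/toolbar whose DLL is already gone: orphaned registration"))
        elif kind == "O4" and RUNDLL_WINROOT_RE.search(body):
            findings.append((line, "Run key uses rundll32 to load a DLL dropped directly in C:\\WINDOWS"))
    return findings


def decode_reg_multi_sz(hex7):
    """Decode a .reg-style hex(7) value: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    parts = [p for p in re.split(r"[,\s\\]+", hex7) if p]   # tolerate spaces and '\' continuations
    raw = bytes(int(p, 16) for p in parts)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_reg_multi_sz(strings):
    """Inverse of decode_reg_multi_sz; produces the exact byte list a CFScript Registry:: block expects."""
    data = "".join(s + "\x00" for s in strings) + "\x00"
    return ",".join(f"{b:02x}" for b in data.encode("utf-16-le"))


def build_cfscript(files, registry_keys_to_delete, registry_values=()):
    """Emit a CFScript in the KillAll:: / File:: / Registry:: layout used in the post above."""
    out = ["KillAll::", "", "File::", *files, "", "Registry::"]
    for key in registry_keys_to_delete:
        out.append(f"[-{key}]")                      # leading '-' deletes the whole key
    for key, name, hex7 in registry_values:          # (key, value name, hex(7) byte list)
        out += ["", f"[{key}]", f'"{name}"=hex(7):{hex7}']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_HJT_LOG):
        print(f"FLAG  {line}\n      {why}")
    # The Registry:: value from the CFScript above decodes to the default LSA package.
    lsa_default = "73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00"
    print("Notification Packages ->", decode_reg_multi_sz(lsa_default))
    print(build_cfscript(
        [r"c:\windows\system32\bezuyiza.dll", r"c:\windows\system32\pologodi.dll"],
        [r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d88e64f-79e7-471d-8dce-937dff8b92fd}"],
        [(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
          "Notification Packages", encode_reg_multi_sz(["scecli"]))],
    ))
```

Decoding the hex(7) string shows the CFScript rewrites "Notification Packages" to just `scecli`, which is the only package an XP box should have there; anything else in that REG_MULTI_SZ is a DLL that lsass.exe loads at boot and hands plaintext password changes to, which is why it is worth checking rather than pasting blindly. The triage heuristics deliberately stay structural (missing file, AppInit_DLLs set, rundll32 from the Windows root) instead of guessing from the random-looking names, so they do not flag legitimate vendor entries such as the BitDefender lines.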
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on September 23, 2009, 10:21:58 PM
 :) :) :) :) :) :) :) :) :)

CBMatt,  my computer is running better now than ever!
I can't thank you enough! I seriously thought I was screwed.

Even my BitDefender anti-virus is running smoothly again (it kept turning off).
After you gave me the script for ComboFix I was able to reload Malwarebytes, and a deep scan seemed to weed out the rest of whatever I had in there.

Thank you for your patience (I hope not to be back too soon ;)

Regards,

Mike.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on September 24, 2009, 09:16:18 PM
Great, I'm glad to hear that things are running smoothly again.  But would you mind posting the new ComboFix log (it should have created another one after my previous steps) and a new HijackThis log just so I can make sure it got everything?  I'd hate for you to go on your way when there might still be traces of an infection.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on October 04, 2009, 07:32:27 PM
Hi CBMatt, sorry for the late reply; I didn't realize you had posted again. :-\

Here is the ComboFix log:

---

ComboFix 09-09-20.04 - Mike 2009-09-23  0:25.2.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3323.2830 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FILE ::
"C:\ddbpu.exe"
"c:\documents and settings\Mike\Local Settings\Application Data\apeloxywez.dat"
"C:\mdnsq.exe"
"c:\program files\Common Files\qysave._sy"
"C:\ruptbvv.exe"
"C:\vhlyrkv.exe"
"c:\windows\edaruzibib.com"
"c:\windows\iacylo.dll"
"c:\windows\iun6002.exe"
"c:\windows\system32\bdod.bin"
"c:\windows\system32\bezuyiza.dll"
"c:\windows\system32\dijuzihi.dll"
"c:\windows\system32\drivers\tpecwkicvfqrjaib.sys"
"c:\windows\system32\layezefu.dll"
"c:\windows\system32\pologodi.dll"
"c:\windows\system32\sagopise.exe"
"c:\windows\system32\txmlutil.dll"
"c:\windows\system32\wamonewe.dll"
"c:\windows\system32\zuhuyaba.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ddbpu.exe
c:\documents and settings\Mike\Local Settings\Application Data\apeloxywez.dat
C:\mdnsq.exe
c:\program files\Common Files\qysave._sy
C:\ruptbvv.exe
C:\vhlyrkv.exe
c:\windows\edaruzibib.com
c:\windows\iacylo.dll
c:\windows\iun6002.exe
c:\windows\system32\bdod.bin
c:\windows\system32\dijuzihi.dll
c:\windows\system32\drivers\tpecwkicvfqrjaib.sys
c:\windows\system32\layezefu.dll
c:\windows\system32\pologodi.dll
c:\windows\system32\sagopise.exe
c:\windows\system32\txmlutil.dll
c:\windows\system32\zuhuyaba.dll

.
(((((((((((((((((((((((((   Files Created from 2009-08-23 to 2009-09-23  )))))))))))))))))))))))))))))))
.

2009-09-23 04:12 . 2009-09-23 04:12   120   ----a-w-   c:\windows\Hdofuviyakidalos.dat
2009-09-23 04:12 . 2009-09-23 04:12   0   ----a-w-   c:\windows\Jgilupewadag.bin
2009-09-23 04:12 . 2009-09-23 04:12   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
2009-09-22 06:36 . 2009-09-22 06:36   --------   d-----w-   c:\program files\Trend Micro
2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 05:22 . 2009-09-23 04:31   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2009-09-20 18:26 . 2009-09-20 18:26   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-09 08:00 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\documents and settings\Mike\Application Data\YouSendIt
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\program files\YouSendIt
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\windows\Downloaded Installations
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\program files\WinPcap
2009-09-05 23:43 . 2009-09-05 23:43   --------   d-----w-   c:\windows\Replay Converter 3
2009-09-05 23:43 . 2009-09-11 08:13   --------   d-----w-   c:\program files\Replay AV 8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 05:53 . 2008-10-20 07:49   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-09-22 05:21 . 2008-11-06 22:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2009-09-20 00:48 . 2008-11-02 20:26   189184   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-09-20 00:06 . 2009-01-10 16:38   138064   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-09-19 22:53 . 2008-02-06 16:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-09-18 18:40 . 2009-09-20 16:47   20780477   ----a-w-   c:\program files\PROCESSLIST.DB
2009-09-18 18:40 . 2009-09-20 16:47   1230109   ----a-w-   c:\program files\PROCESSLISTRELATED.DB
2009-09-11 08:16 . 2009-06-01 04:56   --------   d-----w-   c:\program files\iWin Games
2009-09-05 23:45 . 2008-11-09 17:50   --------   d-----w-   c:\program files\Replay Music 3
2009-09-05 23:40 . 2008-08-28 21:11   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\Common Files\DVDVideoSoft
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\DVDVideoSoft
2009-08-07 07:13 . 2008-06-04 01:41   --------   d-----w-   c:\documents and settings\Mike\Application Data\LimeWire
2009-08-05 09:01 . 2008-02-05 22:39   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-29 03:40 . 2009-01-10 16:37   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
2009-07-17 19:01 . 2008-02-05 22:39   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-02-05 22:39   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-02-05 22:39   915456   ------w-   c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-02-05 22:39   56832   ----a-w-   c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-02-05 22:39   54272   ----a-w-   c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-02-05 22:39   147456   ----a-w-   c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-02-05 22:39   730112   ----a-w-   c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-02-05 22:39   301568   ----a-w-   c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-02-05 22:39   136192   ----a-w-   c:\windows\system32\msv1_0.dll
2008-08-11 05:08 . 2008-08-11 05:08   978396   ----a-w-   c:\program files\BDAXP.cab
2008-06-30 17:44 . 2008-08-30 06:45   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-13 23:02 . 2008-08-13 23:02   35840   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-09-22_06.20.05   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-05 22:39 . 2008-04-14 00:12   164864              c:\windows\uyomodoruvoz.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-15 716800]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-11 69632]
"Kbozaqawicoziqow"="c:\windows\uyomodoruvoz.dll" [2008-04-14 164864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      %I

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VSSERV"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"LIVESRV"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iWinTrusted"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"FlipShare Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=2 (0x2)
"Arrakis3"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aliasdocserver"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\After Effects 6.5\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\discreet\\cleaner XL\\cleaner XL.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Alias\\Maya6.0\\bin\\mayabatch.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 cgwc;cgwc;c:\windows\system32\drivers\admvgxwb.sys --> c:\windows\system32\drivers\admvgxwb.sys [?]
S2 fpinlgk;fpinlgk;c:\windows\system32\drivers\xnpj.sys --> c:\windows\system32\drivers\xnpj.sys [?]
S2 inyiqiv;inyiqiv;c:\windows\system32\drivers\kcsmpoxa.sys --> c:\windows\system32\drivers\kcsmpoxa.sys [?]
S2 lpvlpm;lpvlpm;c:\windows\system32\drivers\sqxof.sys --> c:\windows\system32\drivers\sqxof.sys [?]
S2 lqel;lqel;c:\windows\system32\drivers\hflfdgs.sys --> c:\windows\system32\drivers\hflfdgs.sys [?]
S2 pjqefld;pjqefld;c:\windows\system32\drivers\gczmyi.sys --> c:\windows\system32\drivers\gczmyi.sys [?]
S2 rpwlfydw;rpwlfydw;c:\windows\system32\drivers\mfmbtf.sys --> c:\windows\system32\drivers\mfmbtf.sys [?]
S2 rxium;rxium;c:\windows\system32\drivers\qjnb.sys --> c:\windows\system32\drivers\qjnb.sys [?]
S2 weolfr;weolfr;c:\windows\system32\drivers\fqff.sys --> c:\windows\system32\drivers\fqff.sys [?]
S2 xxgy;xxgy;c:\windows\system32\drivers\bwnabzzh.sys --> c:\windows\system32\drivers\bwnabzzh.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [2008-08-07 110592]
S4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 06:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\wikb88jo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_05.dll
FF - plugin: c:\program files\Java\jre6\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {13185E59-E9FA-4277-B5BA-D271999892E3} - c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 00:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b5,fe,1f,11,e2,04,7e,b7,fc,0a,c1,20,08,71,d0,02,df,f4,be,19,54,
   08,cb,c2,b3,08,e8,0c,49,3f,c1,02,bf,77,83,4c,ab,64,df,fe,0c,9f,86,a3,db,7d,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:32,49,1f,c5,b7,af,7b,ea,03,22,52,c7,8a,2e,ee,06,b4,cf,43,6a,0e,
   62,7f,57,c9,4e,21,1c,11,d6,1f,1d,93,a9,eb,25,94,7e,07,96,d6,a8,ad,db,1b,65,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-23  0:39 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-23 04:38
ComboFix2.txt  2009-09-22 06:26

Pre-Run: 632,212,979,712 bytes free
Post-Run: 632,161,280,000 bytes free

300   --- E O F ---   2009-09-11 04:23
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on October 04, 2009, 07:34:29 PM
And here is the HijackThis log I just ran:

Thanks

---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:23:41 PM, on 2009-10-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Kbozaqawicoziqow] rundll32.exe "C:\WINDOWS\uyomodoruvoz.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: Add to  Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8607 bytes
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on October 05, 2009, 04:28:34 AM
No worries; I understand.  Things are looking a little better, but one of the infections has spread somewhat.  It's not doing a lot of damage right now, but we still want to get rid of it, of course.


Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
cgwc
fpinlgk
inyiqiv
lpvlpm
lqel
pjqefld
rpwlfydw
rxium
weolfr
xxgy

File::
c:\windows\Hdofuviyakidalos.dat
c:\windows\Jgilupewadag.bin
c:\windows\uyomodoruvoz.dll
c:\windows\system32\drivers\admvgxwb.sys
c:\windows\system32\drivers\xnpj.sys
c:\windows\system32\drivers\kcsmpoxa.sys
c:\windows\system32\drivers\sqxof.sys
c:\windows\system32\drivers\hflfdgs.sys
c:\windows\system32\drivers\gczmyi.sys
c:\windows\system32\drivers\mfmbtf.sys
c:\windows\system32\drivers\qjnb.sys
c:\windows\system32\drivers\fqff.sys
c:\windows\system32\drivers\bwnabzzh.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbozaqawicoziqow"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply, along with a new HijackThis log.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze.
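The removal above rests on two things a helper does by eye: spotting the odd O4 Run entry in the HijackThis log (rundll32 loading a DLL that sits directly in C:\WINDOWS) and confirming from the next log that it is gone. As an added example that is not part of this thread or of any ComboFix/HijackThis tooling, the Python below parses the O4 lines from the two logs posted here (constructed sample input copied from them), flags that entry with the same heuristic, renders the File:: and Registry:: sections in the CFScript format used above, and diffs the before/after logs. The file-system layout check and the CFScript rendering are my own assumptions about the format, not a documented ComboFix API.

```python
import ntpath
import re

# Constructed sample input: the O4 (Run key) lines from the two HijackThis logs
# posted in this thread, before and after the CFScript/ComboFix run.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Kbozaqawicoziqow] rundll32.exe "C:\WINDOWS\uyomodoruvoz.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"""

# HijackThis O4 line: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32 invocation and the DLL it loads (quoted or not, ",EntryPoint" may follow)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)

# Full key paths as written in the Registry:: section of the CFScript above
HIVE_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def parse_o4(log_text):
    """Return the O4 Run-key entries of a HijackThis log as dicts (hive, name, cmd)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def loaded_dll(cmd):
    """Path of the DLL a rundll32 command loads, or None if it is not rundll32."""
    m = RUNDLL_RE.search(cmd)
    return m.group("dll") if m else None


def is_suspicious(entry):
    """Heuristic taken from this thread: rundll32 loading a DLL that sits directly
    in the Windows directory rather than in system32 or a program folder.
    It is a triage signal for a human to review, not a verdict."""
    dll = loaded_dll(entry["cmd"])
    if dll is None:
        return False
    return ntpath.dirname(dll).lower().endswith("\\windows")


def build_cfscript(entries):
    """Render File:: and Registry:: sections in the CFScript layout used above
    (assumed format, copied from the helper's script) for the flagged entries."""
    bad = [e for e in entries if is_suspicious(e)]
    lines = ["KillAll::", "", "File::"]
    lines += [loaded_dll(e["cmd"]) for e in bad]
    lines += ["", "Registry::"]
    for e in bad:
        lines.append("[%s]" % HIVE_KEYS[e["hive"]])
        lines.append('"%s"=-' % e["name"])   # "Name"=- deletes the value
    return "\n".join(lines) + "\n"


def removed_entries(before_text, after_text):
    """Names of Run entries present before the clean-up but absent afterwards.
    Benign changes (here ctfmon.exe) show up too, so the list still needs review."""
    after = {(e["hive"], e["name"]) for e in parse_o4(after_text)}
    return [e["name"] for e in parse_o4(before_text)
            if (e["hive"], e["name"]) not in after]


if __name__ == "__main__":
    flagged = [e["name"] for e in parse_o4(HJT_BEFORE) if is_suspicious(e)]
    print("flagged:", flagged)
    print(build_cfscript(parse_o4(HJT_BEFORE)))
    print("gone after clean-up:", removed_entries(HJT_BEFORE, HJT_AFTER))
```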
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on October 05, 2009, 05:51:57 PM
Ok CBMatt, here is the new Combo log :)

ComboFix 09-10-04.01 - Mike 10/05/2009 19:34.3.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3323.2758 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FILE ::
"c:\windows\Hdofuviyakidalos.dat"
"c:\windows\Jgilupewadag.bin"
"c:\windows\system32\drivers\admvgxwb.sys"
"c:\windows\system32\drivers\bwnabzzh.sys"
"c:\windows\system32\drivers\fqff.sys"
"c:\windows\system32\drivers\gczmyi.sys"
"c:\windows\system32\drivers\hflfdgs.sys"
"c:\windows\system32\drivers\kcsmpoxa.sys"
"c:\windows\system32\drivers\mfmbtf.sys"
"c:\windows\system32\drivers\qjnb.sys"
"c:\windows\system32\drivers\sqxof.sys"
"c:\windows\system32\drivers\xnpj.sys"
"c:\windows\uyomodoruvoz.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hdofuviyakidalos.dat
c:\windows\Jgilupewadag.bin
c:\windows\uyomodoruvoz.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CGWC
-------\Legacy_FPINLGK
-------\Legacy_INYIQIV
-------\Legacy_LPVLPM
-------\Legacy_LQEL
-------\Legacy_PJQEFLD
-------\Legacy_RPWLFYDW
-------\Legacy_RXIUM
-------\Legacy_WEOLFR
-------\Legacy_XXGY
-------\Service_cgwc
-------\Service_fpinlgk
-------\Service_inyiqiv
-------\Service_lpvlpm
-------\Service_lqel
-------\Service_pjqefld
-------\Service_rpwlfydw
-------\Service_rxium
-------\Service_weolfr
-------\Service_xxgy


(((((((((((((((((((((((((   Files Created from 2009-09-05 to 2009-10-05  )))))))))))))))))))))))))))))))
.

2009-10-05 23:33 . 2009-10-05 23:34   --------   d-----w-   C:\32788R22FWJFW
2009-09-27 21:55 . 2009-09-27 21:55   --------   d-----w-   c:\documents and settings\Heather\Local Settings\Application Data\{7C57F359-DCD5-4829-A18F-24C46AF9A74E}
2009-09-27 00:01 . 2009-09-27 00:01   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\Citrix
2009-09-27 00:01 . 2009-09-27 00:01   103720   ----a-w-   c:\documents and settings\Mike\GoToAssistDownloadHelper.exe
2009-09-25 18:00 . 2009-09-25 18:00   --------   d-----w-   C:\My Music
2009-09-25 17:00 . 2009-09-25 17:00   --------   d-----w-   c:\program files\Common Files\xing shared
2009-09-25 17:00 . 2009-09-25 17:00   --------   d-----w-   c:\program files\real
2009-09-23 04:43 . 2009-09-10 18:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 04:43 . 2009-09-23 04:43   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-09-23 04:43 . 2009-09-10 18:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-09-23 04:12 . 2009-09-23 04:12   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
2009-09-22 06:36 . 2009-09-22 06:36   --------   d-----w-   c:\program files\Trend Micro
2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 05:22 . 2009-09-23 04:31   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2009-09-20 18:26 . 2009-09-20 18:26   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-09 08:00 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\documents and settings\Mike\Application Data\YouSendIt
2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\program files\YouSendIt
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\windows\Downloaded Installations
2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\program files\WinPcap
2009-09-05 23:43 . 2009-09-05 23:43   --------   d-----w-   c:\windows\Replay Converter 3
2009-09-05 23:43 . 2009-09-11 08:13   --------   d-----w-   c:\program files\Replay AV 8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 23:26 . 2008-11-06 22:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2009-10-05 01:23 . 2008-11-02 20:26   189184   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-10-05 00:25 . 2009-01-10 16:38   138064   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-09-25 17:00 . 2009-03-09 08:34   --------   d-----w-   c:\program files\Common Files\Real
2009-09-25 17:00 . 2003-03-19 00:14   499712   ----a-w-   c:\windows\system32\msvcp71.dll
2009-09-22 05:53 . 2008-10-20 07:49   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-09-19 22:53 . 2008-02-06 16:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-09-18 18:40 . 2009-09-20 16:47   20780477   ----a-w-   c:\program files\PROCESSLIST.DB
2009-09-18 18:40 . 2009-09-20 16:47   1230109   ----a-w-   c:\program files\PROCESSLISTRELATED.DB
2009-09-11 08:16 . 2009-06-01 04:56   --------   d-----w-   c:\program files\iWin Games
2009-09-05 23:45 . 2008-11-09 17:50   --------   d-----w-   c:\program files\Replay Music 3
2009-09-05 23:40 . 2008-08-28 21:11   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\Common Files\DVDVideoSoft
2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\DVDVideoSoft
2009-08-07 07:13 . 2008-06-04 01:41   --------   d-----w-   c:\documents and settings\Mike\Application Data\LimeWire
2009-08-05 09:01 . 2008-02-05 22:39   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-29 03:40 . 2009-01-10 16:37   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
2009-07-17 19:01 . 2008-02-05 22:39   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-02-05 22:39   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
2008-08-11 05:08 . 2008-08-11 05:08   978396   ----a-w-   c:\program files\BDAXP.cab
2008-06-30 17:44 . 2008-08-30 06:45   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-13 23:02 . 2008-08-13 23:02   35840   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-09-22_06.20.05   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-16 20:58 . 2009-09-23 12:17   57344              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
- 2008-09-16 20:58 . 2009-08-07 15:48   57344              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
- 2008-09-16 20:58 . 2009-08-07 15:48   22486              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
+ 2008-09-16 20:58 . 2009-09-23 12:17   22486              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
+ 2008-09-16 20:58 . 2009-09-23 12:17   32768              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
- 2008-09-16 20:58 . 2009-08-07 15:48   32768              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
+ 2008-09-16 20:58 . 2009-09-23 12:17   61440              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
- 2008-09-16 20:58 . 2009-08-07 15:48   61440              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
+ 2009-09-25 17:00 . 2009-09-25 17:00   5632              c:\windows\system32\pndx5032.dll
- 2009-03-09 08:34 . 2009-03-09 08:34   5632              c:\windows\system32\pndx5032.dll
- 2009-03-09 08:34 . 2009-03-09 08:34   6656              c:\windows\system32\pndx5016.dll
+ 2009-09-25 17:00 . 2009-09-25 17:00   6656              c:\windows\system32\pndx5016.dll
+ 2009-09-25 17:00 . 2009-09-25 17:00   185920              c:\windows\system32\rmoc3260.dll
- 2009-03-09 08:34 . 2009-03-09 08:34   185920              c:\windows\system32\rmoc3260.dll
- 2009-03-09 08:34 . 2009-03-09 08:34   278528              c:\windows\system32\pncrt.dll
+ 2009-03-09 08:34 . 2009-09-25 17:00   278528              c:\windows\system32\pncrt.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-15 716800]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-11 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-25 198160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VSSERV"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"LIVESRV"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iWinTrusted"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"FlipShare Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=2 (0x2)
"Arrakis3"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aliasdocserver"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\After Effects 6.5\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\discreet\\cleaner XL\\cleaner XL.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Alias\\Maya6.0\\bin\\mayabatch.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [8/12/2008 6:40 PM 111112]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 1:06 PM 118784]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [8/7/2008 3:29 PM 110592]
S4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 2:17 PM 439616]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 06:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\wikb88jo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre6\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_05.dll
FF - plugin: c:\program files\Java\jre6\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {13185E59-E9FA-4277-B5BA-D271999892E3} - c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
FF - HiddenExtension: XULRunner: {7C57F359-DCD5-4829-A18F-24C46AF9A74E} - c:\documents and settings\Heather\Local Settings\Application Data\{7C57F359-DCD5-4829-A18F-24C46AF9A74E}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 19:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b5,fe,1f,11,e2,04,7e,b7,fc,0a,c1,20,08,71,d0,02,df,f4,be,19,54,
   08,cb,c2,b3,08,e8,0c,49,3f,c1,02,bf,77,83,4c,ab,64,df,fe,0c,9f,86,a3,db,7d,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:32,49,1f,c5,b7,af,7b,ea,03,22,52,c7,8a,2e,ee,06,b4,cf,43,6a,0e,
   62,7f,57,c9,4e,21,1c,11,d6,1f,1d,93,a9,eb,25,94,7e,07,96,d6,a8,ad,db,1b,65,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3024)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\searchindexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-10-05 19:47 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-05 23:46
ComboFix2.txt  2009-09-23 04:39
ComboFix3.txt  2009-09-22 06:26

Pre-Run: 631,884,476,416 bytes free
Post-Run: 631,833,182,208 bytes free

310   --- E O F ---   2009-09-11 04:23
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on October 05, 2009, 05:53:42 PM
And here is the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:47 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: Add to  Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8486 bytes
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on October 06, 2009, 03:23:45 AM
Great, that looks much better!  Judging by what I can see in these logs, you look clean.  Is everything still running smoothly?  If so, go ahead and uninstall ComboFix.  You can do that by going to Start > Run, typing in combofix /u (note the space before "/u"), and clicking OK.  You can also remove HijackThis.

You should also reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: mims24 on October 07, 2009, 08:31:34 PM
OK, I deleted ComboFix and HijackThis, and did the System Restore.
Thank you very, very much Matt, and yes, my computer has never felt more smooth; it feels like new, what an awesome feeling right? (whew!)

Take care and God bless,

Mike.
Title: Re: I've been attacked! Malwarebytes no longer working. Please help
Post by: CBMatt on October 09, 2009, 02:50:23 AM
Fantastic, I'm glad everything is going well.  Take care!