
[Resolved] Google Redirects, GMER won't run scan, random popups, 100% C


  • This topic is locked
52 replies to this topic

#1 brooklynsystems (Authentic Member, 29 posts)

Posted 14 January 2010 - 12:56 PM

Hello All: I have run Ad-Aware, SUPERAntiSpyware, MBAM, CCleaner among others to try and combat this attack, but I can't seem to shake it. Any advice would be greatly appreciated! - Ed


MBAM Log:
Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/14/2010 1:06:32 PM
mbam-log-2010-01-14 (13-06-32).txt

Scan type: Quick Scan
Objects scanned: 126213
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.


GMER Quick Scan Log (the full scan crashes)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-14 13:22:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uxtdqpog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A514518

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4AA618

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ripyo <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


DDS LOG:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Admin at 13:37:26.37 on Thu 01/14/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2402 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\ctfmon .exe
C:\WINDOWS\system32\RTHDCPL.EXE
C:\WINDOWS\system32\ALCMTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\program files\quicktime\qttask .exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\program files\common files\nero\lib\nmindexstoresvr .exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\alcmtr .exe
c:\windows\system32\rthdcpl .exe
c:\program files\microsoft office\office12\groovemonitor .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl .exe
c:\program files\airport\apagent .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrotray .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\common files\nero\lib\nmindexstoresvr .exe
c:\documents and settings\admin\local settings\application data\google\update\googleupdate .exe
c:\program files\common files\research in motion\auto update\rimautoupdate .exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = https://login.quickb...;serviceid=2004
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\nmindexstoresvr .exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm .exe" -scheduler
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [laim] "c:\program files\aim lite\aimlite.exe" -autorun
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [rsltkjca] c:\windows\system32\config\systemprofile\local settings\application data\agnnel\xxjusysguard.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\nero.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c16/v22.158/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\uogv0ls2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-13 64288]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-9-8 143360]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-10 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-10-10 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-10-10 151297]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-10 52056]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-2-13 25728]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2010-01-14 13:05 <DIR> --d----- c:\windows\system32\appmgmt
2010-01-14 09:36 4 a------- c:\program files\58336828.dat
2010-01-14 09:36 4 a------- c:\program files\58332796.dat
2010-01-14 09:36 4 a------- c:\program files\58332750.dat
2010-01-14 09:36 4 a------- c:\program files\58332703.dat
2010-01-13 17:23 4 a------- c:\program files\7522234.dat
2010-01-13 17:23 4 a------- c:\program files\7522218.dat
2010-01-13 17:23 4 a------- c:\program files\7522187.dat
2010-01-13 17:23 4 a------- c:\program files\7522171.dat
2010-01-13 17:23 4 a------- c:\program files\7522156.dat
2010-01-13 17:23 4 a------- c:\program files\7522109.dat
2010-01-13 15:17 4 a------- c:\program files\9239359.dat
2010-01-13 14:06 15,880 a------- c:\windows\system32\lsdelete.exe
2010-01-13 12:42 4 a------- c:\program files\2316484.dat
2010-01-13 12:42 4 a------- c:\program files\2316468.dat
2010-01-13 12:42 4 a------- c:\program files\2316453.dat
2010-01-13 12:42 4 a------- c:\program files\2316437.dat
2010-01-13 12:42 4 a------- c:\program files\2316421.dat
2010-01-13 12:42 4 a------- c:\program files\2316406.dat
2010-01-13 12:42 4 a------- c:\program files\2316390.dat
2010-01-13 12:42 4 a------- c:\program files\2316359.dat
2010-01-13 12:42 4 a------- c:\program files\2316343.dat
2010-01-13 12:42 4 a------- c:\program files\2316328.dat
2010-01-13 12:42 4 a------- c:\program files\2316312.dat
2010-01-13 12:42 4 a------- c:\program files\2316296.dat
2010-01-13 12:42 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2010-01-13 12:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 12:11 <DIR> --d----- c:\program files\Lavasoft
2010-01-13 12:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2010-01-13 12:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-13 12:08 <DIR> --d----- c:\program files\Trend Micro
2010-01-13 12:03 4 a------- c:\program files\1359765.dat
2010-01-13 12:03 4 a------- c:\program files\1359750.dat
2010-01-13 12:03 4 a------- c:\program files\1359734.dat
2010-01-13 12:03 4 a------- c:\program files\1359718.dat
2010-01-13 11:46 <DIR> --d----- c:\program files\CCleaner
2010-01-13 11:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-13 11:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-13 11:45 <DIR> --d----- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2010-01-13 11:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-01-13 11:40 4 a------- c:\program files\593078.dat
2010-01-13 11:40 4 a------- c:\program files\592890.dat
2010-01-13 11:40 4 a------- c:\program files\592875.dat
2010-01-13 11:40 4 a------- c:\program files\592859.dat
2010-01-13 11:40 4 a------- c:\program files\592843.dat
2010-01-13 11:40 4 a------- c:\program files\592796.dat
2010-01-13 11:40 4 a------- c:\program files\592781.dat
2010-01-13 11:40 4 a------- c:\program files\592765.dat
2010-01-13 11:40 4 a------- c:\program files\592750.dat
2010-01-13 11:40 4 a------- c:\program files\592734.dat
2010-01-13 11:40 4 a------- c:\program files\592718.dat
2010-01-13 11:40 4 a------- c:\program files\592703.dat
2010-01-13 11:40 4 a------- c:\program files\592687.dat
2010-01-13 11:40 4 a------- c:\program files\592671.dat
2010-01-13 11:40 4 a------- c:\program files\592656.dat
2010-01-13 11:29 4 a------- c:\program files\2639031.dat
2010-01-13 11:29 4 a------- c:\program files\2638484.dat
2010-01-13 11:29 4 a------- c:\program files\2638468.dat
2010-01-13 11:29 4 a------- c:\program files\2638453.dat
2010-01-13 11:29 4 a------- c:\program files\2638437.dat
2010-01-13 11:29 4 a------- c:\program files\2638421.dat
2010-01-13 11:29 4 a------- c:\program files\2638406.dat
2010-01-13 11:29 4 a------- c:\program files\2638390.dat
2010-01-13 11:29 4 a------- c:\program files\2638375.dat
2010-01-13 10:47 40,448 a------- c:\documents and settings\admin\alcmtr.exe
2010-01-13 10:47 40,448 a------- c:\documents and settings\admin\alcmtr .exe
2010-01-13 10:47 40,448 a------- c:\documents and settings\admin\rthdcpl.exe
2010-01-13 10:47 40,448 a------- c:\documents and settings\admin\rthdcpl .exe
2010-01-12 11:59 756,736 a------- c:\windows\system32\drivers\ripyo.sys
2010-01-12 11:58 <DIR> --d----- c:\program files\IEToolbar
2010-01-12 11:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Update
2010-01-12 11:58 198,656 a------- c:\windows\system32\IS15.exe
2010-01-12 11:58 40,960 a------- c:\windows\system32\info.tmp
2010-01-12 11:58 20,992 a------- c:\windows\system32\smss32 .exe
2010-01-12 11:58 40,448 a------- c:\windows\system32\alcmtr.exe
2010-01-12 11:58 40,448 a------- c:\windows\system32\alcmtr .exe
2010-01-12 11:58 40,448 a------- c:\windows\system32\rthdcpl.exe
2010-01-12 11:58 40,448 a------- c:\windows\system32\rthdcpl .exe
2010-01-11 12:17 552 a------- c:\windows\system32\d3d8caps.dat
2010-01-11 12:17 664 a------- c:\windows\system32\d3d9caps.dat
2009-12-24 11:36 46,203 a------- C:\EasyCheck-in_ Boarding Docu...pdf
2009-12-19 11:34 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-12-19 11:34 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 11:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-19 11:33 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-12-19 11:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 15:12 21,548 a------- C:\Citibank Online - Payments.pdf

==================== Find3M ====================

2010-01-14 09:39 40,448 a------- c:\windows\system32\ctfmon.exe
2009-12-19 13:46 96,512 a------- c:\windows\system32\drivers\atapi.sys
2008-01-07 10:42 1,052 a------- c:\documents and settings\admin\Nero8280.reg

============= FINISH: 13:38:44.20 ===============

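A small triage script for DDS and GMER output in the format posted above. This is an added example, not part of the original thread and not code from the DDS, GMER or ComboFix tools. It reads the log line by line and flags the indicators visible in that post: executables whose name carries whitespace before ".exe" (the "ctfmon .exe" / "qttask .exe" copies that shadow legitimate autorun binaries), a Winlogon UIHost that is not the stock logonui.exe, a Firefox keyword.URL pointing at an unexpected search host, and GMER's hidden-service and "suspicious modification" lines. The embedded sample is excerpted from the log above; the `EXPECTED_SEARCH_HOSTS` allowlist and the `Finding` record are assumptions of this example.

```python
"""Triage helper for DDS / GMER output such as the log posted above.

Added example, not part of the original thread or of the DDS/GMER/ComboFix
tools. It flags the indicators that post shows:
  * executables with whitespace before ".exe" ("ctfmon .exe"): a copy that
    sits beside the real binary and is started from an otherwise normal
    looking Run entry or process list;
  * a Winlogon UIHost other than the stock logonui.exe (runs before logon);
  * Firefox keyword.URL pointing at a host other than the expected engine;
  * GMER hidden services and "suspicious modification" of system files.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Whitespace (spaces or tabs) between the base name and the .exe extension.
PADDED_EXE = re.compile(r"\S[ \t]+\.exe$", re.IGNORECASE)
# Run-key entry: 'uRun: [name] "quoted path" args' or 'mRun: [name] path args'.
RUN_LINE = re.compile(r'^[umd]Run(?:Once)?: \[[^\]]*\]\s*(?:"([^"]+)"|(.+))', re.IGNORECASE)
HIDDEN_SVC = re.compile(r"^Service \(\*\*\* hidden \*\*\* \)\s*\[[^\]]*\]\s*(\S+)")
GMER_FILE = re.compile(r"^File (.+?) suspicious modification$")
UIHOST = re.compile(r"^mWinlogon: UIHost=(.+)$", re.IGNORECASE)
KEYWORD_URL = re.compile(r"^FF - (?:prefs|user)\.js: keyword\.URL - (\S+)", re.IGNORECASE)

DEFAULT_UIHOST = "logonui.exe"
# Assumption for this example: the only search hosts the analyst expects to see.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com"}


def legit_twin(path):
    """Collapse 'name .exe' to 'name.exe': the binary the padded copy impersonates."""
    return re.sub(r"[ \t]+\.exe$", ".exe", path, flags=re.IGNORECASE)


def trailing_path(line):
    """Return the Windows path at the end of a DDS line (drive letter onward)."""
    m = re.search(r"[A-Za-z]:\\.*$", line)
    return m.group(0) if m else line


def url_host(url):
    """Host part of a URL, accepting the 'hxxp' defanging used in these logs."""
    rest = re.sub(r"^hxxps?://|^https?://", "", url, flags=re.IGNORECASE)
    return rest.split("/", 1)[0].lower()


def triage(log_text):
    """Scan log text and return de-duplicated Finding records in log order."""
    findings, seen = [], set()

    def add(kind, detail):
        key = (kind, detail.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(kind, detail))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:  # autorun entry: test only the launched path, not the arguments
            path = m.group(1) or m.group(2)
            if PADDED_EXE.search(path):
                add("padded_exe", path)
            continue
        if PADDED_EXE.search(line):  # process list or "Created Last 30" entry
            add("padded_exe", trailing_path(line))
            continue
        m = HIDDEN_SVC.match(line)
        if m:
            add("hidden_service", m.group(1))
            continue
        m = GMER_FILE.match(line)
        if m:
            add("modified_system_file", m.group(1))
            continue
        m = UIHOST.match(line)
        if m and m.group(1).lower().rsplit("\\", 1)[-1] != DEFAULT_UIHOST:
            add("winlogon_uihost", m.group(1))
            continue
        m = KEYWORD_URL.match(line)
        if m and url_host(m.group(1)) not in EXPECTED_SEARCH_HOSTS:
            add("search_hijack", url_host(m.group(1)))
    return findings


def shadowed_binaries(findings):
    """Legitimate executables impersonated by padded copies (lower-cased, sorted)."""
    return sorted({legit_twin(f.detail).lower() for f in findings if f.kind == "padded_exe"})


# Constructed sample: lines excerpted from the DDS and GMER logs in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\ctfmon .exe
C:\program files\quicktime\qttask .exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [rsltkjca] c:\windows\system32\config\systemprofile\local settings\application data\agnnel\xxjusysguard.exe
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
Service (*** hidden *** ) [BOOT] ripyo <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
2010-01-13 10:47 40,448 a------- c:\documents and settings\admin\alcmtr .exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
    print("impersonated binaries:", shadowed_binaries(found))
```

`shadowed_binaries` gives the real-name counterparts to check next, not a clean list: the log above shows `alcmtr.exe` and `rthdcpl.exe` in `c:\documents and settings\admin\` (no legitimate reason to be there) alongside their padded twins, and `ctfmon.exe` in system32 with a January 2010 modification time, so the unpadded file also needs to be verified rather than trusted.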


#2 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 14 January 2010 - 05:14 PM

Hi,

If you already have a copy of ComboFix, please delete it.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


#3 brooklynsystems (Authentic Member, 29 posts)

Posted 14 January 2010 - 05:52 PM

Here it is - thanks for the help. I couldn't stop Avira from running via the system tray or Task Manager, so I just ignored all warnings during the ComboFix scan.


ComboFix 10-01-14.02 - Admin 01/14/2010 18:36:03.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2579 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-F.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\alcmtr .exe
c:\documents and settings\Admin\alcmtr.exe
c:\documents and settings\Admin\rthdcpl .exe
c:\documents and settings\Admin\rthdcpl.exe
c:\program files\IEToolbar
c:\windows\system32\alcmtr .exe
c:\windows\system32\alcmtr.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\ripyo.sys
c:\windows\system32\flags.ini
c:\windows\system32\IS15.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\rthdcpl .exe
c:\windows\system32\rthdcpl.exe
c:\windows\system32\smss32 .exe
c:\windows\system32\Thumbs.db
c:\windows\system32\twain_32.dll
c:\windows\system32\uses32.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ripyo
-------\Service_ripyo


((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\xircom
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\wbem\snmp
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58336828.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332796.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332750.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332703.dat
2010-01-14 14:32 . 2010-01-14 14:32 -------- d-----w- c:\program files\ERUNT
2010-01-14 14:25 . 2010-01-14 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522234.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522218.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522187.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522171.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522156.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522109.dat
2010-01-13 20:17 . 2010-01-13 20:17 4 ----a-w- c:\program files\9239359.dat
2010-01-13 19:06 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-13 17:41 . 2010-01-13 17:41 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-13 17:41 . 2010-01-13 17:41 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-13 17:41 . 2010-01-13 17:41 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-13 17:41 . 2010-01-13 17:41 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-13 17:41 . 2010-01-13 17:41 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-13 17:41 . 2010-01-13 17:41 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-13 17:41 . 2010-01-13 17:41 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-13 17:11 . 2010-01-13 17:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 17:11 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 17:11 . 2010-01-13 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 17:11 . 2010-01-13 17:11 -------- d-----w- c:\program files\Lavasoft
2010-01-13 17:11 . 2010-01-13 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 17:11 . 2010-01-13 17:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 17:08 . 2010-01-13 17:08 -------- d-----w- c:\program files\Trend Micro
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359765.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359750.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359734.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359718.dat
2010-01-13 16:46 . 2010-01-13 16:46 -------- d-----w- c:\program files\CCleaner
2010-01-13 16:46 . 2010-01-13 16:46 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 16:46 . 2010-01-13 16:46 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-13 17:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2639031.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638484.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638468.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638453.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638437.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638421.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638406.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638390.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638375.dat
2010-01-12 16:58 . 2010-01-12 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-01-12 16:58 . 2010-01-13 16:29 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\agnnel
2010-01-12 15:13 . 2010-01-12 15:13 1076552 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbsk.exe
2010-01-12 15:04 . 2010-01-12 15:04 308997 ----a-w- c:\documents and settings\All Users\Application Data\Update\seupd.exe
2010-01-11 17:17 . 2010-01-11 17:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-11 17:17 . 2010-01-12 16:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 06:44 . 2010-01-12 16:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-03 16:36 . 2010-01-03 16:36 56827 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbupd.exe
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-19 16:34 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 16:33 . 2009-12-19 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 16:33 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 23:43 . 2009-02-18 01:41 -------- d-----w- c:\program files\AIM Lite
2010-01-14 23:43 . 2008-12-12 16:12 -------- d-----w- c:\program files\AirPort
2010-01-14 23:43 . 2008-10-21 14:02 -------- d-----w- c:\program files\iTunes
2010-01-14 23:43 . 2008-10-21 13:59 -------- d-----w- c:\program files\PowerISO
2010-01-14 23:43 . 2008-10-13 21:42 -------- d-----w- c:\program files\QuickTime
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\program files\microsoft frontpage
2010-01-14 23:32 . 2010-01-14 23:32 4 ----a-w- c:\program files\17899281.dat
2010-01-14 18:07 . 2009-02-17 00:46 -------- d-----w- c:\program files\PokerTracker 3
2010-01-14 18:06 . 2008-10-01 08:25 -------- d-----w- c:\program files\Styler
2010-01-14 18:05 . 2009-02-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-14 14:39 . 2008-04-14 12:00 40448 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 22:19 . 2008-10-01 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-01-13 16:40 . 2010-01-13 16:40 4 ----a-w- c:\program files\593078.dat
2010-01-13 16:12 . 2008-10-01 08:36 -------- d-----w- c:\program files\AutoPlay Media Studio 7.0
2010-01-12 16:58 . 2010-01-12 16:58 40960 ----a-w- c:\windows\system32\info.tmp
2009-12-26 23:19 . 2009-10-27 19:00 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-12-25 03:51 . 2009-11-19 13:42 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-19 18:46 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-19 14:57 . 2008-10-10 21:01 -------- d-----w- c:\documents and settings\Admin\Application Data\uTorrent
2009-12-02 13:19 . 2010-01-13 17:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\AIM Lite\aimlite .exe
c:\program files\AirPort\apagent .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
c:\program files\Babylon\Babylon-Pro\babylon .exe
c:\program files\Brother\ControlCenter2\brctrcen .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Nero\Lib\nerocheck .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr	.exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\PowerISO\pwrisovm .exe
c:\program files\QuickTime\qttask		  .exe
c:\program files\QuickTime\qttask		 .exe
c:\program files\QuickTime\qttask		.exe
c:\program files\QuickTime\qttask	   .exe
c:\program files\QuickTime\qttask	  .exe
c:\program files\QuickTime\qttask	 .exe
c:\program files\QuickTime\qttask	.exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
</pre>

------- Sigcheck -------

[-] 2008-09-08 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-09-08 . 8C4050BD9FD87E23CDED28FFA889B0BA . 2306560 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-04-11 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2010-01-14 14:39 . 02C200DB57E674F8F73268D48BA7DB22 . 40448 . . [------] . . c:\windows\system32\ctfmon.exe

[-] 2008-09-08 . D78B8FEF28298C32AAD37745AB26BDE5 . 2185216 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\common files\nero\lib\nmindexstoresvr .exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -scheduler" [X]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-14 40448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-13 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2010-01-14 40448]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-01-14 40448]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2010-01-14 40448]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-01-14 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-14 40448]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-01-14 40448]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-01-14 40448]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2010-01-14 40448]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-01-14 40448]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2010-01-14 40448]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2010-01-14 40448]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2010-01-14 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-09-08 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-10-23 114688]
nero.exe [2008-9-5 194819]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 05:57 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/13/2010 12:42 PM 64288]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/8/2008 4:08 PM 143360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2/13/2009 11:00 AM 25728]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 12:31 PM 42000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2008-09-08 20:53 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-492894223-682003330-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:43]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-492894223-682003330-1004UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:43]

2010-01-14 c:\windows\Tasks\TBUpdater.job
- c:\documents and settings\All Users\Application Data\Update\tbupd.exe [2010-01-03 16:36]

2010-01-14 c:\windows\Tasks\Updater.job
- c:\documents and settings\All Users\Application Data\Update\seupd.exe [2010-01-12 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.quickb...;serviceid=2004
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\babylon-pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\uogv0ls2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'explorer.exe'(7300)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\RTHDCPL.EXE
c:\program files\quicktime\qttask .exe
c:\program files\common files\nero\lib\nmindexstoresvr .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\microsoft office\office12\groovemonitor .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl .exe
c:\program files\poweriso\pwrisovm .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrotray .exe
c:\windows\ALCFDRTM.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-14 18:48:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 23:48

Pre-Run: 413,331,472,384 bytes free
Post-Run: 413,306,380,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E93502CCBCF644709634DCAC2EE5E47D

#4 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 14 January 2010 - 06:02 PM

Before we go any further, I'd like you to have a file scanned. Please go to this site:
http://virscan.org
Then have this file scanned:
c:\windows\explorer.exe

Please copy/paste the result of the scan into your next reply.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#5 brooklynsystems

brooklynsystems

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 14 January 2010 - 06:24 PM

VirSCAN.org Scanned Report :
Scanned time : 2009/12/15 03:32:23 (CST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 975872 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 561a50497324f378e30f55d09b4e1258
SHA1 : 3481f9b9a487ac908cf9ecc24223c19d7357dbc7
Online report : http://virscan.org/r...3fae84dc00.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091215033149 2009-12-15 4.59 -
AhnLab V3 2009.12.15.00 2009.12.15 2009-12-15 1.05 -
AntiVir 8.2.1.108 7.10.1.241 2009-12-14 0.11 -
Antiy 2.0.18 20091214.3483968 2009-12-14 0.12 -
Arcavir 2009 200912131409 2009-12-13 0.07 -
Authentium 5.1.1 200912141123 2009-12-14 2.24 -
AVAST! 4.7.4 091214-0 2009-12-14 0.05 -
AVG 8.5.288 270.14.107/2564 2009-12-14 0.34 -
BitDefender 7.81008.4728733 7.29452 2009-12-15 4.04 -
CA (VET) 35.1.0 7171 2009-12-11 4.24 -
ClamAV 0.95.2 10164 2009-12-14 0.17 -
Comodo 3.13 3242 2009-12-14 1.31 -
CP Secure 1.3.0.5 2009.12.14 2009-12-14 0.11 -
Dr.Web 4.44.0.9170 2009.12.14 2009-12-14 7.90 -
F-Prot 4.4.4.56 20091214 2009-12-14 2.17 -
F-Secure 7.02.73807 2009.12.14.13 2009-12-14 9.40 -
Fortinet 11.265- 11.265 2009-12-13 0.56 -
GData 19.9310/19.623 20091214 2009-12-14 5.65 -
ViRobot 20091214 2009.12.14 2009-12-14 0.41 -
Ikarus T3.1.01.74 2009.12.14.74758 2009-12-14 4.34 -
JiangMin 13.0.900 2009.12.14 2009-12-14 8.33 -
Kaspersky 5.5.10 2009.12.14 2009-12-14 0.07 -
KingSoft 2009.2.5.15 2009.12.14.22 2009-12-14 0.53 -
McAfee 5.3.00 5832 2009-12-14 3.43 -
Microsoft 1.5302 2009.12.14 2009-12-14 6.36 -
Norman 6.01.09 6.01.00 2009-12-14 4.00 -
Panda 9.05.01 2009.12.14 2009-12-14 1.93 -
Trend Micro 9.000-1003 6.692.07 2009-12-14 0.04 -
Quick Heal 10.00 2009.12.14 2009-12-14 1.62 -
Rising 20.0 22.26.00.04 2009-12-14 1.26 -
Sophos 3.02.0 4.48 2009-12-15 2.80 -
Sunbelt 3.9.2386.2 5560 2009-12-13 2.10 -
Symantec 1.3.0.24 20091214.004 2009-12-14 0.08 -
nProtect 20091210.02 6571400 2009-12-10 4.08 -
The Hacker 6.5.0.2 v00092 2009-12-12 0.73 -
VBA32 3.12.12.0 20091213.0730 2009-12-13 2.32 -
VirusBuster 4.5.11.10 10.116.5/2017534 2009-12-14 2.60 -

#6 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 14 January 2010 - 06:43 PM

Open notepad, and copy/paste the following code into the notepad window (starting with the @ sign):

@echo off
rem Remove the report left by any earlier run of this script
if exist "%userprofile%\Desktop\look.txt" del /Q "%userprofile%\Desktop\look.txt"
echo Searching for files, please wait...
rem For each name, PEV (the helper tool ComboFix installs) searches the system drive
rem and writes path, size, timestamp and MD5 of every copy it finds to look.txt
for %%g in (
tcpip.sys
ntoskrnl.exe
explorer.exe
ctfmon.exe
ntkrnlpa.exe
) do (
echo.
echo Looking for %%g...
PEV --custom##f #s [#m] #5# %systemdrive%\%%g
) >> "%userprofile%\Desktop\look.txt"
rem Open the report, then delete this batch file
start notepad "%userprofile%\Desktop\look.txt"
del /Q %0

Click File->Save As, then save it to your Desktop, using "look.bat" as the filename (including the speech marks). Double-click the look.bat file on your Desktop, then post the log that pops up.


#7 brooklynsystems

brooklynsystems

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 14 January 2010 - 06:46 PM

Looking for tcpip.sys...
C:\WINDOWS\system32\drivers\tcpip.sys 361,600 [2008-09-08 20:56:20] CBEEBEB899E31EF52B962CB31FC8CA5C

Looking for ntoskrnl.exe...
C:\WINDOWS\system32\ntoskrnl.exe 2,306,560 [2008-09-08 20:56:14] 8C4050BD9FD87E23CDED28FFA889B0BA

Looking for explorer.exe...
C:\WINDOWS\explorer.exe 975,872 [2008-04-11 14:00:00] 561A50497324F378E30F55D09B4E1258

Looking for ctfmon.exe...
C:\WINDOWS\system32\ctfmon.exe 40,448 [2010-01-14 14:39:10] 02C200DB57E674F8F73268D48BA7DB22

Looking for ntkrnlpa.exe...
C:\WINDOWS\system32\ntkrnlpa.exe 2,185,216 [2008-09-08 21:00:54] D78B8FEF28298C32AAD37745AB26BDE5

#8 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 14 January 2010 - 07:26 PM

Hi,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
c:\program files\Common Files\Nero\Lib\nmindexstoresvr	.exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\QuickTime\qttask		  .exe
c:\program files\Common Files\Nero\Lib\nerocheck .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
c:\program files\PowerISO\pwrisovm .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\AirPort\apagent .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\AIM Lite\aimlite .exe
c:\program files\Brother\ControlCenter2\brctrcen .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\common files\nero\lib\nmindexstoresvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020"
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe -scheduler"
"Google Update"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask.exe -atboottime"

File::
c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\58336828.dat
c:\program files\58332796.dat
c:\program files\58332750.dat
c:\program files\58332703.dat
c:\program files\7522234.dat
c:\program files\7522218.dat
c:\program files\7522187.dat
c:\program files\7522171.dat
c:\program files\7522156.dat
c:\program files\7522109.dat
c:\program files\9239359.dat
c:\program files\1359765.dat
c:\program files\1359750.dat
c:\program files\1359734.dat
c:\program files\1359718.dat
c:\program files\2639031.dat
c:\program files\2638484.dat
c:\program files\2638468.dat
c:\program files\2638453.dat
c:\program files\2638437.dat
c:\program files\2638421.dat
c:\program files\2638406.dat
c:\program files\2638390.dat
c:\program files\2638375.dat
c:\documents and settings\All Users\Application Data\Update\tbsk.exe
c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\All Users\Application Data\Update\tbupd.exe
c:\program files\17899281.dat
c:\program files\593078.dat
c:\windows\system32\info.tmp
c:\windows\Tasks\TBUpdater.job
c:\documents and settings\All Users\Application Data\Update\tbupd.exe
c:\windows\Tasks\Updater.job

Folder::
c:\documents and settings\All Users\Application Data\Update
c:\windows\system32\config\systemprofile\Local Settings\Application Data\agnnel

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot (in case it asks to reboot), please post ComboFix.txt in your next reply.
Please also post the contents of C:\QooBox\Add-Remove Programs.txt.

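The fix script above reverses two things visible in the ComboFix log: most of the HKLM Run entries report the same "[2010-01-14 40448]" date and size even though they belong to unrelated vendors, and the real programs sit beside them renamed with whitespace in front of ".exe" (the list ComboFix printed in its pre block, which RenV:: restores). The following Python script, an added example that is neither ComboFix's code nor the helper's script, automates that triage over a log: it parses the Run-key lines, groups them by date and size, finds the displaced originals, and pairs each suspected clone with the original that should replace it. The regexes and the constructed SAMPLE_LOG (a subset of the log posted in this thread) are this example's own assumptions.

```python
"""Triage helper for ComboFix-style logs: spot autostart binaries that were
replaced by one file while the originals were renamed with a space before ".exe".
Added example for this thread; not ComboFix's code and not the helper's script.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the Run entries and the renamed-file list that
# ComboFix printed in this thread, enough to exercise every check below.
SAMPLE_LOG = r"""
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
</pre>

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -scheduler" [X]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-14 40448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-13 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-14 40448]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-01-14 40448]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2010-01-14 40448]
"""

# "Name"="value" [tag]  where tag is "date size" or "X" (assumed regexes)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+\[(?P<tag>[^\]]+)\]\s*$')
EXE_PATH = re.compile(r'^(?P<path>.*?\.exe)(?:\s|$)', re.IGNORECASE)
# A path whose file name has whitespace wedged in front of ".exe"
DISPLACED = re.compile(r'^(?P<stem>.*\S)\s+(?P<ext>\.exe)$', re.IGNORECASE)


def parse_run_entries(log_text):
    """Turn Run-key lines into dicts; "[X]" yields date=None, size=None."""
    entries = []
    for raw in log_text.splitlines():
        m = RUN_LINE.match(raw.strip())
        if not m:
            continue
        exe = EXE_PATH.match(m.group("value"))
        path = exe.group("path") if exe else m.group("value")
        tag = m.group("tag").split()
        if len(tag) == 2 and tag[1].isdigit():
            date, size = tag[0], int(tag[1])
        else:
            date, size = None, None
        entries.append({"name": m.group("name"), "path": path,
                        "date": date, "size": size})
    return entries


def find_displaced_originals(log_text):
    """(path as listed, name it should have had) for every space-before-.exe path."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DISPLACED.match(line)
        if m:
            found.append((line, m.group("stem") + m.group("ext")))
    return found


def find_cloned_entries(entries, min_group=3):
    """Group entries by (date, size); helpers from unrelated vendors should not
    share both, so a group of min_group or more points to one file copied over all."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is not None:
            groups[(e["date"], e["size"])].append(e)
    return {key: grp for key, grp in groups.items() if len(grp) >= min_group}


def find_entries_pointing_at_displaced(entries):
    """Run entries whose target itself carries the space-before-.exe name."""
    return [e for e in entries if DISPLACED.match(e["path"])]


def match_clones_to_originals(clone_entries, displaced):
    """Map each suspected clone path to the renamed original sitting beside it."""
    by_expected = {expected.lower(): listed for listed, expected in displaced}
    return {e["path"]: by_expected[e["path"].lower()]
            for e in clone_entries if e["path"].lower() in by_expected}


def triage(log_text):
    entries = parse_run_entries(log_text)
    displaced = find_displaced_originals(log_text)
    cloned = find_cloned_entries(entries)
    clone_entries = [e for grp in cloned.values() for e in grp]
    return {"entries": entries, "displaced": displaced, "cloned_groups": cloned,
            "pairs": match_clones_to_originals(clone_entries, displaced),
            "pointing_at_displaced": find_entries_pointing_at_displaced(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (date, size), grp in report["cloned_groups"].items():
        print(f"{len(grp)} Run entries share date {date} and size {size}:")
        for e in grp:
            print("   ", e["name"], "->", e["path"])
    for clone, original in report["pairs"].items():
        print("clone", clone, "sits beside renamed original", original)
```

On the sample the script reports one group of four entries sharing "2010-01-14 40448", pairs the iTunesHelper and Acrotray clones with their renamed originals, and flags the two Run entries (ISUSPM, QuickTime Task) that point straight at a displaced name, which is the set of lines the RenV:: and Registry:: sections of the fix script act on.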

#9 brooklynsystems

brooklynsystems

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 14 January 2010 - 10:12 PM

Here is the ComboFix.txt log:

ComboFix 10-01-14.02 - Admin 01/14/2010 18:36:03.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2579 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-F.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\alcmtr .exe
c:\documents and settings\Admin\alcmtr.exe
c:\documents and settings\Admin\rthdcpl .exe
c:\documents and settings\Admin\rthdcpl.exe
c:\program files\IEToolbar
c:\windows\system32\alcmtr .exe
c:\windows\system32\alcmtr.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\ripyo.sys
c:\windows\system32\flags.ini
c:\windows\system32\IS15.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\rthdcpl .exe
c:\windows\system32\rthdcpl.exe
c:\windows\system32\smss32 .exe
c:\windows\system32\Thumbs.db
c:\windows\system32\twain_32.dll
c:\windows\system32\uses32.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ripyo
-------\Service_ripyo


((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\xircom
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\wbem\snmp
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58336828.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332796.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332750.dat
2010-01-14 14:36 . 2010-01-14 14:36 4 ----a-w- c:\program files\58332703.dat
2010-01-14 14:32 . 2010-01-14 14:32 -------- d-----w- c:\program files\ERUNT
2010-01-14 14:25 . 2010-01-14 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522234.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522218.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522187.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522171.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522156.dat
2010-01-13 22:23 . 2010-01-13 22:23 4 ----a-w- c:\program files\7522109.dat
2010-01-13 20:17 . 2010-01-13 20:17 4 ----a-w- c:\program files\9239359.dat
2010-01-13 19:06 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-13 17:41 . 2010-01-13 17:41 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-13 17:41 . 2010-01-13 17:41 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-13 17:41 . 2010-01-13 17:41 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-13 17:41 . 2010-01-13 17:41 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-13 17:41 . 2010-01-13 17:41 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-13 17:41 . 2010-01-13 17:41 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-13 17:41 . 2010-01-13 17:41 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-13 17:11 . 2010-01-13 17:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 17:11 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 17:11 . 2010-01-13 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 17:11 . 2010-01-13 17:11 -------- d-----w- c:\program files\Lavasoft
2010-01-13 17:11 . 2010-01-13 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 17:11 . 2010-01-13 17:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 17:08 . 2010-01-13 17:08 -------- d-----w- c:\program files\Trend Micro
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359765.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359750.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359734.dat
2010-01-13 17:03 . 2010-01-13 17:03 4 ----a-w- c:\program files\1359718.dat
2010-01-13 16:46 . 2010-01-13 16:46 -------- d-----w- c:\program files\CCleaner
2010-01-13 16:46 . 2010-01-13 16:46 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 16:46 . 2010-01-13 16:46 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-13 17:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2639031.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638484.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638468.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638453.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638437.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638421.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638406.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638390.dat
2010-01-13 16:29 . 2010-01-13 16:29 4 ----a-w- c:\program files\2638375.dat
2010-01-12 16:58 . 2010-01-12 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-01-12 16:58 . 2010-01-13 16:29 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\agnnel
2010-01-12 15:13 . 2010-01-12 15:13 1076552 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbsk.exe
2010-01-12 15:04 . 2010-01-12 15:04 308997 ----a-w- c:\documents and settings\All Users\Application Data\Update\seupd.exe
2010-01-11 17:17 . 2010-01-11 17:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-11 17:17 . 2010-01-12 16:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 06:44 . 2010-01-12 16:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-03 16:36 . 2010-01-03 16:36 56827 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbupd.exe
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-19 16:34 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 16:33 . 2009-12-19 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 16:33 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 23:43 . 2009-02-18 01:41 -------- d-----w- c:\program files\AIM Lite
2010-01-14 23:43 . 2008-12-12 16:12 -------- d-----w- c:\program files\AirPort
2010-01-14 23:43 . 2008-10-21 14:02 -------- d-----w- c:\program files\iTunes
2010-01-14 23:43 . 2008-10-21 13:59 -------- d-----w- c:\program files\PowerISO
2010-01-14 23:43 . 2008-10-13 21:42 -------- d-----w- c:\program files\QuickTime
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\program files\microsoft frontpage
2010-01-14 23:32 . 2010-01-14 23:32 4 ----a-w- c:\program files\17899281.dat
2010-01-14 18:07 . 2009-02-17 00:46 -------- d-----w- c:\program files\PokerTracker 3
2010-01-14 18:06 . 2008-10-01 08:25 -------- d-----w- c:\program files\Styler
2010-01-14 18:05 . 2009-02-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-14 14:39 . 2008-04-14 12:00 40448 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 22:19 . 2008-10-01 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-01-13 16:40 . 2010-01-13 16:40 4 ----a-w- c:\program files\593078.dat
2010-01-13 16:12 . 2008-10-01 08:36 -------- d-----w- c:\program files\AutoPlay Media Studio 7.0
2010-01-12 16:58 . 2010-01-12 16:58 40960 ----a-w- c:\windows\system32\info.tmp
2009-12-26 23:19 . 2009-10-27 19:00 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-12-25 03:51 . 2009-11-19 13:42 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-19 18:46 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-19 14:57 . 2008-10-10 21:01 -------- d-----w- c:\documents and settings\Admin\Application Data\uTorrent
2009-12-02 13:19 . 2010-01-13 17:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\AIM Lite\aimlite .exe
c:\program files\AirPort\apagent .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
c:\program files\Babylon\Babylon-Pro\babylon .exe
c:\program files\Brother\ControlCenter2\brctrcen .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Nero\Lib\nerocheck .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr	.exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\PowerISO\pwrisovm .exe
c:\program files\QuickTime\qttask		  .exe
c:\program files\QuickTime\qttask		 .exe
c:\program files\QuickTime\qttask		.exe
c:\program files\QuickTime\qttask	   .exe
c:\program files\QuickTime\qttask	  .exe
c:\program files\QuickTime\qttask	 .exe
c:\program files\QuickTime\qttask	.exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
</pre>

------- Sigcheck -------

[-] 2008-09-08 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-09-08 . 8C4050BD9FD87E23CDED28FFA889B0BA . 2306560 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-04-11 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2010-01-14 14:39 . 02C200DB57E674F8F73268D48BA7DB22 . 40448 . . [------] . . c:\windows\system32\ctfmon.exe

[-] 2008-09-08 . D78B8FEF28298C32AAD37745AB26BDE5 . 2185216 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\common files\nero\lib\nmindexstoresvr .exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -scheduler" [X]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-14 40448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-13 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2010-01-14 40448]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-01-14 40448]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2010-01-14 40448]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-01-14 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-14 40448]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-01-14 40448]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-01-14 40448]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2010-01-14 40448]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-01-14 40448]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2010-01-14 40448]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2010-01-14 40448]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2010-01-14 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-09-08 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-10-23 114688]
nero.exe [2008-9-5 194819]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 05:57 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/13/2010 12:42 PM 64288]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/8/2008 4:08 PM 143360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2/13/2009 11:00 AM 25728]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 12:31 PM 42000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2008-09-08 20:53 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-492894223-682003330-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:43]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-492894223-682003330-1004UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-28 23:43]

2010-01-14 c:\windows\Tasks\TBUpdater.job
- c:\documents and settings\All Users\Application Data\Update\tbupd.exe [2010-01-03 16:36]

2010-01-14 c:\windows\Tasks\Updater.job
- c:\documents and settings\All Users\Application Data\Update\seupd.exe [2010-01-12 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.quickb...;serviceid=2004
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\babylon-pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\uogv0ls2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'explorer.exe'(7300)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\RTHDCPL.EXE
c:\program files\quicktime\qttask .exe
c:\program files\common files\nero\lib\nmindexstoresvr .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\microsoft office\office12\groovemonitor .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl .exe
c:\program files\poweriso\pwrisovm .exe
c:\program files\adobe\acrobat 9.0\acrobat\acrotray .exe
c:\windows\ALCFDRTM.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-14 18:48:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 23:48

Pre-Run: 413,331,472,384 bytes free
Post-Run: 413,306,380,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E93502CCBCF644709634DCAC2EE5E47D


Here is the Add/Remove Programs log:


µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter (remove only)
Acrobat.com
Ad-Aware
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM Lite 0.33
AirPort
Alky for Applications (Windows XP)
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoPlay Media Studio 7.0
Avira AntiVir Personal - Free Antivirus
Babylon
BlackBerry Desktop Software 4.7
BlackBerry Device Software v4.5.0 for the BlackBerry 8330 smartphone
Bonjour
Brother MFL-Pro Suite
CCleaner
ERUNT 1.1j
FlvRecorder
FreeRIP v3.1
Google Chrome
HijackThis 2.0.2
Image Resizer Powertoy for Windows XP
ImgBurn
InterVideo XPack (DVD Only)
iTunes
Java™ 6 Update 10
Kels' CPL Bonus Pack!
Malwarebytes' Anti-Malware
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Recent Documents Gadget
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Mozilla Firefox (3.0.17)
Nero 8
neroxml
PDF Settings
Picasa 3
PokerStars
PostgreSQL 8.3
PowerISO
QuickTime
Realtek High Definition Audio Driver
Roxio Media Manager
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tweak UI
VCRedistSetup
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
WebFldrs XP
Windows Sidebar
WinPcap 4.0
WinRAR archiver

#10 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 15 January 2010 - 01:09 AM

That log is the same as the first, did ComboFix not run again? The latest log should be at C:\ComboFix.txt. Let me know if ComboFix had problems running with that script. P.S. Do you have a Windows Installation Disk?

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#11 brooklynsystems

brooklynsystems

    Authentic Member

  • Authentic Member
  • 29 posts

Posted 15 January 2010 - 06:44 AM

Sorry, here is the later one; I must have mixed them up.

ComboFix 10-01-14.02 - Admin 01/14/2010 23:02:50.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2239 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-F.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"
"c:\documents and settings\All Users\Application Data\Update\seupd.exe"
"c:\documents and settings\All Users\Application Data\Update\tbsk.exe"
"c:\documents and settings\All Users\Application Data\Update\tbupd.exe"
"c:\program files\1359718.dat"
"c:\program files\1359734.dat"
"c:\program files\1359750.dat"
"c:\program files\1359765.dat"
"c:\program files\17899281.dat"
"c:\program files\2638375.dat"
"c:\program files\2638390.dat"
"c:\program files\2638406.dat"
"c:\program files\2638421.dat"
"c:\program files\2638437.dat"
"c:\program files\2638453.dat"
"c:\program files\2638468.dat"
"c:\program files\2638484.dat"
"c:\program files\2639031.dat"
"c:\program files\58332703.dat"
"c:\program files\58332750.dat"
"c:\program files\58332796.dat"
"c:\program files\58336828.dat"
"c:\program files\593078.dat"
"c:\program files\7522109.dat"
"c:\program files\7522156.dat"
"c:\program files\7522171.dat"
"c:\program files\7522187.dat"
"c:\program files\7522218.dat"
"c:\program files\7522234.dat"
"c:\program files\9239359.dat"
"c:\program files\SUPERAntiSpyware\superantispyware .exe"
"c:\windows\system32\info.tmp"
"c:\windows\Tasks\TBUpdater.job"
"c:\windows\Tasks\Updater.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\documents and settings\Admin\rthdcpl .exe
c:\documents and settings\Admin\rthdcpl.exe
c:\documents and settings\All Users\Application Data\Update
c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\All Users\Application Data\Update\tbsk.exe
c:\documents and settings\All Users\Application Data\Update\tbupd.exe
c:\program files\1359718.dat
c:\program files\1359734.dat
c:\program files\1359750.dat
c:\program files\1359765.dat
c:\program files\17899281.dat
c:\program files\2638375.dat
c:\program files\2638390.dat
c:\program files\2638406.dat
c:\program files\2638421.dat
c:\program files\2638437.dat
c:\program files\2638453.dat
c:\program files\2638468.dat
c:\program files\2638484.dat
c:\program files\2639031.dat
c:\program files\58332703.dat
c:\program files\58332750.dat
c:\program files\58332796.dat
c:\program files\58336828.dat
c:\program files\593078.dat
c:\program files\7522109.dat
c:\program files\7522156.dat
c:\program files\7522171.dat
c:\program files\7522187.dat
c:\program files\7522218.dat
c:\program files\7522234.dat
c:\program files\9239359.dat
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\windows\system32\config\systemprofile\Local Settings\Application Data\agnnel
c:\windows\system32\info.tmp
c:\windows\Tasks\TBUpdater.job
c:\windows\Tasks\Updater.job

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
.

2010-01-15 04:04 . 2010-01-15 04:04 4 ----a-w- c:\program files\15688671.dat
2010-01-15 04:02 . 2010-01-15 04:02 4 ----a-w- c:\program files\15571125.dat
2010-01-15 04:02 . 2010-01-15 04:02 4 ----a-w- c:\program files\15571109.dat
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\xircom
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\windows\system32\wbem\snmp
2010-01-14 23:43 . 2010-01-14 23:43 -------- d-----w- c:\program files\microsoft frontpage
2010-01-14 14:32 . 2010-01-14 14:32 -------- d-----w- c:\program files\ERUNT
2010-01-14 14:25 . 2010-01-14 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-13 19:06 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-13 17:41 . 2010-01-13 17:41 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-13 17:41 . 2010-01-13 17:41 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-13 17:41 . 2010-01-13 17:41 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-13 17:41 . 2010-01-13 17:41 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-13 17:41 . 2010-01-13 17:41 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-13 17:41 . 2010-01-13 17:41 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-13 17:41 . 2010-01-13 17:41 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-13 17:11 . 2010-01-13 17:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 17:11 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 17:11 . 2010-01-13 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 17:11 . 2010-01-13 17:11 -------- d-----w- c:\program files\Lavasoft
2010-01-13 17:11 . 2010-01-13 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 17:11 . 2010-01-13 17:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 17:08 . 2010-01-13 17:08 -------- d-----w- c:\program files\Trend Micro
2010-01-13 16:46 . 2010-01-13 16:46 -------- d-----w- c:\program files\CCleaner
2010-01-13 16:46 . 2010-01-13 16:46 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 16:46 . 2010-01-13 16:46 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-15 04:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2010-01-13 16:45 . 2010-01-13 16:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-11 17:17 . 2010-01-11 17:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-11 17:17 . 2010-01-12 16:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 06:44 . 2010-01-12 16:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-19 16:34 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 16:34 . 2009-12-19 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 16:33 . 2009-12-19 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 16:33 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 04:03 . 2009-02-18 01:41 -------- d-----w- c:\program files\AIM Lite
2010-01-15 04:02 . 2008-12-12 16:12 -------- d-----w- c:\program files\AirPort
2010-01-15 04:02 . 2008-10-21 14:02 -------- d-----w- c:\program files\iTunes
2010-01-15 04:02 . 2008-10-21 13:59 -------- d-----w- c:\program files\PowerISO
2010-01-15 04:02 . 2008-10-13 21:42 -------- d-----w- c:\program files\QuickTime
2010-01-14 18:07 . 2009-02-17 00:46 -------- d-----w- c:\program files\PokerTracker 3
2010-01-14 18:06 . 2008-10-01 08:25 -------- d-----w- c:\program files\Styler
2010-01-14 18:05 . 2009-02-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-14 14:39 . 2008-04-14 12:00 40448 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 22:19 . 2008-10-01 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-01-13 16:40 . 2010-01-13 16:40 4 ----a-w- c:\program files\592890.dat
2010-01-13 16:12 . 2008-10-01 08:36 -------- d-----w- c:\program files\AutoPlay Media Studio 7.0
2009-12-26 23:19 . 2009-10-27 19:00 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-12-25 03:51 . 2009-11-19 13:42 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-19 18:46 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-19 14:57 . 2008-10-10 21:01 -------- d-----w- c:\documents and settings\Admin\Application Data\uTorrent
2009-12-02 13:19 . 2010-01-13 17:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\AIM Lite\aimlite .exe
c:\program files\AirPort\apagent .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
c:\program files\Babylon\Babylon-Pro\babylon .exe
c:\program files\Brother\ControlCenter2\brctrcen .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\PowerISO\pwrisovm .exe
c:\program files\QuickTime\qttask		  .exe
c:\program files\QuickTime\qttask		 .exe
c:\program files\QuickTime\qttask		.exe
c:\program files\QuickTime\qttask	   .exe
c:\program files\QuickTime\qttask	  .exe
c:\program files\QuickTime\qttask	 .exe
c:\program files\QuickTime\qttask	.exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
</pre>

------- Sigcheck -------

[-] 2008-09-08 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-09-08 . 8C4050BD9FD87E23CDED28FFA889B0BA . 2306560 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-04-11 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2010-01-14 14:39 . 02C200DB57E674F8F73268D48BA7DB22 . 40448 . . [------] . . c:\windows\system32\ctfmon.exe

[-] 2008-09-08 . D78B8FEF28298C32AAD37745AB26BDE5 . 2185216 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-01-14_23.43.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-01 08:34 . 2010-01-14 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-01 08:34 . 2010-01-15 01:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-15 01:35 . 2010-01-15 01:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-01 08:34 . 2010-01-15 01:35 606208 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-01 08:34 . 2010-01-14 18:34 606208 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\common files\nero\lib\nmindexstoresvr .exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -scheduler" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-13 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2010-01-15 40448]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2010-01-15 40448]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-01-15 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-15 40448]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-01-15 40448]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-01-15 40448]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2010-01-15 40448]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-01-15 40448]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2010-01-15 40448]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2010-01-15 40448]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2010-01-15 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-09-08 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-10-23 114688]
nero.exe [2008-9-5 194819]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 05:57 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/13/2010 12:42 PM 64288]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/8/2008 4:08 PM 143360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2/13/2009 11:00 AM 25728]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 12:31 PM 42000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2008-09-08 20:53 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]

2010-01-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.quickb...;serviceid=2004
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\babylon-pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\uogv0ls2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?sid=30101011100&s=.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
Completion time: 2010-01-14 23:06:26
ComboFix-quarantined-files.txt 2010-01-15 04:06
ComboFix2.txt 2010-01-14 23:48

Pre-Run: 413,285,294,080 bytes free
Post-Run: 413,271,506,944 bytes free

- - End Of File - - AF739076A370F36927CF2870D0224439

#12 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 15 January 2010 - 12:57 PM

OK, there is a minor problem in that some (5) of your critical system files have become infected, and unfortunately there are no replacements available on your machine for us to replace them with. We do have methods to sort this out, so don't worry.

If you have your Windows Installation CD - we should be able to restore the files from that. Did your CD/Computer come with Service Pack 3 pre-installed?

Otherwise, we will have to download Service Pack 3 and re-install it to replace those files.

If you have a CD Burner (and a blank CD), you can download the .iso version:
http://www.microsoft...50-fe22559d164e

Otherwise, you can download this version:
http://www.microsoft...ckInfoContainer
There are messages on that page that instruct you to use Windows Update, but you can't use this method because you already have SP3 and it won't show up. Double-check that you don't have the option to uninstall SP3 in Add/Remove Programs, as this would make things easier.

I don't know how technically minded you are, so I haven't gone into much detail for any of these options. If you do want any more info, just let me know and I would be happy to provide detailed instructions on how to perform the route that you need to take. Let me know.

Note that there will still be further cleaning we need to do afterwards - but we can't go any further since the remaining infections will just respawn from these system files.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

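As an added triage example (not part of the thread, and not ComboFix's own code), the following Python pulls out of Run-key and Sigcheck lines the same indicators the helper is counting above: a decoy path with a space before the extension, a cluster of autorun targets that all show one date and size, and a Sigcheck entry whose version field is dashed out. The sample lines are constructed from the log's format; the MD5 values are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ComboFix log format above;
# the MD5 values are placeholders, not hashes taken from the thread.
RUN_LINES = [
    r'"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]',
    r'"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]',
    r'"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2010-01-15 40448]',
    r'"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2010-01-15 40448]',
    r'"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-15 40448]',
]
SIGCHECK_LINES = [
    r"[-] 2008-09-08 . 00000000000000000000000000000000 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys",
    r"[-] 2010-01-14 14:39 . 11111111111111111111111111111111 . 40448 . . [------] . . c:\windows\system32\ctfmon.exe",
]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<meta>[^\]]*)\]')
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d\d-\d\d)(?:\s+\d\d:\d\d)?\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$")

def parse_run(line):
    """Name, command and (date, size) of one Run-key line; '[X]' means no file on disk."""
    m = RUN_RE.match(line)
    if not m:
        return None
    meta = m.group("meta").split()
    stamp = (meta[0], int(meta[1])) if len(meta) == 2 else None
    return {"name": m.group("name"), "cmd": m.group("cmd"), "stamp": stamp}

def padded_exe(cmd):
    """True when whitespace sits right before the extension, as in 'qttask .exe'."""
    return re.search(r"\S\s+\.exe\b", cmd, re.IGNORECASE) is not None

def triage_run(lines, min_cluster=3):
    """Flag decoy names and groups of autorun targets that share one date and size."""
    entries = [e for e in map(parse_run, lines) if e]
    clusters = Counter(e["stamp"] for e in entries if e["stamp"])
    findings = []
    for e in entries:
        reasons = []
        if padded_exe(e["cmd"]):
            reasons.append("whitespace before .exe")
        if e["stamp"] and clusters[e["stamp"]] >= min_cluster:
            reasons.append(f"shares date/size {e['stamp'][0]} {e['stamp'][1]} with {clusters[e['stamp']]} entries")
        if reasons:
            findings.append((e["name"], reasons))
    return findings

def blank_version_files(lines):
    """Sigcheck paths whose version field is dashed out, i.e. no usable version resource."""
    return [m.group("path") for m in map(SIG_RE.match, lines) if m and set(m.group("ver")) <= {"-"}]
```

Run against a full "Reg Loading Points" block, the cluster check is what surfaces the run of 40448-byte entries at once instead of one file at a time.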

#13 brooklynsystems (Authentic Member, 29 posts)

Posted 16 January 2010 - 08:09 AM

OK - I downloaded the SP3 ISO and the .exe version. Anything specific I should do? Or just a general restore?

#14 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 16 January 2010 - 11:55 AM

We want to (re)install SP3 - if there is anything like a repair or install option when you run it that is what we want. I'm not at a computer at the moment so I can't check the exact options I'm afraid, so if you are unsure I will be able to check tomorrow.


#15 brooklynsystems (Authentic Member, 29 posts)

Posted 16 January 2010 - 12:12 PM

OK - Ran the SP3 install. What's up next?
