
Malwarebytes

Infections won't permanently delete


8 replies to this topic

#1
Frustrated Dude

    New Member

  • Members
  • 5 posts
I'm having an issue where Malware deletes the infections but they keep coming back. As instructed before, I've downloaded both Avira Antivirus and HijackThis. Thanks in advance for any help!

Here are the logs from Malware and HijackThis:

Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 2

4/6/2009 5:57:11 AM
mbam-log-2009-04-06 (05-57-11).txt

Scan type: Quick Scan
Objects scanned: 92760
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdazaranawifuki (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ofawipiq.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:04 AM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickBooksDB19] C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -n QB_GREGSLAPTOP_19 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=55333) -ti 0 -ec simple -qi -qw -tl 120 -oe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit\QUICKB~2\DBSTAR~1.LOG -y
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [peskything] rundll32.exe "C:\WINDOWS\iheyiyukejubetov.dll",e
O4 - HKLM\..\Run: [Jdazaranawifuki] rundll32.exe "C:\WINDOWS\iheyiyukejubetov.dll",e
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...575/mcfscan.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 11525 bytes
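The HijackThis log above is the kind of listing a helper reads by eye for autostart entries that do not belong. As an added example (not code from this thread, from Malwarebytes, HijackThis or ComboFix), the Python script below does that reading mechanically over a handful of lines copied from the posted logs: it parses the O4 Run entries, flags any rundll32 entry that loads a DLL sitting directly in the Windows directory rather than in a subfolder, flags two Run values that launch the same payload (removing one value leaves the other to run the DLL again at the next logon), and flags any LSA Notification Package beyond the stock ones, since lsass.exe loads those at boot. The sample input is constructed from the thread (the LSA line comes from the ComboFix log posted later in it); the rule names, the "expected" LSA package set (scecli, with rassfm also treated as stock) and the drive-letter handling are my assumptions.

```python
"""Added triage example: flag persistence indicators in HijackThis / ComboFix
log lines. Not part of the thread or of any vendor tool."""
import ntpath
import re
from collections import defaultdict

# Constructed sample input. The O4 lines are copied from the HijackThis log in
# post #1 and the "Notification Packages" line from the ComboFix log posted
# later in the thread; the selection and ordering are mine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [peskything] rundll32.exe "C:\WINDOWS\iheyiyukejubetov.dll",e
O4 - HKLM\..\Run: [Jdazaranawifuki] rundll32.exe "C:\WINDOWS\iheyiyukejubetov.dll",e
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
Notification Packages REG_MULTI_SZ scecli dmpcd1.dll
"""

# HijackThis "O4 - HKLM\..\Run: [name] command" entries
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32.exe "<path>.dll",entry  ->  capture the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# ComboFix rendering of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
LSA_RE = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")
# Any drive's Windows (or legacy WinNT) root directory, lower-cased
WINDOWS_ROOT_RE = re.compile(r"[a-z]:\\(windows|winnt)")
# Assumption: scecli is the stock XP package; rassfm shows up on some systems
EXPECTED_LSA_PACKAGES = {"scecli", "rassfm"}


def parse_o4(line):
    """Return a dict (hive, name, cmd, dll) for an O4 Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    d = RUNDLL_RE.search(entry["cmd"])
    entry["dll"] = d.group("dll") if d else None
    return entry


def in_windows_root(path):
    """True when the file sits directly in the Windows directory (not a subfolder)."""
    return bool(WINDOWS_ROOT_RE.fullmatch(ntpath.dirname(path).lower()))


def triage(log_text):
    """Scan log lines and return a list of findings in the order they are raised."""
    findings = []
    by_payload = defaultdict(list)  # dll path (lower-cased) -> Run value names
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        entry = parse_o4(line)
        if entry:
            if entry["dll"]:
                by_payload[entry["dll"].lower()].append(entry["name"])
                if in_windows_root(entry["dll"]):
                    findings.append({"rule": "rundll32_windows_root",
                                     "entry": entry["name"], "detail": entry["dll"]})
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group("pkgs").split():
                if re.sub(r"\.dll$", "", pkg.lower()) not in EXPECTED_LSA_PACKAGES:
                    findings.append({"rule": "lsa_notification_package",
                                     "entry": "lsa", "detail": pkg})
    # Several Run values pointing at one payload: deleting one leaves the rest
    for dll, names in by_payload.items():
        if len(names) > 1:
            findings.append({"rule": "duplicate_run_payload",
                             "entry": ",".join(names), "detail": dll})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:26} {f['entry']:28} {f['detail']}")
```

Run against the sample, the script raises four findings: both peskything and Jdazaranawifuki load the same DLL from C:\WINDOWS, the two values are duplicates of one payload (which is why quarantining only the jdazaranawifuki value, as the MBAM log shows, is not enough), and dmpcd1.dll is a non-stock LSA notification package that the later ComboFix log also shows loaded inside lsass.exe. Those are items to hand to a helper for review, not a verdict on their own.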

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

First of all, I notice from your log that there's more than one antivirus installed: McAfee, Avira and AVG.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other ones.
Then reboot after uninstalling.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
Frustrated Dude

    New Member

  • Members
  • 5 posts
Thanks for the help. Here is my ComboFix log file:

ComboFix 09-04-04.01 - gregn 2009-04-06 12:22:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1607 [GMT -7:00]
Running from: c:\documents and settings\gregn\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\gregn\Application Data\inst.exe
c:\windows\system32\Pncrt.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 09:29 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-05 11:09 . 2009-04-05 11:09 <DIR> d-------- c:\windows\McAfee.com
2009-04-03 13:23 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-03 13:22 . 2009-04-05 10:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 13:22 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\documents and settings\gregn\Application Data\SUPERAntiSpyware.com
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 11:14 . 2009-04-05 12:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-04-03 10:53 . 2009-04-06 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-03 10:43 . 2009-04-03 11:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-04-01 12:21 . 2009-04-06 09:46 1,366 --a------ c:\windows\Xyekumipoberebe.dat
2009-04-01 12:21 . 2009-04-06 05:27 16 --a------ c:\windows\Gfiheteko.bin
2009-03-23 20:14 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-23 20:14 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-03-20 08:56 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-20 08:55 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-20 08:55 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-20 08:55 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-17 10:58 . 2009-03-17 10:58 <DIR> d-------- c:\windows\CD95F661A5C444F5A6AAECDD91C240B7.TMP
2009-03-17 10:45 . 2009-03-17 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-15 07:32 . 2009-03-15 07:32 <DIR> d-------- c:\documents and settings\gregn\Application Data\McAfee
2009-03-12 12:58 . 2009-03-12 12:58 <DIR> d-------- c:\documents and settings\QBDataServiceUser19\Application Data\Roxio
2009-03-12 12:58 . 2009-03-12 13:03 <DIR> d-------- c:\documents and settings\gregn\Application Data\Roxio
2009-03-12 12:58 . 2009-03-15 07:41 156 --a------ c:\windows\Twunk001.MTX
2009-03-12 12:58 . 2009-03-15 07:41 3 --a------ c:\windows\Twain001.Mtx
2009-03-12 12:58 . 2009-03-12 12:58 0 --a------ c:\windows\Twunk002.MTX
2009-03-06 14:38 . 2009-03-06 14:38 1,194 --a------ c:\windows\system32\ClamWin.conf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-03 20:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-03 18:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-03 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-02 14:09 --------- d-----w c:\program files\McAfee
2009-04-01 18:58 --------- d-----w c:\program files\SiteAdvisor
2009-03-17 18:58 --------- d-----w c:\documents and settings\gregn\Application Data\Azureus
2009-03-15 01:40 --------- d-----w c:\documents and settings\gregn\Application Data\Vso
2009-03-12 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-03-10 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-07 02:30 --------- d-----w c:\program files\ClamWin
2009-03-05 02:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 16:29 --------- d-----w c:\program files\Total Video Converter
2009-03-03 16:28 --------- d-----w c:\program files\Common Files\AVSMedia
2009-03-03 16:28 --------- d-----w c:\program files\AVS4YOU
2009-03-03 15:34 --------- d-----w c:\program files\MagicDisc
2009-03-03 15:33 --------- d-----w c:\program files\MagicISO
2009-03-03 04:27 --------- d-----w c:\program files\Rosetta Stone
2009-03-02 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-03-02 00:40 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-02 00:40 47,360 ----a-w c:\documents and settings\gregn\Application Data\pcouffin.sys
2009-03-02 00:40 --------- d-----w c:\program files\VSO
2009-03-01 03:40 --------- d-----w c:\documents and settings\gregn\Application Data\AVS4YOU
2009-03-01 03:33 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-01 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-28 19:31 --------- d-----w c:\program files\Trend Micro
2009-02-28 17:54 --------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
2009-02-28 17:54 --------- d-----w c:\documents and settings\gregn\Application Data\SiteAdvisor
2009-02-28 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-28 17:53 --------- d-----w c:\program files\McAfee.com
2009-02-28 17:53 --------- d-----w c:\program files\Common Files\McAfee
2009-02-28 16:58 --------- d-----w c:\documents and settings\gregn\Application Data\Malwarebytes
2009-02-28 16:58 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 03:17 --------- d-----w c:\program files\Vuze
2009-02-28 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-02-28 00:52 --------- d-----w c:\program files\Common Files\i4j_jres
2009-02-25 02:42 116,736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2009-02-11 15:00 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-11 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-11 14:59 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-11 14:59 --------- d-----w c:\program files\Lavasoft
2009-02-11 14:47 --------- d-----w c:\program files\TuneUp Utilities 2007
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2007-02-27 507904]
"QuickBooksDB19"="c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe" [2008-07-10 131072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"peskything"="c:\windows\iheyiyukejubetov.dll" [2007-03-08 154624]
"Jdazaranawifuki"="c:\windows\iheyiyukejubetov.dll" [2007-03-08 154624]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-03-11 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dmpcd1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-04 08:00 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-09-19 16:06 615696 c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELBERT_S2P]
--a------ 2006-08-17 22:22 241664 c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
--a------ 2008-09-09 02:21 623880 c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSCSysTrayUI]
--------- 2006-09-19 11:47 270336 c:\program files\SAMSUNG\NetworkScan\NSCSysTrayUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 11:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-08-26 13:23 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
--a------ 2007-02-27 21:31 507904 c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-03-05 16:07 2260480 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-23 15:44 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 17:30 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB17"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\SAMSUNG\\NetworkScan\\NSCSysTrayUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 SM_SCX530_FUService;SCX530 Status Monitor Service;"c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc /Service --> c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc [?]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d255c0a-c737-11dd-a2ea-0016415dc278}]
\Shell\AutoRun\command - "H:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
"c:\program files\Windows Sidebar\sidebar.exe" /RegServer
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 07:51]

2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 08:00]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-04-06 c:\windows\Tasks\User_Feed_Synchronization-{1EEEA52D-4AC0-4FDB-9290-9F2599277B54}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-realtecks - c:\documents and settings\gregn\Application Data\Google\wcwdu16814728.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\gregn\Application Data\Mozilla\Firefox\Profiles\nfzkvwu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\SiteAdvisor\6173\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 12:26:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_SCX530_FUService]
"ImagePath"="\"c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc /Service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\dmpcd1.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-04-06 12:29:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 19:29:49

Pre-Run: 14,888,275,968 bytes free
Post-Run: 14,855,417,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

289 --- E O F --- 2009-03-26 14:37:00

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\dmpcd1.dll
c:\windows\iheyiyukejubetov.dll
c:\windows\Xyekumipoberebe.dat
c:\windows\Gfiheteko.bin
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"peskything"=-
"Jdazaranawifuki"=-

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook
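The CFScript above does two related things: it deletes c:\windows\dmpcd1.dll, which the earlier ComboFix log lists as loaded inside lsass.exe, and it resets the LSA "Notification Packages" value to its stock Windows XP content. Notification packages are DLLs that lsass loads at startup (the mechanism exists for password-filter and password-sync DLLs), so a DLL registered there survives ordinary file deletion and can re-drop Run-key entries on every boot; that is consistent with the "infections keep coming back" symptom, although the thread never spells the mechanism out. The hex(7) value is a REG_MULTI_SZ in REGEDIT4 (ANSI) encoding, one byte per character, each string NUL-terminated and the list ending in an extra NUL: 73,63,65,63,6c,69,00,00 is simply "scecli". The Python below is an added example, not code from the thread or from ComboFix: it decodes and encodes such values and flags any package name outside an assumed allowlist (scecli, the XP default). The "hijacked" input is constructed for illustration; the page never shows the machine's actual value.

```python
import re

# Stock Windows XP content of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
# Assumed allowlist for this example; extend it for environments that
# legitimately register extra packages (e.g. a password-sync product).
DEFAULT_LSA_PACKAGES = {"scecli"}

_HEX_VALUE = re.compile(r"hex(?:\((\d+)\))?:([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)?")


def parse_hex_value(value: str) -> tuple[int, bytes]:
    """Parse a .reg / CFScript 'hex(N):aa,bb,...' value into (registry type, raw bytes).

    A bare 'hex:' prefix means REG_BINARY (type 3); 'hex(7):' is REG_MULTI_SZ.
    """
    m = _HEX_VALUE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not a hex(N) value: {value!r}")
    reg_type = int(m.group(1)) if m.group(1) else 3
    raw = bytes.fromhex(m.group(2).replace(",", "")) if m.group(2) else b""
    return reg_type, raw


def decode_multi_sz(raw: bytes, unicode: bool = False) -> list[str]:
    """Split a REG_MULTI_SZ buffer into its strings.

    REGEDIT4 files (the format ComboFix and this CFScript use) store one byte
    per character; 'Windows Registry Editor Version 5.00' files store UTF-16LE.
    Each string is NUL-terminated and the list ends with an extra NUL.
    """
    text = raw.decode("utf-16-le" if unicode else "latin-1")
    parts = text.split("\x00")
    while parts and parts[-1] == "":
        parts.pop()  # drop the list terminator (and any trailing padding)
    return parts


def encode_multi_sz(items: list[str], unicode: bool = False) -> str:
    """Build the 'hex(7):...' text for a list of strings, e.g. to write a reset line."""
    text = "".join(s + "\x00" for s in items) + "\x00"
    raw = text.encode("utf-16-le" if unicode else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_notification_packages(value: str, allowed=frozenset(DEFAULT_LSA_PACKAGES),
                                unicode: bool = False) -> list[str]:
    """Return the package names in a Notification Packages value that are not allowlisted."""
    reg_type, raw = parse_hex_value(value)
    if reg_type != 7:
        raise ValueError(f"Notification Packages must be REG_MULTI_SZ (hex(7)), got type {reg_type}")
    return [p for p in decode_multi_sz(raw, unicode) if p.lower() not in allowed]


if __name__ == "__main__":
    # The value from the CFScript in the post above (REGEDIT4 / ANSI encoding).
    clean = "hex(7):73,63,65,63,6c,69,00,00"
    print(decode_multi_sz(parse_hex_value(clean)[1]))   # ['scecli']
    print(encode_multi_sz(["scecli"]) == clean)         # True

    # Constructed illustration of a hijacked value (not taken from the page):
    # an extra DLL name appended, which lsass would load at the next boot.
    hijacked = encode_multi_sz(["scecli", "dmpcd1"])
    print(hijacked)
    print(audit_notification_packages(hijacked))        # ['dmpcd1']
```

The same decoder applies to any REG_MULTI_SZ exported in .reg syntax; pass unicode=True for values taken from a "Windows Registry Editor Version 5.00" export, where each character occupies two bytes. Note that the script resets the value rather than just removing the bad entry, so on a system with a legitimate extra package you would add that name to the allowlist and rebuild the line with encode_multi_sz instead of copying the reset line verbatim.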

#5
Frustrated Dude

    New Member

  • Members
  • 5 posts
Here's the newest log file:

ComboFix 09-04-04.01 - gregn 2009-04-06 13:11:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1586 [GMT -7:00]
Running from: c:\documents and settings\gregn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gregn\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\dmpcd1.dll
c:\windows\Gfiheteko.bin
c:\windows\iheyiyukejubetov.dll
c:\windows\Xyekumipoberebe.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dmpcd1.dll
c:\windows\Gfiheteko.bin
c:\windows\iheyiyukejubetov.dll
c:\windows\Xyekumipoberebe.dat

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 09:29 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-05 11:09 . 2009-04-05 11:09 <DIR> d-------- c:\windows\McAfee.com
2009-04-03 13:23 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-03 13:22 . 2009-04-05 10:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 13:22 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\documents and settings\gregn\Application Data\SUPERAntiSpyware.com
2009-04-03 13:09 . 2009-04-03 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 11:14 . 2009-04-05 12:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-04-03 10:53 . 2009-04-06 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-03 10:43 . 2009-04-03 11:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-23 20:14 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-23 20:14 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-03-20 08:56 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-20 08:55 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-20 08:55 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-20 08:55 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-17 10:58 . 2009-03-17 10:58 <DIR> d-------- c:\windows\CD95F661A5C444F5A6AAECDD91C240B7.TMP
2009-03-17 10:45 . 2009-03-17 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-15 07:32 . 2009-03-15 07:32 <DIR> d-------- c:\documents and settings\gregn\Application Data\McAfee
2009-03-12 12:58 . 2009-03-12 12:58 <DIR> d-------- c:\documents and settings\QBDataServiceUser19\Application Data\Roxio
2009-03-12 12:58 . 2009-03-12 13:03 <DIR> d-------- c:\documents and settings\gregn\Application Data\Roxio
2009-03-12 12:58 . 2009-03-15 07:41 156 --a------ c:\windows\Twunk001.MTX
2009-03-12 12:58 . 2009-03-15 07:41 3 --a------ c:\windows\Twain001.Mtx
2009-03-12 12:58 . 2009-03-12 12:58 0 --a------ c:\windows\Twunk002.MTX
2009-03-06 14:38 . 2009-03-06 14:38 1,194 --a------ c:\windows\system32\ClamWin.conf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-03 20:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-03 18:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-03 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-02 14:09 --------- d-----w c:\program files\McAfee
2009-04-01 18:58 --------- d-----w c:\program files\SiteAdvisor
2009-03-17 18:58 --------- d-----w c:\documents and settings\gregn\Application Data\Azureus
2009-03-15 01:40 --------- d-----w c:\documents and settings\gregn\Application Data\Vso
2009-03-12 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-03-10 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-07 02:30 --------- d-----w c:\program files\ClamWin
2009-03-05 02:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 16:29 --------- d-----w c:\program files\Total Video Converter
2009-03-03 16:28 --------- d-----w c:\program files\Common Files\AVSMedia
2009-03-03 16:28 --------- d-----w c:\program files\AVS4YOU
2009-03-03 15:34 --------- d-----w c:\program files\MagicDisc
2009-03-03 15:33 --------- d-----w c:\program files\MagicISO
2009-03-03 04:27 --------- d-----w c:\program files\Rosetta Stone
2009-03-02 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-03-02 00:40 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-02 00:40 47,360 ----a-w c:\documents and settings\gregn\Application Data\pcouffin.sys
2009-03-02 00:40 --------- d-----w c:\program files\VSO
2009-03-01 03:40 --------- d-----w c:\documents and settings\gregn\Application Data\AVS4YOU
2009-03-01 03:33 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-01 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-28 19:31 --------- d-----w c:\program files\Trend Micro
2009-02-28 17:54 --------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
2009-02-28 17:54 --------- d-----w c:\documents and settings\gregn\Application Data\SiteAdvisor
2009-02-28 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-28 17:53 --------- d-----w c:\program files\McAfee.com
2009-02-28 17:53 --------- d-----w c:\program files\Common Files\McAfee
2009-02-28 16:58 --------- d-----w c:\documents and settings\gregn\Application Data\Malwarebytes
2009-02-28 16:58 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 03:17 --------- d-----w c:\program files\Vuze
2009-02-28 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-02-28 00:52 --------- d-----w c:\program files\Common Files\i4j_jres
2009-02-25 02:42 116,736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2009-02-11 15:00 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-11 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-11 14:59 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-11 14:59 --------- d-----w c:\program files\Lavasoft
2009-02-11 14:47 --------- d-----w c:\program files\TuneUp Utilities 2007
.

((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.29.11.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-06 19:08:45 63,590 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-06 19:29:51 63,590 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-06 19:08:45 404,536 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-06 19:29:51 404,536 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2007-02-27 507904]
"QuickBooksDB19"="c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe" [2008-07-10 131072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-03-11 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-04 08:00 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-09-19 16:06 615696 c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELBERT_S2P]
--a------ 2006-08-17 22:22 241664 c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
--a------ 2008-09-09 02:21 623880 c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSCSysTrayUI]
--------- 2006-09-19 11:47 270336 c:\program files\SAMSUNG\NetworkScan\NSCSysTrayUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 11:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-08-26 13:23 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
--a------ 2007-02-27 21:31 507904 c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-03-05 16:07 2260480 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-23 15:44 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 17:30 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB17"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\SAMSUNG\\NetworkScan\\NSCSysTrayUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 SM_SCX530_FUService;SCX530 Status Monitor Service;"c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc /Service --> c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc [?]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d255c0a-c737-11dd-a2ea-0016415dc278}]
\Shell\AutoRun\command - "H:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
"c:\program files\Windows Sidebar\sidebar.exe" /RegServer
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 07:51]

2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 08:00]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-04-06 c:\windows\Tasks\User_Feed_Synchronization-{1EEEA52D-4AC0-4FDB-9290-9F2599277B54}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\gregn\Application Data\Mozilla\Firefox\Profiles\nfzkvwu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\SiteAdvisor\6173\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 13:17:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_SCX530_FUService]
"ImagePath"="\"c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\ssmsrvc /Service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-06 13:20:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 20:20:05
ComboFix2.txt 2009-04-06 19:29:53

Pre-Run: 14,843,076,608 bytes free
Post-Run: 14,827,720,704 bytes free

287 --- E O F --- 2009-03-26 14:37:00

#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#7
Frustrated Dude

    New Member

  • Members
  • 5 posts
Wow! Looks like it worked. Thank you so much for your help!

#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Mieke Verburgh
Assistant Director of Research


#9
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research





