
Malwarebytes

MBAM won't install



#1
spywaresucks

    New Member

  • Members
  • 6 posts
Hi,

MBAM and Hijackthis won't install.
Spybot won't run.
Browser (Firefox) redirects.
Rootrepeal report attached.
Cheers,


#2
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Please note that all instructions given are customised for this computer only;
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • Please Read All Instructions Carefully
  • If you don't understand something, stop and ask! Don't keep going on.
  • Please do not run any other tools or scans whilst I am helping you
  • Failure to reply within 5 days will result in the topic being closed.
  • Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please note: your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop

  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

  • Double click combofix.exe & follow the prompts.

  • When finished, it will produce a log. Please save that log to post in your next reply.

  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

For instructions on how to disable your security programs, please see this topic:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

PM's for help will be ignored

#3
spywaresucks

    New Member

  • Members
  • 6 posts
G'day Katana,

Thanks for the advice.
I downloaded Combofix but it wouldn't install either.
I get the Windows prompt that says the publisher isn't verified, but then the install just stops.
Am I heading towards format c:?

#4
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK

spywaresucks, on Aug 31 2009, 11:16 PM, said:
    Am I heading towards format c:?

Not just yet.

Please try the following ....


Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.

  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.

  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or attempted scan, in case of some error)!

Please post the results from the GMER scan in your reply.

#5
spywaresucks

    New Member

  • Members
  • 6 posts
G'day Katana,

Spot on with the need to rename the file.
gmer.exe wouldn't run; look.exe was fine.
I tried to attach the file but got an error message stating I couldn't upload this type of file.
Opted for cut and paste - hope that works for you.

Cheers.

GMER 1.0.15.15077 [look.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 21:13:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 89D5A0D8 ZwEnumerateKey
Code 89DAA560 ZwFlushInstructionCache
Code 89D952CE IofCallDriver
Code 89D590D6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89D952D3
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 89D590DB
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 89D5A0DC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 89DAA564

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [316] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [872] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [940] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1036] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1092] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1220] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [2708] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [3120] 0x10000000

---- Services - GMER 1.0.15 ----

Service F:\WINDOWS\system32\drivers\UACbwwosrqrms.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dll

---- EOF - GMER 1.0.15 ----
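
The GMER log above carries three kinds of evidence that matter to a helper reading it: inline JMP hooks on ntoskrnl exports, a DLL flagged "*** hidden ***" injected into every svchost.exe, and a hidden driver service with its module list in the registry. The script below is an added example (not GMER's code and not the helper's) that parses those line shapes and reduces the log to a verdict plus the set of files a cleanup would have to account for. The sample log is a constructed, cut-down copy of the one posted above; the section names and regular expressions are assumptions based on how that log is laid out.

```python
"""Triage a GMER rootkit-scan log: extract inline hooks, hidden modules and
hidden services, and derive the file set a cleanup has to deal with.
Added example; not GMER's or the forum helper's code."""
import re
from dataclasses import dataclass, field

# Constructed sample in GMER's log format, trimmed from the log posted above.
SAMPLE_LOG = r"""
GMER 1.0.15.15077 [look.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 21:13:32

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89D952D3
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 89D5A0DC

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [316] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [872] 0x10000000

---- Services - GMER 1.0.15 ----

Service F:\WINDOWS\system32\drivers\UACbwwosrqrms.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys

---- EOF - GMER 1.0.15 ----
"""

# Line shapes assumed from the log above (section banner, inline hook,
# hidden library, hidden service, per-service module value in the registry).
SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HOOK_RE = re.compile(r"^\S+ (\S+!\S+) [0-9A-F]+ \d+ Bytes JMP ([0-9A-F]+)")
HIDDEN_LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+) <-- ROOTKIT")
REG_MODULE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\(\S+?)\\modules@\S+ (\S+)")


def basename(path):
    """Last component of a Windows path, whatever prefix GMER printed."""
    return path.rsplit("\\", 1)[-1]


@dataclass
class GmerTriage:
    inline_hooks: list = field(default_factory=list)     # (hooked export, JMP target)
    hidden_modules: dict = field(default_factory=dict)   # file name -> set of host PIDs
    hidden_services: list = field(default_factory=list)  # (service name, driver path)
    service_modules: dict = field(default_factory=dict)  # service name -> module file names

    def indicators(self):
        """Every file a cleanup must account for: hidden modules, the hidden
        service's driver, and whatever its registry module list points at."""
        files = set(self.hidden_modules)
        for name, path in self.hidden_services:
            files.add(basename(path))
            files |= self.service_modules.get(name, set())
        return files

    def verdict(self):
        if self.hidden_services or self.hidden_modules:
            return "rootkit"
        if self.inline_hooks:
            return "suspicious"  # hooks alone can also come from security software
        return "clean"


def parse_gmer_log(text):
    report, section = GmerTriage(), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel code sections" and (m := HOOK_RE.match(line)):
            report.inline_hooks.append((m.group(1), m.group(2)))
        elif section == "Processes" and (m := HIDDEN_LIB_RE.match(line)):
            report.hidden_modules.setdefault(basename(m.group(1)), set()).add(int(m.group(3)))
        elif section == "Services" and (m := HIDDEN_SVC_RE.match(line)):
            report.hidden_services.append((m.group(2), m.group(1)))
        elif section == "Registry" and (m := REG_MODULE_RE.match(line)):
            if m.group(1) == "CurrentControlSet":  # ignore inactive control sets
                report.service_modules.setdefault(m.group(2), set()).add(basename(m.group(3)))
    return report


if __name__ == "__main__":
    rep = parse_gmer_log(SAMPLE_LOG)
    print("verdict:", rep.verdict())
    for fn, target in rep.inline_hooks:
        print(f"inline hook: {fn} -> {target}")
    for name, path in rep.hidden_services:
        print(f"hidden service: {name} ({path})")
    print("files to account for:", sorted(rep.indicators()))
```

The verdict deliberately distinguishes hidden objects from hooks: a hooked ntoskrnl export is only "suspicious" on its own, since the BitDefender filter driver in the same log shows that legitimate security products also sit in the kernel path, whereas a module GMER cannot see through the normal API is the signal the helper acts on.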

#6
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Download and Run ComboFix
----------------------------------------------------------------------------------------

Delete any copy of Combofix that you have, and download an updated copy of Combofix from the link below. Save it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a C:\Qoobox\Add-Remove Programs.txt so we can continue cleaning the system.


---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes


If ComboFix still doesn't run, please do the following and then try ComboFix again.


We need to use GMER to disable a service:

1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click UACd.sys and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.

#7
spywaresucks

    New Member

  • Members
  • 6 posts
G'day Katana.

Nice work - you're making good progress - thanks.
The two requested files attached.
Cheers.


#8
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Please can you post the logs rather than attaching them.

Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Driver::
    oflpydin
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.




----------------------------------------------------------------------------------------
Step 2

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If requested, please reboot
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix Log
  • MalwareBytes Log
  • How are things running now ?



---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoft...df/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE). (Don't install it yet.)
  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box).

You can delete JavaRa (zip and exe).

#9
spywaresucks

    New Member

  • Members
  • 6 posts
G'day Katana,
combofix log...

ComboFix 09-08-31.03 - Allen n 06/09/09 19:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.1279.913 [GMT 10:00]
Running from: f:\documents and settings\Allen\Desktop\Combo-Fix.exe
Command switches used :: f:\documents and settings\Allen\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 06:47 . 2009-09-06 06:47 -------- d-sh--w- f:\documents and settings\Troy\PrivacIE
2009-08-20 23:15 . 2008-12-10 22:38 159600 ----a-w- f:\windows\system32\drivers\pctgntdi.sys
2009-08-20 23:15 . 2009-04-03 00:18 130936 ----a-w- f:\windows\system32\drivers\PCTCore.sys
2009-08-20 23:15 . 2008-12-18 01:16 73840 ----a-w- f:\windows\system32\drivers\PCTAppEvent.sys
2009-08-20 23:15 . 2009-08-20 23:17 -------- d-----w- f:\program files\Common Files\PC Tools
2009-08-20 23:15 . 2008-12-10 01:36 64392 ----a-w- f:\windows\system32\drivers\pctplsg.sys
2009-08-20 23:14 . 2009-08-20 23:17 -------- d-----w- f:\program files\Spyware Doctor
2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\Tammy\Application Data\PC Tools
2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\All Users\Application Data\PC Tools
2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\Common Files\Uninstall
2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\PersonalAV
2009-08-13 10:20 . 2009-06-05 07:42 655872 -c----w- f:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 08:53 . 2007-05-03 21:02 -------- d-----w- f:\documents and settings\Allen\Application Data\Skype
2009-09-06 07:03 . 2007-05-31 09:26 81984 ----a-w- f:\windows\system32\bdod.bin
2009-09-06 06:20 . 2008-10-08 21:00 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
2009-08-31 07:17 . 2006-05-28 03:11 65008 ----a-w- f:\documents and settings\Allen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 06:07 . 2007-01-12 19:57 -------- d-----w- f:\program files\Java
2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-08-28 06:05 . 2008-05-03 10:22 -------- d-----w- f:\program files\Common Files\BitDefender
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\MSBuild
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\Reference Assemblies
2009-08-05 09:11 . 2003-03-31 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-08-04 04:46 . 2008-09-29 05:56 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS
2009-08-03 18:40 . 2008-09-29 05:56 -------- d-----w- f:\program files\NOS
2009-07-24 19:23 . 2008-11-30 09:48 411368 ----a-w- f:\windows\system32\deploytk.dll
2009-07-23 11:24 . 2009-07-23 11:24 -------- d-----w- f:\documents and settings\Tammy\Application Data\GRETECH
2009-07-23 11:15 . 2009-07-23 11:15 -------- d-----w- f:\program files\GNU
2009-07-23 11:13 . 2009-07-23 11:13 -------- d-----w- f:\documents and settings\Allen\Application Data\GRETECH
2009-07-23 11:12 . 2009-07-23 11:12 -------- d-----w- f:\program files\GRETECH
2009-07-23 11:04 . 2009-07-23 11:04 -------- d-----w- f:\program files\LD-Anime
2009-07-22 07:28 . 2008-01-05 09:06 -------- d-----w- f:\documents and settings\Allen\Application Data\CoreFTP
2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- f:\windows\system32\atl.dll
2009-07-13 00:08 . 2006-05-28 02:59 286720 ----a-w- f:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2003-03-31 12:00 915456 ----a-w- f:\windows\system32\wininet.dll
2009-06-25 08:44 . 2008-07-29 11:03 724480 ----a-w- f:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2008-07-29 11:03 133632 ----a-w- f:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2008-07-29 11:03 168448 ----a-w- f:\windows\system32\schannel.dll
2009-06-25 08:44 . 2003-03-31 12:00 59392 ----a-w- f:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-03-31 12:00 56320 ----a-w- f:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-03-31 12:00 298496 ----a-w- f:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2008-07-29 11:03 92544 ----a-w- f:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- f:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- f:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- f:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- f:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-07-29 11:03 132096 ----a-w- f:\windows\system32\wkssvc.dll
2007-08-16 10:48 . 2007-08-16 10:48 135680 ----a-w- f:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="f:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="f:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2006-06-07 282624]
"EPSON Stylus C67 Series"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]
"SMSTray"="f:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"MAAgent"="f:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 57344]
"EPSON Stylus C67 Series (Copy 1)"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]
"BitDefender Antiphishing Helper"="f:\program files\BitDefender\2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="f:\program files\BitDefender\2008\bdagent.exe" [2009-08-28 368640]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

f:\documents and settings\Allen\Start Menu\Programs\Startup\
Capture Express 2000.lnk - f:\program files\Capture Express\capexp.exe [2007-3-19 891904]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 06:28 352256 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"f:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [21/08/09 09:15 130936]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [3/09/08 14:07 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/09/08 14:07 55024]
S3 BS_DEF;BS_DEF;\??\f:\windows\system32\drivers\BS_DEF.sys --> f:\windows\system32\drivers\BS_DEF.sys [?]
S3 getPlus® Helper;getPlus® Helper;f:\program files\NOS\bin\getPlus_HelperSvc.exe --> f:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 oflpydin;oflpydin;\??\f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys --> f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys [?]
S3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [3/09/08 14:07 7408]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [21/08/09 09:14 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 f:\windows\Tasks\Symantec NetDetect.job
- f:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-05-28 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: qld.gov.au\www.qships.transport
FF - ProfilePath - f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: f:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 19:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
f:\program files\SUPERAntiSpyware\SASWINLO.dll
f:\windows\system32\WININET.dll
.
Completion time: 2009-09-06 19:22
ComboFix-quarantined-files.txt 2009-09-06 09:21
ComboFix2.txt 2009-09-05 01:07

Pre-Run: 18,474,184,704 bytes free
Post-Run: 18,483,998,720 bytes free

187 --- E O F --- 2009-09-03 11:52
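
Two lines in the ComboFix log above are what a helper reads first: the "RECOVERY CONSOLE" warning near the top, and the S3 entry for oflpydin, whose image sits in the user's Temp folder and could not be found on disk ("[?]"); that is the driver the CFScript in post #8 names under Driver::. The script below is an added example (not ComboFix's code and not the helper's) that pulls the R0/R1/S3 service lines out of such a log and flags the ones with those two properties. The sample is a constructed excerpt modelled on the log above, and the line format it assumes is "<start> <name>;<display name>;<image path> [<date size>]", with "--> <path> [?]" appended when ComboFix could not stat the image.

```python
"""Triage the driver/service lines of a ComboFix log.
Added example; not ComboFix's or the forum helper's code."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the services block of the log posted above.
SAMPLE_LOG = r"""
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [21/08/09 09:15 130936]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [3/09/08 14:07 8944]
S3 BS_DEF;BS_DEF;\??\f:\windows\system32\drivers\BS_DEF.sys --> f:\windows\system32\drivers\BS_DEF.sys [?]
S3 oflpydin;oflpydin;\??\f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys --> f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [21/08/09 09:14 348752]
"""

# Assumed line shape: start type, name, display name, image path,
# optional "--> resolved path", then "[date size]" or "[?]" in brackets.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: --> (.+?))? \[([^\]]+)\]$")
RC_WARNING = "DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED"

# Directories a kernel driver or service image has no business loading from
# (matched case-insensitively against the resolved image path).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    name: str      # service/driver name as registered
    start: str     # ComboFix start-type tag (R0, R1, S3, ...)
    path: str      # image path, resolved where ComboFix resolved it
    reasons: list  # why the entry was flagged


def recovery_console_missing(text):
    """True when ComboFix printed its missing-Recovery-Console warning."""
    return RC_WARNING in text


def triage_services(text):
    """Return the service entries worth a second look, in log order."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, _display, image, resolved, stamp = m.groups()
        path = resolved or image
        reasons = []
        if stamp.strip() == "?":
            reasons.append("image file not found on disk")
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("image loads from a temporary directory")
        if reasons:
            findings.append(Finding(name, start, path, reasons))
    return findings


if __name__ == "__main__":
    if recovery_console_missing(SAMPLE_LOG):
        print("Recovery Console not installed: ask for it before any further fix")
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.start} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

A "[?]" stamp on its own is weak evidence (BS_DEF in the sample has only that, and a stale entry for an uninstalled product looks the same), so the output lists reasons rather than a verdict; an image that is both missing and registered from a Temp path, as oflpydin is, is the combination that earns a driver a place in a fix script.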

#10
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Do you have the MalwareBytes Log ?

#11
spywaresucks

    New Member

  • Members
  • 6 posts
Malwarebytes' Anti-Malware 1.40
Database version: 2747
Windows 5.1.2600 Service Pack 2

6/09/09 22:16:44
mbam-log-2009-09-06 (22-16-44).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 235749
Time elapsed: 2 hour(s), 21 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
F:\Qoobox\Quarantine\F\WINDOWS\system32\UACtheesqvbdx.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Qoobox\Quarantine\F\WINDOWS\system32\UACyxuyrlfwmk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{31B1763A-A2C0-44E2-8F10-8599A571FBFA}\RP733\A0178849.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
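A small parser for the Malwarebytes' Anti-Malware 1.x log layout posted above, added here as an example (it is not part of the poster's log or of Malwarebytes itself): it tallies detections per malware family, checks the summary counts against the items actually listed, and flags anything the scanner did not quarantine and delete. The sample input is a constructed excerpt; the UACexample.dll line and its "Delete on reboot" action are placeholders, not from the log.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.40 log posted
# above: real paths from that log plus one made-up line (UACexample.dll is a placeholder).
SAMPLE_LOG = """\
Registry Keys Infected: 0
Folders Infected: 1
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Folders Infected:
F:\\Program Files\\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
F:\\Qoobox\\Quarantine\\F\\WINDOWS\\system32\\UACyxuyrlfwmk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\\Program Files\\PersonalAV\\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
F:\\WINDOWS\\system32\\UACexample.dll (Rootkit.TDSS) -> Delete on reboot.
"""

# Summary line ("Files Infected: 7"), section opener ("Files Infected:"), detection line ("<path> (<family>) -> <action>.")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared count per section, list of detections per section)."""
    declared, items, current = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SUMMARY_RE.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            current = m["section"]
            items[current] = []  # "(No malicious items detected)" never matches ITEM_RE, so empty sections stay empty
        elif current and (m := ITEM_RE.match(line)):
            items[current].append({"path": m["path"], "family": m["family"], "action": m["action"]})
    return declared, items

def triage(text):
    """Per-family counts, summary/list count mismatches, and items the scanner has not removed yet."""
    declared, items = parse_mbam_log(text)
    found = [i for sec in items.values() for i in sec]
    families = Counter(i["family"] for i in found)
    mismatches = {s: (n, len(items.get(s, []))) for s, n in declared.items() if n != len(items.get(s, []))}
    pending = [i["path"] for i in found if not i["action"].startswith("Quarantined and deleted")]
    return {"families": dict(families), "mismatches": mismatches, "pending": pending}
```

Run `triage(SAMPLE_LOG)` on a full log to get a quick picture of what was found and whether a reboot is still needed before the next scan.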

#12
Katana

    True Member

  • Experts
  • PipPipPipPip
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Recovery Console

!!!!!! Warning !!!!!!.... Your log shows that Recovery Console is not installed.
Due to the threat that current and future malware poses it is vital that you have some form of recovery console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System - (SP3 Users should download the SP2 pack)
Windows XP Home Edition SP2

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.


Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\Check1.txt
    Driver::
    oflpydin
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    File::
    C:\Check2.txt
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    Posted Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/information in your reply.
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix Log
  • Kaspersky Log
  • How are things running now?

PM's for help will be ignored
