
Malwarebytes

Non-stopping advertisement pop-ups

38 replies to this topic

#1 jbd55 (New Member, Members, 17 posts)
Hi everybody,
I'd be really happy if you can help me find a solution to this annoying problem:
spontaneous pop-ups appear every few minutes; they open through IE even though I use Firefox.
I'm using NOD32 and tried to scan with Spybot, Ad-Aware and Spyware Doctor, but nothing fixed the problem.

I couldn't open Malwarebytes' Anti-Malware (it says "error loading database. line: #0."), so I'm posting a HijackThis log only. Thanks in advance to anyone who can help me.

*****************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:06, on 01/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6344 bytes

*****************************************************

#2 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)
Welcome to Malwarebytes.
Please remove the current version of Malwarebytes you have and download a new copy from here:
Malwarebytes 1.14

Start Hijackthis and do a Scan Only and place a check mark on these items

  • O4 - HKLM\..\RunOnce: [SpybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
  • O4 - HKLM\..\RunOnce: [SpybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
  • O4 - HKCU\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
  • O4 - HKCU\..\RunOnce: [SpybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
  • O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')
  • O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  • O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
Then click on "Fix selected".

Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  • Then click on "Empty Selected".

Then after a reboot install the new downloaded Malwarebytes 1.14 program and allow it to update.
Then do a Quick Scan and allow it to fix any items it finds.
Then run HijackThis and do a Scan Only, copy that log, and report back with both the HijackThis and MB logs.

Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3 jbd55 (New Member, Members, 17 posts)
Hi,

first of all, thanks for all the help.

Now, I still couldn't run Malwarebytes (same error).
I did check the items as described in HijackThis and fixed them, and used the ATF Cleaner.

Here is the current log of HJT; what should I do next? (The pop-ups didn't stop yet.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:58:40, on 02/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5202 bytes

#4 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)
This is the rootkit culprit:
C:\WINDOWS\system32\drivers\core.cache.dsk

Malwarebytes should be able to remove it for you but we need to find out why MB is not running for you.

Let me check with one of the programmers and see what we can do.
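A log-triage helper written for this thread as an added example (not the forum's, HijackThis's or Malwarebytes' own code). It parses the tagged HijackThis lines and applies the checks AdvancedSetup applied by hand above: RunOnce entries that delete a file under the drivers folder (core.cache.dsk, the item called the culprit), orphaned "(file missing)" entries, DPF ActiveX downloads, and O17 name servers outside the local network. The sample lines are copied from the logs posted above; the regexes and severity labels are my own assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [SpybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: "<hive>\..\<Run|RunOnce|RunServices>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# 'cmd /c del "<path>"', optionally followed by HijackThis's "(User '...')" suffix
DEL_RE = re.compile(r"\bdel\s+\"?(?P<path>[^\"]+?)\"?\s*(?:\(User '[^']*'\))?\s*$", re.IGNORECASE)
O17_RE = re.compile(r"NameServer = (?P<ns>[\d.]+(?:,[\d.]+)*)")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Entry:
    kind: str   # section tag such as R0, O4, O17
    body: str   # everything after "<kind> - "


@dataclass
class Finding:
    severity: str
    kind: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the tagged finding lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the review rules a helper would apply by hand to a posted log."""
    findings: list[Finding] = []
    delete_targets: dict[str, int] = {}   # path -> number of RunOnce entries deleting it
    for e in entries:
        if "(file missing)" in e.body:
            # The binary is gone; the entry is dead weight and safe to fix.
            findings.append(Finding("low", e.kind, "orphaned entry, target file no longer exists", e.body))
            continue
        if e.kind == "O4":
            m = O4_RE.match(e.body)
            if m and m["key"].lower() == "runonce":
                d = DEL_RE.search(m["cmd"])
                if d:
                    path = d["path"]
                    delete_targets[path.lower()] = delete_targets.get(path.lower(), 0) + 1
                    if "\\drivers\\" in path.lower():
                        # A cleaner scheduling a boot-time delete under drivers\ means it could not
                        # remove the file while Windows was running: typical for a kernel component.
                        findings.append(Finding("high", e.kind, f"RunOnce delete of a driver-folder file: {path}", e.body))
        elif e.kind == "O16":
            # Downloaded Program Files: ActiveX controls fetched from the web; verify the source.
            findings.append(Finding("medium", e.kind, "ActiveX download (DPF) entry, check the publisher", e.body))
        elif e.kind == "O17":
            m = O17_RE.search(e.body)
            if m:
                for ns in m["ns"].split(","):
                    # A resolver outside the local network is a classic sign of DNS hijacking.
                    if not ipaddress.ip_address(ns).is_private:
                        findings.append(Finding("high", e.kind, f"DNS server outside the local network: {ns}", e.body))
    for path, count in delete_targets.items():
        if count > 1:
            findings.append(Finding("high", "O4", f"{count} RunOnce entries target {path}; confirm it is gone after a reboot", path))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.body}")
```

Paste a full HijackThis log into SAMPLE_HJT_LOG to run it over a real case; the private 10.0.0.138 name server from this thread correctly produces no O17 finding.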

#5 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)
Please try starting Windows in Diagnostic mode and see if you can install, update, and then run Malwarebytes.

Click on START - RUN, type in MSCONFIG, then click on Diagnostic Startup, then OK, and reboot your computer.

Download a new version of MB and install it. Then try to scan your system again.

#6 jbd55 (New Member, Members, 17 posts)
I downloaded it in normal mode, then switched to diagnostic mode, installed MBAM, and it still didn't run (same error).

#7 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)
Let's try to rename the program.

Browse to this location: C:\Program Files\Malwarebytes' Anti-Malware. There you should find mbam.exe; rename the file to JBD55.exe.

Then double-click on JBD55.exe and try to run the program.

#8 jbd55 (New Member, Members, 17 posts)
Same thing; I'm attaching a printscreen.

Attached Files

  • mbam.bmp (90.84K, 43 downloads)


#9 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)
Okay, let's try to do some scanning and cleaning with other tools first.

Please download ComboFix (see the how-to-use-combofix guide) and run it.

When that's done, download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start => Run, copy the following into the line: "%userprofile%\desktop\dss.exe" /config, and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

Then post back the logs from ComboFix and Deckard's System Scanner.

#10 jbd55 (New Member, Members, 17 posts)
I couldn't run ComboFix.
I dragged the Windows file I downloaded onto it and then tried to run ComboFix. It showed some kind of bar (printscreen attached) and then nothing happened.


#11 AdvancedSetup (Forum Deity, Administrators, 22,570 posts, Gender: Male, Location: US)

Quote:

4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. If you wish to continue, then press the Yes button.


Did you install the Recovery Console? Did you get a message from ComboFix that it was installed?

Try running ComboFix now by just double-clicking on it and let it run.

#12 jbd55 (New Member, Members, 17 posts)
**********************combo fix log*************************************
ComboFix 08-06-03.4 - Administrator 06/05/2008 1:05:12.1 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\MN6YBD4S\iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\MN6YBD4S\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:10 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-04 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-06-04 23:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-04 22:36 --------- d-----w C:\Program Files\Neo Mule
2008-06-04 16:54 --------- d-----w C:\Program Files\m
2008-06-04 04:29 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-01 07:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-01 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 10:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-31 10:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-31 09:16 --------- d-----w C:\Program Files\Trend Micro
2008-05-30 20:21 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-17 18:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 17:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 10:55 --------- d-----w C:\Program Files\VstPlugins
2008-05-10 10:55 --------- d-----w C:\Program Files\Image-Line
2008-05-10 10:52 --------- d-----w C:\Program Files\Outsim
2008-04-24 19:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Babylon
2008-04-21 11:38 --------- d-----w C:\Program Files\PFConfig
2008-04-21 11:26 --------- d-----w C:\Program Files\Soulseek
2008-04-21 05:10 --------- d-----w C:\Program Files\Haali
2008-04-21 05:09 --------- d-----w C:\Program Files\AC3Filter
2008-04-17 17:06 --------- d-----w C:\Program Files\Azureus
2008-04-05 18:00 --------- d-----w C:\Program Files\Full Tilt Poker
2007-01-25 04:20 24,192 -c--a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-01-25 04:20 22,768 -c--a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.
----a-w		 2,663,480 2008-02-07 04:26:18  C:\Program Files\Babylon\Babylon-Pro\Babylon .exe
----a-w			20,480 2008-02-07 04:25:57  C:\Program Files\Creative\Audio\Program\CTMIX32 .EXE
----a-w		   165,784 2008-02-07 04:26:24  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		 1,410,304 2008-02-07 04:26:15  C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
----a-w		 1,694,208 2008-02-07 04:26:28  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-02-07 04:26:02  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   282,624 2008-02-07 05:35:51  C:\Program Files\QuickTime\qttask					.exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   282,624 2008-02-07 05:35:57  C:\Program Files\QuickTime\qttask				.exe
----a-w		   282,624 2008-02-07 05:35:57  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			.exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   282,624 2008-02-07 05:36:00  C:\Program Files\QuickTime\qttask		.exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   282,624 2008-02-07 05:36:02  C:\Program Files\QuickTime\qttask	.exe
----a-w		   282,624 2008-01-25 12:58:40  C:\Program Files\QuickTime\qttask   .exe
----a-w		   282,624 2008-01-24 06:40:59  C:\Program Files\QuickTime\qttask  .exe
----a-w		   282,624 2008-01-24 06:41:00  C:\Program Files\QuickTime\qttask .exe
----a-w			15,360 2008-02-07 04:26:32  C:\WINDOWS\system32\ctfmon .exe


------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM 486856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 144784]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM 528384]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/24/2008 08:41 AM 282624]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" [ ]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM 3165920]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\System32\Starter.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Neo Mule\\emule.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49578:TCP"= 49578:TCP:azu
"49578:UDP"= 49578:UDP:azu1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-06-04 22:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 08:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 09:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 10:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 11:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 12:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 13:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 14:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 15:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 23:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 19:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 20:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 21:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-03 00:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-03 01:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-03 02:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-03 03:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-03 04:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 05:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
"2008-06-04 06:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\tWPxlP4s.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 01:10:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 06/05/2008 1:13:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 23:13:26

Pre-Run: 1,487,745,024 bytes free
Post-Run: 1,972,273,152 bytes free

187

****************************DSS logs:***********************************
*****************************EXTRA*************************************
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 59%
Physical Memory (total/avail): 383.46 MiB / 155.75 MiB
Pagefile Memory (total/avail): 921.74 MiB / 753.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 12.7 GiB total, 1.84 GiB free.
D: is Fixed (NTFS) - 6.43 GiB total, 0.08 GiB free.
E: is Fixed (NTFS) - 37.26 GiB total, 0.3 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
UpdatesDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ZIV
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\ZIV
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=ZIV
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Audio\CTMixer.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Babylon --> C:\Program Files\Babylon\Babylon-Pro\Utils\uninstbb.exe
Babylon Toolbar --> MsiExec.exe /I{67A339E5-D8AA-4E88-9278-A571B397F798}
BSPlayer --> "C:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
Delete FXP Files --> MsiExec.exe /X{77FB26DF-10D9-45FF-BA74-6278DB55130F}
FL Studio 8 --> C:\Program Files\Image-Line\FL Studio 8\uninstall.exe
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Neo Mule --> C:\Program Files\Neo Mule\uninstall.exe
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PoiZone --> C:\Program Files\Image-Line\PoiZone\uninstall.exe
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Sony Ericsson Device Data --> MsiExec.exe /I{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}
Sony Ericsson Drivers --> MsiExec.exe /I{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}
Sony Ericsson PC Suite --> C:\WINDOWS\Installer\{D6BF6477-8369-489F-8DE6-3731F4B88560}\setup.exe /uninstall
Sony Ericsson PC Suite --> MsiExec.exe /I{D59AC9E9-FFAE-471B-B1FF-4B311D23417A}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
Sound Blaster PCI --> C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
The Rosetta Stone --> C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.log
Toxic Biohazard --> C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
VSO Image Resizer 1.0.11 --> "C:\Program Files\VSO\Image Resizer\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 9.0 --> C:\PROGRA~1\Winzip\PROGRA~1\Winzip\UNWISE.EXE C:\PROGRA~1\Winzip\PROGRA~1\Winzip\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type6 / Error
Event Submitted/Written: 06/02/2008 00:47:07 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12629 / Error
Event Submitted/Written: 06/05/2008 01:03:53 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type12628 / Error
Event Submitted/Written: 06/05/2008 01:03:13 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type12627 / Error
Event Submitted/Written: 06/05/2008 01:01:41 AM / 06/05/2008 01:01:42 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type12626 / Error
Event Submitted/Written: 06/05/2008 01:00:02 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At2.job command failed to start due to the following error:
%%2147942405

Event Record #/Type12625 / Error
Event Submitted/Written: 06/05/2008 00:57:45 AM / 06/05/2008 00:57:46 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.



-- End of Deckard's System Scanner: finished at 2008-06-05 06:08:45 ------------

**********************************MAIN*****************************************
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-05 06:07:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).
System Drive C: has 1.84 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:08:11, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')
O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5192 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080601-203347-269 O4 - HKCU\..\RunOnce: [SpybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
backup-20080601-203347-359 O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')
backup-20080601-203347-392 O4 - HKCU\..\RunOnce: [SpybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
backup-20080601-203347-557 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20080601-203347-919 O4 - HKLM\..\RunOnce: [SpybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
backup-20080601-203347-997 O4 - HKLM\..\RunOnce: [SpybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
backup-20080601-203348-839 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
3 UnlockerDriver4 (UnlockerDriver4 Driver) - c:\windows\system32\unlockerdriver4.sys
1 usbhubb - c:\windows\system32\drivers\usbhubb.sys
3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 UxTuneUp (TuneUp Design Expansion) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-05 01:00:01 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-06-05 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-04 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-04 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-04 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-04 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-06-04 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-06-04 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-06-04 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-06-04 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-06-04 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-06-04 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-06-04 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-06-04 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-06-04 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-06-04 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-04 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-06-04 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-06-04 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-06-03 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-06-03 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-06-03 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-06-03 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-06-03 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-05-30 17:15:00 406 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 01:04:23 68096 --a------ C:\WINDOWS\zip.exe
2008-06-05 01:04:23 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-05 01:04:23 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-05 01:04:23 98816 --a------ C:\WINDOWS\sed.exe
2008-06-05 01:04:23 80412 --a------ C:\WINDOWS\grep.exe
2008-06-05 01:04:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-05 01:04:22 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-05 01:04:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-04 18:54:22 0 d-------- C:\Program Files\m
2008-06-03 17:16:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 17:16:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 16:55:36 0 d-------- C:\WINDOWS\pss
2008-06-01 09:08:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-31 12:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 11:16:07 0 d-------- C:\Program Files\Trend Micro
2008-05-17 20:46:39 0 d-------- C:\Program Files\Spyware Doctor
2008-05-17 20:46:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-10 12:52:31 0 d-------- C:\Program Files\Outsim


-- Find3M Report ---------------------------------------------------------------

2008-06-05 01:04:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-05 00:36:18 0 d-------- C:\Program Files\Neo Mule
2008-05-17 19:07:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 12:55:30 0 d-------- C:\Program Files\VstPlugins
2008-05-10 12:55:22 0 d-------- C:\Program Files\Image-Line
2008-04-24 21:05:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Babylon
2008-04-21 13:38:31 0 d-------- C:\Program Files\PFConfig
2008-04-21 13:26:45 0 d-------- C:\Program Files\Soulseek
2008-04-21 07:10:26 0 d-------- C:\Program Files\Haali
2008-04-21 07:09:44 0 d-------- C:\Program Files\AC3Filter
2008-04-17 19:06:08 0 d-------- C:\Program Files\Azureus
2008-04-05 20:00:17 0 d-------- C:\Program Files\Full Tilt Poker


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/24/2008 08:41 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" []
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\System32\Starter.Exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-06-05 06:08:45 ------------

#13
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,570 posts
  • Gender:Male
  • Location:US
Now we're getting somewhere.


Full Tilt Poker has been reported as being malware-related so I strongly recommend you remove it.
Full Tilt Poker

You have Azureus, Neo Mule, and Soulseek, P2P file sharing programs, installed on your computer. These programs do not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove them, but of course the choice is yours.

There have been multiple attacks on Java lately so you need to ensure you have the latest version installed at all times.
Please go into Control Panel - Add/Remove and remove the following applications and we'll download and install newer versions after you're cleaned up.
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 5
Macromedia Shockwave Player


Start HijackThis and do a Scan Only and place a check mark on the following items:

  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
  • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
  • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
  • O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
    Then click on "Fix selected"



What is in this folder? C:\Program Files\m

Notice the files here. They have a SPACE in the name and that is why they won't run correctly.
You only need one copy, but basically you need to do a search for *.EXE, and for every one that has a SPACE you need to remove the space.
EXAMPLE: The file qttask has many versions now with multiple spaces. You can delete all but one of them, and for the one that is left make sure it has no spaces and is qttask.exe.
----a-w		 2,663,480 2008-02-07 04:26:18  C:\Program Files\Babylon\Babylon-Pro\Babylon .exe
----a-w			20,480 2008-02-07 04:25:57  C:\Program Files\Creative\Audio\Program\CTMIX32 .EXE
----a-w		   165,784 2008-02-07 04:26:24  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		 1,410,304 2008-02-07 04:26:15  C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
----a-w		 1,694,208 2008-02-07 04:26:28  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-02-07 04:26:02  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   282,624 2008-02-07 05:35:51  C:\Program Files\QuickTime\qttask					.exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   282,624 2008-02-07 05:35:56  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   282,624 2008-02-07 05:35:57  C:\Program Files\QuickTime\qttask				.exe
----a-w		   282,624 2008-02-07 05:35:57  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   282,624 2008-02-07 05:35:58  C:\Program Files\QuickTime\qttask			.exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   282,624 2008-02-07 05:35:59  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   282,624 2008-02-07 05:36:00  C:\Program Files\QuickTime\qttask		.exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   282,624 2008-02-07 05:36:01  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   282,624 2008-02-07 05:36:02  C:\Program Files\QuickTime\qttask	.exe
----a-w		   282,624 2008-01-25 12:58:40  C:\Program Files\QuickTime\qttask   .exe
----a-w		   282,624 2008-01-24 06:40:59  C:\Program Files\QuickTime\qttask  .exe
----a-w		   282,624 2008-01-24 06:41:00  C:\Program Files\QuickTime\qttask .exe
----a-w			15,360 2008-02-07 04:26:32  C:\WINDOWS\system32\ctfmon .exe

NOTE! When saving screen shots please save them as .JPG not .BMP - Thanks.

Perform the tasks above and then browse to the folder: C:\Program Files\Malwarebytes' Anti-Malware and ensure all the files do not have spaces in them.

Quote

changes.rtf
comctl32.ocx
Languages
license.txt
mbam.chm
mbam.dll
mbam.exe
mbamext.dll
mbamservice.exe
mbamtrayctrl.exe
ssubtmr6.dll
unins000.dat
unins000.exe
unins000.msg
vbalsgrid6.ocx
zlib.dll
In the LANGUAGES folder the files should be named:

Quote

albanian.lng
bulgarian.lng
catalan.lng
danish.lng
dutch.lng
english.lng
finnish.lng
french.lng
german.lng
hungarian.lng
italian.lng
norwegian.lng
portugueseBR.lng
romanian.lng
serbian.lng
slovak.lng
slovenian.lng
spanish.lng
swedish.lng

Go into Control Panel - Scheduled Tasks and delete ALL the scheduled tasks. We can recreate any that you may want later on.

If all looks well then try another scan with the Malwarebytes program or correct any file names and try to scan.

Report back how things are going after the above.

.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
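The space-padded executable check described in this post (the *.EXE search, keeping one copy of each file, and re-checking the Malwarebytes' Anti-Malware folder afterwards) can be scripted instead of done by hand. The following is an added example written for this thread; it is not Malwarebytes' code or the poster's. It assumes the padding is one or more spaces or tabs between the base name and the extension, exactly as in the listing above, and the directory layout and file contents created by `build_demo_tree` are constructed for the demo, not taken from the machine in this thread.

```python
"""Detect and clean up executables whose names were padded with whitespace
before the extension (e.g. "qttask   .exe"), keeping one copy per logical name.
Added example for this thread; not part of the original post or of any tool it
mentions. The demo tree built below is constructed, not real program data."""
from __future__ import annotations

import argparse
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# File types the post tells the user to check; extend as needed.
EXEC_SUFFIXES = {".exe", ".dll", ".ocx", ".sys"}
# Base name, then one or more spaces/tabs, then the extension: "qttask   .exe".
# A legitimate inner space ("foo bar.exe") does not match, so it is left alone.
PADDED_RE = re.compile(r"^(?P<stem>.*?)[ \t]+(?P<ext>\.[A-Za-z0-9]+)$")


def canonical_name(filename: str) -> str | None:
    """Return the unpadded name ("qttask.exe") if filename is padded, else None."""
    m = PADDED_RE.match(filename)
    if not m or m.group("ext").lower() not in EXEC_SUFFIXES or not m.group("stem"):
        return None
    return m.group("stem") + m.group("ext")


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


@dataclass
class CleanupPlan:
    keep: Path                  # the unpadded name that should survive
    rename_from: Path | None    # padded copy to rename to `keep` when no clean copy exists
    remove: list[Path] = field(default_factory=list)     # byte-identical padded copies
    differing: list[Path] = field(default_factory=list)  # same name, different bytes: inspect, never delete


def plan_cleanup(root: Path) -> dict[Path, CleanupPlan]:
    """Group padded copies by directory + canonical name and decide what to do with each."""
    groups: dict[Path, list[Path]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            canon = canonical_name(name)
            if canon is not None:
                groups.setdefault(Path(dirpath) / canon, []).append(Path(dirpath) / name)

    plans: dict[Path, CleanupPlan] = {}
    for target, padded in groups.items():
        padded.sort(key=lambda p: (len(p.name), p.name))  # least-padded copy first
        if target.exists():
            plan, rest = CleanupPlan(keep=target, rename_from=None), padded
        else:
            plan, rest = CleanupPlan(keep=target, rename_from=padded[0]), padded[1:]
        reference = _digest(plan.rename_from or plan.keep)
        for p in rest:
            (plan.remove if _digest(p) == reference else plan.differing).append(p)
        plans[target] = plan
    return plans


def apply_plan(plan: CleanupPlan, dry_run: bool = True) -> list[str]:
    """Execute (or only describe) one plan. Differing copies are reported, never touched."""
    actions: list[str] = []
    if plan.rename_from is not None:
        actions.append(f"rename {plan.rename_from} -> {plan.keep}")
        if not dry_run:
            plan.rename_from.rename(plan.keep)
    for p in plan.remove:
        actions.append(f"delete identical copy {p}")
        if not dry_run:
            p.unlink()
    for p in plan.differing:
        actions.append(f"INSPECT {p}: same name as {plan.keep} but different content")
    return actions


def build_demo_tree(base: Path) -> Path:
    """Constructed sample tree mimicking the listing in the thread (placeholder bytes, not binaries)."""
    qt, bab, mb = base / "QuickTime", base / "Babylon", base / "Malwarebytes"
    for d in (qt, bab, mb):
        d.mkdir(parents=True, exist_ok=True)
    (qt / "qttask .exe").write_bytes(b"MZ-qttask")       # no clean copy: this one gets renamed
    (qt / "qttask   .exe").write_bytes(b"MZ-qttask")     # identical to the kept copy: delete
    (qt / "qttask     .exe").write_bytes(b"MZ-other")    # different bytes: flag for inspection only
    (bab / "Babylon.exe").write_bytes(b"MZ-babylon")     # clean copy already present
    (bab / "Babylon .exe").write_bytes(b"MZ-babylon")    # identical padded copy: delete
    (mb / "mbam.exe").write_bytes(b"MZ-mbam")            # nothing padded here
    return base


def demo_root() -> Path:
    """Build the constructed tree in a fresh temporary directory."""
    return build_demo_tree(Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Find whitespace-padded executable names")
    ap.add_argument("root", nargs="?", help="directory to scan (default: constructed demo tree)")
    ap.add_argument("--apply", action="store_true", help="rename/delete instead of only reporting")
    args = ap.parse_args()
    scan_root = Path(args.root) if args.root else demo_root()
    for cleanup in plan_cleanup(scan_root).values():
        for line in apply_plan(cleanup, dry_run=not args.apply):
            print(line)
```

Run it without arguments for a dry run over the constructed tree, or point it at a real directory such as C:\Program Files and add --apply only after reviewing the report. The content comparison is the point of the design: a padded copy whose bytes differ from the surviving file is the one most worth keeping for analysis, so the script only renames and deletes byte-identical duplicates and lists the rest for manual inspection.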

#14
jbd55

    New Member

  • Members
  • 17 posts
Well, I've done everything you mentioned, except:
1. Some files weren't shown in the HJT scan, probably because I removed Java:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
2. Even after cleaning files with spaces and renaming, I still can't run MBAM.


I removed all the scheduled tasks; there were many suspicious-looking tasks there. I also removed Full Tilt Poker.

#15
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,570 posts
  • Gender:Male
  • Location:US
Okay, well, there is a new version of Malwarebytes that came out today.

Please uninstall and fully remove your current version of Malwarebytes and reboot. Then download and install this new version and let me know if it runs or not.

Malwarebytes Anti-Malware 1.15


.
Ron Lewis
Manager, Online Support


#16
jbd55

    New Member

  • Members
  • 17 posts
Okay, I've done everything you said. It still doesn't run; now it says: "run-time error '48': file not found: zlib.dll"

I checked and the file zlib.dll is okay; I'm attaching a screenshot of the folder contents.


Sorry for uploading a .bmp screenshot, but the forums won't let me upload a .jpg.


#17
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,570 posts
  • Gender:Male
  • Location:US
Okay, please click on START - RUN and type in ComboFix /U and remove ComboFix and all backups.

Then download a new version of ComboFix.exe and double-click on it and run it.

Then post back the log from ComboFix.
Ron Lewis
Manager, Online Support


#18
jbd55

    New Member

  • Members
  • 17 posts
ComboFix 08-06-06.6 - Administrator 06/07/2008 13:20:10.2 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 11:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-06-07 11:24 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-06 09:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 09:06 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-06 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 22:39 --------- d-----w C:\Program Files\QuickTime
2008-06-05 22:39 --------- d-----w C:\Program Files\DAEMON Tools
2008-06-05 22:33 --------- d-----w C:\Program Files\Java
2008-06-05 22:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 22:31 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-05 22:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-05 14:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 14:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-05 04:59 --------- d-----w C:\Program Files\Neo Mule
2008-06-01 07:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-01 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 10:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-31 10:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-31 09:16 --------- d-----w C:\Program Files\Trend Micro
2008-05-30 20:21 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-17 18:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 17:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 10:55 --------- d-----w C:\Program Files\VstPlugins
2008-05-10 10:55 --------- d-----w C:\Program Files\Image-Line
2008-05-10 10:52 --------- d-----w C:\Program Files\Outsim
2008-04-24 19:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Babylon
2008-04-21 11:38 --------- d-----w C:\Program Files\PFConfig
2008-04-21 11:26 --------- d-----w C:\Program Files\Soulseek
2008-04-21 05:10 --------- d-----w C:\Program Files\Haali
2008-04-21 05:09 --------- d-----w C:\Program Files\AC3Filter
2008-04-17 17:06 --------- d-----w C:\Program Files\Azureus
2007-01-25 04:20 24,192 -c--a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-01-25 04:20 22,768 -c--a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [02/07/2008 06:26 AM 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM 486856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/07/2008 06:26 AM 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM 528384]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" [02/07/2008 06:25 AM 20480]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM 3165920]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=C:\WINDOWS\System32\Starter.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Neo Mule\\emule.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49578:TCP"= 49578:TCP:azu
"49578:UDP"= 49578:UDP:azu1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 13:25:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 06/07/2008 13:27:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 11:27:49
ComboFix2.txt 2008-06-04 23:13:31

Pre-Run: 2,096,713,728 bytes free
Post-Run: 2,116,382,720 bytes free

104

#19
jbd55

    New Member

  • Members
  • Pip
  • 17 posts
?

#20
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,570 posts
  • Gender:Male
  • Location:US
Sorry about the delay JB. You have a bad case of Vundo on your system.

Please give me a full listing of the files in your WINDOWS and sub folders. Since some of the other options didn't work we'll look to see if we can unregister some files and then remove all the startups.

From DOS you should be able to run something like this.


  • Click on START - RUN and type in CMD and press the Enter key. Then press the ENTER key after each command below as well.
  • DIR C:\WINDOWS /AD /AH /AS /AR /AA /A /O:G /O:N /S >C:\MBALLFILES.TXT
  • When completed please ZIP up this file C:\MBALLFILES.TXT and attach it to your next reply
How To Use Compressed (Zipped) Folders in Windows XP
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
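An added example, not part of this thread or of any Malwarebytes tool: a small Python triage helper that parses the text the DIR command above writes to C:\MBALLFILES.TXT and lists the files under WINDOWS\system32 that changed in the days before the scan, which are the first candidates to compare against the Run-key entries in the ComboFix log. The listing below is a constructed sample (names and dates are made up), and the parser assumes the US MM/DD/YYYY date format DIR prints on this machine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not the poster's real file) of the listing that
#   DIR C:\WINDOWS /A /S >C:\MBALLFILES.TXT
# produces; names and dates are made up for the example.
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS\\system32

06/07/2008  11:30 AM    <DIR>          drivers
06/07/2008  11:30 AM            61,440 example-new.dll
02/07/2008  06:26 AM            15,360 ctfmon.exe
               2 File(s)         76,800 bytes

 Directory of C:\\WINDOWS\\system32\\drivers

06/07/2008  11:24 AM               932 core.cache.dsk
06/05/2008  02:04 PM            34,296 mbam.sys
               2 File(s)         35,228 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# A DIR entry line: date, time, size (or <DIR>), name. DIR prints dates in
# the machine's locale; this example assumes the US MM/DD/YYYY form above.
ENTRY = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
                   r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")
DATE_FMT = "%m/%d/%Y %I:%M %p"

def parse_dir_listing(text):
    """Yield (full_path, modified, size_bytes) for each file in the listing."""
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY.match(line)
        if not m or current_dir is None or m.group("size") == "<DIR>":
            continue  # summary lines, blanks and sub-directory entries
        modified = datetime.strptime(m.group("date") + " " + m.group("time"), DATE_FMT)
        yield current_dir + "\\" + m.group("name"), modified, int(m.group("size").replace(",", ""))

def recent_files(text, scan_time, days=3, under="C:\\WINDOWS\\system32"):
    """Paths under `under` modified within `days` before `scan_time`, a string
    in DATE_FMT such as the ComboFix completion time."""
    cutoff = datetime.strptime(scan_time, DATE_FMT) - timedelta(days=days)
    return sorted(path for path, modified, _ in parse_dir_listing(text)
                  if modified >= cutoff and path.lower().startswith(under.lower()))
```

Run it against the real MBALLFILES.TXT by reading the file into `recent_files` with the completion time from the ComboFix log; any path it reports that also appears in a Run key or Winlogon notify entry deserves a closer look.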
