
Need help with trojan in system volume information folder



After the end of the scan, I found that System Restore was switched on automatically. Had switched it off again. Once again, I thank you for your patience.

ComboFix 10-07-01.02 - San 02-Jul-10 20:52:52.6.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.955.701 [GMT 8:00]

Running from: c:\documents and settings\San\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\San\Desktop\CFScript.txt

FILE ::

"c:\system volume information\Microsoft\services.exe"

"c:\system volume information\Microsoft\smss.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\system volume information\Microsoft\services.exe . . . . failed to delete

c:\system volume information\Microsoft\smss.exe . . . . failed to delete

.

---- Previous Run -------

.

c:\system volume information\Microsoft\smss.exe

c:\system volume information\Microsoft\services.exe . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_VVDSVC

-------\Service_vvdsvc

((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))

.

2010-07-02 07:00 . 2010-07-02 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2010-07-01 09:33 . 2010-07-01 09:33 -------- d-----w- c:\program files\Compaq

2010-07-01 09:18 . 2010-07-01 09:18 -------- d-----w- C:\DriveKey

2010-07-01 06:52 . 2010-07-01 08:28 -------- d-----w- C:\UBCD4Win

2010-06-19 21:15 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-19 21:15 . 2010-06-19 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-19 21:15 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-19 21:09 . 2010-06-30 07:58 -------- d-----w- c:\documents and settings\San\Application Data\QuickScan

2010-06-19 17:34 . 2010-06-19 17:34 -------- d-----w- c:\program files\StreamTorrent 1.0

2010-06-19 17:34 . 2010-06-19 17:34 -------- d-----w- c:\documents and settings\San\Application Data\StreamTorrent

2010-06-18 09:06 . 2010-06-18 09:06 -------- d-----w- c:\program files\AVG

2010-06-18 09:05 . 2010-07-01 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-18 08:24 . 2010-06-18 08:24 -------- d-----w- c:\program files\Common Files\Java

2010-06-18 08:23 . 2010-06-18 08:23 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-18 08:14 . 2010-06-18 08:22 -------- d-----w- c:\documents and settings\San\.SunDownloadManager

2010-06-18 07:59 . 2010-06-18 07:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-06-18 06:10 . 2010-06-18 06:10 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-17 16:48 . 2010-06-17 16:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 16:44 . 2010-06-18 16:46 -------- d-----w- c:\program files\Lavasoft

2010-06-17 16:44 . 2010-06-18 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-17 09:23 . 2010-06-17 09:23 -------- d-----w- c:\program files\Sophos

2010-06-17 05:46 . 2010-06-17 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert

2010-06-17 04:20 . 2010-06-17 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-16 19:30 . 2010-07-02 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-16 19:30 . 2010-06-17 03:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-16 14:07 . 2010-06-16 14:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-16 14:07 . 2010-06-16 14:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-06-10 06:46 . 2010-06-10 10:22 -------- d-----w- c:\documents and settings\San\Local Settings\Application Data\Super Internet TV

2010-06-10 04:23 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll

2010-06-10 04:22 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-09 16:27 . 2010-06-18 08:43 -------- d-----w- c:\documents and settings\San\Application Data\MechCAD

2010-06-06 04:59 . 2010-06-11 05:16 -------- d-----w- c:\documents and settings\San\Application Data\Red Alert 3 Uprising

2010-06-06 04:22 . 2010-06-06 04:22 -------- d-----w- c:\program files\Electronic Arts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 12:02 . 2010-01-22 04:15 -------- d-----w- c:\program files\Ken Ward's Makeup

2010-07-02 11:16 . 2009-10-04 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-02 11:16 . 2009-10-04 02:51 -------- d-----w- c:\program files\SpywareBlaster

2010-07-01 09:18 . 2008-10-19 05:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-01 05:45 . 2009-05-09 14:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 05:37 . 2009-04-10 22:34 188152 ----a-w- c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\2kkrgtnm.default\FlashGot.exe

2010-07-01 05:35 . 2010-03-20 04:59 117760 ----a-w- c:\documents and settings\San\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-01 05:19 . 2009-10-04 03:03 -------- d-----w- c:\program files\a-squared Free

2010-06-30 14:42 . 2008-10-19 09:46 -------- d-----w- c:\program files\ESET

2010-06-21 16:28 . 2009-01-14 12:45 2568656 ----a-w- c:\documents and settings\San\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2010-06-21 16:11 . 2009-10-05 19:01 -------- d-----w- c:\documents and settings\San\Application Data\Image Zone Express

2010-06-21 02:01 . 2008-10-19 09:42 -------- d-----w- c:\documents and settings\San\Application Data\Thinstall

2010-06-20 06:19 . 2010-01-02 17:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-18 08:37 . 2010-01-02 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-18 08:37 . 2010-06-18 08:37 61440 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1affcee8-n\decora-sse.dll

2010-06-18 08:37 . 2010-06-18 08:37 12800 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1affcee8-n\decora-d3d.dll

2010-06-18 08:36 . 2009-12-08 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-06-18 08:34 . 2010-06-18 08:34 503808 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\msvcp71.dll

2010-06-18 08:34 . 2010-06-18 08:34 499712 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\jmc.dll

2010-06-18 08:34 . 2010-06-18 08:34 348160 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\msvcr71.dll

2010-06-18 04:24 . 2010-03-16 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\X-Setup Pro

2010-06-18 04:17 . 2010-01-22 04:32 -------- d-----w- c:\program files\Advanced JPEG Compressor

2010-06-17 18:09 . 2010-03-22 03:01 -------- d-----w- c:\program files\Advanced MP3 Renamer

2010-06-17 03:39 . 2009-08-23 10:30 -------- d-----w- c:\program files\Glary Utilities

2010-06-10 06:54 . 2010-05-11 05:47 -------- d-----w- c:\program files\SopCast

2010-06-07 13:23 . 2009-10-13 17:31 100620 ---ha-w- c:\windows\system32\mlfcache.dat

2010-06-04 15:30 . 2009-11-11 06:30 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-31 09:33 . 2010-05-31 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-05-27 02:50 . 2009-11-25 12:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-25 08:58 . 2008-10-19 06:13 157648 ----a-w- c:\documents and settings\San\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-25 07:41 . 2009-12-06 10:44 -------- d-----w- c:\documents and settings\San\Application Data\muvee Technologies

2010-05-24 06:04 . 2009-12-05 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies

2010-05-24 04:07 . 2009-12-04 13:11 -------- d-----w- c:\program files\MAGIX

2010-05-24 04:01 . 2009-12-04 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX

2010-05-23 13:30 . 2009-10-21 04:17 -------- d-----w- c:\documents and settings\San\Application Data\U3

2010-05-23 06:28 . 2010-05-23 06:28 -------- d-----w- c:\documents and settings\San\Application Data\Red Alert 3

2010-05-23 00:13 . 2010-05-23 00:13 -------- d-----w- c:\program files\SystemRequirementsLab

2010-05-23 00:12 . 2010-05-23 00:12 85504 ----a-w- c:\documents and settings\San\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-05-23 00:12 . 2010-05-23 00:12 -------- d-----w- c:\documents and settings\San\Application Data\SystemRequirementsLab

2010-05-22 18:16 . 2010-05-22 18:16 -------- d-----w- c:\program files\vSoft

2010-05-19 07:01 . 2010-05-19 06:57 -------- d-----w- c:\documents and settings\San\Application Data\Similarity

2010-05-19 05:59 . 2010-05-19 05:59 1006080 ----a-r- c:\documents and settings\San\Application Data\Microsoft\Installer\{11ABE2F4-DBCD-45D1-ABBB-C13FDDC4568A}\Similarity.exe

2010-05-19 05:59 . 2010-05-19 05:59 -------- d-----w- c:\program files\Similarity

2010-05-13 03:54 . 2009-01-13 16:06 -------- d-----w- c:\program files\Google

2010-05-11 06:25 . 2010-05-11 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

2010-05-11 06:15 . 2008-10-15 16:17 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-05-10 01:01 . 2010-05-10 01:01 -------- d-----w- c:\program files\Sandboxie

2010-05-06 10:41 . 2008-03-04 11:52 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 15:57 . 2010-05-05 15:50 -------- d-----w- c:\documents and settings\San\Application Data\DiskSpaceFan

2010-05-05 15:50 . 2010-05-05 15:50 -------- d-----w- c:\program files\DiskSpaceFan

2010-05-02 05:22 . 2007-09-20 01:27 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 14:46 . 2010-04-28 14:45 59 ----a-w- c:\windows\wpd99.drv

2010-04-28 14:45 . 2010-04-28 14:45 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2010-04-28 14:45 . 2010-04-28 14:45 249856 ----a-w- c:\windows\system32\pdfmona.dll

2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-11-22 22:50 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"Google Update"="c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 1040384]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-06-11 1454080]

"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-05-21 4456448]

"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-06-30 1283984]

"TpShocks"="c:\windows\system32\TpShocks.exe" [2008-04-09 181512]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"RTHDCPL"="RTHDCPL.EXE" [2008-06-10 16871936]

"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]

"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 2808832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^San^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^San^Start Menu^Programs^Startup^MagicDisc.lnk]

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2010-02-18 08:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [19-Oct-08 1:38 PM 18960]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17-Feb-10 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17-Feb-10 10:15 AM 66632]

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [04-Oct-09 11:03 AM 1872320]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20-Jun-10 5:15 AM 304464]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [19-Oct-08 1:38 PM 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [19-Oct-08 1:38 PM 47680]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [19-Oct-08 1:18 PM 9472]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20-Jun-10 5:15 AM 20952]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19-Oct-08 1:14 PM 156160]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13-May-10 11:52 AM 136176]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [24-May-10 12:00 PM 1527900]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [09-Dec-09 10:21 AM 102656]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [26-Aug-09 4:49 AM 17408]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17-Feb-10 10:15 AM 12872]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [16-Jun-09 9:46 AM 79888]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [19-Oct-08 1:33 PM 81192]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-08 11:04 AM 721904]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-07-02 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-08-23 02:01]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 11:47]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 11:47]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-725345543-1003Core.job

- c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-24 17:31]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-725345543-1003UA.job

- c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-24 17:31]

2010-07-02 c:\windows\Tasks\User_Feed_Synchronization-{62C52952-E98C-4041-869E-5C46156D1019}.job

- c:\windows\system32\msfeedssync.exe [2008-10-19 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} - hxxp://web.lead.com.sg/SchoolDNA/Common/saxfile.cab

FF - ProfilePath - c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\2kkrgtnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/ig

FF - plugin: c:\documents and settings\San\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-02 21:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1960408961-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:55,39,98,6a,05,23,f5,ce,5e,a9,a9,88,22,d1,03,13,9c,6b,29,fb,12,

9c,26,13,cd,2d,08,ec,a8,4b,68,e6,65,38,a9,81,85,12,9a,35,66,e1,9b,af,4a,1d,\

"rkeysecu"=hex:31,1d,5f,b7,c5,09,e5,84,7f,b6,8a,d1,23,6b,c9,40

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3456)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\System32\TPHDEXLG.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\SOUNDMAN.EXE

c:\program files\iPod\bin\iPodService.exe

c:\system volume information\Microsoft\services.exe

c:\system volume information\Microsoft\smss.exe

.

**************************************************************************

.

Completion time: 2010-07-02 21:16:48 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-02 13:16

ComboFix2.txt 2010-06-28 08:40

Pre-Run: 10,546,401,280 bytes free

Post-Run: 9,481,588,736 bytes free

- - End Of File - - C2ED2E25E557C0314093B237E4E9C435


Let's try this:

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Rootkit::
C:\System Volume Information\Microsoft\services.exe
C:\System Volume Information\Microsoft\smss.exe

MBR::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

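A defender-side triage script for logs like the ones posted in this thread, added here as an example (it is not the forum's, the helper's or ComboFix's own code): it walks a ComboFix log section by section and flags executables that run from, or could not be deleted from, a location such as System Volume Information where no program should live. The sample log is constructed from lines quoted on this page; the Windows directory c:\windows is an assumption taken from that log.

```python
"""Triage a ComboFix log for executables that live where no legitimate
program should (this thread's case: services.exe and smss.exe under
System Volume Information, still running and not deletable).
Added example, not part of the forum thread or of ComboFix itself.
Assumes the Windows directory is c:\\windows, as in the posted log."""
import re
from dataclasses import dataclass, field

# Section headers look like "(((( Other Deletions ))))" or
# "------- Other Running Processes -------".
HEADER_RE = re.compile(
    r"^(?:\({3,}|-{3,})\s*([A-Za-z][A-Za-z0-9 /'\-]*?)\s*(?:\){3,}|-{3,})$")
# A drive-rooted path ending in an executable image; lazy so that trailing
# annotations such as " . . . . failed to delete" or " [date size]" are left out.
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"\[\];]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# Core Windows process names that malware borrows to blend into task lists.
MASQUERADE_NAMES = {"services.exe", "smss.exe", "csrss.exe", "lsass.exe",
                    "winlogon.exe", "svchost.exe", "explorer.exe"}
# Directories in which a running executable is almost never legitimate.
# System Volume Information is the System Restore store, writable only by
# SYSTEM, so a program there was planted by something already running as SYSTEM.
SUSPICIOUS_DIRS = ("\\system volume information\\", "\\recycler\\", "\\temp\\")


@dataclass
class Finding:
    path: str
    sections: list = field(default_factory=list)  # log sections it appeared in
    reasons: list = field(default_factory=list)   # why it was flagged


def path_reasons(path: str, windir: str = "c:\\windows") -> list:
    """Static reasons a path looks suspicious (empty list if none)."""
    low = path.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("located in a directory that should hold no programs")
    name = low.rsplit("\\", 1)[-1]
    if name in MASQUERADE_NAMES and not low.startswith(windir.lower() + "\\"):
        reasons.append(f"{name} outside {windir} (mimics a core Windows process)")
    return reasons


def triage(log_text: str, windir: str = "c:\\windows") -> dict:
    """Walk the log, tracking the current section, and collect every executable
    path that is statically suspicious or that ComboFix reported it could not
    delete. Returns {lower-cased path: Finding}."""
    findings = {}
    section = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        for path in PATH_RE.findall(line):
            reasons = path_reasons(path, windir)
            if "failed to delete" in line.lower():
                reasons.append("ComboFix could not delete it (locked, in use or protected)")
            if not reasons:
                continue
            f = findings.setdefault(path.lower(), Finding(path))
            if section not in f.sections:
                f.sections.append(section)
            for r in reasons:
                if r not in f.reasons:
                    f.reasons.append(r)
    return findings


def report(findings: dict) -> list:
    """One line per finding, most serious first: a flagged file that was
    running at scan time outranks one that merely exists on disk."""
    def severity(f):
        return ("Other Running Processes" in f.sections,
                any(r.startswith("ComboFix could not") for r in f.reasons),
                len(f.reasons))
    lines = []
    for f in sorted(findings.values(), key=severity, reverse=True):
        state = "RUNNING" if "Other Running Processes" in f.sections else "on disk"
        lines.append(f"{state}: {f.path} -- " + "; ".join(f.reasons))
    return lines


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\system volume information\Microsoft\services.exe . . . . failed to delete
c:\system volume information\Microsoft\smss.exe . . . . failed to delete
---- Previous Run -------
c:\system volume information\Microsoft\smss.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 1040384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20-Jun-10 5:15 AM 304464]
------------------------ Other Running Processes ------------------------
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
c:\system volume information\Microsoft\services.exe
c:\system volume information\Microsoft\smss.exe
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

A file that is both running and undeletable from the System Restore store is the case the thread is dealing with: System Restore must stay off until the store is cleaned, otherwise the restore point carries the files back.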

ComboFix 10-07-01.02 - San 02-Jul-10 23:12:07.7.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.955.669 [GMT 8:00]

Running from: c:\documents and settings\San\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\San\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))

.

2010-07-02 07:00 . 2010-07-02 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2010-07-01 09:33 . 2010-07-01 09:33 -------- d-----w- c:\program files\Compaq

2010-07-01 09:18 . 2010-07-01 09:18 -------- d-----w- C:\DriveKey

2010-07-01 06:52 . 2010-07-01 08:28 -------- d-----w- C:\UBCD4Win

2010-06-19 21:15 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-19 21:15 . 2010-06-19 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-19 21:15 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-19 21:09 . 2010-06-30 07:58 -------- d-----w- c:\documents and settings\San\Application Data\QuickScan

2010-06-19 17:34 . 2010-06-19 17:34 -------- d-----w- c:\program files\StreamTorrent 1.0

2010-06-19 17:34 . 2010-06-19 17:34 -------- d-----w- c:\documents and settings\San\Application Data\StreamTorrent

2010-06-18 09:06 . 2010-06-18 09:06 -------- d-----w- c:\program files\AVG

2010-06-18 09:05 . 2010-07-01 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-18 08:24 . 2010-06-18 08:24 -------- d-----w- c:\program files\Common Files\Java

2010-06-18 08:23 . 2010-06-18 08:23 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-18 08:14 . 2010-06-18 08:22 -------- d-----w- c:\documents and settings\San\.SunDownloadManager

2010-06-18 07:59 . 2010-06-18 07:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-06-18 06:10 . 2010-06-18 06:10 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-17 16:48 . 2010-06-17 16:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 16:44 . 2010-06-18 16:46 -------- d-----w- c:\program files\Lavasoft

2010-06-17 16:44 . 2010-06-18 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-17 09:23 . 2010-06-17 09:23 -------- d-----w- c:\program files\Sophos

2010-06-17 05:46 . 2010-06-17 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert

2010-06-17 04:20 . 2010-06-17 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-16 19:30 . 2010-07-02 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-16 19:30 . 2010-06-17 03:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-16 14:07 . 2010-06-16 14:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-16 14:07 . 2010-06-16 14:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-06-10 06:46 . 2010-06-10 10:22 -------- d-----w- c:\documents and settings\San\Local Settings\Application Data\Super Internet TV

2010-06-10 04:23 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll

2010-06-10 04:22 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-09 16:27 . 2010-06-18 08:43 -------- d-----w- c:\documents and settings\San\Application Data\MechCAD

2010-06-06 04:59 . 2010-06-11 05:16 -------- d-----w- c:\documents and settings\San\Application Data\Red Alert 3 Uprising

2010-06-06 04:22 . 2010-06-06 04:22 -------- d-----w- c:\program files\Electronic Arts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 12:02 . 2010-01-22 04:15 -------- d-----w- c:\program files\Ken Ward's Makeup

2010-07-02 11:16 . 2009-10-04 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-02 11:16 . 2009-10-04 02:51 -------- d-----w- c:\program files\SpywareBlaster

2010-07-01 09:18 . 2008-10-19 05:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-01 05:45 . 2009-05-09 14:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 05:37 . 2009-04-10 22:34 188152 ----a-w- c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\2kkrgtnm.default\FlashGot.exe

2010-07-01 05:35 . 2010-03-20 04:59 117760 ----a-w- c:\documents and settings\San\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-01 05:19 . 2009-10-04 03:03 -------- d-----w- c:\program files\a-squared Free

2010-06-30 14:42 . 2008-10-19 09:46 -------- d-----w- c:\program files\ESET

2010-06-21 16:28 . 2009-01-14 12:45 2568656 ----a-w- c:\documents and settings\San\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2010-06-21 16:11 . 2009-10-05 19:01 -------- d-----w- c:\documents and settings\San\Application Data\Image Zone Express

2010-06-21 02:01 . 2008-10-19 09:42 -------- d-----w- c:\documents and settings\San\Application Data\Thinstall

2010-06-20 06:19 . 2010-01-02 17:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-18 08:37 . 2010-01-02 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-18 08:37 . 2010-06-18 08:37 61440 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1affcee8-n\decora-sse.dll

2010-06-18 08:37 . 2010-06-18 08:37 12800 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1affcee8-n\decora-d3d.dll

2010-06-18 08:36 . 2009-12-08 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-06-18 08:34 . 2010-06-18 08:34 503808 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\msvcp71.dll

2010-06-18 08:34 . 2010-06-18 08:34 499712 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\jmc.dll

2010-06-18 08:34 . 2010-06-18 08:34 348160 ----a-w- c:\documents and settings\San\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62020c4a-n\msvcr71.dll

2010-06-18 04:24 . 2010-03-16 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\X-Setup Pro

2010-06-18 04:17 . 2010-01-22 04:32 -------- d-----w- c:\program files\Advanced JPEG Compressor

2010-06-17 18:09 . 2010-03-22 03:01 -------- d-----w- c:\program files\Advanced MP3 Renamer

2010-06-17 03:39 . 2009-08-23 10:30 -------- d-----w- c:\program files\Glary Utilities

2010-06-10 06:54 . 2010-05-11 05:47 -------- d-----w- c:\program files\SopCast

2010-06-07 13:23 . 2009-10-13 17:31 100620 ---ha-w- c:\windows\system32\mlfcache.dat

2010-06-04 15:30 . 2009-11-11 06:30 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-31 09:33 . 2010-05-31 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-05-27 02:50 . 2009-11-25 12:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-25 08:58 . 2008-10-19 06:13 157648 ----a-w- c:\documents and settings\San\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-25 07:41 . 2009-12-06 10:44 -------- d-----w- c:\documents and settings\San\Application Data\muvee Technologies

2010-05-24 06:04 . 2009-12-05 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies

2010-05-24 04:07 . 2009-12-04 13:11 -------- d-----w- c:\program files\MAGIX

2010-05-24 04:01 . 2009-12-04 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX

2010-05-23 13:30 . 2009-10-21 04:17 -------- d-----w- c:\documents and settings\San\Application Data\U3

2010-05-23 06:28 . 2010-05-23 06:28 -------- d-----w- c:\documents and settings\San\Application Data\Red Alert 3

2010-05-23 00:13 . 2010-05-23 00:13 -------- d-----w- c:\program files\SystemRequirementsLab

2010-05-23 00:12 . 2010-05-23 00:12 85504 ----a-w- c:\documents and settings\San\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-05-23 00:12 . 2010-05-23 00:12 -------- d-----w- c:\documents and settings\San\Application Data\SystemRequirementsLab

2010-05-22 18:16 . 2010-05-22 18:16 -------- d-----w- c:\program files\vSoft

2010-05-19 07:01 . 2010-05-19 06:57 -------- d-----w- c:\documents and settings\San\Application Data\Similarity

2010-05-19 05:59 . 2010-05-19 05:59 1006080 ----a-r- c:\documents and settings\San\Application Data\Microsoft\Installer\{11ABE2F4-DBCD-45D1-ABBB-C13FDDC4568A}\Similarity.exe

2010-05-19 05:59 . 2010-05-19 05:59 -------- d-----w- c:\program files\Similarity

2010-05-13 03:54 . 2009-01-13 16:06 -------- d-----w- c:\program files\Google

2010-05-11 06:25 . 2010-05-11 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

2010-05-11 06:15 . 2008-10-15 16:17 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-05-10 01:01 . 2010-05-10 01:01 -------- d-----w- c:\program files\Sandboxie

2010-05-06 10:41 . 2008-03-04 11:52 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 15:57 . 2010-05-05 15:50 -------- d-----w- c:\documents and settings\San\Application Data\DiskSpaceFan

2010-05-05 15:50 . 2010-05-05 15:50 -------- d-----w- c:\program files\DiskSpaceFan

2010-05-02 05:22 . 2007-09-20 01:27 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 14:46 . 2010-04-28 14:45 59 ----a-w- c:\windows\wpd99.drv

2010-04-28 14:45 . 2010-04-28 14:45 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2010-04-28 14:45 . 2010-04-28 14:45 249856 ----a-w- c:\windows\system32\pdfmona.dll

2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-11-22 22:50 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"Google Update"="c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 1040384]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-06-11 1454080]

"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-05-21 4456448]

"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-06-30 1283984]

"TpShocks"="c:\windows\system32\TpShocks.exe" [2008-04-09 181512]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"RTHDCPL"="RTHDCPL.EXE" [2008-06-10 16871936]

"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]

"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 2808832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^San^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^San^Start Menu^Programs^Startup^MagicDisc.lnk]

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2010-02-18 08:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [19-Oct-08 1:38 PM 18960]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17-Feb-10 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17-Feb-10 10:15 AM 66632]

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [04-Oct-09 11:03 AM 1872320]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20-Jun-10 5:15 AM 304464]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [19-Oct-08 1:38 PM 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [19-Oct-08 1:38 PM 47680]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [19-Oct-08 1:18 PM 9472]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20-Jun-10 5:15 AM 20952]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19-Oct-08 1:14 PM 156160]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13-May-10 11:52 AM 136176]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [24-May-10 12:00 PM 1527900]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [09-Dec-09 10:21 AM 102656]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [26-Aug-09 4:49 AM 17408]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17-Feb-10 10:15 AM 12872]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [16-Jun-09 9:46 AM 79888]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [19-Oct-08 1:33 PM 81192]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-08 11:04 AM 721904]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-07-02 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-08-23 02:01]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 11:47]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 11:47]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-725345543-1003Core.job

- c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-24 17:31]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-725345543-1003UA.job

- c:\documents and settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-24 17:31]

2010-07-02 c:\windows\Tasks\User_Feed_Synchronization-{62C52952-E98C-4041-869E-5C46156D1019}.job

- c:\windows\system32\msfeedssync.exe [2008-10-19 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} - hxxp://web.lead.com.sg/SchoolDNA/Common/saxfile.cab

FF - ProfilePath - c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\2kkrgtnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/ig

FF - plugin: c:\documents and settings\San\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\San\Desktop\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-02 23:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1960408961-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:55,39,98,6a,05,23,f5,ce,5e,a9,a9,88,22,d1,03,13,9c,6b,29,fb,12,

9c,26,13,cd,2d,08,ec,a8,4b,68,e6,65,38,a9,81,85,12,9a,35,66,e1,9b,af,4a,1d,\

"rkeysecu"=hex:31,1d,5f,b7,c5,09,e5,84,7f,b6,8a,d1,23,6b,c9,40

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(780)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe

c:\system volume information\Microsoft\services.exe

c:\system volume information\Microsoft\smss.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\System32\TPHDEXLG.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\SOUNDMAN.EXE

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\program files\iPod\bin\iPodService.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2010-07-02 23:26:55 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-02 15:26

ComboFix2.txt 2010-07-02 13:16

ComboFix3.txt 2010-06-28 08:40

Pre-Run: 10,547,032,064 bytes free

Post-Run: 9,479,434,240 bytes free

- - End Of File - - 4AF465B0239D0D861BCDADE031BAE7E8


C:\Documents and Settings\San\desktop\UBCD4WinV350.exe multiple threats deleted - quarantined

C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kkrgtnm.default\Cache\1EF26877d01 a variant of Win32/Kryptik.YI trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\services.exe.vir Win32/TrojanDownloader.Unruy.BT trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\smss.exe.vir Win32/TrojanDownloader.Unruy.BT trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\_services_.exe.zip Win32/TrojanDownloader.Unruy.BT trojan deleted - quarantined

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\_smss_.exe.zip Win32/TrojanDownloader.Unruy.BT trojan deleted - quarantined

C:\System Volume Information\Microsoft\services.exe Win32/TrojanDownloader.Unruy.BT trojan cleaned by deleting (after the next restart) - quarantined

C:\System Volume Information\Microsoft\smss.exe Win32/TrojanDownloader.Unruy.BT trojan cleaned by deleting (after the next restart) - quarantined

C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView application deleted - quarantined

C:\UBCD4Win\plugin\Network\CrossLoop\files\winvnc.exe Win32/RemoteAdmin.WinVNC application cleaned by deleting - quarantined

Operating memory Win32/TrojanDownloader.Unruy.BT trojan contained infected files


1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\System Volume Information\Microsoft\services.exe
C:\System Volume Information\Microsoft\smss.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\System Volume Information\Microsoft\services.exe" deleted successfully.

File "C:\System Volume Information\Microsoft\smss.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 03:09:45, on 03-Jul-10

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

C:\System Volume Information\Microsoft\services.exe

C:\WINDOWS\system32\spoolsv.exe

C:\System Volume Information\Microsoft\smss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\Windows\system32\TpShocks.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\San\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\Energy Management\utility.exe

O4 - HKLM\..\Run: [Energy Management] C:\Program Files\Lenovo\Energy Management\Energy Management.exe

O4 - HKLM\..\Run: [TpShocks] C:\Windows\system32\TpShocks.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\San\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab

O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} (SAXFile ActiveX Control) - http://web.lead.com.sg/SchoolDNA/Common/saxfile.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX

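A check a defender can run over a process list like the HijackThis "Running processes" block above (or ComboFix's "Other Running Processes"): it flags core Windows binary names running from a directory Windows never loads them from, anything launched from System Volume Information or Recycler, and singleton system processes listed more than once. This is an added Python example, not code from the thread or from any tool discussed in it; the expected directories and the no-program locations are assumptions chosen for 32-bit Windows XP, and the sample log is constructed from the thread's entries.

```python
"""Flag process paths that masquerade as core Windows binaries.

Three checks, run over a HijackThis-style 'Running processes:' block:
  1. a core system binary name running from a directory Windows never loads
     it from (the services.exe / smss.exe case in this thread);
  2. any program running from a location that should hold no programs;
  3. a system binary that must exist exactly once appearing more than once.
"""
import ntpath
import re

# Where each core binary legitimately runs from on 32-bit Windows XP.
# Assumption for this example; adjust for other Windows versions.
EXPECTED_DIRS = {
    "smss.exe":     {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Binaries a single-session XP machine runs exactly once (assumption).
SINGLETON_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Locations that should never be the home of a running program (assumption).
NO_EXEC_ROOTS = (r"c:\system volume information", r"c:\recycler")


def path_checks(path):
    """Return the reasons a single process path looks wrong (empty list if fine)."""
    p = path.lower()                      # Windows paths compare case-insensitively
    directory, name = ntpath.split(p)
    reasons = []
    for root in NO_EXEC_ROOTS:
        if p.startswith(root + "\\"):
            reasons.append(f"running from {root}")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        reasons.append(
            f"{name} expected in {', '.join(sorted(expected))}, found in {directory}")
    return reasons


def scan_process_list(lines):
    """Parse the 'Running processes:' block and return {path: [reasons]} for every hit."""
    findings = {}
    seen = {}                             # image name -> every path it was listed under
    in_block = False
    for raw in lines:
        s = raw.strip()
        if s.lower() == "running processes:":
            in_block = True
            continue
        if not in_block or not s:
            continue
        if re.match(r"^[A-Z]\d+ - ", s):  # first R0/O2/O4... entry ends the block
            break
        name = ntpath.basename(s).lower()
        seen.setdefault(name, []).append(s)
        reasons = path_checks(s)
        if reasons:
            findings[s] = reasons
    # Duplicate-singleton check: catches a copy even when it hides in a plausible directory.
    for name, paths in seen.items():
        if name in SINGLETON_NAMES and len(paths) > 1:
            for p in paths:
                findings.setdefault(p, []).append(
                    f"{name} must run exactly once, {len(paths)} copies listed")
    return findings


# Constructed sample modelled on the HijackThis list in this thread; the two
# System Volume Information entries are the files ESET named.
SAMPLE_LOG = r"""
Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\services.exe

C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

C:\System Volume Information\Microsoft\services.exe

C:\WINDOWS\system32\spoolsv.exe

C:\System Volume Information\Microsoft\smss.exe

C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
"""

if __name__ == "__main__":
    for path, reasons in scan_process_list(SAMPLE_LOG.splitlines()).items():
        print(path)
        for r in reasons:
            print("   -", r)
```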

C:\System Volume Information\Microsoft\smss.exe Win32/TrojanDownloader.Unruy.BT trojan cleaned by deleting (after the next restart) - quarantined

Operating memory Win32/TrojanDownloader.Unruy.BT trojan contained infected files

To note: the 2 exe files are from Black Internet Inc. Is there anything I can do to tackle it from MBR?


Just restarted my laptop; the 2 files reappeared.

Based on your knowledge, can this be effective?

http://forums.majorgeeks.com/showthread.php?t=217807


Download bootkitremover.rar and save it to your desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
  • After extracting remover.exe to your Desktop, double-click the remover.exe file to run the program.
  • Attach or post inline here, the output from remover.exe


Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 3052b732c75e3784ad1b1f06d0fcf12f

\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>

Press any key to quit...


Open Notepad. Copy and paste the following text into it:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

Save it as Fix.bat at the desktop. Make sure the Save as type: is All Files (*.*).

Double click on Fix.bat to run it. Allow if prompted by any security software.

Finally, please post your log file in your next reply.


Good work! :P

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete DDS, Defogger, GMER, TDSSKiller, OTL, The Avenger and bootkitremover.

Step 4

Please uninstall ESET Online Scanner.

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :P
