A worm has taken over my security defenses! [Solved]

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

A worm has taken over my security defenses! [Solved]

#1 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 25 May 2009 - 07:09 PM

Hi all;

I really need your help, I have installed Bitdefender Internet Security since last year, legal copy bough last year with two years of valid licensing, anyway, that had been working perfect till last week, a worm got in to my system and after I got a few notices of BD blocking some trojans on day 1 I decided to go sleep and leave it running a deep system scan with some results; trojans and a worm and when I try to open BD control panel in the morning non of the BD services were working and after trying to restart, repair, remove and install it over and over for the last week it doesn't seem to work, can't install Hijackthis either, it won't run just like "vsserv.exe" from BD.

On the other hand, I was able to installed SUPERAntiSpyware BUT every time I run it; the same trojans keep coming up after doing the disinfection and restart so I don't know what else to do.

Thanks in advance for your help.

EDIT: Forgot to mention, had installed Spybot S&D from before and since the infection every time I try to run it it gets dump before it loads.

#2 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 26 May 2009 - 05:05 AM

Hi,

Please do the following:

Please download DDS from one of the following links and save it to your desktop.

Disable any script blocking protection (How to Disable your Security Programs)
Double click DDS icon to run the tool (may take up to 3 minutes to run)
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.

Post the contents of the DDS.txt report in your next reply
Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

NEXT

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#3 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 27 May 2009 - 04:26 AM

Thank you very much.

Here are the results;

DDS (Ver_09-05-14.01) - NTFSx86
Run by tuyyo at 21:18:24.01 on 26/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1270.723 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe "C:\WINDOWS\system32\3com_dmik.exe"
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tuyyo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RocketDock] "c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe"
uRun: [MétéoÉclair/WeatherEye] "c:\program files\theweathernetwork\weathereye\WEATHEREYE.EXE"
mRun: [BDWizReg] "c:\program files\bitdefender\bitdefender 2009\bdwizreg.exe" /complete
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: HideRunAsVerb = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcATNFv

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tuyyo\applic~1\mozilla\firefox\profiles\e5wos18f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/default.aspx
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-4-27 8704]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2002-7-19 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-4-27 99360]
S2 EventSystemSENS;COM+ Event System EventSystemSENS;c:\windows\system32\3com_dmik.exe srv --> c:\windows\system32\3com_dmik.exe srv [?]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-13 4048240]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 DCamUSBIntel;USB Video Camera for Intel Proshare technology;c:\windows\system32\drivers\usbintel.sys [2004-8-3 16000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
UnknownUnknown b0f39a2c;b0f39a2c; [x]

=============== Created Last 30 ================

2009-05-26 06:33 20,480 a--sh--- c:\windows\system32\accwizv.dll
2009-05-25 21:38 0 a------- c:\windows\system32\drivers\beep.sys
2009-05-25 20:35 <DIR> --d----- c:\docume~1\tuyyo\applic~1\BitDefender
2009-05-25 20:34 <DIR> --d----- c:\program files\BitDefender
2009-05-19 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-19 19:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-19 19:41 <DIR> --d----- c:\docume~1\tuyyo\applic~1\SUPERAntiSpyware.com
2009-05-19 18:54 2 ----h--- c:\windows\sto453250.dat
2009-05-19 18:54 393 a------- c:\windows\st_1242773678.exe
2009-05-19 18:54 392 a------- c:\windows\st_1242792116.exe
2009-05-19 06:51 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-19 06:51 2 ----h--- c:\windows\sto453142.dat
2009-05-18 21:46 <DIR> --d----- c:\docume~1\tuyyo\applic~1\DiskAid
2009-05-18 21:45 <DIR> --d----- c:\program files\DigiDNA
2009-05-18 21:34 <DIR> --d----- c:\program files\WinSCP
2009-05-18 21:22 12,095 a------- C:\Corel DRAW Graphics Suite X4 14.0 Full + Keygen + Activation.torrent
2009-05-18 21:21 148 a--s---- c:\windows\system32\2221848282.dat
2009-05-18 21:21 53,248 ---shr-- c:\windows\system32\3com_dmik.exe
2009-05-18 21:21 20,480 a------- c:\windows\system32\digiwet.dll
2009-05-18 21:15 594 a------- C:\Coreldraw_x4_fix_(30_day_activation_gone_).4042413.TPB.torrent
2009-05-18 12:46 45 a------- c:\windows\system32\initdebug.nfo
2009-05-17 10:02 82,384 a------- c:\windows\system\vntdll.dll
2009-05-17 10:00 15,312 a------- c:\windows\system\vmsvcrt.dll
2009-05-17 09:59 35,328 a------- c:\windows\system\vuser32.dll
2009-05-17 09:58 51,200 a------- c:\windows\system\vkernel32.dll
2009-05-17 09:56 42,720 a------- c:\windows\system\vadvapi32.dll
2009-05-06 19:40 <DIR> --d----- c:\program files\Corel

==================== Find3M ====================

2009-05-25 21:11 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-05-17 09:38 81,984 ac------ c:\windows\system32\bdod.bin
2009-04-19 19:55 87,608 ac------ c:\docume~1\tuyyo\applic~1\inst.exe
2009-04-19 19:55 47,360 ac------ c:\docume~1\tuyyo\applic~1\pcouffin.sys
2009-04-19 19:55 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-09 11:28 775,168 a------- c:\windows\is-H9LON.exe
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 13:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:41 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 -------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 -------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 -------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 -------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 -------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 -------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:31 183,808 a------- c:\windows\system32\dllcache\iepeers.dll
2009-03-08 04:31 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-03-08 04:31 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\dllcache\imgutil.dll
2009-03-08 04:31 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-03-08 04:31 66,560 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\dllcache\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:31 45,568 a------- c:\windows\system32\dllcache\mshta.exe
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 -------- c:\windows\system32\dllcache\msls31.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-02-28 00:55 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2008-01-10 18:08 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011020080111\index.dat

============= FINISH: 21:19:15.04 ===============

GMER.txt

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-27 06:18:46
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 897309E0 ZwAllocateVirtualMemory
SSDT 897494C0 ZwCreateKey
SSDT 8974B4F0 ZwCreateProcess
SSDT 897120A0 ZwCreateProcessEx
SSDT 89730CB0 ZwCreateThread
SSDT 89745080 ZwDeleteKey
SSDT 89751438 ZwDeleteValueKey
SSDT 89730A58 ZwQueueApcThread
SSDT 897308F0 ZwReadVirtualMemory
SSDT 89748398 ZwRenameKey
SSDT 89730B48 ZwSetContextThread
SSDT 8974A450 ZwSetInformationKey
SSDT 89730DA0 ZwSetInformationProcess
SSDT 89730BC0 ZwSetInformationThread
SSDT 89713100 ZwSetValueKey
SSDT 89730D28 ZwSuspendProcess
SSDT 89730AD0 ZwSuspendThread
SSDT 89730E18 ZwTerminateProcess
SSDT 89730C38 ZwTerminateThread
SSDT 89730968 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 108 804E2764 5 Bytes [F0, B4, 74, 89, A0]
.text ntoskrnl.exe!_abnormal_termination + 10E 804E276A 2 Bytes [71, 89] {JNO 0xffffffffffffff8b}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] 89731918
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] 89731820

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 891319A8

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\Tcp 891319A8

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom0 896851B8
Device \Driver\Cdrom \Device\CdRom1 896851B8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 89698010
Device \Driver\atapi \Device\Ide\IdePort0 89698010
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89698010
Device \Driver\atapi \Device\Ide\IdePort1 89698010
Device \Driver\atapi \Device\Ide\IdePort2 89698010
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89698010
Device \Driver\atapi \Device\Ide\IdePort3 89698010
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1c 89698010
Device \Driver\Cdrom \Device\CdRom2 896851B8
Device \Driver\Tcpip \Device\Udp 891319A8

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\RawIp 891319A8

AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\IPMULTICAST 891319A8
Device \Driver\st3wolf \Device\Scsi\st3wolf1 896981B8
Device \Driver\st3wolf \Device\Scsi\st3wolf1Port4Path0Target0Lun0 896981B8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled@iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled@QuickTime Task "C:\Program Files\QuickTime\QTTask.exe" -atboottime

---- EOF - GMER 1.0.15 ----

Thanks for the help.

Attached File(s)

Attach.txt (7.19K)
Number of downloads: 676

#4 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 27 May 2009 - 04:51 AM

Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.

Open notepad and copy/paste all of the text inside the codebox below into it: (do not copy the word "code")

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

[b]Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now[/b

#5 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 27 May 2009 - 07:45 PM

WOW, you rock man! thank you very much and thanks to all the geekstogo community for such a great site!

I don't know how you did it but BitDefender is back and running which is great and was the main issue also everything else seems to be working fine although I haven't tried hijackthis or Spybot S&D at the time of this reply.

I don't know if we are done or there is some more cleaning left to do but here is the log from Combo fix;

ComboFix 09-05-26.05 - tuyyo 27/05/2009 20:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1270.899 [GMT -4:00]
Running from: c:\documents and settings\tuyyo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\tuyyo\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\tuyyo\Application Data\inst.exe
c:\windows\BM0f8b1783.txt
c:\windows\BM0f8b1783.xml
c:\windows\pskt.ini
c:\windows\st_1242773678.exe
c:\windows\st_1242792116.exe
c:\windows\system32\3com_dmik.exe
c:\windows\system32\digiwet.dll
c:\windows\system32\drivers\beep.sys
c:\windows\system32\ehkaidox.ini
c:\windows\system32\kjlwlinc.ini
c:\windows\system32\msconfig.exe
c:\windows\system32\qwyupoal.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENTSYSTEMSENS
-------\Service_EventSystemSENS

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-26 10:33 . 2009-05-26 10:33 20480 --sha-w c:\windows\system32\accwizv.dll
2009-05-26 00:35 . 2009-05-26 00:35 -------- d-----w c:\documents and settings\tuyyo\Application Data\BitDefender
2009-05-26 00:34 . 2009-05-26 00:34 -------- d-----w c:\program files\BitDefender
2009-05-20 00:57 . 2009-05-21 01:16 -------- d-----w c:\windows\BDOSCAN8
2009-05-19 23:42 . 2009-05-26 01:42 117760 ----a-w c:\documents and settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-19 23:41 . 2009-05-19 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-19 23:41 . 2009-05-26 01:41 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-19 23:41 . 2009-05-19 23:41 -------- d-----w c:\documents and settings\tuyyo\Application Data\SUPERAntiSpyware.com
2009-05-19 22:54 . 2009-05-19 22:54 2 ---h--w c:\windows\sto453250.dat
2009-05-19 10:51 . 2009-05-19 10:51 2 ---h--w c:\windows\sto453142.dat
2009-05-19 01:46 . 2009-05-19 02:13 -------- d-----w c:\documents and settings\tuyyo\Application Data\DiskAid
2009-05-19 01:45 . 2009-05-19 01:45 -------- d-----w c:\program files\DigiDNA
2009-05-19 01:34 . 2009-05-19 01:54 -------- d-----w c:\program files\WinSCP
2009-05-19 01:21 . 2009-05-26 10:33 148 --s-a-w c:\windows\system32\2221848282.dat
2009-05-17 14:02 . 2009-03-16 18:13 82384 ----a-w c:\windows\system\vntdll.dll
2009-05-17 14:00 . 2009-02-12 15:24 15312 ----a-w c:\windows\system\vmsvcrt.dll
2009-05-17 13:59 . 2009-01-13 14:10 35328 ----a-w c:\windows\system\vuser32.dll
2009-05-17 13:58 . 2008-10-08 19:48 51200 ----a-w c:\windows\system\vkernel32.dll
2009-05-17 13:56 . 2008-07-17 14:05 42720 ----a-w c:\windows\system\vadvapi32.dll
2009-05-06 23:44 . 2009-05-06 23:44 15240 ----a-w c:\documents and settings\tuyyo\Application Data\Microsoft\IdentityCRL\PROD\ppcrlconfig.dll
2009-05-06 23:40 . 2009-05-06 23:40 -------- d-----w c:\program files\Corel
2009-04-28 20:53 . 2009-04-28 20:53 10684866 ----a-w c:\documents and settings\tuyyo\Application Data\Azureus\plugins\azump\mplayer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 01:11 . 2009-02-03 21:03 104328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2009-05-26 00:35 . 2008-04-27 15:42 -------- d-----w c:\program files\Common Files\BitDefender
2009-05-21 02:54 . 2008-01-12 01:34 -------- d-----w c:\program files\DivX
2009-05-21 02:54 . 2008-01-10 22:01 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-19 23:40 . 2008-12-15 00:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-19 10:49 . 2008-10-28 01:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-19 02:14 . 2008-01-13 20:12 -------- d-----w c:\documents and settings\tuyyo\Application Data\Azureus
2009-05-17 13:50 . 2008-11-09 04:39 -------- d-----w c:\program files\Thoosje Vista Sidebar
2009-05-17 13:38 . 2008-04-27 15:46 81984 -c--a-w c:\windows\system32\bdod.bin
2009-05-07 10:42 . 2008-01-13 14:03 -------- d-----w c:\documents and settings\tuyyo\Application Data\LimeWire
2009-04-26 21:03 . 2008-01-26 23:15 -------- d-----w c:\documents and settings\tuyyo\Application Data\Vso
2009-04-26 15:53 . 2009-04-26 15:51 -------- d-----w c:\program files\Vuze
2009-04-23 23:13 . 2009-04-23 23:13 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-21 21:12 . 2008-01-13 14:00 -------- d-----w c:\program files\LimeWire
2009-04-19 23:55 . 2008-01-28 03:33 47360 -c--a-w c:\documents and settings\tuyyo\Application Data\pcouffin.sys
2009-04-19 23:55 . 2008-01-28 03:33 47360 -c--a-w c:\documents and settings\tuyyo\Application Data\pcouffin.sys
2009-04-19 23:55 . 2008-01-28 03:33 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-04-19 23:55 . 2009-04-19 23:54 -------- d-----w c:\program files\VSO
2009-04-19 23:24 . 2008-01-13 20:12 -------- d-----w c:\program files\Azureus
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\program files\iTunes
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\program files\iPod
2009-04-19 01:21 . 2008-09-28 19:50 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 01:03 . 2009-04-19 01:03 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-07 00:38 . 2009-04-07 00:38 68456 ----a-w c:\documents and settings\tuyyo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-09-28 19:55 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 15:28 . 2009-03-09 15:28 775168 ----a-w c:\windows\is-H9LON.exe
2009-03-09 15:26 . 2009-03-09 15:26 164 ----a-w c:\windows\install.dat
2009-03-08 17:43 . 2009-03-08 17:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 17:43 . 2009-03-08 17:43 152576 ----a-w c:\documents and settings\tuyyo\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-03-08 08:34 . 2007-06-24 07:40 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2007-06-24 07:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2007-06-24 07:41 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2007-06-24 07:40 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2007-06-24 07:41 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2007-06-24 07:41 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2007-06-24 07:41 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2007-06-24 07:41 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2007-06-24 07:41 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2007-06-24 07:41 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 03:59 . 2009-03-14 16:31 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-28 19:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-05-26 01:11 . 2008-10-30 21:34 49664 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"MétéoÉclair/WeatherEye"="c:\program files\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE" [2009-01-16 4519832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-05-26 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-05-26 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=c:\windows\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^tuyyo^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\tuyyo\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58347:TCP"= 58347:TCP:Azureus
"58347:UDP"= 58347:UDP:Azureus

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [06/10/2008 5:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [03/02/2009 5:03 PM 104328]
S3 DCamUSBIntel;USB Video Camera for Intel Proshare technology;c:\windows\system32\drivers\usbintel.sys [03/08/2004 7:08 PM 16000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - BDSelfPr
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - GTNDIS5
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LIVESRV
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - rspndr
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - Sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssfs0bbc
*Deregistered* - sshrmd
*Deregistered* - ssidrv
*Deregistered* - stisvc
*Deregistered* - stwlfbus
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VSSERV
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMP54Gv4SVC
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
SENS
Sharedaccess
SRService
Tapisrv
Themes
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Notify-tuvVOGvs - (no file)
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\tuyyo\Application Data\Mozilla\Firefox\Profiles\e5wos18f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/default.aspx
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 21:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"iTunesHelper"="\"c:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"c:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3172)
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msls31.dll
c:\windows\system32\credui.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-05-28 21:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 01:15

Pre-Run: 12,303,753,216 bytes free
Post-Run: 12,247,289,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

360

#6 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 27 May 2009 - 08:33 PM

Hi,

There is more work to do - please stay with me till I give you the all clean:

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield: (note the faint colon in front of :Reg - start with that)
```
:Reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /s
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 28 May 2009 - 04:33 AM

Hi, I'll do the System Look tonight when I get back from work, for now just want to show you what BD found after I left it running a scan last night;

BitDefender Log File

Product : BitDefender Internet Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 28/05/2009 6:16:11 AM
Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1243505771_1_02.xml

Scan Paths:Path 0000: C:\
Path 0001: D:\

Scan Options:Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target Selection Options:Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Log as not scanned

Scan engines summaryNumber of virus signatures : 3203098
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7

Overall scan summaryScanned items : 216162
Infected items : 8
Suspicious items : 0
Resolved items : 7
Unresolved items : 238
Password-protected items : 236
Overcompressed items : 1
Individual viruses found : 5
Scanned directories : 5991
Scanned boot sectors : 4
Scanned archives : 8849
Input-output errors : 0
Scan time : 01:52:04
Files per second : 32

Scanned processes summaryScanned : 26
Infected : 0

Scanned registry keys summaryScanned : 964
Infected : 0

Scanned cookies summaryScanned : 1
Infected : 0

Resolved issues:Object Name Threat Name Final Status
C:\WINDOWS\system32\accwizv.dll Backdoor.Generic.127179 Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\digiwet.dll.vir Backdoor.Zdoogu.H Deleted
C:\System Volume Information\_restore{469D9C3C-7D39-4C77-9FD6-841302EE40FB}\RP1\A0000096.dll Backdoor.Zdoogu.H Deleted
D:\My Documents\Mis Documentos\Drivers\Acronis.Disk.Director.Suite.v10.0.2160\Keygen.exe Trojan.Generic.1714338 Deleted
D:\System Volume Information\_restore{469D9C3C-7D39-4C77-9FD6-841302EE40FB}\RP1\A0000184.exe Trojan.Generic.1714338 Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\3com_dmik.exe.vir Trojan.Waledac.CT Deleted
C:\System Volume Information\_restore{469D9C3C-7D39-4C77-9FD6-841302EE40FB}\RP1\A0000106.exe Trojan.Waledac.CT Deleted

Objects that were not scanned:Object Name Reason Final Status
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img=]root.img Overcompressed Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon10.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon10.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon11.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon11.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon12.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon12.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon13.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon13.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon14.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon14.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon15.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon15.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon4.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon5.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon5.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon6.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon6.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon7.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon7.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon8.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon8.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon9.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hupigon9.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL10.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL10.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL11.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL11.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL12.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL12.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL13.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL13.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL14.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL14.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL15.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL15.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL16.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL16.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL17.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL17.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL18.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL18.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL19.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL19.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL4.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL5.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL5.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL6.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL6.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL7.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL7.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL8.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL8.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL9.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL9.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Startupfiledoesnotexist.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Startupfiledoesnotexist.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip=]vFNTAcfe.ini2 Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip=]vFNTAcfe.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip=]bwvyhnkc.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsd.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsd.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje1.zip=]796525.dll Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje4.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv10.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv10.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv11.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv11.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv12.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv12.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv13.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv13.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv14.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv14.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv15.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv15.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv16.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv16.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv17.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv17.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv18.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv18.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv19.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv19.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv20.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv20.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv21.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv21.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv22.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv22.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv23.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv23.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv24.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv24.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv25.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv25.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv26.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv26.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv27.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv27.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv28.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv28.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv29.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv29.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv30.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv30.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv31.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv31.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv32.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv32.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv33.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv33.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv34.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv34.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv35.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv35.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv36.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv36.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv37.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv37.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv38.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv38.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv39.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv39.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv4.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv40.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv40.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv41.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv41.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv42.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv42.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv43.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv43.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv5.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv5.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv6.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv6.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv7.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv7.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv8.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv8.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv9.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDelfuv9.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt.zip=]Program Files/aquaplay/Uninstall.exe Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt2.zip=]Uninstall.lnk Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSalt3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk4.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk4.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk5.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk5.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk6.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk6.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk7.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk7.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger1.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger1.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger2.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger2.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger3.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDNSChanger3.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip=]sbRecovery.reg Password-protected Not scanned
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip=]sbRecovery.ini Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]{2BDB11AD-EF19-4F80-945A-0948BC84811C} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]{775B9895-5F14-4717-9E9B-131428DA0EFA} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]{8A50D6B7-7D76-4F89-85B0-13BF712CC42B} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]{BACB5886-0E4D-448A-A18B-4AACEB1A9F78} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]{BEC719F7-E6E3-4438-88AA-6EC0FFF4BD08} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-19-2009 - 20-36-08.SBU=]backup.db Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-21-2009 - 06-25-14.SBU=]{0555321F-ADFF-4B47-8025-0F9D36DDA90B} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-21-2009 - 06-25-14.SBU=]{7741266B-CA40-45FC-A81E-E14F4F418D40} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-21-2009 - 06-25-14.SBU=]{82E04DE4-AF4D-457E-B15B-129BFB187EF3} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-21-2009 - 06-25-14.SBU=]{D310C0C4-D98D-45B2-BBB1-B979C1B0042A} Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-21-2009 - 06-25-14.SBU=]backup.db Password-protected Not scanned
C:\Documents and Settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-26-2009 - 06-24-09.SBU=]backup.db Password-protected Not scanned

#8 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 28 May 2009 - 07:45 PM

Here is the log from SystemLook;

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 21:40 on 28/05/2009 by tuyyo (Administrator - Elevation successful)

========== Reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"bdx"="scan"
"DcomLaunch"="DcomLaunch TermService"
"HTTPFilter"="HTTPFilter"
"imgsvc"="StiSvc"
"LocalService"="WebClient LmHosts upnphost SSDPSRV"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Netman Nla NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule SENS Sharedaccess SRService Tapisrv Themes WZCSVC Wmi WmdmPmSp winmgmt xmlprov BITS wuauserv ShellHWDetection WmdmPmSN"
"NetworkService"="DnsCache"
"rpcss"="RpcSs"
"termsvcs"="TermService"
"WudfServiceGroup"="WUDFSvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\bdx]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
"AuthenticationCapabilities"= 0x0000002000 (8192)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

-=End Of File=-

#9 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 29 May 2009 - 01:10 PM

Hi please do the following:

Download this registry fix from HERE

save it to your desktop.

Unzip the file and extract the registry fix file.

you will see a file that looks like this :

Double click on the registry fix and ALLOW it to merge into your registry.

Then delete the copy of ComboFix from your desktop and download a fresh copy (the program has been updated) from the links I have previously provided.

Run ComboFix and post the resulting log.

#10 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 30 May 2009 - 11:41 AM

ComboFix 09-05-29.01 - tuyyo 30/05/2009 7:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1270.671 [GMT -4:00]
Running from: c:\documents and settings\tuyyo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-26 00:35 . 2009-05-26 00:35 -------- d-----w c:\documents and settings\tuyyo\Application Data\BitDefender
2009-05-26 00:34 . 2009-05-26 00:34 -------- d-----w c:\program files\BitDefender
2009-05-20 00:57 . 2009-05-21 01:16 -------- d-----w c:\windows\BDOSCAN8
2009-05-19 23:42 . 2009-05-26 01:42 117760 ----a-w c:\documents and settings\tuyyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-19 23:41 . 2009-05-19 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-19 23:41 . 2009-05-26 01:41 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-19 23:41 . 2009-05-19 23:41 -------- d-----w c:\documents and settings\tuyyo\Application Data\SUPERAntiSpyware.com
2009-05-19 22:54 . 2009-05-19 22:54 2 ---h--w c:\windows\sto453250.dat
2009-05-19 10:51 . 2009-05-19 10:51 2 ---h--w c:\windows\sto453142.dat
2009-05-19 01:46 . 2009-05-19 02:13 -------- d-----w c:\documents and settings\tuyyo\Application Data\DiskAid
2009-05-19 01:45 . 2009-05-19 01:45 -------- d-----w c:\program files\DigiDNA
2009-05-19 01:34 . 2009-05-19 01:54 -------- d-----w c:\program files\WinSCP
2009-05-19 01:21 . 2009-05-26 10:33 148 --s-a-w c:\windows\system32\2221848282.dat
2009-05-17 14:02 . 2009-03-16 18:13 82384 ----a-w c:\windows\system\vntdll.dll
2009-05-17 14:00 . 2009-02-12 15:24 15312 ----a-w c:\windows\system\vmsvcrt.dll
2009-05-17 13:59 . 2009-01-13 14:10 35328 ----a-w c:\windows\system\vuser32.dll
2009-05-17 13:58 . 2008-10-08 19:48 51200 ----a-w c:\windows\system\vkernel32.dll
2009-05-17 13:56 . 2008-07-17 14:05 42720 ----a-w c:\windows\system\vadvapi32.dll
2009-05-06 23:44 . 2009-05-06 23:44 15240 ----a-w c:\documents and settings\tuyyo\Application Data\Microsoft\IdentityCRL\PROD\ppcrlconfig.dll
2009-05-06 23:40 . 2009-05-06 23:40 -------- d-----w c:\program files\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 01:52 . 2008-04-27 15:46 81984 -c--a-w c:\windows\system32\bdod.bin
2009-05-26 01:11 . 2009-02-03 21:03 104328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2009-05-26 00:35 . 2008-04-27 15:42 -------- d-----w c:\program files\Common Files\BitDefender
2009-05-21 02:54 . 2008-01-12 01:34 -------- d-----w c:\program files\DivX
2009-05-21 02:54 . 2008-01-10 22:01 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-19 23:40 . 2008-12-15 00:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-19 10:49 . 2008-10-28 01:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-19 02:14 . 2008-01-13 20:12 -------- d-----w c:\documents and settings\tuyyo\Application Data\Azureus
2009-05-17 13:50 . 2008-11-09 04:39 -------- d-----w c:\program files\Thoosje Vista Sidebar
2009-05-07 10:42 . 2008-01-13 14:03 -------- d-----w c:\documents and settings\tuyyo\Application Data\LimeWire
2009-04-28 20:53 . 2009-04-28 20:53 10684866 ----a-w c:\documents and settings\tuyyo\Application Data\Azureus\plugins\azump\mplayer.exe
2009-04-26 21:03 . 2008-01-26 23:15 -------- d-----w c:\documents and settings\tuyyo\Application Data\Vso
2009-04-26 15:53 . 2009-04-26 15:51 -------- d-----w c:\program files\Vuze
2009-04-23 23:13 . 2009-04-23 23:13 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-21 21:12 . 2008-01-13 14:00 -------- d-----w c:\program files\LimeWire
2009-04-19 23:55 . 2008-01-28 03:33 47360 -c--a-w c:\documents and settings\tuyyo\Application Data\pcouffin.sys
2009-04-19 23:55 . 2008-01-28 03:33 47360 -c--a-w c:\documents and settings\tuyyo\Application Data\pcouffin.sys
2009-04-19 23:55 . 2008-01-28 03:33 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-04-19 23:55 . 2009-04-19 23:54 -------- d-----w c:\program files\VSO
2009-04-19 23:24 . 2008-01-13 20:12 -------- d-----w c:\program files\Azureus
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\program files\iTunes
2009-04-19 01:21 . 2009-04-19 01:21 -------- d-----w c:\program files\iPod
2009-04-19 01:21 . 2008-09-28 19:50 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 01:03 . 2009-04-19 01:03 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-07 00:38 . 2009-04-07 00:38 68456 ----a-w c:\documents and settings\tuyyo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-09-28 19:55 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 15:28 . 2009-03-09 15:28 775168 ----a-w c:\windows\is-H9LON.exe
2009-03-09 15:26 . 2009-03-09 15:26 164 ----a-w c:\windows\install.dat
2009-03-08 17:43 . 2009-03-08 17:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 17:43 . 2009-03-08 17:43 152576 ----a-w c:\documents and settings\tuyyo\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-03-08 08:34 . 2007-06-24 07:40 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2007-06-24 07:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2007-06-24 07:41 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2007-06-24 07:40 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2007-06-24 07:41 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2007-06-24 07:41 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2007-06-24 07:41 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2007-06-24 07:41 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2007-06-24 07:41 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2007-06-24 07:41 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 03:59 . 2009-03-14 16:31 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-28 19:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-05-26 01:11 . 2008-10-30 21:34 49664 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-28_01.04.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 10:44 . 2009-05-30 10:44 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"MétéoÉclair/WeatherEye"="c:\program files\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE" [2009-01-16 4519832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-05-26 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-05-26 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=c:\windows\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^tuyyo^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\tuyyo\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58347:TCP"= 58347:TCP:Azureus
"58347:UDP"= 58347:UDP:Azureus

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [13/02/2009 5:09 PM 29808]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [27/04/2003 1:39 PM 8704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 72944]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [06/10/2008 5:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [03/02/2009 5:03 PM 104328]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [27/04/2003 12:43 PM 99360]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [17/07/2008 12:06 PM 118784]
S3 DCamUSBIntel;USB Video Camera for Intel Proshare technology;c:\windows\system32\drivers\usbintel.sys [03/08/2004 7:08 PM 16000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\tuyyo\Application Data\Mozilla\Firefox\Profiles\e5wos18f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/default.aspx
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 07:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"iTunesHelper"="\"c:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"c:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4000)
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msls31.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-05-30 7:13
ComboFix-quarantined-files.txt 2009-05-30 11:13
ComboFix2.txt 2009-05-28 01:15

Pre-Run: 12,449,091,584 bytes free
Post-Run: 12,438,974,464 bytes free

218

#11 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 30 May 2009 - 12:03 PM

Hi,

Please do the following:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

Double-click GooredFix.exe to run it.
Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).Note: Do not run GooredFix option #2 yet

NEXT

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

#12 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 30 May 2009 - 12:54 PM

Hi, BD just informed me about blocking "Backdoor.Generic.12717", BD said that it was deleted because the file could not be disinfected. Now I'm going to start with GooredFix. Thanks

EDIT:

GooredFix v1.92 by jpshortstuff
Log created at 14:54 on 30/05/2009 running Option #1 (tuyyo)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"FFToolbar@bitdefender.com"="C:\Program Files\BitDefender\BitDefender 2009\FFToolbar\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 2

30/05/2009 3:08:28 PM
mbam-log-2009-05-30 (15-08-28).txt

Scan type: Quick Scan
Objects scanned: 86282
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 31, 2009 02:03:00
Records in database: 2281711
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 54626
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:06:46

File name / Threat name / Threats count
D:\My Documents\Mis Documentos\poetas2.zip Infected: Backdoor.Win32.Agent.obl 1

The selected area was scanned.

#13 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 30 May 2009 - 09:48 PM

OK, thanks, the Kaspersky scan can take several hours to complete

#14 JCas

Group: Member
Posts: 21
Joined: 25-May 09

Posted 31 May 2009 - 11:06 AM

Hi; Kaspersky Log posted on my last post, Thanks.

#15 CatByte

Group: GeekU Moderator
Posts: 2,412
Joined: 08-November 08

Posted 31 May 2009 - 02:21 PM

Hi,

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

Quote

cmd /c del /f/a/q "D:\My Documents\Mis Documentos\poetas2.zip"

NEXT

Go to Start >> Control Panel >> Add/Remove Programs
Locate all the old Java programs on your computer and select REMOVE leaving the most up to date version 6 update 13.

NEXT

While you are in Add/Remove programs, you would be doing yourself a favour by removing Limewire, I am almost certain that is how you became infected as you cannot trust the source from where you are downloading. Most of the infections we see today are through the use of peer2peer programs.

As a precaution I would change all your passwords (from a clean machine) for all of your banks/creditcards and other businesses you deal with as one of the infections you had, had "backdoor" capabilities which can have unauthorized access to your computer where private data could be compromised.

Next

run the DDS program once more, post the DDS.txt and describe how your computer is running now.

Back to Virus, Spyware, Malware Removal

Share this topic:

2 Pages
1
2
→

Please log in to reply

A worm has taken over my security defenses! [Solved] - Geeks to Go Forums