Geeks to Go

win32/olmarik trojan unable to clean [Closed]


  • This topic is locked

#1 Malucogus (Member, 13 posts)

Eset Smartsecurity reports 1 infection when scan is requested.
Operating memory - Win32/Olmarik trojan - unable to clean

Also at boot get red circle with cross and text balloon saying
'Your machine has been infected,click this link to download'

Downloaded the free version of Malwarebytes' Anti-Malware and installed it.
The first time I tried to run it, it just shut down immediately; any further attempts to run it end in an error message saying

'Windows cannot access the specified device, path, or file. You may not have appropriate permissions'

I take it that the infection I have is responsible for terminating MB Anti-Malware.

Please advise next step.

#2 Carina (Member, 623 posts)

Hi Malucogus, welcome to G2G Malware Removal Forum!

My name is Summer and I am here to help you.

I am still a trainee so all my posts will be checked by an Expert. It's your advantage that there are two people looking at your log but responses may be a little delayed so please be patient.

Some points you need to remember while we clean your computer:
  • Please do not run any other tools unless I ask you to.
  • Perform all instructions in the same order as posted. If you need clarification please don't hesitate to ask before you proceed.
  • Print or save my responses as there will be times when you will not be able to access them.
  • Please continue to follow my instructions until I tell you your machine looks clean, because even if your computer seems better after a few runs it does not mean we are done.
  • Make sure you subscribe to this topic so you get notified when I respond. This will facilitate the cleaning of your machine and at the same time will ensure that you don't miss any instruction.


Step 1. Download and Run Rootrepeal

Download RootRepeal from one of the following locations and save it to your desktop:Link 1
Link 2
Link 3
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert link to insert the attachment into your post


Step 2. Download and Run OTL
  • Download OTL to your desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.
Summer :)


#3 Malucogus (Topic Starter, 13 posts)

Hi Summer, first I want to say thank you :) for your help :) .
And this is the report of the RootRepeal.txt:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/29 14:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF43FC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BFE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xEDE73000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF79B4000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF780C000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\netlogon.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gasfkyfpxuerfo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyfyatnpcv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkykpdqqfpb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkypyeypiaj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyvpxbxnxm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyoientssixn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyqxvmhpivrp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkyceyuocnr.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{D3EF6621-CEC3-501C-251B-49CC4A243766}\25\25-{546C661D-7E73-49AF-8958-970709EE8854}-v25-{546C661D-7E73-49AF-8958-970709EE8854}-v25-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{62057AB1-BFAE-4110-EE3E-F0B36EA876C2}\48\48-{546C661D-7E73-49AF-8958-970709EE8854}-v48-{546C661D-7E73-49AF-8958-970709EE8854}-v48-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x84982cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x849830d0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x849836d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x849834f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84982ee0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x84983310

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkyvpxbxnxm.dll]
Process: svchost.exe (PID: 928) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: gasfkyoientssixn.tmpll]
Process: Explorer.EXE (PID: 1584) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: gasfkyoientssixn.tmpll]
Process: IEXPLORE.EXE (PID: 1996) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: gasfkyoientssixn.tmpll]
Process: IEXPLORE.EXE (PID: 3856) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x84a30838]
Process: System Address: 0x84981930 Size: 1000

Hidden Services
-------------------
Service Name: gasfkyyxdnoitm
Image Path: C:\WINDOWS\system32\drivers\gasfkyceyuocnr.sys

==EOF==

#4 Malucogus (Topic Starter, 13 posts)

Hi Summer,
I tried to do step 2, but when I run it, it just shuts down immediately; any further attempts to run it end in an error message saying

'Windows cannot access the specified device, path, or file. You may not have appropriate permissions' :)


Let me know what I can do .

Thanks

#5 Carina (Member, 623 posts)

Hi Malucogus,

I tried to do the 2 step but run it just shut down immediatly

You may not have appropriate permisions'

This is due to the infection present in your machine; it removed the necessary permission to make it run.



Please download Win32kDiag from any of the following locations and save it to your Desktop.
Link 1
Link 2
Link 3
  • Double-click the Win32kDiag icon to run Win32kDiag and let it finish. (If you are using Windows Vista, please right-click and select Run As Administrator )
  • Press any key to exit once you see "Finished!" from the black screen.
  • Look for Win32kDiag.txt file on your Desktop.
  • Copy and paste the contents of that log file here in your next reply.


Summer :)

#6 Malucogus (Topic Starter, 13 posts)

Log file is located at: C:\Documents and Settings\Gustavo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 00:56:50 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

#7 Carina (Member, 623 posts)

Hi Malucogus,

Can you please check the contents of Win32kDiag.txt again. Copy and paste everything here.


Summer :)

#8 Malucogus (Topic Starter, 13 posts)

Hi Summer, I'm sorry :)

Log file is located at: C:\Documents and Settings\Gustavo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 00:56:50 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-07 11:10:56 24539592 C:\WINDOWS\system32\MRT.exe ()

[2] 2009-06-01 12:51:12 23635392 C:\System Volume Information\_restore{71474FB7-10D0-45AD-852D-A6D7B61549D1}\RP610\A0077144.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\netlogon.dll

[1] 2004-08-04 00:56:46 407040 C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:01 407040 C:\WINDOWS\ServicePackFiles\i386\netlogon.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:01 60928 C:\WINDOWS\system32\netlogon.dll ()

[2] 2008-04-13 20:12:01 407040 C:\WINDOWS\system32\ntelogon.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\SET11B1.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET11B1.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET123F.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET123F.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET126.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET126.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET14.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET14.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET16E.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET16E.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET23.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET23.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET2458.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET2458.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET380.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET380.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET3E.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET3E.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET6BB1.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET6BB1.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SET99.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SET99.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SETA10.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SETA10.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SETAB.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SETAB.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SETB6.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SETB6.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\SETE1.tmp

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\SETE1.tmp ()



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 00:56:58 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 12:39:29 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:41:05 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()





Finished!
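
The Win32kDiag log above is read the way a malware-removal helper reads it: for each file the tool could not access, compare the live copy in system32 against the Service Pack backup copies, and look for a look-alike file sitting next to it. The parser below is an added example written for this thread, not part of the original posts or of Win32kDiag; the sample log is excerpted from post #8, and the heuristics (size mismatch against backups, near-identical sibling name) are the editor's own.

```python
"""Flag suspicious entries in a Win32kDiag-style log (added example).

Each "Cannot access:" block lists every copy of that file name found under
C:\\WINDOWS with a timestamp, size and the vendor string from the version
resource.  The live copy of a locked file shows "()" because the tool could
not read it, so an empty vendor alone is not discriminating (dumprep.exe and
MRT.exe show it too); a size that matches no backup copy, or a same-directory
sibling with a near-identical name, is what singles netlogon.dll out.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Excerpted from the Win32kDiag.txt log in post #8 (two of its blocks).
SAMPLE_LOG = """\
Cannot access: C:\\WINDOWS\\system32\\dumprep.exe

[1] 2004-08-04 00:56:50 10752 C:\\WINDOWS\\$NtServicePackUninstall$\\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\\WINDOWS\\ServicePackFiles\\i386\\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\\WINDOWS\\system32\\dumprep.exe ()

Cannot access: C:\\WINDOWS\\system32\\netlogon.dll

[1] 2004-08-04 00:56:46 407040 C:\\WINDOWS\\$NtServicePackUninstall$\\netlogon.dll (Microsoft Corporation)
[1] 2008-04-13 20:12:01 407040 C:\\WINDOWS\\ServicePackFiles\\i386\\netlogon.dll (Microsoft Corporation)
[1] 2008-04-13 20:12:01 60928 C:\\WINDOWS\\system32\\netlogon.dll ()
[2] 2008-04-13 20:12:01 407040 C:\\WINDOWS\\system32\\ntelogon.dll (Microsoft Corporation)
"""

# "[n] <date> <time> <size> <path> (<vendor>)"; the path may contain spaces,
# so it is matched lazily up to the final parenthesised vendor string.
ENTRY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


@dataclass
class Copy:
    path: str
    size: int
    vendor: str


@dataclass
class Group:
    target: str                      # the path Win32kDiag could not access
    copies: list = field(default_factory=list)


def parse_log(text):
    """Split the log into one Group per 'Cannot access:' block."""
    groups = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cannot access: "):
            groups.append(Group(target=line[len("Cannot access: "):]))
        elif groups:
            m = ENTRY_RE.match(line)
            if m:
                groups[-1].copies.append(
                    Copy(path=m.group(4), size=int(m.group(3)), vendor=m.group(5)))
    return groups


def analyze(text, lookalike_threshold=0.8):
    """Return {target path: [reasons]} for blocks that look tampered with."""
    findings = {}
    for g in parse_log(text):
        target = PureWindowsPath(g.target)   # Windows paths compare case-insensitively
        reasons = []
        live = [c for c in g.copies if PureWindowsPath(c.path) == target]
        backups = [c for c in g.copies
                   if PureWindowsPath(c.path) != target
                   and PureWindowsPath(c.path).name.lower() == target.name.lower()]
        # Heuristic 1: live copy's size matches none of the backup copies.
        if live and backups:
            backup_sizes = {b.size for b in backups}
            if live[0].size not in backup_sizes:
                reasons.append(f"size {live[0].size} differs from backup copies "
                               f"{sorted(backup_sizes)}")
        # Heuristic 2: a differently named file in the same directory whose
        # name is nearly identical (e.g. a transposition such as ntelogon).
        for c in g.copies:
            p = PureWindowsPath(c.path)
            if p.parent == target.parent and p.name.lower() != target.name.lower():
                ratio = SequenceMatcher(None, p.name.lower(), target.name.lower()).ratio()
                if ratio >= lookalike_threshold:
                    reasons.append(f"look-alike {p.name} ({c.size} bytes, "
                                   f"{c.vendor or 'no vendor'}) in the same directory")
        if reasons:
            findings[g.target] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in analyze(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On the excerpt this reports only netlogon.dll, for both reasons; dumprep.exe, whose live copy matches its backups byte-for-byte in size, is not flagged.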

#9 Carina (Member, 623 posts)

Hi Malucogus,

Please carefully read and follow the steps below: :)

Step 1. The Avenger

Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All" (extract the avenger folder to your desktop)
  • Copy the text in the code box below by highlighting all of it and pressing Ctrl + C or right clicking and selecting Copy.

    Files to move:
    C:\WINDOWS\system32\ntelogon.dll | C:\WINDOWS\system32\netlogon.dll

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, start The Avenger program. Double click Avenger.exe
  • Right click on the window under "Input script here", and select paste or click on the window and press Ctrl+V to paste
  • Click on Execute.
  • Select "Yes" twice for the two confirmation prompts. Your computer will restart. ( Avenger may restart your system twice )
  • Avenger log should open. >> C:\avenger.txt
  • Paste the content of that log into your reply.





Step 2. Download, Rename and Run Combofix


Download Combofix from any of the links below. You must rename it to MalucogusCF before saving it to your desktop.

If you are using Firefox, make sure that your download is set to "Always ask me where to Save the file."

Tools->Options->Main tab
Set to "Always ask me where to Save the files."

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    If you have problems doing this part you may want to read this.

  • Double click on renamed ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please post the C:\ComboFix.txt so we can continue cleaning the system.





Step 3. Download and Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans, put check mark on Shell Spawning, EventViewer, LOP check, and Purity Scan.
  • Under Custom Scan, copy & paste the text in the quotebox below into it.
    %systemroot%\*. /s /r
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.



The following logs are needed in your reply:
Avenger.txt
Combofix.txt
OTS log



Summer :)


#10 Malucogus (Topic Starter, 13 posts)

Hi Summer, thanks for your help.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\ntelogon.dll" not found!
File move operation "C:\WINDOWS\system32\ntelogon.dll|C:\WINDOWS\system32\netlogon.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#11 Malucogus (Topic Starter, 13 posts)

ComboFix 09-10-01.01 - Gustavo 10/01/2009 23:10.1.1 - NTFSx86
Running from: c:\documents and settings\Gustavo\Desktop\malucoguscf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gustavo\Favorites\videos.url
c:\documents and settings\Gustavo\Local Settings\Application Data\gigupulapa.reg
c:\documents and settings\Gustavo\Local Settings\Application Data\ipygeqy.inf
c:\program files\Common Files\qati.bat
C:\test.txt
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\934fdfg34fgjf23
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\efiqogijil.exe
c:\windows\Installer\1ef923.msi
c:\windows\Installer\5ed26a.msp
c:\windows\Installer\7e0b47d.msp
c:\windows\Installer\7e373c4.msp
c:\windows\pp21cn.dll
c:\windows\prxid93ps.dat
c:\windows\system32\drivers\gasfkyceyuocnr.sys
c:\windows\system32\gasfkyfpxuerfo.dll
c:\windows\system32\gasfkyfyatnpcv.dll
c:\windows\system32\gasfkykpdqqfpb.dat
c:\windows\system32\gasfkypyeypiaj.dat
c:\windows\system32\gasfkyvpxbxnxm.dll
c:\windows\system32\katuli.inf
c:\windows\system32\muzapp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyyxdnoitm
-------\Legacy_gasfkyyxdnoitm
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_sFxdrv


((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Malwarebytes
2009-09-29 04:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 04:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 15:06 . 2009-09-26 15:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-26 14:54 . 2009-09-26 14:54 -------- d-----w- c:\program files\Enigma Software Group
2009-09-20 15:44 . 2009-09-20 15:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 16:32 . 2009-09-13 16:32 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 15:46 . 2009-09-30 02:16 -------- d-----w- c:\documents and settings\Gustavo\Tracing
2009-09-08 22:57 . 2009-09-08 23:00 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 14:47 . 2009-07-16 21:15 -------- d-----w- c:\documents and settings\Gustavo\Application Data\LimeWire
2009-09-29 18:23 . 2009-05-26 04:19 -------- d-----w- c:\documents and settings\Gustavo\Application Data\uTorrent
2009-09-26 20:05 . 2009-08-29 03:39 -------- d-----w- c:\program files\Google
2009-09-26 15:50 . 2008-10-16 02:04 -------- d-----w- c:\program files\AVG
2009-09-26 15:06 . 2009-07-11 15:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-22 15:41 . 2008-10-26 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-13 16:30 . 2008-02-08 20:49 -------- d-----w- c:\program files\Windows Live
2009-09-10 16:59 . 2009-08-19 05:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-31 03:36 . 2007-09-22 16:47 -------- d-----w- c:\documents and settings\Gustavo\Application Data\AdobeUM
2009-08-29 03:40 . 2009-08-29 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-21 04:34 . 2009-08-21 04:34 0 ----a-w- c:\windows\nsreg.dat
2009-08-21 02:42 . 2009-07-16 21:15 -------- d-----w- c:\program files\LimeWire
2009-08-19 20:59 . 2007-09-11 16:31 50880 -c--a-w- c:\documents and settings\Gustavo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 05:57 . 2008-01-01 03:33 -------- d-----w- c:\program files\Common Files\logishrd
2009-08-19 05:50 . 2008-02-08 21:00 -------- d-----w- c:\program files\Windows Live Toolbar
2009-08-19 05:49 . 2009-08-19 05:49 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-19 05:41 . 2009-08-19 05:41 -------- d-----w- c:\program files\Microsoft
2009-08-19 05:40 . 2009-08-19 05:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-19 05:12 . 2009-08-19 03:56 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-19 04:52 . 2009-08-19 04:52 -------- d-----w- c:\program files\MSBuild
2009-08-19 04:01 . 2009-08-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-19 03:59 . 2009-08-19 03:59 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Windows Search
2009-08-19 03:57 . 2009-08-19 03:57 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-19 03:57 . 2009-08-19 03:57 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Windows Desktop Search
2009-08-16 06:03 . 2009-08-16 06:03 -------- d-----w- c:\documents and settings\Gustavo\Application Data\ImgBurn
2009-08-16 04:04 . 2009-08-16 04:04 -------- d-----w- c:\program files\ImgBurn
2009-08-12 22:00 . 2009-08-11 03:35 -------- d-----w- c:\program files\Common Files\BinarySense
2009-08-12 15:24 . 2007-11-17 18:42 -------- d-----w- c:\program files\TVAnts
2009-08-12 04:02 . 2009-08-11 03:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 03:36 . 2009-08-11 03:36 -------- d-----w- c:\documents and settings\Gustavo\Application Data\BinarySense
2009-08-11 03:31 . 2009-08-11 03:31 -------- d-----w- c:\program files\HDD Health
2009-08-06 02:48 . 2009-08-19 05:51 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-24 02:42 . 2009-07-24 02:42 19874 ----a-w- c:\program files\Common Files\oboxonewop.scr
2009-07-24 02:42 . 2009-07-24 02:42 19207 ----a-w- c:\program files\Common Files\umivivam.dl
2009-07-24 02:42 . 2009-07-24 02:42 18744 ----a-w- c:\documents and settings\Gustavo\Local Settings\Application Data\xybamyh.sys
2009-07-24 02:42 . 2009-07-24 02:42 18507 ----a-w- c:\documents and settings\All Users\Application Data\iqadugic.sys
2009-07-24 02:42 . 2009-07-24 02:42 16493 ----a-w- c:\documents and settings\All Users\Application Data\zuhi.pif
2009-07-24 02:42 . 2009-07-24 02:42 15420 ----a-w- c:\windows\system32\wufoxaren.pif
2009-07-24 02:42 . 2009-07-24 02:42 15230 ----a-w- c:\documents and settings\Gustavo\Application Data\omamon.exe
2009-07-24 02:42 . 2009-07-24 02:42 14758 ----a-w- c:\program files\Common Files\mahumehyr.pif
2009-07-24 02:42 . 2009-07-24 02:42 11963 ----a-w- c:\windows\quna.sys
2009-07-22 17:00 . 2008-11-09 22:55 48 --sh--w- c:\windows\S42FFAA56.tmp
2009-07-17 19:01 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 03:35 . 2009-07-15 03:36 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 03:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:15 . 2009-07-10 16:15 306544 ----a-w- c:\windows\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 19:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"HDDHealth"="c:\program files\HDD Health\HDDHealth.exe" [2008-06-15 1692672]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-09-30 200704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\Gustavo\\Desktop\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 gupdate1ca285afab5edb8;Google Update Service (gupdate1ca285afab5edb8);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 133104]
R3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-06 704864]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-08-06 54752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2008-04-17 603648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-29 03:39]

2009-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 03:44]

2009-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 03:44]
.
.
------- Supplementary Scan -------
.
uStart Page = www.ole.com.ar/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: com.tw\www.msi
FF - ProfilePath - c:\documents and settings\Gustavo\Application Data\Mozilla\Firefox\Profiles\alppyhfg.default\
FF - prefs.js: browser.startup.homepage - www.ole.com.ar
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-ppmate - c:\program files\PPMate\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 23:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ř•€|˙˙˙˙•€|ů•A~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-02 23:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 03:30

Pre-Run: 74,777,747,456 bytes free
Post-Run: 76,702,666,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

271 --- E O F --- 2009-09-30 02:55
  • 0

#12
Malucogus

Malucogus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
http://www.mediafire.com/?m2lwtozvmli

Attached Files

  • Attached File  OTS.Txt   144.75KB   219 downloads
  • Attached File  OTS.Txt   144.75KB   232 downloads

  • 0

#13
Carina

Carina

    Member

  • Member
  • PipPipPip
  • 623 posts
Hi Malucogus,


Please follow the steps below: :)

Step 1. Important! Please Read

Whenever you are running peer-to-peer applications you are more prone to infection by malware: although the P2P application itself may be 'clean', the files you download may contain malware. P2P is often used as a method of distributing malware.

I see that you are using peer-to-peer programs, particularly LimeWire, uTorrent, and eMule. These are optional removals. Nevertheless, I strongly recommend that you remove these programs from your system through Add/Remove Programs in the Control Panel.

Here's how to do it: Click Start > click on Control Panel > then click on Add/Remove Programs > choose the application you want to remove > then click the Remove button.




Viewpoint Manager is used by various products of Viewpoint Corporation and is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager will access the internet and check for updates periodically. If it detects an update, it will automatically download and install the change. Although Viewpoint is not technically malware, it is considered to be foistware since it is often installed without a user's knowledge or approval.


If you decide to remove this, please do the following steps:

Go to Start > Run and copy/paste or type: taskmgr

  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.

Click on Start > Run and type: services.msc

  • Press "OK".
  • Click the "Extended" tab.
  • Scroll down the list and find the service called "Viewpoint Manager Service".
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.

Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder


Also, I strongly suggest that you uninstall Ask Toolbar due to the following reasons:

  • Promoting its toolbars on sites targeted to kids.
  • Promoting its toolbars through ads that appear to be part of other companies' sites.
  • Promoting its toolbars through other companies' spyware.
  • Installing without any disclosure whatsoever and without any consent whatsoever.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
Please read the full details HERE.

If you decide to remove Ask Toolbar, go to Start > Control Panel > Add/Remove Programs and remove AskBarDis.

Then go to C: > Program Files and delete AskBarDis folder.



Step 2. Combofix Script

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\oboxonewop.scr
c:\program files\Common Files\umivivam.dl
c:\documents and settings\Gustavo\Local Settings\Application Data\xybamyh.sys
c:\documents and settings\All Users\Application Data\iqadugic.sys
c:\documents and settings\All Users\Application Data\zuhi.pif
c:\windows\system32\wufoxaren.pif
c:\documents and settings\Gustavo\Application Data\omamon.exe
c:\program files\Common Files\mahumehyr.pif
c:\windows\quna.sys
c:\windows\S42FFAA56.tmp

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ř•€|˙˙˙˙•€|ů•A~*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Step 3. OTS fix

Start OTS.
Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> cpnprt2.cid -> C:\WINDOWS\cpnprt2.cid
NY -> cpnprt2.cid -> C:\WINDOWS\System32\cpnprt2.cid
[Files/Folders - Modified Within 30 Days]
NY -> imsins.BAK -> C:\WINDOWS\imsins.BAK
NY -> cpnprt2.cid -> C:\WINDOWS\cpnprt2.cid
NY -> cpnprt2.cid -> C:\WINDOWS\System32\cpnprt2.cid
[Empty Temp Folders]
[Reboot]

When the fix is completed your computer will reboot. Post the log in your next reply.


Logs needed in your next reply:
Combofix
OTS


Summer :)
  • 0

#14
Malucogus

Malucogus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Summer, thanks for your help.
ComboFix 09-10-05.01 - Gustavo 10/06/2009 13:02.2.1 - NTFSx86
Running from: c:\documents and settings\Gustavo\Desktop\malucoguscf.exe
Command switches used :: c:\documents and settings\Gustavo\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\documents and settings\All Users\Application Data\iqadugic.sys"
"c:\documents and settings\All Users\Application Data\zuhi.pif"
"c:\documents and settings\Gustavo\Application Data\omamon.exe"
"c:\documents and settings\Gustavo\Local Settings\Application Data\xybamyh.sys"
"c:\program files\Common Files\mahumehyr.pif"
"c:\program files\Common Files\oboxonewop.scr"
"c:\program files\Common Files\umivivam.dl"
"c:\windows\quna.sys"
"c:\windows\S42FFAA56.tmp"
"c:\windows\system32\wufoxaren.pif"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\iqadugic.sys
c:\documents and settings\All Users\Application Data\zuhi.pif
c:\documents and settings\Gustavo\Application Data\omamon.exe
c:\documents and settings\Gustavo\Local Settings\Application Data\xybamyh.sys
c:\program files\Common Files\mahumehyr.pif
c:\program files\Common Files\oboxonewop.scr
c:\program files\Common Files\umivivam.dl
c:\windows\quna.sys
c:\windows\system32\wufoxaren.pif
c:\windows\S42FFAA56.tmp . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Malwarebytes
2009-09-29 04:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 04:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 04:17 . 2009-09-29 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 15:06 . 2009-09-26 15:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-26 14:54 . 2009-09-26 14:54 -------- d-----w- c:\program files\Enigma Software Group
2009-09-20 15:44 . 2009-09-20 15:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 16:32 . 2009-09-13 16:32 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 15:46 . 2009-09-30 02:16 -------- d-----w- c:\documents and settings\Gustavo\Tracing
2009-09-08 22:57 . 2009-09-08 23:00 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 17:11 . 2008-11-09 22:55 0 ------w- c:\windows\S42FFAA56.tmp
2009-10-04 18:09 . 2009-07-16 21:15 -------- d-----w- c:\documents and settings\Gustavo\Application Data\LimeWire
2009-09-29 18:23 . 2009-05-26 04:19 -------- d-----w- c:\documents and settings\Gustavo\Application Data\uTorrent
2009-09-26 20:05 . 2009-08-29 03:39 -------- d-----w- c:\program files\Google
2009-09-26 15:50 . 2008-10-16 02:04 -------- d-----w- c:\program files\AVG
2009-09-26 15:06 . 2009-07-11 15:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-22 15:41 . 2008-10-26 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-13 16:30 . 2008-02-08 20:49 -------- d-----w- c:\program files\Windows Live
2009-09-10 16:59 . 2009-08-19 05:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-31 03:36 . 2007-09-22 16:47 -------- d-----w- c:\documents and settings\Gustavo\Application Data\AdobeUM
2009-08-29 03:40 . 2009-08-29 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-21 04:34 . 2009-08-21 04:34 0 ----a-w- c:\windows\nsreg.dat
2009-08-21 02:42 . 2009-07-16 21:15 -------- d-----w- c:\program files\LimeWire
2009-08-19 20:59 . 2007-09-11 16:31 50880 -c--a-w- c:\documents and settings\Gustavo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 05:57 . 2008-01-01 03:33 -------- d-----w- c:\program files\Common Files\logishrd
2009-08-19 05:50 . 2008-02-08 21:00 -------- d-----w- c:\program files\Windows Live Toolbar
2009-08-19 05:49 . 2009-08-19 05:49 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-19 05:41 . 2009-08-19 05:41 -------- d-----w- c:\program files\Microsoft
2009-08-19 05:40 . 2009-08-19 05:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-19 05:12 . 2009-08-19 03:56 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-19 04:52 . 2009-08-19 04:52 -------- d-----w- c:\program files\MSBuild
2009-08-19 04:01 . 2009-08-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-19 03:59 . 2009-08-19 03:59 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Windows Search
2009-08-19 03:57 . 2009-08-19 03:57 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-19 03:57 . 2009-08-19 03:57 -------- d-----w- c:\documents and settings\Gustavo\Application Data\Windows Desktop Search
2009-08-16 06:03 . 2009-08-16 06:03 -------- d-----w- c:\documents and settings\Gustavo\Application Data\ImgBurn
2009-08-16 04:04 . 2009-08-16 04:04 -------- d-----w- c:\program files\ImgBurn
2009-08-12 22:00 . 2009-08-11 03:35 -------- d-----w- c:\program files\Common Files\BinarySense
2009-08-12 15:24 . 2007-11-17 18:42 -------- d-----w- c:\program files\TVAnts
2009-08-12 04:02 . 2009-08-11 03:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 03:36 . 2009-08-11 03:36 -------- d-----w- c:\documents and settings\Gustavo\Application Data\BinarySense
2009-08-11 03:31 . 2009-08-11 03:31 -------- d-----w- c:\program files\HDD Health
2009-08-06 02:48 . 2009-08-19 05:51 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 03:35 . 2009-07-15 03:36 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 03:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:15 . 2009-07-10 16:15 306544 ----a-w- c:\windows\WLXPGSS.SCR
.

((((((((((((((((((((((((((((( SnapShot@2009-10-02_03.24.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 17:12 . 2009-10-06 17:12 16384 c:\windows\temp\Perflib_Perfdata_718.dat
+ 2002-08-29 08:00 . 2009-10-04 04:12 79294 c:\windows\system32\perfc009.dat
- 2002-08-29 08:00 . 2009-10-02 03:14 79294 c:\windows\system32\perfc009.dat
+ 2002-08-29 08:00 . 2009-10-04 04:12 465512 c:\windows\system32\perfh009.dat
- 2002-08-29 08:00 . 2009-10-02 03:14 465512 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"HDDHealth"="c:\program files\HDD Health\HDDHealth.exe" [2008-06-15 1692672]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-09-30 200704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\Gustavo\\Desktop\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 gupdate1ca285afab5edb8;Google Update Service (gupdate1ca285afab5edb8);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 133104]
R3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-06 704864]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-08-06 54752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2008-04-17 603648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-29 03:39]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 03:44]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 03:44]
.
.
------- Supplementary Scan -------
.
uStart Page = www.ole.com.ar/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: com.tw\www.msi
FF - ProfilePath - c:\documents and settings\Gustavo\Application Data\Mozilla\Firefox\Profiles\alppyhfg.default\
FF - prefs.js: browser.startup.homepage - www.ole.com.ar
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 13:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ř•€|˙˙˙˙•€|ů•A~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-06 13:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 17:19
ComboFix2.txt 2009-10-02 03:30

Pre-Run: 75,409,747,968 bytes free
Post-Run: 75,509,538,816 bytes free

230 --- E O F --- 2009-10-04 01:55
  • 0
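The "Reg Loading Points" section of the ComboFix log above carries the entries a helper reads first when judging how exposed the machine is: the Security Center override values, the firewall switch for the standard profile, and the list of firewall-authorised programs. The script below is an added example (my own code, not part of this thread and not from ComboFix or any of the tools used here) that parses that section and flags those entries automatically. The log text embedded in it is a constructed sample modelled on the entries in the log above, not a copy of the log itself; the "trusted" path prefixes are an assumption about where firewall exceptions normally point.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Flags the settings a malware-removal helper checks first: Security Center
overrides, a disabled Windows Firewall, and firewall exceptions for programs
that live outside the Windows and Program Files trees.
"""
import re

# Constructed sample, modelled on the ComboFix log posted in this thread
# (not copied from it): a Security Center override, a disabled firewall and
# three firewall exceptions, one of them for an executable on the Desktop.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Documents and Settings\\Gustavo\\Desktop\\utorrent-1.8.2.upx.exe"=
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# (suffix of the registry key, value name, value that means "weakened", explanation)
WEAK_SETTINGS = [
    ('security center', 'antivirusoverride', 1,
     'Security Center told not to report a missing or disabled antivirus'),
    ('security center', 'updatesdisablenotify', 1,
     'Security Center told not to report disabled Automatic Updates'),
    ('firewallpolicy\\standardprofile', 'enablefirewall', 0,
     'Windows Firewall disabled for the standard profile'),
]

# Assumption: locations a firewall exception is normally expected to point at.
TRUSTED_PREFIXES = ('%windir%\\', 'c:\\windows\\', 'c:\\program files\\')


def parse_reg_sections(text):
    """Map each lower-cased [key] to its list of (value name, raw value) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key').lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group('name'), m.group('value').strip()))
    return sections


def parse_number(raw):
    """Read 'dword:00000001' or '0 (0x0)' style values as an int (None if neither)."""
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def find_weakened_settings(sections):
    """Return (value name, explanation) for every security setting switched off."""
    findings = []
    for key, values in sections.items():
        for suffix, name, bad, why in WEAK_SETTINGS:
            if not key.endswith(suffix):
                continue
            for vname, raw in values:
                if vname.lower() == name and parse_number(raw) == bad:
                    findings.append((vname, why))
    return findings


def find_unusual_firewall_exceptions(sections):
    """Return firewall-authorised programs that are not under Windows or Program Files."""
    unusual = []
    for key, values in sections.items():
        if not key.endswith('authorizedapplications\\list'):
            continue
        for vname, _ in values:
            path = vname.replace('\\\\', '\\')   # ComboFix doubles backslashes in value names
            if not path.lower().startswith(TRUSTED_PREFIXES):
                unusual.append(path)
    return unusual


def triage(text):
    """Run both checks over a ComboFix log and return the findings."""
    sections = parse_reg_sections(text)
    return {
        'weakened_settings': find_weakened_settings(sections),
        'unusual_firewall_exceptions': find_unusual_firewall_exceptions(sections),
    }


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for name, why in report['weakened_settings']:
        print(f'[weakened] {name}: {why}')
    for path in report['unusual_firewall_exceptions']:
        print(f'[firewall exception outside trusted paths] {path}')
```

Run it against a saved C:\ComboFix.txt by passing the file contents to `triage()`; on the sample it reports the two Security Center overrides, the disabled firewall and the uTorrent executable authorised from the user's Desktop. The firewall-exception check is a heuristic: a program run from a profile folder is not proof of anything, only a prompt to look at where that binary came from.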

#15
Malucogus

Malucogus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Summer, this is the ots.log

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\cpnprt2.cid moved successfully.
C:\WINDOWS\System32\cpnprt2.cid moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\imsins.BAK moved successfully.
File C:\WINDOWS\cpnprt2.cid not found!
File C:\WINDOWS\System32\cpnprt2.cid not found!
[Empty Temp Folders]


User: Administrator

User: Administrator.OWNER-3321AF21C
->Temp folder emptied: 163202985 bytes
->Temporary Internet Files folder emptied: 1468291 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1468291 bytes

User: Gustavo
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1551949 bytes
->Java cache emptied: 15105605 bytes
->FireFox cache emptied: 38631985 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 111759 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
File delete failed. C:\WINDOWS\S42FFAA56.tmp scheduled to be deleted on reboot.
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 578 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 211.28 mb

< End of fix log >
OTS by OldTimer - Version 3.0.19.0 fix logfile created on 10062009_132434

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\S42FFAA56.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  • 0





