Computer Juice Magazine
#1
14th Nov 2008, 19:55
Member Group
Skill Level: Intermediate
Posts: 129
A Strange Registry Fix?

OK, so I have Spybot Search & Destroy and Avast antivirus.

Recently I was doing a paper (in OpenOffice, because my MS Office 07 trial ran out) and I found that my Explorer was acting up: the task bar was disappearing and reappearing. I attributed it to the OpenOffice Quickstarter, because as soon as I would close it, the task bar would disappear and reappear. I ran Spybot and it found some stuff and I killed it, and it seemed to take out that problem, but then I got some confusing reports: there was a registry change (that I had to approve) that I had no idea about. I said no to all of them; I looked at them and they were all the same, so I set it to say no each time, and it just kept going, the same one over and over. At some point the reporter got so filled up it had to quit, so I don't know if it allowed it or not. I also uninstalled OpenOffice, so that might be what it was. But it was very strange.

#2
15th Nov 2008, 03:23
Malware Group
Skill Level: Advanced
Posts: 348
A Strange Registry Fix?

Hi

What was the Registry change? Do you have any information? Do you use Spybot's TeaTimer?
#3
15th Nov 2008, 09:00
Member Group
Skill Level: Intermediate
Posts: 129
A Strange Registry Fix?

Here's the log from Spybot.

Quote:
11/13/2008 8:54:14 PM Denied (based on user decision) value "{113B425F-07A5-4CD3-A2B1-93D69702F3CD}" (new data: "") added in Browser Helper Object!
11/13/2008 8:54:28 PM Allowed (based on user decision) value "{6FFB535C-6932-407B-8912-BE51CF38F12F}" (new data: "") deleted in Browser Helper Object!
11/13/2008 8:54:31 PM Allowed (based on user decision) value "{113B425F-07A5-4CD3-A2B1-93D69702F3CD}" (new data: "") added in Browser Helper Object!
11/13/2008 8:54:33 PM Allowed (based on authenticode whitelist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
11/13/2008 11:03:02 PM Allowed (based on user decision) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
11/14/2008 3:16:58 PM Allowed (based on user decision) value "{3B1ADA04-E3A8-43C4-82E9-3C63307A6F23}" (new data: "") added in Browser Helper Object!
11/14/2008 4:40:40 PM Denied (based on user decision) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:40:44 PM Denied (based on user decision) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:40:46 PM Denied (based on user decision) value "{fd0f06cf-8567-46fc-a0f8-a5a99b4f0641}" (new data: "") added in Browser Helper Object!
11/14/2008 4:40:58 PM Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
11/14/2008 4:41:02 PM Allowed (based on user decision) value "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" (new data: "") deleted in Browser Helper Object!
11/14/2008 4:41:07 PM Denied (based on user decision) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:09 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:10 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:11 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:13 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:14 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:16 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:17 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 4:41:19 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:24:48 PM Allowed (based on user decision) value "{CE979544-743A-463D-B22E-05E39CD9F885}" (new data: "") deleted in Browser Helper Object!
11/14/2008 8:25:16 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
11/14/2008 8:26:41 PM Denied (based on user decision) value "8c7116c0" (new data: "rundll32.exe "C:\WINDOWS\system32\uqdvrcwj.dll",b") added in System Startup global entry!
11/14/2008 8:27:09 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:10 PM Denied (based on user decision) value "{fb871f9a-19c8-4ca8-8525-325f0bcadd4f}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:12 PM Allowed (based on user decision) value "{3B1ADA04-E3A8-43C4-82E9-3C63307A6F23}" (new data: "") deleted in Browser Helper Object!
11/14/2008 8:27:15 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:16 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:29 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:31 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:33 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:27:44 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:28:04 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:28:07 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:28:10 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:28:38 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:29:45 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:29:56 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:29:59 PM Denied (based on user decision) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:00 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:01 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:02 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:03 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:04 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:05 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:06 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:07 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:09 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:22 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:36 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:39 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:41 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:42 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:43 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:44 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:45 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:50 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:52 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:53 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:55 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:56 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:57 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:58 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/14/2008 8:30:59 PM Denied (based on user blacklist) value "{5CE2C2FE-2B2F-4650-96EC-37E61AFBB03A}" (new data: "") added in Browser Helper Object!
11/15/2008 9:49:39 AM Denied (based on user decision) value "{b656419b-254a-4087-b98e-d36f66bf813e}" (new data: "") added in Browser Helper Object!
11/15/2008 9:49:46 AM Denied (based on user decision) value "8c7116c0" (new data: "rundll32.exe "C:\WINDOWS\system32\jhnkvojh.dll",b") added in System Startup global entry!
There is also a pop-up:

Quote:
ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes.

Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.

Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)
The pop-up says it's from "http://proffesionalscan.com"
If you select cancel it moves you to: "http://proffesionalscan.com/2009/1/en/freescan.php?id=770522154349"

Avast calls it a virus as soon as the page is loaded, as "JS:Agent-DE [Trj]".

I did a Spybot scan and an Avast boot scan overnight, and I set it to remove any viruses automatically.

It's also showing that I don't have Automatic Updates on. But I do.
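The TeaTimer log above carries two tells a malware helper reads for: the same CLSID being re-added and denied in a loop, and a "System Startup global entry" that launches rundll32.exe on a randomly named DLL in system32. As an added example (not from the thread, Spybot or ComboFix), here is a small Python triage script over a constructed sample built from the log lines quoted above; the eight-lowercase-letter DLL-name heuristic is an assumption tuned to the names in this thread, not a Spybot rule.

```python
"""Triage a Spybot S&D TeaTimer registry-change log.

Flags two patterns that show up in the log quoted in this thread:
  * the same value being re-added and denied over and over (a persistent
    infection putting its Browser Helper Object back each time), and
  * a "System Startup global entry" that launches rundll32.exe on a
    random-looking DLL in the Windows system32 folder.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One TeaTimer line: timestamp, verdict, reason, value name, new data,
# action (added/deleted) and the monitored location, ending in "!".
LINE_RE = re.compile(
    r'^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<reason>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted) in (?P<location>.+?)!$'
)

# rundll32 loading a DLL from system32 whose base name is eight lowercase
# letters (assumed heuristic, tuned to uqdvrcwj.dll / jhnkvojh.dll above).
RANDOM_DLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[a-z]{8}\.dll', re.IGNORECASE
)

STARTUP_LOCATION = "System Startup global entry"


@dataclass
class Event:
    timestamp: str
    verdict: str
    reason: str
    name: str
    data: str
    action: str
    location: str


def parse_log(text):
    """Parse TeaTimer log text; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def repeated_denied_adds(events, threshold=3):
    """Map (value name, location) -> count for values denied 'added' at
    least `threshold` times: the re-add loop the original poster describes."""
    counts = Counter(
        (e.name, e.location)
        for e in events
        if e.verdict == "Denied" and e.action == "added"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def suspicious_startup_entries(events):
    """Return (value name, command) for startup entries matching RANDOM_DLL_RE,
    whatever TeaTimer's own verdict was."""
    return [
        (e.name, e.data)
        for e in events
        if e.location == STARTUP_LOCATION
        and e.action == "added"
        and RANDOM_DLL_RE.search(e.data)
    ]


def triage(text):
    """Run both checks over raw log text and return a summary dict."""
    events = parse_log(text)
    return {
        "events": len(events),
        "repeated_denied_adds": repeated_denied_adds(events),
        "suspicious_startup": suspicious_startup_entries(events),
    }


# Constructed sample: a handful of lines copied from the log quoted in this thread.
SAMPLE_LOG = "\n".join([
    r'11/13/2008 8:54:33 PM Allowed (based on authenticode whitelist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!',
    r'11/14/2008 4:40:40 PM Denied (based on user decision) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!',
    r'11/14/2008 4:40:44 PM Denied (based on user decision) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!',
    r'11/14/2008 4:40:58 PM Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!',
    r'11/14/2008 4:41:09 PM Denied (based on user blacklist) value "{772F682F-1AF2-496F-B479-1186F117855A}" (new data: "") added in Browser Helper Object!',
    r'11/14/2008 8:26:41 PM Denied (based on user decision) value "8c7116c0" (new data: "rundll32.exe "C:\WINDOWS\system32\uqdvrcwj.dll",b") added in System Startup global entry!',
    r'11/15/2008 9:49:46 AM Denied (based on user decision) value "8c7116c0" (new data: "rundll32.exe "C:\WINDOWS\system32\jhnkvojh.dll",b") added in System Startup global entry!',
    "this line is not a TeaTimer record and is skipped",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that the whitelisted Spybot entry lands in the same startup location but is not flagged, and that the value name "8c7116c0" comes back with a different DLL each day, which is why a helper treats the name, not the file, as the thing to watch.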
#4
15th Nov 2008, 11:15
Member Group
Skill Level: Intermediate
Posts: 129
A Strange Registry Fix?

OOPS!!!! OK, don't you hate it when you post something trying to get help, and then you remember an old post on another forum? Then you go and download Malwarebytes and it fixes the problem?

Well, that's what I just did. It took an hour and 20 minutes on my 120 GB HD and it seems to have fixed the problem.

Sorry if I wasted your time!!!
#5
15th Nov 2008, 11:38
Donor Group
Skill Level: Intermediate
Posts: 1,052
A Strange Registry Fix?

It sounds to me like you might want to download and run Malwarebytes.............. It will probably take about an hour and twenty minutes to run on, say, a 120 GB hard drive..............

LOL sorry, I couldn't resist.

EDIT: The above post is an attempt at jocularity and in no way an offer of advice. I am in no way qualified to offer advice for any malware problems at this time. If you continue to have problems, post again and wait for Glaswegian or Evil Fantasy to reply.
#6
15th Nov 2008, 12:10
Malware Group
Skill Level: Advanced
Posts: 348
A Strange Registry Fix?

Hi

Glad you were able to use MBAM. However, malware like this often invites friends to join in, so humour me here and let's run a specialised tool to check for any leftovers.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#7
15th Nov 2008, 13:04
Member Group
Skill Level: Intermediate
Posts: 129
A Strange Registry Fix?

Here it is:
Quote:
ComboFix 08-11-13.02 - Ian Bertolacci 2008-11-15 13:55:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.609 [GMT -7:00]
Running from: c:\documents and settings\Ian Bertolacci\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Ian Bertolacci\Application Data\Adobe\crc.dat
c:\documents and settings\Ian Bertolacci\Application Data\Adobe\Player.exe.bak
c:\windows\system32\EKUEeMoq.ini
c:\windows\system32\EKUEeMoq.ini2
c:\windows\system32\rbpsgkiw.ini
c:\windows\system32\rrlqulwa.ini
c:\windows\system32\rwkkhtrh.ini
c:\windows\system32\setup_.exe
c:\windows\system32\soympvqw.ini
c:\windows\system32\StCcJkkj.ini
c:\windows\system32\StCcJkkj.ini2
c:\windows\system32\SvuDdMoq.ini
c:\windows\system32\SvuDdMoq.ini2
c:\windows\system32\ugxqrkdu.ini
c:\windows\system32\vmjqhhsb.ini
c:\windows\Tasks\ttlmcxjl.job

----- BITS: Possible infected sites -----

hxxp://78.157.143.163
hxxp://bobscash.wewillhostit.com
hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-15 12:46 . 2008-11-15 12:46 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-11-15 12:46 . 2008-11-15 12:46 <DIR> d-------- c:\program files\JRE
2008-11-15 12:08 . 2008-11-15 12:08 <DIR> d-------- c:\windows\system32\CatRoot2
2008-11-15 10:09 . 2008-11-15 10:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 10:09 . 2008-11-15 10:09 <DIR> d-------- c:\documents and settings\Ian Bertolacci\Application Data\Malwarebytes
2008-11-15 10:09 . 2008-11-15 10:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 10:09 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 10:09 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 22:55 . 2008-11-13 22:55 95 --a------ c:\windows\wininit.ini
2008-11-13 19:26 . 2008-11-13 19:26 <DIR> d-------- c:\documents and settings\Ian Bertolacci\Application Data\OpenOffice.org
2008-11-13 15:46 . 2008-11-13 15:46 <DIR> d-------- c:\documents and settings\Ian Bertolacci\Application Data\IObit
2008-11-13 15:29 . 2008-11-13 15:29 <DIR> d-------- c:\program files\IObit
2008-11-13 15:28 . 2008-11-13 15:32 <DIR> d-------- c:\documents and settings\Ian Bertolacci\Application Data\Sammsoft
2008-11-12 20:04 . 2008-11-12 21:03 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2008-11-11 18:03 . 2008-11-11 18:03 60,240 --ah----- c:\windows\system32\mlfcache.dat
2008-11-11 15:12 . 2008-11-11 15:12 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 15:09 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 15:08 . 2008-09-04 10:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 10:47 . 2008-11-09 10:48 <DIR> d-------- c:\windows\system32\NtmsData
2008-11-07 07:17 . 2008-11-07 07:17 <DIR> d-------- C:\MicroProse
2008-11-04 21:14 . 2008-11-04 21:19 115,771 --a------ c:\windows\system32\Air
2008-11-04 17:35 . 2008-11-04 17:35 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2008-11-04 17:34 . 2008-11-04 17:35 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-11-04 17:25 . 2008-11-04 17:46 78 --a------ c:\windows\t be located
2008-11-04 05:58 . 2008-11-04 05:58 <DIR> d-------- c:\program files\Recuva
2008-11-04 05:44 . 2008-11-04 17:21 <DIR> d-------- c:\program files\Defraggler
2008-10-31 05:44 . 2007-09-18 15:24 676,224 --a------ c:\windows\system32\OGACheckControl.dll
2008-10-30 21:31 . 2008-10-30 21:31 <DIR> d-------- c:\windows\Creativity Extension for Autodesk 3ds Max 2009
2008-10-29 19:35 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-29 19:29 . 2008-10-29 19:29 <DIR> d-------- c:\program files\Microsoft Works
2008-10-29 19:18 . 2008-10-29 19:18 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-10-28 19:17 . 2008-11-10 18:41 <DIR> d-------- c:\program files\Yahoo!
2008-10-23 14:23 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 06:00 . 2008-10-24 10:44 <DIR> d-------- C:\GTK
2008-10-19 14:37 . 2008-10-19 14:37 <DIR> d-------- C:\ProgramData
2008-10-19 14:36 . 2008-10-19 14:48 2,994 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-10-18 20:00 . 2004-03-29 15:23 90,112 --a------ c:\windows\unvise32.exe
2008-10-18 19:58 . 2008-10-18 19:59 <DIR> d-------- c:\program files\The Rosetta Stone
2008-10-18 19:51 . 2008-10-18 19:51 <DIR> d-------- c:\program files\uTorrent SpeedUp Pro
2008-10-16 18:54 . 2008-10-16 18:54 <DIR> d-------- c:\program files\EA Games
2008-10-16 18:35 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-16 18:35 . 2008-04-13 11:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-16 18:34 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-10-16 18:34 . 2008-04-13 11:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-10-16 18:28 . 2008-10-16 18:28 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2008-10-16 18:28 . 2008-10-16 18:28 <DIR> d--h----- c:\program files\CanonBJ
2008-10-16 18:28 . 2008-10-16 18:28 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-10-16 18:28 . 2006-09-13 13:00 197,632 --a------ c:\windows\system32\CNMLM7R.DLL
2008-10-16 18:28 . 2006-09-26 17:08 194,560 --a------ c:\windows\system32\CNCC530.DLL
2008-10-16 18:28 . 2005-11-01 19:17 143,360 --a------ c:\windows\system32\CNCL530.DLL
2008-10-16 18:28 . 2006-09-29 22:28 130,048 --a------ c:\windows\system32\CNCF2La.DLL
2008-10-16 18:28 . 2006-06-29 22:29 106,496 --a------ c:\windows\system32\cncisco.dll
2008-10-16 18:28 . 2006-09-29 22:28 49,152 --a------ c:\windows\system32\CNCFMSa.EXE
2008-10-16 18:28 . 2006-09-13 19:49 37,888 --a------ c:\windows\system32\CNCI530.DLL
2008-10-16 18:28 . 2006-09-29 22:28 3,072 --a------ c:\windows\system32\CNCFLaUS.DLL
2008-10-16 18:28 . 2006-09-29 22:28 2,560 --a------ c:\windows\system32\CNCFLaJP.DLL
2008-10-16 15:52 . 2008-10-17 21:07 <DIR> d-------- c:\program files\All Emulators
2008-10-15 19:00 . 2008-09-08 03:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 18:57 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 18:57 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 18:57 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 18:57 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 18:57 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 13:03 . 2008-11-06 15:55 <DIR> d-------- c:\program files\Wavosaur

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-11-15 19:59 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-15 19:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-15 02:32 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-14 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 02:01 --------- d-----w c:\documents and settings\Ian Bertolacci\Application Data\uTorrent
2008-11-14 01:45 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-13 04:31 --------- d-----w c:\program files\Maxis
2008-11-11 04:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 04:17 --------- d-----w c:\program files\MySpace
2008-11-11 01:42 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-11 01:41 --------- d-----w c:\program files\YafRay
2008-11-09 17:58 --------- d-----w c:\program files\MagicDisc
2008-11-08 22:18 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-11-08 22:18 --------- d-----w c:\program files\Autodesk
2008-11-08 22:18 --------- d-----w c:\documents and settings\Ian Bertolacci\Application Data\Autodesk
2008-11-08 17:59 --------- d-----w c:\program files\Microsoft Games
2008-11-08 01:22 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 04:11 --------- d-----w c:\program files\Bonjour
2008-11-04 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-30 02:29 --------- d-----w c:\program files\MSBuild
2008-10-29 04:10 --------- d-----w c:\program files\Gmax
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 02:31 --------- d-----w c:\documents and settings\Ian Bertolacci\Application Data\IcoFX
2008-10-20 21:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-15 17:54 --------- d-----w c:\program files\FlightGear
2008-10-14 23:33 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-14 23:31 --------- d-----w c:\program files\CCleaner
2008-10-14 22:17 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-10-10 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\Age of Empires 3
2008-10-09 22:56 --------- d-----w c:\program files\Red Storm Entertainment
2008-10-08 03:11 --------- d-----w c:\program files\Phun
2008-10-06 04:28 --------- d-----w c:\program files\Abacus
2008-10-06 01:26 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-06 01:26 --------- d--h--r c:\documents and settings\Ian Bertolacci\Application Data\SecuROM
2008-10-05 17:22 --------- d-----w c:\program files\MagicISO
2008-10-05 15:08 --------- d-----w c:\program files\uTorrent
2008-10-04 01:10 --------- d-----w c:\program files\GameSpy Arcade
2008-10-03 23:53 --------- d-----w c:\program files\iTunes
2008-10-03 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 23:52 --------- d-----w c:\program files\iPod
2008-10-02 23:43 62,208 -c--a-w c:\windows\iun1401.exe
2008-10-02 23:43 1,409 -c--a-w c:\windows\Fonts\MAIDWORD.fot
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 02:32 --------- d-----w c:\program files\DAP
2008-09-23 02:32 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-09-21 21:53 --------- d-----w c:\documents and settings\Ian Bertolacci\Application Data\U3
2008-09-21 16:57 118,784 -c--a-w c:\windows\GREUninstall.exe
2008-09-20 14:35 --------- d-----w c:\documents and settings\Ian Bertolacci\Application Data\NCH Swift Sound
2008-09-19 22:00 --------- d-----w c:\program files\TI Education
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-31 20:46 24 -c--a-w c:\documents and settings\Ian Bertolacci\jagex_runescape_preferences.dat
2008-08-29 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 15:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-16 15:55 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2008-08-16 15:55 262,144 ----a-w c:\windows\system32\wrap_oal.dll
2008-01-07 00:43 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-03 19:58 90 --sh--w c:\windows\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F4F10C1D-87C7-404A-B4B3-000000000000}"= "c:\progra~1\DAP\SBSearch.dll" [2008-02-26 32768]

[HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-09 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CARPService"="carpserv.exe" [2003-11-08 c:\windows\system32\carpserv.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-10-06 575488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zwfgxk.dll liofyh.dll llkdbr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Microsoft Games\\Programs\\FSHost\\FSHost32.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Games\\Combat Flight Simulator 3\\cfs3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\EA Games\\Need For Speed Hot Pursuit 2\\NfsHP2.ori"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19708:TCP"= 19708:TCP:Utorrent

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-09 20560]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-09 65536]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2008-01-02 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2008-01-02 244608]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\FA312nd5.sys [2008-01-02 16074]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\DRIVERS\WPC54Gv3.SYS [2006-11-30 610816]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\c:\windows\System32\CBTNDIS5.SYS [2008-01-02 17142]
S3 odysseyIM4;Odyssey Network Agent Miniport;c:\windows\system32\DRIVERS\odysseyIM4.sys [2005-05-18 173056]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\Drivers\TiglUsb.sys []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5cd27ee-877c-11dd-90f8-0018f8b3f09c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-09 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2008-10-29 07:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0FE1A32E-47E6-42CA-AA24-B64CD9262E15} - (no file)
BHO-{113B425F-07A5-4CD3-A2B1-93D69702F3CD} - (no file)
BHO-{5282CECF-B3F2-409F-BB2A-C699CAE31F83} - (no file)
BHO-{9060A69F-95E6-4E99-838D-9B895E1445AF} - (no file)
BHO-{C43C06F4-B665-46D2-8A16-03773B144F6C} - c:\windows\system32\qoMeEUKE.dll
BHO-{F701BE8D-4EB3-426A-8675-F235D88A5A86} - (no file)
Notify-pmnnLBtr - pmnnLBtr.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ian Bertolacci\Application Data\Mozilla\Firefox\Profiles\8ku76zxa.default\
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 13:59:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
Completion time: 2008-11-15 14:01:13
ComboFix-quarantined-files.txt 2008-11-15 21:00:50

Pre-Run: 43,771,293,696 bytes free
Post-Run: 43,973,505,024 bytes free

282 --- E O F --- 2008-11-11 22:21:06
  #8  
Old 16th Nov 2008, 13:01
Malware Group
 
Skill Level: Advanced
Posts: 348
Default A Strange Registry Fix?

Hi again

As you can see from the first section of the log, there were a few things still remaining on your system.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:
Code:
  Folder::
  c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

  DirLook::
  c:\windows\t be located
  C:\ProgramData

  Registry::
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
  "AppInit_DLLs"=-
 
 
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.
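The entries the reply above calls "a few things still remaining" are the ones ComboFix listed under ORPHANS REMOVED and under the MountPoints2 key: a BHO whose DLL is still on disk, a Winlogon Notify package, and a removable-drive AutoRun command. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses those sections of a ComboFix-style log and separates entries that still point at a file from orphans marked "(no file)"; the sample input is an excerpt copied from the log above, and the regular expressions are this example's own assumptions about the log layout.

```python
"""Triage the autostart entries in a ComboFix-style log excerpt (added example)."""
import re

# Line patterns assumed from the log layout shown in this thread.
BHO_RE = re.compile(r"^BHO-(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.+)$")
NOTIFY_RE = re.compile(r"^Notify-(\S+)\s+-\s+(.+)$")
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[^}]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")


def triage(log_text):
    """Return (kind, key, target, live) tuples for each autostart entry found.

    live is False for BHO orphans whose target is "(no file)"; those registry
    values point nowhere and are already harmless once the key is gone.
    """
    findings = []
    current_mountpoint = None  # GUID of the MountPoints2 subkey being read
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            guid, target = m.groups()
            findings.append(("BHO", guid, target, target != "(no file)"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify packages load into winlogon.exe: always worth a look.
            findings.append(("WinlogonNotify", m.group(1), m.group(2), True))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            current_mountpoint = m.group(1)
            continue
        m = AUTORUN_RE.match(line)
        if m and current_mountpoint:
            findings.append(("MountPoints2AutoRun", current_mountpoint, m.group(1), True))
    return findings


def live_findings(log_text):
    """Only the entries that still reference something on disk or a command."""
    return [f for f in triage(log_text) if f[3]]


# Excerpt copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5cd27ee-877c-11dd-90f8-0018f8b3f09c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

- - - - ORPHANS REMOVED - - - -

BHO-{0FE1A32E-47E6-42CA-AA24-B64CD9262E15} - (no file)
BHO-{C43C06F4-B665-46D2-8A16-03773B144F6C} - c:\windows\system32\qoMeEUKE.dll
Notify-pmnnLBtr - pmnnLBtr.dll
"""

if __name__ == "__main__":
    for kind, key, target, _ in live_findings(SAMPLE_LOG):
        print(f"{kind:20} {key:40} {target}")
```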

Copyright ©2006 - 2009 Computer Juice.