Trojan.DNSchanger Wont Delete on Reboot with MBAM or SUPERantispyware nor Combofix
  #1  
Old 28th Apr 2009, 01:55
New Member Group
 
Hi - sorry for the trouble

I've tried scanning the computer with MBAM and SUPERantispyware in normal mode and they both say they will delete trojan.DNSchanger on reboot, yet when I reboot and scan again the same thing happens and it hasn't been cleaned. I scanned with a-squared and it picked up some things but cleaned them and doesn't pick up on anything else, but the other two both keep coming back with this trojan.
I tried running MBAM and SUPER... in safe mode but when rebooting it would have the blue screen.
I tried disabling system restore and trying the scanning and reboot but it still didn't work. I also use ESET and registryfix and have used registryfix to clean, but after reboot it picks up the same problems. I have gone through and deleted any items left in quarantine but they still return each scan.
I've used combofix in both safe mode and normal mode and it seems to have finished properly, but the scans say the trojan is still there. I've also scanned with gooredfix and OTListIt2 and have log files for each.
This is the combofix log:


ComboFix 09-04-27.03 - Em 28/04/2009 18:05.4 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.1015.215 [GMT 10:00]
Running from: c:\users\Em\Desktop\Combo-Fix.exe
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 01:28 . 2009-04-28 01:28 1340797 ----a-w C:\MGtools.exe
2009-04-27 10:20 . 2009-04-27 10:20 61440 ----a-w c:\windows\system32\drivers\fvupl.sys
2009-04-27 04:45 . 2009-04-27 09:37 -------- d-----w c:\program files\a-squared Anti-Malware
2009-04-27 03:20 . 2009-04-27 03:20 -------- d-----w c:\users\Em\AppData\Roaming\TrojanHunter
2009-04-27 01:31 . 2009-04-27 04:53 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-26 11:53 . 2009-04-26 11:53 -------- d-----w c:\users\Em\AppData\Roaming\ScanSpyware
2009-04-24 14:11 . 2009-04-24 14:11 -------- d-----w c:\program files\CodeStuff
2009-04-24 13:45 . 2007-01-22 14:43 277504 ----a-w c:\windows\system32\oestore.dll
2009-04-24 13:45 . 2009-04-24 13:45 -------- d-----w c:\program files\Acesoft
2009-04-24 13:38 . 2009-04-28 08:00 -------- d-----w c:\program files\RegistryFix7
2009-04-23 09:52 . 2009-04-23 09:52 -------- d-----w c:\users\Em\AppData\Roaming\Malwarebytes
2009-04-23 09:52 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 09:52 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 09:52 . 2009-04-23 09:52 -------- d-----w c:\programdata\Malwarebytes
2009-04-23 09:52 . 2009-04-23 09:52 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-23 09:52 . 2009-04-23 09:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 10:56 . 2009-02-06 08:08 55280 ----a-w c:\windows\system32\drivers\fssfltr.sys
2009-04-21 10:53 . 2009-04-21 10:53 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-21 10:50 . 2006-11-29 03:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
2009-04-21 10:49 . 2009-04-21 10:49 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-21 10:38 . 2009-04-21 10:56 -------- d-----w c:\program files\Microsoft
2009-04-21 10:37 . 2009-04-21 10:37 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-21 10:08 . 2009-04-21 10:08 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-17 07:33 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-17 07:33 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-17 07:33 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-17 07:33 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-17 07:33 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-17 07:33 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-17 07:33 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-04-28 08:10 . 2006-11-09 21:07 1660 ----a-w c:\windows\bthservsdp.dat
2009-04-28 00:04 . 2008-12-25 10:04 -------- d-----w c:\program files\Red Kawa
2009-04-27 23:52 . 2008-10-02 13:07 -------- d-----w c:\program files\Uniblue
2009-04-27 15:15 . 2008-04-01 23:39 1356 ----a-w c:\users\Em\AppData\Local\d3d9caps.dat
2009-04-27 04:23 . 2009-04-27 04:23 43 ----a-w c:\users\Em\AppData\Roaming\~ygw.tmp
2009-04-24 13:20 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infpub.dat
2009-04-24 13:20 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-24 13:19 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstor.dat
2009-04-24 12:47 . 2009-01-02 08:36 -------- d-----w c:\program files\VS Revo Group
2009-04-23 02:33 . 2008-03-05 07:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 13:03 . 2008-05-03 12:19 -------- d-----w c:\program files\Spyware Doctor
2009-04-21 10:55 . 2008-03-28 06:05 -------- d-----w c:\program files\Windows Live
2009-04-20 09:27 . 2007-09-10 06:50 -------- d-----w c:\program files\Java
2009-04-18 13:27 . 2007-09-10 06:02 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 00:03 . 2008-03-03 09:53 -------- d-----w c:\program files\dl_Cats
2009-04-17 13:41 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-27 10:06 . 2009-03-27 10:05 -------- d-----w c:\program files\iTunes
2009-03-27 10:06 . 2009-03-27 10:06 -------- d-----w c:\program files\iPod
2009-03-27 10:06 . 2008-03-03 07:04 -------- d-----w c:\program files\Common Files\Apple
2009-03-27 10:02 . 2009-03-27 10:02 -------- d-----w c:\program files\Bonjour
2009-03-27 10:02 . 2009-03-27 10:00 -------- d-----w c:\program files\QuickTime
2009-03-27 09:50 . 2008-12-24 23:28 -------- d-----w c:\program files\Safari
2009-03-27 04:32 . 2009-01-02 11:17 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 04:00 . 2008-05-03 12:14 -------- d-----w c:\program files\Norton Security Scan
2009-03-19 01:45 . 2009-03-19 01:45 38240 ----a-w c:\windows\system32\drivers\epfwwfp.sys
2009-03-19 01:45 . 2009-03-19 01:45 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-03-19 01:45 . 2009-03-19 01:45 131976 ----a-w c:\windows\system32\drivers\epfw.sys
2009-03-19 01:44 . 2009-03-19 01:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-19 01:41 . 2009-03-19 01:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-17 03:38 . 2009-04-17 07:32 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 07:32 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 07:32 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-10 11:05 . 2009-03-09 11:17 -------- d-----w c:\program files\ABC Amber LIT Converter
2009-03-10 10:35 . 2009-03-10 10:35 -------- d-----w c:\program files\VeryPDF PDF2Word v3.0
2009-03-10 09:33 . 2008-05-03 12:31 -------- d-----w c:\program files\Common Files\Adobe
2009-03-08 19:19 . 2008-12-07 10:14 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 23:55 . 2008-06-06 10:24 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-06 12:41 . 2009-02-22 05:02 -------- d-----w c:\program files\NCH Swift Sound
2009-03-05 12:59 . 2009-03-05 12:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-05 12:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 10:42 . 2009-03-05 10:42 -------- d-----w c:\program files\Extension Changer
2009-03-05 10:40 . 2008-07-31 06:43 -------- d-----w c:\program files\RightNote
2009-03-05 10:00 . 2009-03-05 10:00 -------- d-----w c:\program files\NavRoad HTML Viewer
2009-03-05 09:16 . 2009-03-05 09:16 -------- d-----w c:\program files\Krekeler
2009-03-05 09:01 . 2009-03-05 09:01 -------- d-----w c:\program files\WinBook
2009-03-05 09:01 . 2009-03-05 09:01 45568 ----a-w c:\windows\system32\CyrCon32.dll
2009-03-03 04:40 . 2009-04-17 07:32 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 07:32 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 07:32 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 07:32 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 07:32 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 07:32 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-17 07:32 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 02:38 . 2009-04-17 07:32 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 07:32 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-28 12:27 . 2008-11-16 04:17 -------- d-----w c:\program files\Samsung
2009-02-28 07:17 . 2009-02-28 06:59 5632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-02-22 04:16 . 2009-02-22 04:16 18816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2009-02-13 08:49 . 2009-04-17 07:32 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-17 07:32 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 07:29 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 09:03 . 2009-02-06 09:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 08:52 . 2009-02-06 08:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-05-03 03:11 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_07.34.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-10 05:38 . 2009-04-28 08:17 61938 c:\windows\System32\WDI\ShutdownPerformanceDiagnos tics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-28 08:17 92046 c:\windows\System32\WDI\BootPerformanceDiagnostics _SystemData.bin
+ 2008-03-01 13:37 . 2009-04-28 08:17 11564 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2802605701-2481242829-1637053503-1006_UserData.bin
- 2008-03-01 13:47 . 2009-04-28 07:31 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-01 13:47 . 2009-04-28 08:15 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-01 13:47 . 2009-04-28 07:31 65536 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-01 13:47 . 2009-04-28 08:15 65536 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-01 13:47 . 2009-04-28 08:15 16384 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
- 2008-03-01 13:47 . 2009-04-28 07:31 16384 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
- 2008-03-01 08:13 . 2009-04-27 11:56 5106 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-03-01 08:13 . 2009-04-28 08:10 5106 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-04-28 08:14 . 2009-04-28 08:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
- 2009-04-28 07:31 . 2009-04-28 07:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
- 2009-04-28 07:31 . 2009-04-28 07:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
+ 2009-04-28 08:14 . 2009-04-28 08:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
+ 2006-11-02 10:33 . 2009-04-28 07:40 658318 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-28 06:22 658318 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-28 07:40 127908 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-28 06:22 127908 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-27 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-16 71176]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DLBTCATS"="c:\windows\system32\spool\DRIVERS\W32X 86\3\DLBTtime.dll" [2007-02-21 73728]
"dlbtmon.exe"="c:\program files\Dell Photo AIO Printer 922\dlbtmon.exe" [2007-02-28 431600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-09 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 00:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-09-16 21:05 222456 ----a-w c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll c:\progra~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"ControlCenter3"=c:\program files\Brother\ControlCenter3\brctrcen.exe /autorun
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2802605701-2481242829-1637053503-1006]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{73ED4E17-37E7-4D95-A27C-6BC54FA89676}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{AB0D05A3-A373-44C6-A756-2F52DA5884FD}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{730D69EA-7E56-4196-ACCF-7D9B5BFCFC76}"= UDP:c:\windows\System32\dlbtcoms.exe:Lexmark Communications System
"{44BABC57-5C04-445A-A16C-2307A7F05CE6}"= TCP:c:\windows\System32\dlbtcoms.exe:Lexmark Communications System
"{AB3E27E2-02BE-422F-99A5-2B361E7B6E92}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlb tpswx.exe:Printer Status Window
"{156841C0-AD6C-4C07-A549-2370D696C2A5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlb tpswx.exe:Printer Status Window
"{8D430E8A-2C67-44E5-A148-2EA850EC7B62}"= UDP:c:\program files\Dell Photo AIO Printer 922\DLBTmon.exe:Device Monitor
"{2165391A-8631-4C73-9AC7-DD883DCBCB27}"= TCP:c:\program files\Dell Photo AIO Printer 922\DLBTmon.exe:Device Monitor
"{87CB1152-88FC-44AE-BE9B-92AA723457A6}"= UDP:c:\program files\Dell Photo AIO Printer 922\DLBTaiox.exe:All In One Center
"{D58C1AF8-D361-44AC-9476-166FAD191380}"= TCP:c:\program files\Dell Photo AIO Printer 922\DLBTaiox.exe:All In One Center
"{E5BE50D4-2CC8-4403-B309-E6BF3324097F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E8CB0BE9-88E3-4267-A617-C43D31B6AF8F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5C32B5C-18BA-4495-BA1C-C8AA47122775}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C620B1DF-8782-42F5-99D5-BD7E27660282}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C33384F2-E8E4-413E-B9FE-8B60A167645A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3DD7CD8B-894C-4319-932F-DB460327B2A0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{BF2DD50B-B705-491F-B4BB-5CB9537B2120}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.s ys [2007-04-23 30008]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-04-30 172131]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssflt r.sys [2009-02-06 55280]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-03 29744]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-23 83336]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-03-19 107256]
S1 RsvLock;RsvLock; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-18 21504]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-18 21504]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-03-19 731840]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwf p.sys [2009-03-19 38240]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-08-07 24880]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-05-08 540448]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-06 809296]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.s ys [2007-01-08 5120]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-24 183808]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\I]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL i:\resycled\boot.com i:
\shell\Open\command - i:\resycled\boot.com i:

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{3676b30b-e794-11dc-bdb9-001e3774f911}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL i:\resycled\boot.com i:
\shell\Open\command - i:\resycled\boot.com i:

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{74b10a6c-e771-11dc-9135-001e3774f911}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=none&bd=smb&pf =laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Em\AppData\Roaming\Mozilla\Firefox\Profil es\hssg7s0q.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 18:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtim e.dll,_RunDLLEntry@16????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ??????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2802605701-2481242829-1637053503-1006\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\{36E22076-4265-6A74-E43D-51B99D40FDF1}*]
"maljljambdapcepkdplhpahlfm"=hex:69,61,63,70,62,64 ,6c,65,66,61,6f,6c,65,66,67,
6c,65,67,00,00
"nafknkapjlagpaadlcdjgoahbplb"=hex:6a,61,61,70,67, 61,69,68,6d,69,69,6f,6f,66,
62,69,68,67,65,68,00,00

[HKEY_USERS\SOFTWARE\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashProp Class"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9b .ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macrome d\\Flash\\FlashUtil9e.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUt il9e.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\videosoft\CLSID]
@DACL=(02 0000)
@="{6BF52A52-394A-11D3-B153-00C04F79FAA6}"

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D3 6E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(684)
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'Explorer.exe'(3404)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\progra~1\Stardock\Object Desktop\WindowBlinds\VistaSrv.exe
c:\progra~1\Stardock\Object Desktop\WindowBlinds\WBVista.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Stardock\Object Desktop\WindowBlinds\WBVista.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\program files\a-squared Anti-Malware\a2service.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\dlbtcoms.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\SMINST\Scheduler.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
************************************************** ************************
.
Completion time: 2009-04-28 18:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 08:24
ComboFix2.txt 2009-04-28 07:41

Pre-Run: 3,392,589,824 bytes free
Post-Run: 3,328,065,536 bytes free

428 --- E O F --- 2009-04-28 01:17
thanks for trying to help - this problem is starting to worry me
  #2  
Old 28th Apr 2009, 10:45
Moderator Group
 
I see you installed MGtools. Do you have a topic at MajorGeeks?
__________________

  #3  
Old 29th Apr 2009, 03:59
New Member Group
 
hi

Nope, no topic at MajorGeeks. I posted at Bleeping Computer, but realised it was the wrong section and thought I'd ask here instead. I've looked at other posts and tried some of their suggestions on what programs to download and scanners - I'm not that great with this type of thing.

thanx
  #4  
Old 29th Apr 2009, 10:08
Moderator Group
 
Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

----------

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

  • Once you are on the Panda site click the Scan your PC now button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Select the appropriate Yes or No to receiving marketing information
  • Click the Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the ActiveScan report in your next reply.

  #5  
Old 3rd May 2009, 05:32
New Member Group
 
Hi
Heres the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2061
Windows 6.0.6001 Service Pack 1

30/04/2009 7:23:28 PM
mbam-log-2009-04-30 (19-23-28).txt

Scan type: Quick Scan
Objects scanned: 64740
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and the HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:14 PM, on 3/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SMINST\scheduler.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Dell Photo AIO Printer 922\DLBTmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...=smb&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbtmon.exe] "C:\Program Files\Dell Photo AIO Printer 922\dlbtmon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O20 - AppInit_DLLs: APSHook.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: dlbt_device - - C:\Windows\system32\dlbtcoms.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\VistaSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9418 bytes

this was the Panda activescan log:
;*************************************************************************
ANALYSIS: 2009-05-03 15:21:05
PROTECTIONS: 5
MALWARE: 5
SUSPECTS: 1
;*************************************************************************
PROTECTIONS
Description                  Version         Active  Updated
;=========================================================================
a-squared Anti-Malware       4               No      Yes
Spyware Doctor               5.5.0.204       No      Yes
Spybot - Search and Destroy  1.0.0.6         No      No
Windows Defender             1.1.1505.0      No      Yes
SUPERAntiSpyware             4, 26, 0, 1000  No      Yes
;=========================================================================
MALWARE
Id        Description          Type            Active  Severity  Disinfectable  Disinfected  Location
;=========================================================================
00034347  dialer.su            Dialers         No      0         Yes            No           hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00145731  Cookie/Tribalfusion  TrackingCookie  No      0         Yes            No           C:\Users\Em\AppData\Roaming\Microsoft\Windows\Cookies\em@tribalfusion[2].txt
00168056  Cookie/YieldManager  TrackingCookie  No      0         Yes            No           C:\Users\Em\AppData\Roaming\Microsoft\Windows\Cookies\em@ad.yieldmanager[1].txt
00168090  Cookie/Serving-sys   TrackingCookie  No      0         Yes            No           C:\Users\Em\AppData\Roaming\Microsoft\Windows\Cookies\em@serving-sys[1].txt
00168093  Cookie/Serving-sys   TrackingCookie  No      0         Yes            No           C:\Users\Em\AppData\Roaming\Microsoft\Windows\Cookies\em@bs.serving-sys[1].txt
;=========================================================================
SUSPECTS
Sent  Location
;=========================================================================
No    C:\Users\Em\Desktop\Combo-Fix.exe
;=========================================================================
VULNERABILITIES
Id  Severity  Description
;=========================================================================
;=========================================================================


thanx
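Before accepting a HijackThis log as clean it helps to have a repeatable pass over it. The script below is an added example and is not part of this thread or of HijackThis itself; the rules are ordinary triage heuristics (orphaned BHOs, AppInit_DLLs and Winlogon Notify entries, downloaded ActiveX controls, services with no vendor string, rundll32 autostarts and autostarts outside Program Files or Windows), and the sample lines are copied from the log above so it runs offline. Nothing it flags is by itself a verdict; each hit is a line to verify by hand.

```powershell
# Added example, not from the thread: flag HijackThis lines worth a second look.
# The regexes below are this example's own heuristics, not HijackThis logic.
# Sample lines are taken from the log posted above.
$SampleLog = @'
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O20 - AppInit_DLLs: APSHook.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: dlbt_device - - C:\Windows\system32\dlbtcoms.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
'@ -split "`r?`n"

function Get-HjtFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $reason = $null
        # switch -Regex is case-insensitive; 'break' keeps the first matching rule only.
        switch -Regex ($line) {
            '^O2 - BHO: .* - \(no file\)$' {
                $reason = 'BHO registered but its DLL is missing (orphan entry; safe to remove)'; break }
            '^O20 - AppInit_DLLs: \S' {
                $reason = 'AppInit_DLLs are loaded into every process that uses user32.dll; verify each DLL'; break }
            '^O20 - Winlogon Notify:' {
                $reason = 'Winlogon notification package runs at every logon; verify publisher'; break }
            '^O16 - DPF:' {
                $reason = 'Downloaded ActiveX control; remove once the online scan is finished'; break }
            '^O23 - Service: .* - - ' {
                $reason = 'Service with no vendor string; check the file signature'; break }
            '^O4 - .*\] rundll32' {
                $reason = 'rundll32 autostart; check the DLL and export it loads'; break }
            '^O4 - .*\] (?!"?(%ProgramFiles%|%WINDIR%|[a-z]:\\Program Files|[a-z]:\\Windows))' {
                $reason = 'Autostart launched from outside Program Files or Windows; review'; break }
        }
        if ($reason) {
            [pscustomobject]@{
                Section = $line.Substring(0, $line.IndexOf(' '))
                Reason  = $reason
                Line    = $line
            }
        }
    }
}

Get-HjtFinding $SampleLog | Format-Table -AutoSize -Wrap
```

To use it on a real log replace `$SampleLog` with `Get-Content hijackthis.log`. On the log above the rules fire on the nameless BHO with `(no file)`, the AppInit_DLLs line, the DeviceNP Winlogon package, the Panda ActiveScan control, the vendorless `dlbt_device` service and the `DLBTCATS` rundll32 entry; the ESET service and the Synaptics autostart pass. That matches the moderator's reading that none of it is malicious, but it gives a list to confirm rather than a glance.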
  #6  
Old 3rd May 2009, 08:55
Moderator Group
 
I don't see any problems. How is the computer running now?

  #7  
Old 4th May 2009, 01:02
New Member Group
 
Hi
My computer seems to be working fine. Before, my computer used to disconnect often; that hasn't happened in a while, but my scanners still say my computer's infected even after deleting on reboot. Is there something I can do to just delete whatever's being picked up?
thanx
  #8  
Old 4th May 2009, 09:53
Moderator Group
 
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


  • The above procedure will:
  • Delete the following:
  • ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.


Important: Restart the computer before continuing.

----------

What scanner is still detecting the threat?

  #9  
Old 4th May 2009, 23:42
New Member Group
 
Hi
Malwarebytes' Anti-Malware comes up with "Trojan.DNSchanger" as a registry key in "HKEY_CLASSES_ROOT\videosoft", and SUPERAntiSpyware detects 2 problems of "Trojan.DNSchanger-codec" under "HKCR\videosoft" and "HKCR\videosoft\CLSID".
After I restarted (after uninstalling ComboFix and using the cleaners), the blue screen came up while shutting down. It stayed for a few seconds before turning black and freezing without shutting down, and I had to manually turn it off. Is there something I can do to fix this?
thanx
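The two detections above are the same object: `HKCR\videosoft` with a `CLSID` subkey is the shape of a COM ProgID, and a "delete on reboot" that never takes usually means the key is protected by an ACL the cleaner cannot get past, or it lives in the per-user `HKCU\Software\Classes` hive that `HKCR` merges in and the cleaner only cleared the `HKLM` side, or an autostart recreates it. The script below is an added example, not code from this thread or from either scanner. It reports the key in both real locations, resolves the CLSID it points at to the DLL that would be loaded, prints the adapter DNS servers (the detection name is DNSChanger, so the resolver settings are the other thing to confirm), and only deletes when the removal call is uncommented after the report has been read. Run it from an elevated PowerShell prompt; the key paths are taken from the reports above, and the use of WMI rather than the newer DNS cmdlets is an assumption made so it works on Vista.

```powershell
# Added example, not from the thread. Triage and, once reviewed, remove a ProgID key
# that scanners keep reporting. Run elevated. Paths are from the MBAM/SAS reports above.

# HKCR is a merged view of these two hives, so check both real locations.
$Candidates = @(
    'HKLM:\SOFTWARE\Classes\videosoft',
    'HKCU:\Software\Classes\videosoft'
)

function Get-KeyReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    # Deny ACEs or an unexpected owner are the usual reason a deferred delete never sticks.
    $acl    = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    $denies = @()
    if ($acl) { $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } }

    # A ProgID's CLSID subkey default value names the COM class it maps to.
    $clsid  = (Get-ItemProperty -LiteralPath "$Path\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $server = $null
    if ($clsid) {
        foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
            $srv = "$root\CLSID\$clsid\InprocServer32"
            if (Test-Path -LiteralPath $srv) {
                $server = (Get-ItemProperty -LiteralPath $srv).'(default)'
            }
        }
    }
    $onDisk = $null
    if ($server) {
        $expanded = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $onDisk   = Test-Path -LiteralPath $expanded
    }
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        Owner        = if ($acl) { $acl.Owner } else { '(ACL not readable)' }
        DenyAces     = ($denies | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        Clsid        = $clsid
        Server       = $server
        ServerOnDisk = $onDisk
    }
}

function Remove-FlaggedKey {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

    # 1. Take ownership (Administrators hold SeTakeOwnershipPrivilege when elevated).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner($admins)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 2. Strip Deny ACEs (they override Allow) and grant ourselves full control.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 3. Delete the key tree now, instead of deferring to reboot.
    Remove-Item -LiteralPath $Path -Recurse -Force
}

$Candidates | ForEach-Object { Get-KeyReport $_ } | Format-List

# Resolver check: a DNSChanger payload repoints these at attacker-controlled servers.
# Win32_NetworkAdapterConfiguration is used because it exists on Vista.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, DNSServerSearchOrder | Format-List

# Uncomment after reading the report above:
# $Candidates | ForEach-Object { Remove-FlaggedKey $_ }
```

Read the report before deleting anything: if `Server` points at a DLL that is still on disk, that file is the actual payload and the key is only its registration; if the key reappears after a clean delete and reboot, something in the autostarts is writing it back and the registry entry is the wrong place to fight. If `DNSServerSearchOrder` lists addresses that are not your router or ISP, reset the adapter to obtain DNS automatically and flush the cache with `ipconfig /flushdns` before trusting any further online scan.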
  #10  
Old 5th May 2009, 09:53
Moderator Group
 
Update MBAM and then run a FULL system scan. Post the log it creates.

Copyright ©2006 - 2009 Computer Juice.