#1
Junior Member
Join Date: Nov 2009
Posts: 16
Hi,

I have gone nearly 2 years without any significant infection because I am usually pretty careful. I know the exact moment when my PC became infected and admittedly it is because I was stupid. I have a fair amount of up front info that may help narrow down the issue. I was opening a downloaded movie (yes, file sharing) and was prompted for a codec. I have had to get codecs before so I thought no big deal; it changed from 'codec needed' to 'licensing service' in the Windows Media status as the download/install started. I went to my task bar and tried to close the setup window but it wouldn't close until after several tries of stopping the setup.exe service. I can usually sort out bad things in the HJT log, but I am not seeing anything. Malwarebytes and Spybot each found a couple trackers and something they thought were trojans but fixing them did nothing for the problem. I also did a system restore, which is usually the failsafe, but it didn't help.

It appears to affect the 3 browsers I commonly use - IE8, Firefox, and Chrome. It mainly affects search engine result links. Even links to very well known sites like my personal home page get redirected to ad lists and other oddball searches. If I do a search and right click on the link and use open in new tab, I don't appear to get redirected in IE. It also doesn't do anything if the address is typed or pasted into the address bar. Here are a couple of the sites it redirects to:

alibaba.com
reliableheat.com

I have read the "read this first" thread. I am running XP SP3. I use BitDefender 9 for Antivirus/Firewall (paid version). I have Spybot SD w/ TeaTimer but admittedly only picked it up after this problem occurred. I also have Kaspersky but only picked up the free virus scan to see if it would find something that BitDefender missed. I don't run them together.
Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:37 PM, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Software_Downloads\Antivirus\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsour...ad/cscmv5X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147699052265
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service (file missing)

Any help is greatly appreciated. I thought I was pretty good at this stuff until now.

Sorry, I just realized my HJT was out of date: Here's a scan with the new version ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:28 PM, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{442E26B2-0AE9-1033-0203-060506210001}] "C:\Program Files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsour...ad/cscmv5X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147699052265
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10594 bytes

Last edited by tashi; 2009-11-26 at 06:00. Reason: Merged two posts
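A small triage helper for HijackThis-style logs, added here as an editorial example; it is not part of the thread and not a tool the forum helpers use. It parses the `Rn - ...` / `On - ...` lines of the format shown in the post above and attaches review notes from a few heuristics of my own choosing: entries that reference a file that is not on disk, autoruns placed under `Policies\Explorer\Run` or launched from a Temp folder, and `O23` service lines that end in `(file missing)`. The last case needs care, and the two logs in the post show why: HijackThis 1.99.1 reports `(file missing)` for services whose image path is quoted and followed by arguments, while the 2.0.2 log of the same machine shows those same services with their files present. The sample lines below are constructed to resemble the log format; the all-zero CLSID, `{EXAMPLE-GUID}`, the user name and the `updater` entry are placeholders, not indicators from any real system.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lines modelled on the thread's log format. The all-zero CLSID,
# {EXAMPLE-GUID}, the user name and the "updater" entry are placeholders only.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{EXAMPLE-GUID}] "C:\Program Files\Common Files\{EXAMPLE-GUID}\Update.exe" te-000-00-0000000
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis finding starts with a section code such as R1, O2, O4, O23.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    code: str                                   # section code, e.g. "O4"
    body: str                                   # everything after "O4 - "
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per recognised finding line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def entry_name(e: Entry) -> str:
    """Label for reporting: the [name] of an O4 autorun, else the text before the first ' - '."""
    if e.code == "O4":
        m = re.search(r"\[(.+?)\]", e.body)
    else:
        m = re.match(r"[^:]+: (.+?) - ", e.body)
    return m.group(1) if m else e.body


def triage_entry(e: Entry) -> List[str]:
    """Heuristic review notes; each note is a prompt to verify the entry, not a verdict."""
    low = e.body.lower()
    notes = []
    if low.endswith("(no file)"):
        notes.append("orphaned: registered component has no file on disk, so it cannot be the active cause")
    if e.code == "O4" and "policies\\explorer\\run" in low:
        notes.append("autorun under Policies\\Explorer\\Run: a policy key few installers use, verify the binary")
    if e.code == "O4" and "\\temp\\" in low:
        notes.append("autorun launched from a Temp folder: verify the binary and its publisher")
    if e.code == "O23" and low.endswith("(file missing)"):
        # A quoted path followed by arguments is the pattern HijackThis 1.99.1 misreports.
        if re.search(r'\.exe"\s+\S', e.body):
            notes.append("'(file missing)' after a quoted path with arguments: HijackThis 1.99.1 reporting quirk, confirm with v2.0.2")
        else:
            notes.append("service points to a binary that is not on disk")
    return notes


def triage(text: str) -> Dict[str, List[str]]:
    """Map entry name -> review notes, for every entry that raised at least one note."""
    result: Dict[str, List[str]] = {}
    for e in parse_hjt(text):
        e.flags = triage_entry(e)
        if e.flags:
            result[entry_name(e)] = e.flags
    return result


if __name__ == "__main__":
    for name, notes in triage(SAMPLE_LOG).items():
        print(name)
        for n in notes:
            print("   -", n)
```

Run against the sample it reports four entries: the orphaned BHO, the `Policies\Explorer\Run` autorun, the Temp-folder autorun, and the BitDefender service whose `(file missing)` is the 1.99.1 quoting quirk. The notes deliberately stop at "verify": an entry that loads nothing cannot be the cause of live redirects, and a redirect that survives a clean-looking autorun list is exactly the pattern that makes the helper in the next post ask for a rootkit-capable scan rather than more HijackThis output.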
#2
Security Expert
Join Date: Oct 2009
Location: New England, USA
Posts: 177
Hi j_global and welcome to the forums here at Spybot S&D.
Based on what I see (or don't see) it's most likely a rootkit. Let's get a couple more scans. Download DDS and save it to your desktop from here. Disable any script blocker, and then double click dds.scr to run the tool.
Download This file. Note its name and save it to your root folder, such as C:\.
Last edited by IndiGenus; 2009-11-28 at 02:16.
#3
Junior Member
Join Date: Nov 2009
Posts: 16
Here's the DDS:

DDS (Ver_09-11-24.02) - NTFSx86
Run by Global at 9:02:03.13 on Sat 11/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.298 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Global\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
uSearch Bar =
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\global\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [CAMMON_JL2005A] c:\program files\jl2005a\cam_mon
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uExplorerRun: [{442E26B2-0AE9-1033-0203-060506210001}] "c:\program files\common files\{442e26b2-0ae9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\global\applic~1\mozilla\firefox\profiles\kdpyzawl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\global\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [2009-11-22 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104456]
S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [2006-4-13 19816]
S2 FILESpy;FILESpy;\??\c:\program files\softwin\bitdefender9\filespy.sys --> c:\program files\softwin\bitdefender9\filespy.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808] ============== File Associations =============== regfile="regedit.exe" "%1" =============== Created Last 30 ================ 2009-11-26 03:50:50 0 d-----w- c:\program files\HijackThis2 2009-11-26 01:11:43 0 d-----w- c:\docume~1\global\applic~1\Malwarebytes 2009-11-26 01:11:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-26 01:11:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-26 01:11:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-26 01:11:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-22 18:45:07 0 dc-h--w- c:\windows\ie8 2009-11-22 16:03:47 0 d-----w- c:\program files\Spybot - Search & Destroy 2009-11-22 16:03:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-11-22 14:48:26 44435488 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-11-22 14:48:26 397976 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-11-22 14:48:01 148496 ----a-w- c:\windows\system32\drivers\39940974.sys 2009-11-18 04:49:01 0 d-----w- c:\windows\system32\wbem\Repository 2009-11-09 13:05:39 15204352 ----a-w- c:\documents and settings\global\ntuser.bak 2009-11-06 05:50:30 0 d-----w- C:\avd 2009-11-06 05:04:13 38 ----a-w- c:\windows\AviSplitter.INI ==================== Find3M ==================== 2009-11-25 08:22:58 81984 ----a-w- c:\windows\system32\bdod.bin 2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll 2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- 
c:\windows\system32\dllcache\msasn1.dll 2008-09-05 04:25:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat ============= FINISH: 9:05:11.70 =============== Here's the attach: UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-11-24.02) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 4/12/2006 9:46:04 PM System Uptime: 11/25/2009 8:57:01 PM (61 hours ago) Motherboard: Dell Inc. | | 0HJ054 Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 70 GiB total, 1.633 GiB free. D: is CDROM () F: is Removable ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1221: 10/30/2009 10:05:54 AM - System Checkpoint RP1222: 11/2/2009 1:07:15 AM - System Checkpoint RP1223: 11/3/2009 1:55:34 AM - System Checkpoint RP1224: 11/4/2009 2:10:17 AM - System Checkpoint RP1225: 11/5/2009 12:44:31 AM - Software Distribution Service 3.0 RP1226: 11/6/2009 5:28:57 AM - System Checkpoint RP1227: 11/7/2009 5:41:27 AM - System Checkpoint RP1228: 11/8/2009 4:53:12 AM - System Checkpoint RP1229: 11/8/2009 8:49:07 PM - Removed Sony Sound Forge 8.0b RP1230: 11/8/2009 8:55:30 PM - Installed Sound Forge Pro 10.0 RP1231: 11/9/2009 8:05:52 AM - Software Distribution Service 3.0 RP1232: 11/10/2009 10:11:27 AM - System Checkpoint RP1233: 11/11/2009 3:01:09 AM - Software Distribution Service 3.0 RP1234: 11/12/2009 4:52:43 AM - System Checkpoint RP1235: 11/13/2009 6:11:33 AM - System Checkpoint RP1236: 11/14/2009 7:23:32 AM - System Checkpoint RP1237: 11/15/2009 7:47:35 AM - System Checkpoint RP1238: 11/16/2009 8:17:14 AM - System Checkpoint RP1239: 11/17/2009 8:52:51 AM - System Checkpoint RP1240: 11/17/2009 11:45:09 PM - Restore Operation RP1241: 11/18/2009 12:58:05 AM - Software Distribution Service 3.0 
RP1242: 11/19/2009 1:35:18 AM - System Checkpoint RP1243: 11/20/2009 4:35:26 AM - System Checkpoint RP1244: 11/21/2009 4:47:51 AM - System Checkpoint RP1245: 11/22/2009 6:59:04 AM - System Checkpoint RP1246: 11/22/2009 12:59:31 PM - Installed Java(TM) 6 Update 17 RP1247: 11/22/2009 1:46:29 PM - Installed Windows Internet Explorer 8. RP1248: 11/22/2009 1:48:29 PM - Software Distribution Service 3.0 RP1249: 11/22/2009 7:15:54 PM - Software Distribution Service 3.0 RP1250: 11/22/2009 8:40:36 PM - Software Distribution Service 3.0 RP1251: 11/23/2009 9:25:58 PM - System Checkpoint RP1252: 11/24/2009 9:46:47 PM - System Checkpoint RP1253: 11/25/2009 3:01:41 AM - Software Distribution Service 3.0 RP1254: 11/26/2009 4:40:53 AM - System Checkpoint RP1255: 11/27/2009 5:20:46 AM - System Checkpoint RP1256: 11/28/2009 5:55:54 AM - System Checkpoint ==== Installed Programs ====================== µTorrent AAC Decoder Add or Remove Adobe Creative Suite 3 Master Collection Adobe Acrobat 8 Professional Adobe Acrobat 8.1.7 - CPSID_50029 Adobe Acrobat 8.1.7 Professional Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe After Effects CS3 Adobe After Effects CS3 Presets Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Audition 3.0 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe BridgeTalk Plugin CS3 Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Contribute CS3 Adobe Creative Suite 3 Master Collection Adobe Default Language CS3 Adobe Device Central CS3 Adobe Dreamweaver CS3 Adobe Encore CS3 Adobe Encore CS3 Codecs Adobe ExtendScript Toolkit 2 Adobe Extension Manager CS3 Adobe Fireworks CS3 Adobe Flash CS3 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Flash Video Encoder Adobe Fonts All Adobe Help Viewer CS3 Adobe Illustrator CS3 Adobe InDesign CS3 Adobe InDesign CS3 Icon Handler Adobe Linguistics 
CS3 Adobe MotionPicture Color Files Adobe PDF Library Files Adobe Photoshop CS3 Adobe Premiere Pro CS3 Adobe Premiere Pro CS3 Functional Content Adobe Premiere Pro CS3 Third Party Content Adobe Reader 7.0 Adobe Setup Adobe SING CS3 Adobe Soundbooth CS3 Adobe Soundbooth CS3 Codecs Adobe Stock Photos CS3 Adobe SVG Viewer 3.0 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe Version Cue CS3 Server {ko_KR} Adobe Video Profiles Adobe WAS CS3 Adobe WinSoft Linguistics Plugin Adobe XMP DVA Panels CS3 Adobe XMP Panels CS3 AHV content for Acrobat and Flash AiO_Scan_CDA AiOSoftwareNPI Amazon MP3 Downloader 1.0.3 Antares Auto-Tune v1.3 DX Antares Autotune VST RTAS TDM v5.08 AOLIcon Arturia Arp2600 V VSTi RTAS v1.6 Arturia CS-80V v1.5 Arturia Moog Modular V2 v1.0 ATI Control Panel ATI Display Driver AutoUpdate BitDefender Internet Security 2009 Boardmaker version 5 BufferChm C3100 c3100_Help Camel Audio Cameleon 5000 v1.7 VSTi CD - DVD Publishing Service Compatibility Pack for the 2007 Office system Conexant D850 56K V.9x DFVc Modem Coupon Printer for Windows Critical Update for Windows Media Player 11 (KB959772) CrunchDude 0.1 db audioware mastering plugins 1.05c Dell CinePlayer Dell Driver Reset Tool Dell System Restore Destinations DeviceManagementQFolder DivX Codec DivX Converter DivX Player DivX Plus DirectShow Filters DivX Version Checker DivX Web Player DocProc DocProcQFolder DSP/FX v6.2a Edirol HQ Orchestral v1.01 ELIcon ERUNT 1.1j eSupportQFolder Fax_CDA FL Studio 6 GDR 1406 for SQL Server Analysis Services 2005 ENU (KB932557) GDR 1406 for SQL Server Database Services 2005 ENU (KB932557) GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557) GDR 4053 for SQL Server Database Services 2005 ENU (KB970892) GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892) Google Chrome H.264 Decoder High Definition Audio Driver Package - KB835221 HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix 
for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) HP Imaging Device Functions 7.0 HP Photosmart and Deskjet 7.0.A HP Photosmart Essential HP Product Assistant HP Solution Center 7.0 HP Update HPPhotoSmartExpress HPProductAssistant HPSSupply InstantShareDevicesMFC Intel(R) PRO Network Connections Drivers Intel(R) PROSet for Wired Connections Ipswitch WS_FTP Professional 2006 IsoBuster 1.8 J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 6 Java 2 Runtime Environment, SE v1.4.2_03 Java(TM) 6 Update 17 LiquidInstrumentVst 1.1 Lounge Lizard 1.0 Mastering Edition 1.5 MCU Microsoft .NET Compact Framework 1.0 SP3 Developer Microsoft .NET Compact Framework 2.0 Microsoft .NET Framework 1.0 Hotfix (KB953295) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft ASP.NET 2.0 AJAX Extensions 1.0 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Device Emulator version 1.0 - ENU Microsoft Document Explorer 2005 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2003 Web Components Microsoft Office XP Professional with FrontPage Microsoft Silverlight Microsoft SQL Server 2005 Microsoft SQL Server 2005 Analysis Services Microsoft SQL Server 2005 Backward compatibility Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) Microsoft SQL Server 2005 Integration Services Microsoft SQL Server 2005 Mobile [ENU] Developer Tools Microsoft SQL Server 2005 Tools 
Express Edition Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) Microsoft SQL Server Native Client Microsoft SQL Server Setup Support Files (English) Microsoft SQL Server VSS Writer Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual J# 2.0 Redistributable Package Microsoft Visual Studio 2005 Professional Edition - ENU Midisport 1x1 1.0.1.0 MKV Splitter Mozilla Firefox (3.0.15) MSDN Library for Visual Studio 2005 MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6.0 Parser (KB933579) MySQL Server 5.0 Native Instruments Absynth 3 Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS Native Instruments Guitar Rig 3 Native Instruments Reaktor 5 Nero 6 Ultra Edition Nero Digital NewCopy_CDA Novation V-Station for Cubase SX3 VSTi v1.41 OCR Software by I.R.I.S 7.0 PanoStandAlone PDF Settings PicoZip Recovery Tool 1.02 PowerISO ProductContextNPI Quicken 2007 QuickTime Readme ReFX Beast VSTi v1.0 Rob Papen Albino 3 Rob Papen BLUE Version 1.7.0 Rob Papen Predator V1.1.0 Scan ScannerCopy Security Update for CAPICOM (KB931906) Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674) Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security 
Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953155) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP 
(KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970483) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Shop for HP Supplies SolutionCenter Sonic Activation Module Sonic Encoders Sonic Update Manager Sony ACID Pro 6.0 Sony Media Manager 2.1 Sony Media Manager 2.2 Sound Forge Pro 10.0 Space Synthesizer 1.2 Spybot - Search & Destroy Status T-RackS 3 Deluxe Toolbox TrayApp Uninstall JL2005A Toy Camera Unload Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB975364) Update for Windows Internet Explorer 8 (KB976749) Update for Windows Media Player 10 (KB910393) Update for Windows Media Player 10 (KB913800) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP 
(KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update Rollup 2 for Windows XP Media Center Edition 2005 URL Assistant VC80CRTRedist - 8.0.50727.762 Vokko 1.67 Waldorf.PPG.Wave2.V-OxYGeN Waves Diamond Bundle v5.2 Waves L3 Multimaximizer v1.0 WebFldrs XP WebReg Windows Genuine Advantage Notifications (KB905474) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information] Windows Media Player 11 Windows XP Media Center Edition 2005 KB908246 Windows XP Media Center Edition 2005 KB925766 Windows XP Media Center Edition 2005 KB973768 Windows XP Service Pack 3 WinRAR archiver WinZip XML Paper Specification Shared Components Pack 1.0 XP Codec Pack Xvid 1.1.2 final uninstall ==== Event Viewer Messages From Past Week ======== 11/25/2009 5:35:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect. 11/25/2009 5:35:47 PM, error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/25/2009 5:18:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect. 11/25/2009 5:18:31 PM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 
11/25/2009 5:18:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A} 11/25/2009 5:17:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server Integration Services service to connect. 11/25/2009 5:17:16 PM, error: Service Control Manager [7000] - The SQL Server Integration Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/25/2009 3:03:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect. 11/25/2009 3:03:54 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/22/2009 9:37:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdpredir 11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The REGSpy service failed to start due to the following error: The system cannot find the path specified. 11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The FILESpy service failed to start due to the following error: The system cannot find the path specified. 11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The Emagic Audiowerk Kernel Mode Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The BDRSDRV service failed to start due to the following error: The system cannot find the file specified. 11/22/2009 9:36:23 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. 
Make sure there is a page file on the boot partition and that is large enough to contain all physical memory. 11/22/2009 9:36:23 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver. ==== End Of File =========================== Thanks for the help. Running the other utility now ... |
#4
Security Expert
Join Date: Oct 2009
Location: New England, USA
Posts: 177
Hi,
Per the instructions at the following post you must uninstall any and all P2P/BitTorrent/File Sharing Software prior to getting help here:
http://forums.spybot.info/showpost.p...03&postcount=4
Please do so, then run DDS again and post the log.
#5
Junior Member
Join Date: Nov 2009
Posts: 16
Hi IndieGenus,
I had uTorrent installed but, as per the instructions, uninstalled it prior to starting the thread here. Are you seeing some other software? Or is there a file left over from uTorrent that is causing problems? Let me know and I'll take care of it. I have attached the results.log from the run of the other utility. I had to zip it up to meet the size requirements.
Regards,
Jonathan
#6
Security Expert
Join Date: Oct 2009
Location: New England, USA
Posts: 177
Please read through the instructions to familiarize yourself with what to expect when the tool runs. It is vitally important that ComboFix is renamed before it even starts to download.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not run ComboFix more than once. If you have problems please post back for further instructions.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with the ComboFix log.
#7
Junior Member
Join Date: Nov 2009
Posts: 16
Hi IndieGenus,
Here's the log from Combo Fix:
ComboFix 09-11-29.06 - Global 11/30/2009 8:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.446 [GMT -5:00]
Running from: c:\documents and settings\Global\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\sstem~1
C:\Thumbs.db
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\kb913800.exe
c:\windows\stem~1
c:\windows\system32\Cache
c:\windows\system32\msvcsv60.dll
c:\windows\system32\pppatc~1
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\Global\Application Data\Malwarebytes
2009-11-26 01:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 01:11 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 00:44 . 2009-11-26 00:44 -------- d-----w- C:\ERDNT
2009-11-26 00:43 . 2009-11-26 00:43 -------- d-----w- c:\program files\ERUNT
2009-11-22 18:45 . 2009-11-22 18:48 -------- dc-h--w- c:\windows\ie8
2009-11-22 17:54 . 2009-11-22 17:54 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-22 16:03 . 2009-11-22 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-22 16:03 . 2009-11-22 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 14:48 . 2009-11-30 13:41 52269088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 14:48 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-22 14:09 . 2009-11-22 14:09 79488 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-18 04:49 . 2009-11-18 04:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-10 14:26 . 2009-11-10 14:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 12:50 . 2009-11-10 12:50 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2009-11-09 02:25 . 2009-11-09 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Publish Providers
2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony
2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony
2009-11-09 02:16 . 2009-11-09 02:16 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-09 02:14 . 2009-11-09 02:14 37688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 02:14 . 2009-11-09 02:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
2009-11-09 02:13 . 2009-11-09 02:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-09 02:11 . 2009-11-09 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2009-11-09 02:10 . 2009-11-09 02:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-06 05:50 . 2009-11-06 05:50 -------- d-----w- C:\avd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 20:34 . 2009-11-28 20:34 23895 ----a-w- C:\Results.zip
2009-11-28 20:14 . 2009-11-22 14:48 528872 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-28 14:11 . 2009-11-28 14:11 292352 ----a-w- C:\b5cjwng8.exe
2009-11-26 03:55 . 2009-11-26 03:50 -------- d-----w- c:\program files\HijackThis2
2009-11-25 22:10 . 2007-01-03 22:31 -------- d-----w- c:\documents and settings\Global\Application Data\uTorrent
2009-11-25 08:22 . 2006-05-13 13:56 81984 ----a-w- c:\windows\system32\bdod.bin
2009-11-22 18:36 . 2006-04-08 21:00 -------- d-----w- c:\program files\Google
2009-11-22 18:00 . 2006-04-08 20:44 -------- d-----w- c:\program files\Java
2009-11-22 16:50 . 2009-03-24 03:25 -------- d-----w- c:\program files\WinMorse
2009-11-18 04:48 . 2008-01-20 00:49 -------- d-----w- c:\program files\Bonjour
2009-11-09 03:12 . 2006-04-13 19:47 -------- d-----w- c:\documents and settings\Global\Application Data\Sony
2009-11-09 03:10 . 2009-03-28 20:55 16 ----a-w- c:\windows\msocreg32.dat
2009-11-09 03:09 . 2006-04-13 19:47 -------- d-----w- c:\program files\VSTplugins
2009-11-09 01:56 . 2006-04-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-11-09 01:55 . 2006-04-13 19:46 -------- d-----w- c:\program files\Sony
2009-10-20 21:10 . 2006-04-26 03:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-16 07:17 . 2006-04-13 20:25 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-11 09:17 . 2009-02-14 17:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 12:36 . 2009-09-07 12:36 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:03 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-13 04:58 . 2008-10-30 22:34 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-10 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAMMON_JL2005A"="c:\program files\JL2005A\cam_mon" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-11-13 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{442E26B2-0AE9-1033-0203-060506210001}"="c:\program files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe te-110-12-0000213" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll
"midi2"=usbmn1x1.dll
"midi3"=usbmn1x1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [11/22/2009 9:48 AM 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/17/2008 2:01 PM 104456]
S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [4/13/2006 2:41 PM 19816]
S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 10:12 PM 202096]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808] --- Other Services/Drivers In Memory --- *NewlyCreated* - 9DE23BFB *Deregistered* - 9de23bfb [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bdx REG_MULTI_SZ scan . Contents of the 'Scheduled Tasks' folder 2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005Core.job - c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06] 2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005UA.job - c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06] 2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{CB68F05E-22E8-4B1A-88CA-B8953A2C5289}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.bing.com/ uInternet Settings,ProxyOverride = *.local IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Global\Application Data\Mozilla\Firefox\Profiles\kdpyzawl.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll FF - plugin: c:\documents and settings\Global\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
- - - - ORPHANS REMOVED - - - - WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) HKLM-Run-BDSwitchAgent - c:\progra~1\softwin\BITDEF~1\bdswitch.exe AddRemove-uTorrent - c:\program files\uTorrent\uninstall.exe AddRemove-Waldorf.PPG.Wave2.V-OxYGeN - c:\progra~1\VSTPLU~1\Audio\Waldorf\UNWISE.EXE ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-30 08:40 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D53170]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf7696f28 \Driver\ACPI -> ACPI.sys @ 0xf7529cb8 \Driver\atapi -> atapi.sys @ 0xf74bb852 IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{66D2B6B0-0AC3-1D5E-AFE4FCFC2DBC1E0D}\{D0054572-6CDD-7E67-D144F5B82EF8A509}\{800AEEDD-FDE9-D9F6-54124DEBF6D799D2}*] "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb, d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*] "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb, d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2D6F484-260A-7B5D-9DECE03114A71318}\{16279713-416B-AABF-512733F99CDDA7F7}\{FB965560-4DCA-8EF0-2DC335C1EACB0D08}*] "SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21, 5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*] "SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21, 5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*] "AB141C35E9F4BF344B9FC010BB17F68A"="" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(668) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(732) c:\windows\system32\WININET.dll . 
Completion time: 2009-11-30 08:51
ComboFix-quarantined-files.txt 2009-11-30 13:51
Pre-Run: 1,590,513,664 bytes free
Post-Run: 4,611,928,064 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 38D1130E9399786F1D0C47488FF02C9B
#8
Security Expert
Join Date: Oct 2009
Location: New England, USA
Posts: 177
Please go to http://www.virustotal.com/en/indexf.html
Click on Browse, and upload the following file for analysis: c:\windows\system32\drivers\39940974.sys
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
#9
Junior Member
Join Date: Nov 2009
Posts: 16
Hi Indegenus ... not sure how much of this you need:
Result: 0/41 (0%) Antivirus Version Last Update Result a-squared 4.5.0.43 2009.11.30 - AhnLab-V3 5.0.0.2 2009.11.30 - AntiVir 7.9.1.88 2009.11.30 - Antiy-AVL 2.0.3.7 2009.11.30 - Authentium 5.2.0.5 2009.11.30 - Avast 4.8.1351.0 2009.11.30 - AVG 8.5.0.426 2009.12.01 - BitDefender 7.2 2009.12.01 - CAT-QuickHeal 10.00 2009.11.30 - ClamAV 0.94.1 2009.11.30 - Comodo 3095 2009.12.01 - DrWeb 5.0.0.12182 2009.12.01 - eSafe 7.0.17.0 2009.11.30 - eTrust-Vet 35.1.7149 2009.12.01 - F-Prot 4.5.1.85 2009.11.30 - F-Secure 9.0.15370.0 2009.11.29 - Fortinet 4.0.14.0 2009.11.30 - GData 19 2009.12.01 - Ikarus T3.1.1.74.0 2009.11.30 - Jiangmin 11.0.800 2009.11.29 - K7AntiVirus 7.10.906 2009.11.27 - Kaspersky 7.0.0.125 2009.12.01 - McAfee 5818 2009.11.30 - McAfee+Artemis 5818 2009.11.30 - McAfee-GW-Edition 6.8.5 2009.11.30 - Microsoft 1.5302 2009.12.01 - NOD32 4650 2009.11.30 - Norman 6.03.02 2009.11.30 - nProtect 2009.1.8.0 2009.11.28 - Panda 10.0.2.2 2009.11.30 - PCTools 7.0.3.5 2009.12.01 - Prevx 3.0 2009.12.01 - Rising 22.24.00.09 2009.11.30 - Sophos 4.48.0 2009.12.01 - Sunbelt 3.2.1858.2 2009.12.01 - Symantec 1.4.4.12 2009.12.01 - TheHacker 6.5.0.2.082 2009.11.30 - TrendMicro 9.100.0.1001 2009.11.30 - VBA32 3.12.12.0 2009.11.30 - ViRobot 2009.11.30.2062 2009.11.30 - VirusBuster 5.0.21.0 2009.11.30 - Additional information File size: 148496 bytes MD5...: 0aa3ad071827118fcc8f37f7a6ab7aa1 SHA1..: 59784c49ffe530931010070c8843366f9d7fa6f0 SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa ssdeep: 3072:xoZsjyhxlNCet3MATPO1jUFLVFnRkPjcow9gT7wNwSk7Fa/4NJ:xnjyhx8A d6jcpgTsW/KqJ PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x23010 timedatestamp.....: 0x4873470a (Tue Jul 08 10:52:58 2008) machinetype.......: 0x14c (I386) ( 8 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x1a848 0x1aa00 6.38 ca8bbffb8c1aac75560de3ffede16f38 NONPAGED 0x1c000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b .rdata 0x1d000 0x850 0xa00 4.25 
6ffc26ac817e2ae1a1cf5ce42adc9f0b .data 0x1e000 0x1b00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c PAGE 0x20000 0x2cdc 0x2e00 6.28 7516763c152ec5b6c5df87c555fadbb5 INIT 0x23000 0x1b88 0x1c00 5.96 4459dca4b85a564cb98f26cfbff36fbe .rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921 .reloc 0x26000 0x1b6e 0x1c00 6.47 5d73a4e2a3be56c2448dbd9511deefa3 ( 3 imports ) > ntoskrnl.exe: IoAllocateWorkItem, RtlDeleteElementGenericTableAvl, RtlGetElementGenericTableAvl, FsRtlIsNameInExpression, RtlInsertElementGenericTableAvl, InitSafeBootMode, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, SeTokenType, SeCreateClientSecurity, SeImpersonateClientEx, IoVerifyVolume, IoDeviceObjectType, IoBuildSynchronousFsdRequest, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, MmIsAddressValid, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, IoRegisterShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, RtlAppendUnicodeToString, KeDelayExecutionThread, KeQuerySystemTime, strncmp, IoGetCurrentProcess, ExGetPreviousMode, SeReleaseSubjectContext, IoQueueWorkItem, SeCaptureSubjectContext, PsDereferenceImpersonationToken, RtlCopySid, RtlLengthSid, SeQueryInformationToken, PsReferencePrimaryToken, PsReferenceImpersonationToken, PsIsThreadTerminating, IoThreadToProcess, RtlInitializeGenericTableAvl, READ_REGISTER_UCHAR, ProbeForRead, RtlLookupElementGenericTableAvl, ObQueryNameString, CmUnRegisterCallback, MmUserProbeAddress, CmRegisterCallback, ZwEnumerateValueKey, ZwDeleteValueKey, ZwQueryKey, wcsrchr, NtBuildNumber, KeClearEvent, ExInitializePagedLookasideList, ExDeletePagedLookasideList, PsLookupProcessByProcessId, RtlCopyUnicodeString, RtlNumberGenericTableElementsAvl, RtlEnumerateGenericTableAvl, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoFreeWorkItem, 
IofCompleteRequest, IoWMIRegistrationControl, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIWriteEvent, ZwQueryInformationProcess, KeStackAttachProcess, _wcsicmp, KeUnstackDetachProcess, ZwOpenKey, ZwEnumerateKey, RtlUnicodeStringToInteger, ZwQueryValueKey, ZwCreateKey, RtlIntegerToUnicodeString, ZwSetValueKey, RtlAppendUnicodeStringToString, ZwDeleteKey, DbgBreakPoint, ZwCreateFile, IoGetRelatedDeviceObject, _vsnwprintf, KeQueryInterruptTime, strncpy, RtlInitUnicodeString, RtlCompareUnicodeString, IoFileObjectType, ObReferenceObjectByPointer, _allmul, KeWaitForMultipleObjects, KeSetEvent, ExDeleteResourceLite, ExInitializeResourceLite, memcpy, _except_handler3, ZwOpenProcess, ZwTerminateProcess, PsCreateSystemThread, ObReferenceObjectByHandle, ZwClose, PsTerminateSystemThread, ObfDereferenceObject, KeGetCurrentThread, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlUpcaseUnicodeChar, RtlUpperChar, memset, ExAllocatePoolWithTag, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, SeQueryAuthenticationIdToken, ExFreePoolWithTag > HAL.dll: KfReleaseSpinLock, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, KfAcquireSpinLock > FLTMGR.SYS: FltQueryInformationFile, FltGetRoutineAddress, FltIsDirectory, FltGetFileNameInformation, FltParseFileNameInformation, FltAllocateCallbackData, FltPerformSynchronousIo, FltFreeCallbackData, FltReferenceFileNameInformation, FltReleaseFileNameInformation, FltGetStreamHandleContext, FltGetStreamContext, FltEnumerateVolumeInformation, FltRegisterFilter, FltStartFiltering, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltSetStreamHandleContext, FltCancelFileOpen, FltSetStreamContext, FltReleaseContext, FltGetVolumeProperties, FltAllocateContext, FltQueryVolumeInformation, FltGetVolumeName, FltSetInstanceContext, FltSetVolumeContext, FltUnregisterFilter, FltFsControlFile, FltGetVolumeFromFileObject, FltGetVolumeContext, FltGetInstanceContext, FltCreateFile, FltClose, 
FltFlushBuffers, FltSetInformationFile, FltWriteFile, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltObjectReference, FltAllocatePoolAlignedWithTag, FltReadFile, FltFreePoolAlignedWithTag, FltObjectDereference, FltSendMessage, FltCloseClientPort, FltCloseCommunicationPort, FltReleaseResource, FltAcquireResourceShared, FltAcquireResourceExclusive, FltGetFileNameInformationUnsafe
( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Kaspersky Lab
copyright....: Copyright (c) Kaspersky Lab 1996-2008.
product......: Kaspersky Anti-Virus
description..: Klif Mini-Filter
original name: KLIF.SYS
internal name: KLIF
file version.: 7.0.0.312
comments.....: n/a
signers......: Kaspersky Lab VeriSign Class 3 Code Signing 2004 CA Class 3 Public Primary Certification Authority
signing date.: 11:54 AM 7/8/2008
verified.....: -
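Added example, not code from this thread or from any of the tools it mentions: a small Python triage script that parses ComboFix driver-service lines like the R1 entry above and the VirusTotal text report just posted, then cross-checks the logged file size against the submitted file and the on-disk name against the signed original name. The sample inputs are constructed from values in this thread (the report excerpt works whether it is on one line or many); the field labels and the verdict heuristic are my own assumptions.

```python
import re

# Constructed sample input: two service lines in the format of the ComboFix log
# above ("Rn name;display name;path [date time size]"), copied from that log.
COMBOFIX_SERVICE_LINES = r"""
R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [11/22/2009 9:48 AM 148496]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
"""

# Constructed sample input: an excerpt of the VirusTotal report posted above, joined onto one line.
VT_REPORT = (
    "Result: 0/41 (0%) Additional information File size: 148496 bytes sigcheck: publisher....: "
    "Kaspersky Lab copyright....: Copyright (c) Kaspersky Lab 1996-2008. product......: Kaspersky "
    "Anti-Virus description..: Klif Mini-Filter original name: KLIF.SYS internal name: KLIF "
    "file version.: 7.0.0.312 comments.....: n/a signers......: Kaspersky Lab VeriSign Class 3 "
    "Code Signing 2004 CA signing date.: 11:54 AM 7/8/2008 verified.....: -"
)

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# VT pads sigcheck labels with dots before the colon ("publisher....:").
SIGCHECK_LABEL_RE = re.compile(
    r"\s*(publisher|copyright|product|description|original name|internal name|"
    r"file version|comments|signers|signing date|verified)\.*:\s*")

def parse_combofix_services(text):
    """One dict per driver/service line: start type, service name, path, on-disk size."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m: continue
        start, name, _display, raw_path, bracket = m.groups()
        size_m = re.search(r"(\d+)\s*$", bracket)  # "[?]" means the file was not found
        services.append({"start": start, "name": name,
                         "path": raw_path.split(" --> ")[-1],
                         "size": int(size_m.group(1)) if size_m else None})
    return services

def parse_vt_report(text):
    """Detection ratio, file size and the sigcheck fields of a VT text report."""
    ratio = re.search(r"Result:\s*(\d+)/(\d+)", text)
    size = re.search(r"File size:\s*(\d+)\s*bytes", text)
    sigcheck = {}
    if "sigcheck:" in text:
        parts = SIGCHECK_LABEL_RE.split(text.split("sigcheck:", 1)[1])  # ["", label, value, ...]
        sigcheck = dict(zip(parts[1::2], (v.strip() for v in parts[2::2])))
    return {"detections": int(ratio.group(1)) if ratio else None,
            "engines": int(ratio.group(2)) if ratio else None,
            "size": int(size.group(1)) if size else None, "sigcheck": sigcheck}

def triage(service, vt):
    """Cross-check a logged driver against its VT report and give a first-pass verdict."""
    on_disk = service["path"].replace("\\", "/").rsplit("/", 1)[-1]
    flags = []
    if re.fullmatch(r"\d+\.sys", on_disk, re.IGNORECASE):
        flags.append("numeric-only filename")
    if None not in (service["size"], vt["size"]) and service["size"] != vt["size"]:
        flags.append("size in log differs from the file submitted to VT")
    original = vt["sigcheck"].get("original name", "")
    if original and original.lower() != on_disk.lower():
        flags.append("renamed: on-disk %s, signed original name %s" % (on_disk, original))
    publisher = vt["sigcheck"].get("publisher", "")
    # "verified: -" means VT did not validate the chain: the publisher string is a lead, not proof.
    if vt["detections"]:
        verdict = "suspicious: %d/%d engines detect it" % (vt["detections"], vt["engines"])
    elif publisher:
        verdict = "likely legitimate vendor component from %s; verify signature locally" % publisher
    else:
        verdict = "unsigned and undetected: needs further analysis"
    return {"file": on_disk, "verdict": verdict, "flags": flags}
```

For the R1 entry this yields a "likely legitimate" verdict with two flags (numeric filename, renamed from KLIF.SYS), which is the reasoning behind the reply that follows.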
#10
Security Expert
Join Date: Oct 2009
Location: New England, USA
Posts: 177
Hi,
It looks like that file might be part of a removal tool from Kaspersky. Are you familiar with anything like that?
Use ATF Cleaner to remove temp files, cookies, cache, etc. Please download ATF Cleaner by Atribune.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here. Double-click mbam-setup.exe to install the application.
Please let me know how it's running also.
Tags: browser, hijacked, redirecting