Virus Runs As iexplore.exe ; Full Screen Popup Ads ; Unwanted Sounds In Video Streams

George San Marcos · Jun 22, 2010

I am unable to eradicate a virus / trojan / malware that is shown in Windows Task Manager as iexplore.exe even when Internet Explorer is not running.

Symptom: During video streaming from hulu.com using Opera 10 browser, an occasional unwanted sound is heard, such as "Congratulations! You're a winner!". No new window appears, just the sound. Using the Task Manager to kill the iexplore.exe process immediately silences the unwanted sound. It also adjusts the WAV volume control to the lowest, "off" position.

Symptom: At intervals (typically 20 minutes or so) while running the Opera 10 browser, a full-screen advertisement will appear in an Internet Explorer window.

Symptom: Settings for Windows are being modified without permission. The account login screen required a password when no password had been required previously. This was corrected using "run" "control userpasswords2" by deselecting "Users must enter a use name and password...". Outlook Express no longer recognizes existing email accounts (this has not been fixed).

Diagnostic Activity To Date: Spybot Search & Destroy, AdAware, Malwarebytes Anti-Malware, Superantispyware, Trojan Hunter. Some viruses and trojans were found and eliminated, only cookies are reported now. However, the problem with iexplore.exe remains.

----------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 14:56:59.81 on Tue 06/22/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1129 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
E:\Trojan_Hunter\TrojanHunter 5.3\THGuard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes2\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\superantispyware\8bd1c99c-f86d-4aa7-a866-9aa8b4a855af.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\spybot162\spybot\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [THGuard] "e:\trojan_hunter\trojanhunter 5.3\THGuard.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes2\iTunesHelper.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot162\spybot\SDHelper.dll
Notify: !SASWinLogon - e:\superantispyware_2\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\superantispyware_2\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-22 64288]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2010-06-22 20:45:09 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-06-22 18:01:05 0 d-----w- c:\windows\pss
2010-06-22 16:22:56 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TrojanHunter
2010-06-22 15:36:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-22 07:28:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 07:28:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 07:17:08 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 07:17:00 0 d-----w- c:\program files\Lavasoft
2010-06-22 04:28:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 04:28:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-06-22 04:28:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

============= FINISH: 14:57:58.93 ===============

Blade81 · Jun 27, 2010

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

George San Marcos · Jun 28, 2010

Scans Complete

Thank you for your help, Blade81! Logs from ComboFix and DDS are below.

ComboFix 10-06-27.03 - User 06/27/2010 20:26:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1378 [GMT -7:00]
Running from: c:\documents and settings\User.BUNGALOW\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-25 13:01 . 2010-06-25 13:01 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2010-06-23 00:32 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-23 00:32 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-23 00:32 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-23 00:32 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-23 00:32 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-23 00:32 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-23 00:32 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-23 00:32 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-23 00:32 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-23 00:32 . 2010-06-23 00:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-06-22 23:11 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-22 20:47 . 2010-06-22 20:47 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 20:47 . 2010-06-22 20:47 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-22 20:45 . 2010-06-22 20:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-22 20:01 . 2010-06-22 20:01 17672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-22 20:01 . 2010-06-22 20:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-06-22 19:55 . 2010-06-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-06-22 17:25 . 2010-06-22 17:25 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\TrojanHunter
2010-06-22 16:22 . 2010-06-22 16:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TrojanHunter
2010-06-22 15:36 . 2010-06-22 07:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-22 13:02 . 2010-06-22 13:02 -------- d-----w- c:\documents and settings\Jamie.BUNGALOW\Local Settings\Application Data\Opera
2010-06-22 07:28 . 2010-06-22 07:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 07:28 . 2010-06-22 07:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 07:17 . 2010-06-22 07:17 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 07:17 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-22 07:17 . 2010-06-22 07:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-06-22 07:17 . 2010-06-22 07:17 -------- d-----w- c:\program files\Lavasoft
2010-06-22 04:28 . 2010-06-22 04:28 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\Malwarebytes
2010-06-22 04:28 . 2010-06-22 04:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-06-22 04:28 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 04:28 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 02:46 . 2010-06-15 02:46 -------- d-----w- c:\program files\Opera
2010-06-15 02:40 . 2010-06-15 02:41 10367552 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\Opera\opera_1053\Opera_1053_en_Setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 03:08 . 2010-02-05 12:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-06-27 17:59 . 2010-01-14 16:22 1 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-26 19:50 . 2010-01-26 17:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-21 23:26 . 2010-01-15 23:47 45 ----a-w- c:\documents and settings\User.BUNGALOW\jagex_runescape_preferences.dat
2010-06-21 23:21 . 2010-01-15 23:49 87 ----a-w- c:\documents and settings\User.BUNGALOW\jagex_runescape_preferences2.dat
2010-06-20 20:06 . 2010-02-05 03:27 1 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-16 20:47 . 2010-01-26 15:46 117760 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 13:14 . 2010-05-28 13:14 503808 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\msvcp71.dll
2010-05-28 13:14 . 2010-05-28 13:14 499712 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\jmc.dll
2010-05-28 13:14 . 2010-05-28 13:14 348160 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\msvcr71.dll
2010-05-22 19:56 . 2010-05-15 19:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2010-05-15 19:56 . 2010-05-15 19:56 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\NCH Swift Sound
2010-05-15 19:56 . 2008-02-01 03:39 -------- d-----w- c:\program files\NCH Swift Sound
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 18:55 . 2010-01-13 16:43 17672 ----a-w- c:\documents and settings\User.BUNGALOW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 16:25 . 2010-04-10 16:24 3743944 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-04-10 15:26 . 2010-04-10 15:22 21195208 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Update\US30026901xupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
"THGuard"="e:\trojan_hunter\TrojanHunter 5.3\THGuard.exe" [2010-06-17 1070296]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-20 286720]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"iTunesHelper"="c:\program files\iTunes2\iTunesHelper.exe" [2007-11-03 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\Jamie.BUNGALOW\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\User.BUNGALOW\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-17 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\WAMP\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes2\\iTunes.exe"=
"e:\\itunes\\iTunes.exe"=
"e:\\xenu\\Xenu.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/22/2010 12:28 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/22/2010 5:32 PM 164048]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2010 5:32 PM 19024]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
S3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:26]

2010-05-22 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-15 19:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://members.cox.net/strads/index.html
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - e:\superantispyware_2\SASSEH.DLL
Notify-!SASWinLogon - e:\superantispyware_2\SASWINLO.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 20:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-27 20:39:52
ComboFix-quarantined-files.txt 2010-06-28 03:39

Pre-Run: 36,111,773,696 bytes free
Post-Run: 38,071,205,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - F4A4786D20FB2A55A2889149903C422F

DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 21:29:44.54 on Sun 06/27/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1214 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes2\iTunesHelper.exe
E:\avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User.BUNGALOW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://members.cox.net/strads/index.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [THGuard] "e:\trojan_hunter\trojanhunter 5.3\THGuard.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes2\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user~1.bun\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-22 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-22 164048]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-22 19024]
R2 avast! Antivirus;avast! Antivirus;e:\avast\AvastSvc.exe [2010-6-22 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\avast\AvastSvc.exe [2010-6-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;e:\avast\AvastSvc.exe [2010-6-22 40384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2010-06-28 03:25:12 0 d-sha-r- C:\cmdcons
2010-06-28 03:15:44 98816 ----a-w- c:\windows\sed.exe
2010-06-28 03:15:44 77312 ----a-w- c:\windows\MBR.exe
2010-06-28 03:15:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-28 03:15:44 161792 ----a-w- c:\windows\SWREG.exe
2010-06-23 00:32:34 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-06-22 23:11:12 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-22 18:01:05 0 d-----w- c:\windows\pss
2010-06-22 17:25:54 0 d-----w- c:\docume~1\user~1.bun\applic~1\TrojanHunter
2010-06-22 16:22:56 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TrojanHunter
2010-06-22 15:36:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-22 07:28:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 07:28:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 07:17:08 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 07:17:00 0 d-----w- c:\program files\Lavasoft
2010-06-22 04:28:41 0 d-----w- c:\docume~1\user~1.bun\applic~1\Malwarebytes
2010-06-22 04:28:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 04:28:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-06-22 04:28:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2010-06-21 23:26:41 45 ----a-w- c:\documents and settings\user.bungalow\jagex_runescape_preferences.dat
2010-06-21 23:21:52 87 ----a-w- c:\documents and settings\user.bungalow\jagex_runescape_preferences2.dat
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 21:30:06.25 ===============

George San Marcos · Jun 28, 2010

Two More Viral Incidents

After running DDS, there were two viral events:

21:56 -- IE Window opened, message "navigation cancelled"
22:11 -- Unwanted audio ad

Blade81 · Jun 28, 2010

Hi,

Download and install update 9.3.2 for Adobe Reader here.

Does the system still have those earlier described symptoms left?

George San Marcos · Jun 28, 2010

Death By Reboot

The Adobe Reader patch 9.3.2 was downloaded and installed successfully.

The system reboot was a disaster.

As the computer attempts to start, it gets to the "Loading Windows" display ... the screen flashes ... then the computer begins the booting process all over again.

I was able to get out of the reboot loop by pressing F8, then starting in "Safe Mode With Networking".

Whatever the Adobe patch did, it made things much worse. That means we're on the right track, I think. :red:

George San Marcos · Jun 28, 2010

Back To ComboFix Restore Point

I have performed a System Restore to the restore point generated by ComboFix when it ran earlier today.

The reboot loop no longer occurs.

A check of Adobe Reader shows version 9.3.1 is now running instead of 9.3.2. There was a Windows box explaining that 9.3.1 was being "configured" when I started it. This configuration completed successfully.

Blade81 · Jun 28, 2010

Hi,

Do those other symptoms exist?

George San Marcos · Jun 28, 2010

Yes: Unwanted full-screen popup ads in IE7 windows still appear, unwanted audio ads still occur, iexplore.exe is still shown in the Windows Task Manager (Processes tab) even though Internet Explorer has not been started.

I'm keeping an incident log, showing five problems since the System Restore.

June 27, 2010
21:56 -- IE Window opened, message "navigation cancelled"
22:11 -- Unwanted audio ad
22:39 -- IE Window opened, "incomeWeb" advertisement
23:01 -- Adobe Reader 9.3.2 Update Installed
23:42 -- Activated ComboFix Restore Point to eliminate reboot loop. Adobe Reader 9.3.1 restored.
23:56 -- Unwanted audio ad

June 28, 2010
00:03 -- Unwanted audio ad
00:11 -- IE Window opened full screen, "Secret to Getting Ripped" ad
00:12 -- Unwanted audio ad
00:15 -- Unwanted audio ad

Blade81 · Jun 28, 2010

Hi,

1. Download Bootkit Remover (note: it's a RAR archived file so you have to install compatible program, like 7-Zip if there's not one installed).

2. Extract the contents to own folder (BRemover folder) on your desktop.

3. Click start->run->type cmd.exe and press enter.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

Code:

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press enter once more to bring cursor back visible after entering the command above. After that operation there should be logit.txt file on your desktop. Attach it to your post, please.

George San Marcos · Jun 28, 2010

New Symptoms: Windows Won't Log Off; Login Password Required When Starting

There are two new symptoms that have appeared.

1. Windows won't shut down. "Start", "Turn Off Computer", "Turn Off" is ignored. CTRL-ALT-DEL, "Shut Down", "Turn Off" is also ignored. It is necessary to turn off the power to shut down the computer.

2. Windows now requires a password to log on ... sometimes. When a password is demanded, a normal reboot is performed. Sometimes it is necessary to reboot two times before the desktop appears.

Once the desktop appeared today, there was an immediate full-size advertisement in an IE window.

These symptoms are occurring before following instructions regarding the Bootkit remover.

George San Marcos · Jun 28, 2010

Unknown Boot Code Detected On All Physical Drives

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 94e5e037d499bc5ff7aaa3b2e9662600
\\.\D: -> \\.\PhysicalDrive1
MD5: 94e5e037d499bc5ff7aaa3b2e9662600
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive0
\\.\H: -> \\.\PhysicalDrive1
\\.\I: -> \\.\PhysicalDrive1
\\.\J: -> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown boot code
232 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit...

Blade81 · Jun 28, 2010

Hi,

Is D: drive also operating system partition or perhaps external hard drive?

George San Marcos · Jun 28, 2010

Installed Drives On System

There are two hard drives and one DVD Drive. All three of them are installed in the chassis and are not designed to be removable.

Strategy: Multiple partitions allow disk defragmentation to complete MUCH faster, plus it isolates the operating system from data files developed by programs and applications.

Originally, the factory-configured partition layout was:

Drive 1: C: E: F: G: (Note that D is used for the DVD drive)
Drive 2: H: I: J: K:
DVD: D:

Double-clicking on "My Computer" now reports:

Drive 1: C: D: E: F: (note that D is now on Drive 1)
Drive 2: G: H: I: J:
DVD: K:

Right-Clicking on "My Computer", then selecting the "System Restore" tab shows:

C: E: F: G: D: H: I: J:

Blade81 · Jun 28, 2010

Hi,

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter (answer yes to confirmation):

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Run ComboFix (let it update itself) and post back the report + fresh dds log.

George San Marcos · Jun 28, 2010

Recovery Console Not Installed, Please Advise

When the machine was backed-up to the restore point created by ComboFix, it eliminated the installation of the Microsoft Recovery Console that occurred afterwards.

The ComboFix instructions say the manual method of installing the Recovery Console requires the downloaded file to be drag-and-dropped onto ComboFix. But your instructions say to run the Recovery Console and fixmbr /before/ running ComboFix.

If it was my decision, I would:
a) Run ComboFix to install the Recovery Console
b) Follow the instructions to fix the master boot record
c) Follow the instructions to run ComboFix (again) and DDS

However, given all of the warnings and disclaimers about ComboFix I've decided to wait for further direction from you.

Please advise me on the steps to follow to reinstall the Recovery Console. I appreciate your understanding!

Blade81 · Jun 28, 2010

Didn't think rc would be removed too. Yes, please try that plan (a-c).

George San Marcos · Jun 28, 2010

Recovery Console Installed, Logs Attached

There was an error message when ComboFix was running:

Error saving file C:\combofix\HIV\system
RegSaveKeyEx: 1016 An I/O operation initiated by the registry failed unrecoverably.

ComboFix 10-06-27.06 - User 06/28/2010 14:38:09.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1637 [GMT -7:00]
Running from: c:\documents and settings\User.BUNGALOW\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 21:03 . 2010-06-28 21:04 -------- d-----w- c:\documents and settings\antivirus_logs\100628
2010-06-28 21:03 . 2010-06-28 21:03 -------- d-----w- c:\documents and settings\antivirus_logs
2010-06-28 15:02 . 2010-06-28 15:02 -------- d-----w- c:\documents and settings\User.BUNGALOW\Desktop]BRemover
2010-06-28 06:33 . 2010-06-28 06:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-28 05:59 . 2010-06-28 05:59 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Identities
2010-06-25 13:01 . 2010-06-25 13:01 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2010-06-23 00:32 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-23 00:32 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-23 00:32 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-23 00:32 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-23 00:32 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-23 00:32 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-23 00:32 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-23 00:32 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-23 00:32 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-23 00:32 . 2010-06-23 00:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-06-22 23:11 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-22 20:47 . 2010-06-22 20:47 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 20:47 . 2010-06-22 20:47 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-22 20:45 . 2010-06-22 20:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-22 20:01 . 2010-06-22 20:01 17672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-22 20:01 . 2010-06-22 20:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-06-22 19:55 . 2010-06-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-06-22 17:25 . 2010-06-22 17:25 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\TrojanHunter
2010-06-22 16:22 . 2010-06-22 16:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TrojanHunter
2010-06-22 15:36 . 2010-06-22 07:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-22 13:02 . 2010-06-22 13:02 -------- d-----w- c:\documents and settings\Jamie.BUNGALOW\Local Settings\Application Data\Opera
2010-06-22 07:28 . 2010-06-22 07:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 07:28 . 2010-06-22 07:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 07:17 . 2010-06-22 07:17 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 07:17 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-22 07:17 . 2010-06-22 07:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-06-22 07:17 . 2010-06-22 07:17 -------- d-----w- c:\program files\Lavasoft
2010-06-22 04:28 . 2010-06-22 04:28 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\Malwarebytes
2010-06-22 04:28 . 2010-06-22 04:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-06-22 04:28 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 04:28 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 02:46 . 2010-06-15 02:46 -------- d-----w- c:\program files\Opera
2010-06-15 02:40 . 2010-06-15 02:41 10367552 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\Opera\opera_1053\Opera_1053_en_Setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 17:55 . 2010-01-14 16:22 1 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-28 15:32 . 2010-01-26 17:11 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-28 03:08 . 2010-02-05 12:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-06-21 23:26 . 2010-01-15 23:47 45 ----a-w- c:\documents and settings\User.BUNGALOW\jagex_runescape_preferences.dat
2010-06-21 23:21 . 2010-01-15 23:49 87 ----a-w- c:\documents and settings\User.BUNGALOW\jagex_runescape_preferences2.dat
2010-06-20 20:06 . 2010-02-05 03:27 1 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-16 20:47 . 2010-01-26 15:46 117760 ----a-w- c:\documents and settings\User.BUNGALOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 13:14 . 2010-05-28 13:14 503808 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\msvcp71.dll
2010-05-28 13:14 . 2010-05-28 13:14 499712 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\jmc.dll
2010-05-28 13:14 . 2010-05-28 13:14 348160 ----a-w- c:\documents and settings\Jamie.BUNGALOW\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5514b582-n\msvcr71.dll
2010-05-22 19:56 . 2010-05-15 19:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2010-05-15 19:56 . 2010-05-15 19:56 -------- d-----w- c:\documents and settings\User.BUNGALOW\Application Data\NCH Swift Sound
2010-05-15 19:56 . 2008-02-01 03:39 -------- d-----w- c:\program files\NCH Swift Sound
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 18:55 . 2010-01-13 16:43 17672 ----a-w- c:\documents and settings\User.BUNGALOW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 16:25 . 2010-04-10 16:24 3743944 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-04-10 15:26 . 2010-04-10 15:22 21195208 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TaxCut\2009\Update\US30026901xupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
"THGuard"="e:\trojan_hunter\TrojanHunter 5.3\THGuard.exe" [2010-06-17 1070296]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-20 286720]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"iTunesHelper"="c:\program files\iTunes2\iTunesHelper.exe" [2007-11-03 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\Jamie.BUNGALOW\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\User.BUNGALOW\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-17 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\superantispyware_2\SASSEH.DLL" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
e:\superantispyware_2\SASWINLO.dll [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\WAMP\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes2\\iTunes.exe"=
"e:\\itunes\\iTunes.exe"=
"e:\\xenu\\Xenu.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/22/2010 12:28 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/22/2010 5:32 PM 164048]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2010 5:32 PM 19024]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
S3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:26]

2010-05-22 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-15 19:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://members.cox.net/strads/index.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-06-28 14:49:08
ComboFix-quarantined-files.txt 2010-06-28 21:49
ComboFix2.txt 2010-06-28 21:30
ComboFix3.txt 2010-06-28 03:39

Pre-Run: 37,830,135,808 bytes free
Post-Run: 37,811,761,152 bytes free

- - End Of File - - F7A3A7AE2DF162CF3648F963F509A2A5

DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 14:53:57.09 on Mon 06/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1586 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes2\iTunesHelper.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User.BUNGALOW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://members.cox.net/strads/index.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [THGuard] "e:\trojan_hunter\trojanhunter 5.3\THGuard.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes2\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user~1.bun\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - e:\superantispyware_2\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\superantispyware_2\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-22 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-22 164048]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-22 19024]
R2 avast! Antivirus;avast! Antivirus;e:\avast\AvastSvc.exe [2010-6-22 40384]
S3 avast! Mail Scanner;avast! Mail Scanner;e:\avast\AvastSvc.exe [2010-6-22 40384]
S3 avast! Web Scanner;avast! Web Scanner;e:\avast\AvastSvc.exe [2010-6-22 40384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2010-06-28 21:20:10 0 d-sha-r- C:\cmdcons
2010-06-28 15:02:54 0 d-----w- c:\documents and settings\user.bungalow\Desktop]BRemover
2010-06-28 06:33:55 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-28 03:15:44 98816 ----a-w- c:\windows\sed.exe
2010-06-28 03:15:44 77312 ----a-w- c:\windows\MBR.exe
2010-06-28 03:15:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-28 03:15:44 161792 ----a-w- c:\windows\SWREG.exe
2010-06-23 00:32:34 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-06-22 23:11:12 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-22 18:01:05 0 d-----w- c:\windows\pss
2010-06-22 17:25:54 0 d-----w- c:\docume~1\user~1.bun\applic~1\TrojanHunter
2010-06-22 16:22:56 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TrojanHunter
2010-06-22 15:36:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-22 07:28:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 07:28:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 07:17:08 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 07:17:00 0 d-----w- c:\program files\Lavasoft
2010-06-22 04:28:41 0 d-----w- c:\docume~1\user~1.bun\applic~1\Malwarebytes
2010-06-22 04:28:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 04:28:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-06-22 04:28:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2010-06-28 15:32:17 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-21 23:26:41 45 ----a-w- c:\documents and settings\user.bungalow\jagex_runescape_preferences.dat
2010-06-21 23:21:52 87 ----a-w- c:\documents and settings\user.bungalow\jagex_runescape_preferences2.dat
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 14:54:16.46 ===============

Blade81 · Jun 29, 2010

Hi,

Please follow the instructions in post #10 again.

Issues still showing up?

George San Marcos · Jun 29, 2010

No Issues For Six Hours

There has been no unwanted audio ads and no full-screen ad windows during the last six hours of operation. Functions checked include video streaming, audio streaming, and the playing of local audio files. It would appear that fixing the master boot record cleared the problem on the primary drive.

Should I worry about the "unknown boot code" on the secondary drive?

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive1
MD5: 94e5e037d499bc5ff7aaa3b2e9662600
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive0
\\.\H: -> \\.\PhysicalDrive1
\\.\I: -> \\.\PhysicalDrive1
\\.\J: -> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
232 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit...

Virus Runs As iexplore.exe ; Full Screen Popup Ads ; Unwanted Sounds In Video Streams

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member