
Virtumonde



boothby
2010-12-07, 11:36
Hi,

I have Virtumonde. I have read and tried suggestions on dozens of forums, but to no avail. I tried ComboFix (before reading that I should wait for instruction to use it), but to no avail; I still have it.

Programs I have used (that I remember):

Spybot - it's the only software I've used that'll detect Virtumonde, and it'll remove two of the three infections, but obviously they come back upon reboot.

Spyware doctor
Malwarebytes
Super-Antispyware
AVG
And, as stated earlier, several others that I can't remember.

I'm not sure what a DDS log is, but I'll provide the log from ComboFix:

ComboFix 10-12-06.03 - lou 07/12/2010 9:30.1.4 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3327.2112 [GMT 0:00]
Running from: c:\users\lou\Downloads\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
SP: ESET Smart Security 3.0 *enabled* (Outdated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.
ADS - Windows: deleted 128 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\scr\AppData\Roaming\drvxslek32k
c:\users\scr\AppData\Roaming\drvxslek32k\config.ini
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\sqlite3.dll
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\muzapp.exe
c:\windows\system32\system
E:\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
.

2010-12-07 09:38 . 2010-12-07 09:43 -------- d-----w- c:\users\lou\AppData\Local\temp
2010-12-07 09:38 . 2010-12-07 09:38 -------- d-----w- c:\users\scr\AppData\Local\temp
2010-12-07 09:23 . 2010-12-07 09:29 -------- d-----w- C:\32788R22FWJFW
2010-12-07 08:51 . 2010-12-07 08:51 -------- d-----w- c:\users\lou\AppData\Roaming\Malwarebytes
2010-12-07 08:50 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 08:50 . 2010-12-07 08:50 -------- d-----w- c:\programdata\Malwarebytes
2010-12-07 08:50 . 2010-12-07 08:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-07 08:50 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 01:48 . 2010-12-07 01:48 -------- d-----w- c:\users\lou\AppData\Roaming\Media Player Classic
2010-12-06 22:19 . 2010-12-06 22:19 -------- d-----w- C:\VundoFix Backups
2010-12-06 18:31 . 2010-12-06 18:31 -------- d-----w- c:\users\lou\AppData\Roaming\SUPERAntiSpyware.com
2010-12-06 18:31 . 2010-12-06 18:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-12-06 18:31 . 2010-12-06 18:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-06 18:13 . 2010-01-22 09:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-12-06 18:13 . 2010-01-22 09:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-12-06 18:13 . 2010-01-22 09:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-12-06 18:13 . 2010-01-22 09:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-12-06 18:11 . 2010-02-05 09:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-12-06 18:11 . 2010-02-05 09:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-06 18:11 . 2010-03-29 10:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-06 18:11 . 2009-11-23 13:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-06 18:11 . 2010-04-08 14:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-06 18:11 . 2010-12-07 09:41 -------- d-----w- c:\program files\Spyware Doctor
2010-12-06 18:11 . 2010-12-06 18:11 -------- d-----w- c:\users\lou\AppData\Roaming\PC Tools
2010-12-06 18:11 . 2010-12-06 18:11 -------- d-----w- c:\programdata\PC Tools
2010-12-06 06:05 . 2010-12-06 06:05 -------- d-----w- c:\users\lou\AppData\Roaming\Registry Mechanic
2010-12-06 02:39 . 2010-09-16 12:26 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-12-06 02:39 . 2008-09-17 22:17 658432 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-12-06 02:39 . 2008-04-02 16:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-12-06 02:39 . 2008-04-02 16:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-12-06 02:39 . 2008-04-02 16:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-12-06 02:39 . 2004-08-04 08:00 506368 ----a-w- c:\windows\system32\msxml.dll
2010-12-06 02:39 . 2010-12-06 18:14 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-06 02:38 . 2010-12-06 02:38 -------- d-----w- C:\$AVG
2010-12-06 00:26 . 2010-12-06 00:26 -------- d-----w- c:\users\lou\AppData\Roaming\AVG10
2010-12-06 00:25 . 2010-12-06 00:25 -------- d--h--w- c:\programdata\Common Files
2010-12-06 00:24 . 2010-12-07 09:17 -------- d-----w- c:\programdata\AVG10
2010-12-06 00:23 . 2010-12-06 00:23 -------- d-----w- c:\program files\AVG
2010-12-05 23:20 . 2010-12-05 23:20 -------- dc----w- c:\windows\system32\DRVSTORE
2010-12-05 23:18 . 2010-12-05 23:18 -------- d-----w- c:\programdata\Applications
2010-12-05 23:09 . 2010-12-06 00:23 -------- d-----w- c:\programdata\MFAData
2010-12-04 17:25 . 2006-03-03 11:07 143360 ----a-w- c:\windows\system32\dunzip32.dll
2010-12-04 17:08 . 2006-12-22 16:02 37480 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-12-04 17:08 . 2006-12-22 16:02 32008 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-12-04 17:08 . 2006-12-22 16:02 34184 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-12-04 17:08 . 2006-12-22 16:02 170408 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-12-04 17:08 . 2006-12-22 16:02 71496 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-12-04 17:08 . 2007-01-09 16:44 107608 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-12-04 17:07 . 2010-12-04 17:09 -------- d-----w- c:\program files\Common Files\McAfee
2010-12-04 17:07 . 2010-12-04 17:16 -------- d-----w- c:\programdata\McAfee
2010-12-04 11:55 . 2010-12-04 21:28 -------- d-----w- c:\users\lou\AppData\Local\ElevatedDiagnostics
2010-12-03 15:42 . 2010-12-03 15:42 -------- d-----w- c:\program files\Toontrack
2010-12-03 10:11 . 2010-12-03 10:11 -------- d-----w- c:\users\scr\AppData\Roaming\pdftoepub
2010-12-03 09:29 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C669E543-A36E-4F9D-A77A-1B83A6230F5A}\mpengine.dll
2010-12-02 08:51 . 2010-12-02 08:51 -------- d-----w- c:\program files\Paradox Interactive
2010-11-26 16:17 . 2010-11-26 16:17 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-11-26 16:17 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
2010-11-26 16:17 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
2010-11-26 16:17 . 2010-10-16 18:55 57960 ----a-w- c:\windows\system32\OpenCL.dll
2010-11-26 16:17 . 2010-10-16 18:55 4837480 ----a-w- c:\windows\system32\nvcuda.dll
2010-11-26 16:17 . 2010-10-16 18:55 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
2010-11-26 16:17 . 2010-10-16 18:55 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-11-26 16:17 . 2010-10-16 18:55 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
2010-11-26 16:17 . 2010-10-16 18:55 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
2010-11-26 16:17 . 2010-10-16 18:55 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-11-26 14:05 . 2010-11-26 14:05 -------- d-----w- c:\users\scr\AppData\Local\Aspyr
2010-11-24 22:18 . 2010-11-25 02:37 -------- d-----w- c:\users\scr\Calibre Library
2010-11-24 22:18 . 2010-11-24 22:19 -------- d-----w- c:\users\scr\AppData\Roaming\calibre
2010-11-24 22:17 . 2010-11-24 22:17 -------- d-----w- c:\program files\Calibre2
2010-11-23 19:54 . 2010-11-23 19:54 -------- d-----w- c:\program files\USB Wireless Keyboard Driver Ver1.2
2010-11-23 19:54 . 2003-03-28 17:24 524800 ----a-w- c:\windows\mHotkey.exe
2010-11-23 19:54 . 2002-11-21 10:00 747 ----a-w- c:\windows\LedHKey.reg
2010-11-23 19:54 . 2002-10-04 09:05 532992 ----a-w- c:\windows\CNYHKey.exe
2010-11-23 19:54 . 2002-10-03 10:37 49152 ----a-w- c:\windows\CNYUSB.dll
2010-11-23 19:54 . 2002-09-26 16:07 5120 ----a-w- c:\windows\HKCYDLL.dll
2010-11-23 19:54 . 2001-10-11 16:51 11776 ----a-w- c:\windows\HIDMNT.dll
2010-11-18 17:53 . 2010-11-18 17:54 -------- d-----w- C:\df
2010-11-18 17:52 . 2010-11-18 17:53 -------- d-----w- C:\bab
2010-11-18 17:51 . 2002-09-03 13:02 72192 ----a-w- c:\windows\unlite3.exe
2010-11-18 17:51 . 2010-11-18 17:51 -------- d-----w- c:\program files\Bradbury
2010-11-18 17:50 . 2010-11-18 17:51 -------- d-----w- c:\program files\LogiXML IES Dev
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\program files\NCH Software
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\program files\Conduit
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\program files\NCH_EN
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\programdata\NCH Swift Sound
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\program files\NCH Swift Sound
2010-11-18 17:21 . 2010-11-18 17:21 -------- d-----w- c:\users\scr\AppData\Roaming\NCH Swift Sound
2010-11-14 03:12 . 2010-11-14 03:13 -------- d-----w- c:\program files\AGEIA Technologies
2010-11-14 03:12 . 2010-11-14 03:12 -------- d-----w- c:\windows\system32\AGEIA
2010-11-14 03:10 . 2010-11-14 03:10 -------- d-----w- c:\users\scr\AppData\Local\Kerberos_Productions
2010-11-12 15:25 . 2010-11-12 15:25 -------- d-----w- c:\users\scr\AppData\Roaming\DTLink Software
2010-11-12 15:14 . 2010-11-12 15:14 -------- d-----w- c:\users\scr\AppData\Local\IsolatedStorage
2010-11-12 15:14 . 2010-11-12 15:25 -------- d-----w- c:\program files\Asteria
2010-11-12 00:32 . 2010-11-12 00:32 -------- d-----w- c:\users\scr\AppData\Local\Sports Interactive
2010-11-10 18:46 . 2010-11-10 18:46 -------- d-----w- c:\users\lou\AppData\Roaming\Sports Interactive
2010-11-10 18:46 . 2010-11-10 18:46 -------- d-----w- c:\users\lou\AppData\Local\Sports Interactive
2010-11-10 18:39 . 2010-11-10 18:39 -------- d--h--w- c:\users\lou\InstallAnywhere
2010-11-09 04:21 . 2010-11-09 04:21 -------- d-----w- c:\users\lou\AppData\Local\Apps
2010-11-09 04:21 . 2010-11-09 14:59 -------- d-----w- c:\users\lou\AppData\Local\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-20 00:21 . 2010-09-07 12:32 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-10-19 10:41 . 2010-05-19 19:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 18:55 . 2010-11-26 16:17 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-10-16 18:55 . 2010-05-19 18:55 1719912 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55 . 2009-06-10 21:19 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
2010-10-16 12:42 . 2010-10-16 12:42 600680 ----a-w- c:\windows\system32\nvvsvc.exe
2010-10-16 12:42 . 2010-10-16 12:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 12:42 . 2010-10-16 12:42 3420776 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:42 . 2010-10-16 12:42 2079336 ----a-w- c:\windows\system32\nvsvc.dll
2010-10-07 02:27 . 2010-10-07 02:27 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-10-07 02:27 . 2010-10-07 02:27 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-10-01 01:52 . 2010-10-01 01:52 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
2010-10-01 01:50 . 2010-10-18 16:14 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-10-01 01:50 . 2010-10-18 16:14 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-13 21:58 3913000 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2010-11-13 21:58 3913000 ----a-w- c:\program files\NCH_EN\tbNCH_.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\tbNCH_.dll" [2010-11-13 3913000]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]

[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-22 202256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"CHotkey"="mHotkey.exe" [2003-03-28 524800]
"ledpointer"="CNYHKey.exe" [2002-10-04 532992]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-11-15 112600]

c:\users\scr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-7-5 576000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BWMeterPro.lnk - c:\program files\BandwidthMeterPro\BWMeterPro.exe [2008-8-15 236032]
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-7-27 541976]
uTorrent.lnk - c:\program files\uTorrent\uTorrent.exe [2010-5-19 328056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 136176]
R3 cpuz130;cpuz130;c:\users\scr\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 TASCAM_US1641;TASCAM US-1641 Audio Device driver;c:\windows\system32\Drivers\tus1641u.sys [2009-11-26 397888]
R3 TASCAM_US1641_MIDI;TASCAM US-1641 WDM MIDI Device;c:\windows\system32\drivers\tus1641m.sys [2009-11-26 26688]
R3 TASCAM_US1641_WDM;TASCAM US-1641 WDM;c:\windows\system32\drivers\tus1641a.sys [2009-11-26 39488]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-24 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-19 697328]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2010-10-01 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-01 67904]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-10-01 632792]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-09 33792]

.
Contents of the 'Scheduled Tasks' folder

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 19:49]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 19:49]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1064430074-1443224373-1957092225-1003Core.job
- c:\users\scr\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 16:54]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1064430074-1443224373-1957092225-1003UA.job
- c:\users\scr\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 16:54]

2010-12-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1064430074-1443224373-1957092225-1002.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-06 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-06 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\lou\AppData\Roaming\Mozilla\Firefox\Profiles\8czjsvj5.default\
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\windows\CNYHKey.exe
.
**************************************************************************
.
Completion time: 2010-12-07 09:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-07 09:49

Pre-Run: 1,354,866,688 bytes free
Post-Run: 959,369,216 bytes free

- - End Of File - - F5E37EC2F59C268E1F1F0E8B4FBD1201


Thank you; I hope somebody will be able to help.

tashi
2010-12-07, 16:45
Hello boothby,

I'm not sure what a DDS log is, but I'll provide the log from Combofix

Please see post #2 in the "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) thread. ;)

Note:
Please back up your registry! <---

When Spybot-S&D is installed <---



DDS Log

Download to your desktop DDS from one of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double-click the tool to run it.
If a black screen opens, just read the contents and do nothing.
When the tool finishes, it will open two reports, DDS.txt and attach.txt.
Copy/paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows' native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)

If the infection prevents DDS from running, please start a topic anyway and make note of the situation. Don't post other logs. :)
Then start a new topic providing a link back to this one.

Best regards.