
Thread: Unable to open any exe files.

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    10

    Unable to open any exe files.

    About 5 days ago I lost all my icons on the desktop and toolbar. I did a system restore and got everything back, even though a warning came up saying the system restore did not work. Then, as I used the internet, any search is redirected to an advertisement. I ran a virus check and none were found. Then Spybot would not open. Then several other programs would not open, saying I do not have permission to open them. Some programs work, like Microsoft Word, and others do not, like Adobe Audition. Any help would be appreciated. I have attached a WIN32kdiag.

  2. #2
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hello and welcome to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something please don't hesitate to ask
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    exeHelper

    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Junior Member
    Join Date
    Oct 2009
    Posts
    10


    Thanks for the help. From my research I think I may have the Virut virus. Most of my exe files do not work and internet searches are redirected. Here is the posting of the log you requested.

    exeHelper by Raktor - 09
    Build 20090925
    Run at 21:06:24 on 10/13/09
    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

  4. #4
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi arbypb

    It is not necessarily the "Virut virus".

    Please download RootRepeal from one of these locations and save it to your desktop:
    Here
    Here
    Here
    • Open on your desktop.
    • Click the tab.
    • Click the button.
    • Check just these boxes:
    • Push Ok
    • Check the box for your main system drive (usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    Oct 2009
    Posts
    10


    Here is the RootRepeal log you requested.

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/10/16 18:58
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: Combo-Fix.sys
    Image Path: Combo-Fix.sys
    Address: 0xF7677000 Size: 60416 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xA632D000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7A03000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA40DC000 Size: 49152 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0xb8073e6e

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xb8073e64

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0xb8073e73

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0xb8073e7d

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xb8073e82

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0xb8073e50

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xb8073e55

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xb8073e8c

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xb8073e87

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0xb8073e78

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0xb8073e5f

    ==EOF==
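
A small triage helper for RootRepeal output of this shape, added here as an example; it is not part of RootRepeal and did not come from this thread. It assumes the layout visible in the log above (dash-underlined section titles, `Name` / `Image Path` / `Address` blocks under `Drivers`, and `#:` / `Status:` pairs under `SSDT`), flags SSDT entries hooked by a module RootRepeal could not resolve, and flags drivers loaded without a visible file except for the scanner's own driver, ComboFix's driver and the kernel's `dump_*` crash-dump copies, which are memory-only by design. The sample log is constructed from a few lines of the post, plus one extra hook attributed to a made-up driver name (`example_av.sys`) so the unflagged case is visible.

```python
"""Triage helper for RootRepeal text logs.  Added example, not part of
RootRepeal or of this thread; it assumes the layout seen in the log above:
dash-underlined titles, 'Drivers' blocks, and 'SSDT' '#:'/'Status:' pairs."""
import re

# Constructed sample: trimmed from the posted log, plus one hook owned by a
# made-up named driver (example_av.sys) so the unflagged case is shown too.
SAMPLE_LOG = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA632D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA40DC000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb8073e6e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb8073e50

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\example_av.sys" at address 0xb9000010
"""

SSDT_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
ADDR_RE = re.compile(r"^Address:\s*(0x[0-9a-fA-F]+)\s+Size:\s*\d+\s+File Visible:\s*(\S+)")
# Memory-only by design: RootRepeal's and ComboFix's run-time-extracted drivers
# and the kernel's dump_* crash-dump copies of the boot storage stack.
EXPECTED_HIDDEN = ("rootrepeal.sys", "combo-fix.sys", "dump_")

def split_sections(text):
    """Map each dash-underlined section title to the lines beneath it."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and nxt and set(nxt) == {"-"}:
            current = line.strip()
            sections[current] = []
        elif current is not None and set(line.strip()) != {"-"}:
            sections[current].append(line)
    return sections

def parse_drivers(lines):
    """One dict per driver block; blocks are separated by blank lines."""
    drivers, block = [], {}
    for line in lines + [""]:
        line = line.strip()
        if not line:
            if "Name" in block and "addr" in block:
                m = block["addr"]
                drivers.append({"name": block["Name"], "address": int(m.group(1), 16),
                                "image_path": block.get("Image Path", ""),
                                "file_visible": m.group(2).lower() == "yes"})
            block = {}
        elif m := ADDR_RE.match(line):
            block["addr"] = m
        elif ":" in line:
            key, value = line.split(":", 1)
            block[key.strip()] = value.strip()
    return drivers

def parse_ssdt(lines):
    hooks, pending = [], None
    for line in lines:
        line = line.strip()
        if m := SSDT_RE.match(line):
            pending = (int(m.group(1)), m.group(2))
        elif pending and (m := HOOK_RE.match(line)):
            hooks.append({"index": pending[0], "function": pending[1],
                          "hooked_by": m.group(1), "address": int(m.group(2), 16)})
            pending = None
    return hooks

def triage(text, expected_hidden=EXPECTED_HIDDEN):
    """Return parsed data plus the findings a helper would look at first."""
    sections = split_sections(text)
    drivers = parse_drivers(sections.get("Drivers", []))
    hooks = parse_ssdt(sections.get("SSDT", []))
    unknown = [h for h in hooks if h["hooked_by"] == "<unknown>"]
    hidden = [d for d in drivers if not d["file_visible"]
              and not d["name"].lower().startswith(expected_hidden)]
    findings = []
    if unknown:
        lo, hi = min(h["address"] for h in unknown), max(h["address"] for h in unknown)
        # Hook targets a few hundred bytes apart almost always sit in one module.
        findings.append(f"{len(unknown)} SSDT entries hooked by an unresolved module "
                        f"(targets 0x{lo:08x}-0x{hi:08x}): "
                        + ", ".join(h["function"] for h in unknown))
    for d in hidden:
        findings.append(f"driver {d['name']} at 0x{d['address']:08x} has no visible file")
    return {"drivers": drivers, "hooks": hooks, "unknown_hooks": unknown,
            "hidden_drivers": hidden, "findings": findings}
```

In the full log above, all eleven hooked entries land between 0xb8073e50 and 0xb8073e8c, so the helper reports them as one unresolved module rather than eleven separate lines, which is the question a helper actually wants answered: what single component owns these hooks, and is it a security product or something that should not be there.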

  6. #6
    Junior Member
    Join Date
    Oct 2009
    Posts
    10


    I was getting help at another forum last week and after 6 days that person decided he was unable to figure out what was happening. He had me run ComboFix and IObit Security. Some other things that he tried, such as HijackThis, would never work once downloaded.

  7. #7
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi arbypb

    To remove all of the tools you have used and the files and folders they created do the following:

    Download OTC by Old Timer and save it to your Desktop.

    • Double-click OTC.exe
    • Click the CleanUp! button
    • Select Yes when the "Begin cleanup Process?" prompt appears
    • If you are prompted to Reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes; if not, delete it yourself


    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper.


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs, see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  8. #8
    Junior Member
    Join Date
    Oct 2009
    Posts
    10

    Combofix log

    ComboFix 09-10-16.09 - Ball family 10/17/2009 10:29.4.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1348 [GMT -4:00]
    Running from: c:\documents and settings\Ball family\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ADS - system32: deleted 40 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\clrviddc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
    .

    2009-10-17 14:06 . 2009-10-17 14:06 -------- d-----w- c:\windows\LastGood
    2009-10-11 21:06 . 2009-04-15 23:59 -------- d-sh--w- c:\documents and settings\LogMeInRemoteUser\IETldCache
    2009-10-11 20:51 . 2009-10-11 20:51 -------- d-----w- c:\documents and settings\Ball family\Local Settings\Application Data\LogMeIn
    2009-10-11 20:51 . 2009-10-11 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
    2009-10-11 20:51 . 2009-10-11 20:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2009-10-11 20:51 . 2009-09-28 23:34 28984 ----a-w- c:\windows\system32\LMIport.dll
    2009-10-11 20:51 . 2009-09-28 23:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2009-10-11 20:51 . 2008-08-11 16:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2009-10-11 20:50 . 2009-09-28 23:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
    2009-10-11 20:50 . 2009-10-17 04:54 -------- d-----w- c:\program files\LogMeIn
    2009-10-11 20:47 . 2009-10-11 20:48 -------- d-----w- c:\documents and settings\Ball family\Local Settings\Application Data\Deployment
    2009-10-10 23:15 . 2009-10-10 23:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-10 23:11 . 2009-10-11 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-10 23:11 . 2009-10-10 23:11 -------- d-----w- c:\documents and settings\Ball family\Application Data\Malwarebytes
    2009-10-10 23:11 . 2009-10-10 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-02 22:24 . 2009-10-02 22:24 -------- d-----w- c:\documents and settings\Administrator\IECompatCache
    2009-10-01 23:53 . 2009-10-10 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes(2)
    2009-09-29 22:53 . 2009-09-29 22:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.codeode
    2009-09-29 22:50 . 2009-09-29 22:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-29 22:50 . 2009-09-29 22:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-28 23:27 . 2009-10-11 22:39 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-28 23:27 . 2009-09-28 23:27 -------- d-----w- c:\documents and settings\Ball family\Application Data\SUPERAntiSpyware.com
    2009-09-28 01:56 . 2009-10-10 23:13 -------- d-----w- c:\documents and settings\Ball family\.housecall6.6
    2009-09-27 20:15 . 2009-10-17 14:17 -------- d-----w- c:\program files\Panda Security
    2009-09-27 19:07 . 2009-09-27 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-09-26 16:43 . 2009-09-26 16:43 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
    2009-09-22 00:05 . 2009-09-22 00:05 -------- d-----w- c:\documents and settings\Ball family\Application Data\ArcSoft
    2009-09-21 23:51 . 2009-09-21 23:51 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-09-21 23:51 . 2009-10-17 13:30 -------- d-----w- c:\documents and settings\Ball family\Application Data\skypePM
    2009-09-21 23:50 . 2009-10-17 14:25 -------- d-----w- c:\documents and settings\Ball family\Application Data\Skype
    2009-09-21 23:47 . 2009-09-21 23:48 -------- d-----w- c:\program files\Common Files\Skype
    2009-09-21 23:43 . 2009-09-21 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Philips
    2009-09-21 23:42 . 2009-09-21 23:42 -------- d-----w- c:\program files\ArcSoft
    2009-09-21 23:42 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
    2009-09-21 23:40 . 2007-12-31 20:19 461056 ----a-w- c:\windows\system32\drivers\SPC230NC.SYS
    2009-09-21 23:40 . 2007-09-26 18:28 8576 ----a-w- c:\windows\system32\drivers\PAEAFLT.sys
    2009-09-21 23:40 . 2009-09-21 23:43 -------- d-----w- c:\program files\Philips
    2009-09-21 23:40 . 2009-09-21 23:40 -------- d-----w- c:\windows\Philips
    2009-09-21 23:40 . 2007-11-02 15:07 6656 ----a-w- c:\windows\system32\CoInst.dll
    2009-09-19 17:41 . 2009-09-19 17:41 -------- d-----w- c:\program files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-17 14:17 . 2006-01-22 15:02 -------- d-----w- c:\program files\PcBugDoctor
    2009-10-17 13:58 . 2005-10-02 19:28 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition
    2009-10-17 05:06 . 2007-09-02 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-10-12 19:21 . 2004-09-26 02:21 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-12 19:19 . 2007-01-24 21:18 -------- d-----w- c:\documents and settings\Ball family\Application Data\Viewpoint
    2009-10-12 19:19 . 2004-03-31 23:54 -------- d-----w- c:\program files\Viewpoint
    2009-10-12 03:03 . 2009-10-12 03:03 -------- d-----w- c:\documents and settings\Ball family\Application Data\IObit
    2009-10-12 03:03 . 2009-10-11 21:14 -------- d-----w- c:\program files\IObit
    2009-10-12 02:16 . 2009-10-12 02:16 -------- d-----w- c:\program files\Trend Micro
    2009-10-12 02:09 . 2009-10-12 02:09 -------- d-----w- c:\program files\Avira
    2009-10-12 02:09 . 2009-10-12 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-10-11 22:48 . 2009-02-08 01:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
    2009-10-11 22:39 . 2009-10-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-11 22:38 . 2006-02-28 01:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-11 21:40 . 2009-10-11 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-10-11 21:14 . 2009-10-11 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2009-10-10 23:57 . 2006-07-13 14:13 121008 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-10 23:13 . 2004-10-03 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-10 23:13 . 2004-10-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-10 23:08 . 2007-04-08 14:33 -------- d-----w- c:\documents and settings\Ball family\Application Data\uTorrent
    2009-09-27 23:09 . 2008-12-06 21:15 -------- d-----w- c:\program files\Windows Defender
    2009-09-27 22:43 . 2004-09-26 02:43 121008 ----a-w- c:\documents and settings\Ball family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-27 19:32 . 2004-09-26 01:38 -------- d-----w- c:\program files\Microsoft Works
    2009-09-26 03:25 . 2004-10-08 22:07 -------- d-----w- c:\program files\Yahoo!
    2009-09-26 03:24 . 2004-12-31 20:42 -------- d-----w- c:\program files\Microsoft Games
    2009-09-26 03:23 . 2004-03-31 23:59 -------- d-----w- c:\program files\Google
    2009-09-21 23:48 . 2005-04-26 00:25 -------- d-----r- c:\program files\Skype
    2009-09-21 23:47 . 2005-04-26 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-09-21 23:42 . 2004-03-31 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-09-20 02:57 . 2006-07-08 14:43 -------- d-----w- c:\program files\AudioLabel
    2009-09-19 17:42 . 2004-09-30 02:52 -------- d-----w- c:\program files\Common Files\Real
    2009-09-19 17:40 . 2004-09-30 02:52 -------- d-----w- c:\program files\Real
    2009-09-08 22:05 . 2005-04-23 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-09-04 21:03 . 2004-03-31 19:59 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 08:08 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-26 08:00 . 2004-03-31 19:59 247326 ------w- c:\windows\system32\strmdll.dll
    2009-08-18 17:26 . 2009-08-18 17:19 -------- d-----w- c:\program files\DAK
    2009-08-18 17:25 . 2009-08-18 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\DAK
    2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
    2009-08-05 18:01 . 2009-08-05 18:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
    2009-08-05 09:01 . 2002-12-12 08:14 204800 ------w- c:\windows\system32\mswebdvd.dll
    2009-08-04 15:13 . 2004-03-31 19:59 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-08-04 14:20 . 2002-08-29 01:04 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-07-28 20:33 . 2009-06-10 16:31 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-07-25 09:23 . 2008-10-25 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2008-07-23 02:15 . 2008-07-23 02:15 17392 ----a-w- c:\program files\Common Files\avajuvi.dat
    2008-07-23 02:15 . 2008-07-23 02:15 16428 ----a-w- c:\program files\Common Files\yjod.dat
    2006-02-16 01:29 . 2006-01-25 23:48 955 ----a-w- c:\program files\lightssounds_a128.asx
    2006-01-25 23:52 . 2006-01-25 23:52 1007 ----a-w- c:\program files\00_lo.asx
    2006-01-16 18:35 . 2006-01-16 18:35 620710 ----a-w- c:\program files\framxpro.zip
    2006-01-07 17:20 . 2005-09-03 17:35 108 ----a-w- c:\program files\c101.asx
    2005-11-13 01:33 . 2005-11-13 01:33 27775 ----a-w- c:\program files\cooledit_filter.zip
    2005-11-13 01:31 . 2005-11-13 01:31 180528 ----a-w- c:\program files\wavpack.zip
    2005-11-06 14:06 . 2005-11-06 14:06 2124216 ----a-w- c:\program files\timebilt.zip
    2005-10-29 03:18 . 2005-10-29 03:18 608283 ----a-w- c:\program files\lame3.97b1.zip
    2005-10-06 19:25 . 2005-10-06 19:25 8715352 ----a-w- c:\program files\Install_AIM.exe
    2005-06-18 00:05 . 2005-06-18 00:05 239616 ----a-w- c:\program files\BEFSR41V3_v1.05.00_code.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
    "PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-05-09 262144]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 2.13\cactusspamfilter.exe" [2006-04-30 749568]
    "gStart"="c:\garmin\gStart.exe" [2008-08-13 1891416]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-08-08 2980800]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-21 39408]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
    "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
    "ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
    "SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
    "SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2007-4-21 1757]
    HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Digital Imaging Monitor.lnk.disabled [2007-4-28 1879]
    HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    HP Photosmart Premier Fast Start.lnk.disabled [2007-4-28 869]
    TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2009-9-21 241664]
    Windows Desktop Search.lnk.disabled [2007-9-2 1787]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-28 23:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
    "AGRSMMSG"=AGRSMMSG.exe
    "dvd43"=c:\program files\dvd43\dvd43_tray.exe
    "ezShieldProtector for Px"=c:\windows\System32\ezSP_Px.exe
    "HP Software Update"=c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe"
    "Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "UpdReg"=c:\windows\UpdReg.EXE
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sony\\vaio media integrated server\\Platform\\SV_Httpd.exe"=
    "c:\\Program Files\\Sony\\vaio media integrated server\\Platform\\UPnPFramework.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\utorrent\\utorrent.exe"=
    "c:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56192:TCP"= 56192:TCP:PandoRest Listening Port

    R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [4/21/2005 9:59 PM 12992]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2009 10:10 PM 108289]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/11/2009 4:51 PM 47640]
    R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [9/25/2004 9:32 PM 86098]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/17/2008 5:31 PM 24652]
    S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [10/2/2004 11:13 AM 91520]
    S3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]
    S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [9/21/2009 7:40 PM 8576]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]
    S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [9/21/2009 7:40 PM 461056]
    S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2004-09-26 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2004-03-31 00:12]

    2009-10-17 c:\windows\Tasks\User_Feed_Synchronization-{21517F93-2FBA-4D13-9B98-814A01267605}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

    2009-10-17 c:\windows\Tasks\User_Feed_Synchronization-{80CE167D-3DF2-4CB3-A600-0446C15F50BC}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

    2009-10-17 c:\windows\Tasks\User_Feed_Synchronization-{FF07235B-306A-4CAF-93B7-490EF07E0E2A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.rr.com/home/home
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download All by FlashGet - c:\documents and settings\Ball family\Desktop\jc_all.htm
    IE: Download using FlashGet - c:\documents and settings\Ball family\Desktop\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: {03177121-226B-11D4-B0BE-005004AD3039} - hxxp://members5.clubphoto.com/_img/uploader/atl_uploader.cab
    DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
    DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} - hxxp://www.gomusic.ru/cabs/xdownloader.cab
    DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Bias Sound Soap 2 v2.0 - c:\progra~1\BIAS\BIASSO~1\UNWISE.EXE
    AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\Ball family\Local Settings\Application Data\{62C861C3-9386-4C5A-B6E4-76156F577BFF}\NBCDirectInstaller.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-17 10:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2285680581-2100939256-2323919612-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-2285680581-2100939256-2323919612-1005\9 *]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-2285680581-2100939256-2323919612-1005\9 *\Preferences]
    "Use Hardware Scroll"=dword:00000001
    "UITransitions"=dword:00000001
    DUMPHIVE0.003 (REGF)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2009-10-17 10:49
    ComboFix-quarantined-files.txt 2009-10-17 14:48

    Pre-Run: 28,862,107,648 bytes free
    Post-Run: 28,850,757,632 bytes free

    314 --- E O F --- 2009-10-17 05:24

  9. #9
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi arbypb

    1 - Run Malwarebytes' Anti-Malware

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    2 - Status Check
    Please reply with:

    • the Malwarebytes' Anti-Malware log
    • a description of any problems you are having with your PC

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  10. #10
    Junior Member
    Join Date
    Oct 2009
    Posts
    10

    Default

    Malwarebytes' Anti-Malware 1.41
    Database version: 2976
    Windows 5.1.2600 Service Pack 3

    10/17/2009 5:08:53 PM
    mbam-log-2009-10-17 (17-08-53).txt

    Scan type: Full Scan (C:\|I:\|)
    Objects scanned: 306270
    Time elapsed: 3 hour(s), 34 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP365\A0080851.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
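A small parser for MBAM 1.x logs in the layout posted above, added here as an example (it is not code from the thread or from Malwarebytes); it assumes the summary-count and per-item line formats shown in the post and flags detections that sit under System Volume Information, where the posted hit lives.

```python
import re

# Constructed sample in the same layout as the posted log (paths and threat name taken from the thread).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\\|I:\\|)
Objects scanned: 306270

Memory Processes Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\System Volume Information\\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\\RP365\\A0080851.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")      # "Files Infected: 1"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def parse_mbam_log(text):
    # Returns (counts, detections): summary counts by category and one dict per detected object.
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                   # summary block at the top of the log
            counts[m.group("cat")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):         # header of a detail section
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if section and m:                       # one detected object under the current section
            detections.append({"category": section, "path": m.group("path"),
                               "threat": m.group("threat"), "action": m.group("action"),
                               "in_restore_point": bool(RESTORE_RE.search(m.group("path")))})
    return counts, detections


def only_restore_point_hits(detections):
    # True when every detection is inside a System Restore snapshot rather than the live file system.
    return bool(detections) and all(d["in_restore_point"] for d in detections)
```

When every hit is in a restore point, as in the posted log, it was the snapshot rather than the running system that still carried the file.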
