
Thread: Win32.agent.ieu + Win32.fraudload.edt

  1. #1
    Junior Member
    Join Date
    Apr 2010
    Posts
    13

    Win32.agent.ieu + Win32.fraudload.edt

    Spybot Search and Destroy detects Win32.agent.ieu + Win32.fraudload.edt but can't destroy them.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 10:58:09, on 19/04/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
    C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
    C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Windows\Awisaa.exe
    C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe
    C:\Program Files\Registry Mechanic\regmech.exe
    C:\Program Files\Lavasoft\Ad-aware\AAWTray.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
    O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio 2010\5.0\CPMonitor.exe"
    O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /H
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [YVIBBBHA8C] C:\Users\SAULTO~1\AppData\Local\Temp\Afg.exe
    O4 - HKCU\..\Run: [WEK9EMDHI9] C:\Windows\Awisaa.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.cinemanow.com
    O15 - Trusted Zone: http://*.qflix.com
    O15 - Trusted Zone: http://*.roxio.com
    O15 - Trusted Zone: http://redirect.sonic.com
    O15 - Trusted Zone: http://redirect2.sonic.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDF404D-0F9A-4D9F-95B6-5C95A22E57AC}: NameServer = 93.188.165.124,93.188.161.141
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.124,93.188.161.141
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.124,93.188.161.141
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.124,93.188.161.141
    O20 - AppInit_DLLs: acaptuser32.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-aware\AAWService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
    O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7122 bytes

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).

    After that:

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Apr 2010
    Posts
    13

    As requested

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Saul Todd at 20:22:53.11 on 21/04/2010
    Internet Explorer: 8.0.6001.18904
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3071.2248 [GMT 1:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
    C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
    C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe
    C:\Program Files\Registry Mechanic\regmech.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\RealVNC\VNC4\winvnc4.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\conime.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Saul Todd\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearch Bar = Preserve
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
    uRun: [YVIBBBHA8C] c:\users\saulto~1\appdata\local\temp\Afg.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
    mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
    mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
    mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    Trusted Zone: cinemanow.com
    Trusted Zone: qflix.com
    Trusted Zone: roxio.com
    Trusted Zone: sonic.com\redirect
    Trusted Zone: sonic.com\redirect2
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
    TCP: NameServer = 93.188.165.124,93.188.161.141
    TCP: {ECDF404D-0F9A-4D9F-95B6-5C95A22E57AC} = 93.188.165.124,93.188.161.141
    AppInit_DLLs: acaptuser32.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-10-1 38432]
    R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-10-30 21488]
    R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-10-30 15856]
    R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-10-30 25584]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
    R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
    R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 153448]
    R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-21 987648]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-21 251904]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-25 183880]
    S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

    =============== Created Last 30 ================

    2010-04-19 09:56:01 0 d-----w- c:\program files\TrendMicro
    2010-04-19 09:22:52 0 d-----w- c:\users\saulto~1\appdata\roaming\Safer Networking
    2010-04-18 08:37:10 37 ----a-w- c:\windows\wininit.ini
    2010-04-17 15:02:38 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-04-17 15:02:38 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-17 14:28:40 58262028288 ----a-w- C:\bst1.tmp
    2010-04-16 12:06:47 0 d-----w- c:\users\saulto~1\appdata\roaming\DameWare Development
    2010-04-16 12:05:42 0 d-----w- c:\program files\DameWare Development
    2010-04-14 13:38:19 64 ----a-w- c:\windows\system32\rp_stats.dat
    2010-04-14 13:38:19 44 ----a-w- c:\windows\system32\statistics.dat
    2010-04-14 13:38:19 44 ----a-w- c:\windows\system32\rp_rules.dat
    2010-04-12 20:59:59 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2010-04-12 20:56:10 0 d-----w- c:\windows\pss

    ==================== Find3M ====================

    2010-04-12 11:21:13 291352 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-11 20:20:43 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-11 20:20:42 86016 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-11 20:20:42 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-10-01 13:40:32 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-14 22:05:09 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-10-14 22:07:08 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 20:25:39.32 ===============

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again,

    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu, select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Apr 2010
    Posts
    13

    As requested

    ComboFix 10-04-21.01 - Saul Todd 22/04/2010 9:24.1.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3071.2165 [GMT 1:00]
    Running from: c:\users\Saul Todd\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-682003330-1767777339-1644491937-1003

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
    .

    2010-04-22 08:37 . 2010-04-22 08:38 -------- d-----w- c:\users\Saul Todd\AppData\Local\temp
    2010-04-22 08:37 . 2010-04-22 08:37 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-19 09:56 . 2010-04-19 09:56 388096 ----a-r- c:\users\Saul Todd\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-04-19 09:56 . 2010-04-19 09:56 -------- d-----w- c:\program files\TrendMicro
    2010-04-19 09:22 . 2010-04-19 09:22 -------- d-----w- c:\users\Saul Todd\AppData\Roaming\Safer Networking
    2010-04-17 15:02 . 2010-04-19 16:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-04-17 15:02 . 2010-04-17 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-16 12:06 . 2010-04-16 12:07 -------- d-----w- c:\users\Saul Todd\AppData\Roaming\DameWare Development
    2010-04-16 12:05 . 2010-04-16 12:05 70144 ----a-r- c:\users\Saul Todd\AppData\Roaming\Microsoft\Installer\{EA98753C-CB1C-4216-AC09-7EC3D3F62BAF}\IconA2E65BCA.exe
    2010-04-16 12:05 . 2010-04-16 12:05 39936 ----a-r- c:\users\Saul Todd\AppData\Roaming\Microsoft\Installer\{EA98753C-CB1C-4216-AC09-7EC3D3F62BAF}\Icon1DEF20221.exe
    2010-04-16 12:05 . 2010-04-16 12:05 -------- d-----w- c:\program files\DameWare Development
    2010-04-14 13:38 . 2010-04-14 14:35 64 ----a-w- c:\windows\system32\rp_stats.dat
    2010-04-14 13:38 . 2010-04-14 14:35 44 ----a-w- c:\windows\system32\statistics.dat
    2010-04-14 13:38 . 2010-04-14 14:35 44 ----a-w- c:\windows\system32\rp_rules.dat
    2010-04-12 20:59 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-21 17:17 . 2009-10-08 22:04 -------- d-----w- c:\program files\Lavasoft
    2010-04-19 13:48 . 2009-11-12 13:27 -------- d-----w- c:\users\Saul Todd\AppData\Roaming\uTorrent
    2010-04-18 19:55 . 2009-10-30 14:39 -------- d-----w- c:\programdata\Sonic
    2010-04-17 15:46 . 2010-04-17 14:28 58262028288 ----a-w- C:\bst1.tmp
    2010-04-14 11:29 . 2009-10-08 22:04 -------- d-----w- c:\programdata\Lavasoft
    2010-04-12 20:51 . 2009-10-08 21:50 165232 ---ha-w- c:\users\Saul Todd\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
    2010-04-12 11:21 . 2009-07-24 11:26 291352 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-02-23 06:39 . 2010-04-12 10:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33 . 2010-04-12 10:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 06:33 . 2010-04-12 10:55 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 04:55 . 2010-04-12 10:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:06 . 2010-03-20 10:37 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-20 10:37 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-20 10:37 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-02-09 12:44 . 2009-06-29 13:12 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
    2010-02-09 12:44 . 2009-06-29 13:12 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
    2010-02-08 13:10 . 2009-10-01 00:16 132 ----a-w- c:\windows\system32\rezumatenoi.dat
    2010-01-23 09:26 . 2010-02-24 12:59 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegistryMechanic"="c:\program files\Registry Mechanic\rmtray.exe" [2008-07-03 812952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-11-03 71152]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-04-12 1123360]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
    "CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
    "Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Users^Saul Todd^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Virtual PC.lnk]
    backup=c:\windows\pss\Microsoft Virtual PC.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):d5,3a,e2,bd,9d,42,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-15349771-4125905718-287272030-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [2009-07-24 219632]
    R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2009-11-03 183880]
    R3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [2009-07-24 1116656]
    S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-04-27 38432]
    S0 SahdIa32;HDD Filter Driver;c:\windows\System32\Drivers\SahdIa32.sys [2009-06-02 21488]
    S0 SaibIa32;Volume Filter Driver;c:\windows\System32\Drivers\SaibIa32.sys [2009-06-02 15856]
    S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVd32.sys [2009-06-02 25584]
    S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2009-06-02 457200]
    S2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2009-06-23 127352]
    S3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [2010-02-09 153448]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-21 c:\windows\Tasks\User_Feed_Synchronization-{1F1A6B42-92FD-4347-94DE-52F7AFB49F8E}.job
    - c:\windows\system32\msfeedssync.exe [2010-04-12 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: cinemanow.com
    Trusted Zone: qflix.com
    Trusted Zone: roxio.com
    Trusted Zone: sonic.com\redirect
    Trusted Zone: sonic.com\redirect2
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-Cmaudio - cmicnfg.cpl



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-22 09:38
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8602C8C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x8a9d8d24
    \Driver\ACPI -> acpi.sys @ 0x8a24cd68
    \Driver\atapi -> atapi.sys @ 0x8a3569b0
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-22 09:43:23
    ComboFix-quarantined-files.txt 2010-04-22 08:43

    Pre-Run: 731,303,936 bytes free
    Post-Run: 439,390,208 bytes free

    - - End Of File - - C1F1F1D86273B251AE67D6DDF7129FF3





    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Saul Todd at 9:50:28.04 on 22/04/2010
    Internet Explorer: 8.0.6001.18904
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3071.2230 [GMT 1:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
    C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\RealVNC\VNC4\winvnc4.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Saul Todd\Desktop\dds.com
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
    mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
    mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
    mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    Trusted Zone: cinemanow.com
    Trusted Zone: qflix.com
    Trusted Zone: roxio.com
    Trusted Zone: sonic.com\redirect
    Trusted Zone: sonic.com\redirect2
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
    AppInit_DLLs: c:\windows\system32\acaptuser32.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-10-1 38432]
    R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-10-30 21488]
    R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-10-30 15856]
    R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-10-30 25584]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
    R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
    R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 153448]
    R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-21 987648]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-21 251904]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-25 183880]
    S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

    =============== Created Last 30 ================

    2010-04-22 08:43:36 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-22 08:18:09 98816 ----a-w- c:\windows\sed.exe
    2010-04-22 08:18:09 77312 ----a-w- c:\windows\MBR.exe
    2010-04-22 08:18:09 261632 ----a-w- c:\windows\PEV.exe
    2010-04-22 08:18:09 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-22 08:17:56 0 d-----w- C:\ComboFix
    2010-04-19 09:56:01 0 d-----w- c:\program files\TrendMicro
    2010-04-19 09:22:52 0 d-----w- c:\users\saulto~1\appdata\roaming\Safer Networking
    2010-04-18 08:37:10 37 ----a-w- c:\windows\wininit.ini
    2010-04-17 15:02:38 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-04-17 15:02:38 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-17 14:28:40 58262028288 ----a-w- C:\bst1.tmp
    2010-04-16 12:06:47 0 d-----w- c:\users\saulto~1\appdata\roaming\DameWare Development
    2010-04-16 12:05:42 0 d-----w- c:\program files\DameWare Development
    2010-04-14 13:38:19 64 ----a-w- c:\windows\system32\rp_stats.dat
    2010-04-14 13:38:19 44 ----a-w- c:\windows\system32\statistics.dat
    2010-04-14 13:38:19 44 ----a-w- c:\windows\system32\rp_rules.dat
    2010-04-12 20:59:59 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2010-04-12 20:56:10 0 d-----w- c:\windows\pss

    ==================== Find3M ====================

    2010-04-12 11:21:13 291352 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-11 20:20:43 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-11 20:20:42 86016 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-11 20:20:42 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-10-01 13:40:32 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-14 22:05:09 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-10-14 22:07:08 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 9:51:15.47 ===============
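
A small triage script for DDS output, added here as an example (it is not one of the tools the helper asks for and not part of the thread). It reads lines in the "Pseudo HJT Report" and "Created Last 30" formats shown above and flags the items a malware-removal helper would query: a policy that switches UAC off, an AppInit_DLLs entry, a hosts-file entry that sinks a security site, Trusted Zone additions, and any recently created file over 1 GiB (the posted log has a 58,262,028,288-byte C:\bst1.tmp). The sample lines are copied from the log above; the 1 GiB threshold, the severity labels and the site-name hints are my own choices.

```python
"""Triage a DDS "Pseudo HJT Report" / "Created Last 30" listing.

Added example; the sample below is a constructed excerpt of the DDS log
posted in this thread, and the thresholds are the example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log above.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.co.uk/
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: cinemanow.com
Trusted Zone: sonic.com\redirect
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
2010-04-17 15:02:38 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 14:28:40 58262028288 ----a-w- C:\bst1.tmp
2010-04-12 20:59:59 293376 ----a-w- c:\windows\system32\browserchoice.exe
"""

# Policy values of 0 that weaken the platform's own protections.
WEAKENING_POLICIES = {
    "EnableLUA": "UAC disabled; every administrator logon runs fully elevated",
}
# Hosts entries pointing these names at loopback block security sites.
SECURITY_SITE_HINTS = ("spyware", "antivirus", "malware", "security")
LARGE_FILE_BYTES = 1 << 30  # 1 GiB (example threshold)

POLICY_RE = re.compile(r"^[mu]Policies-\w+: (\w+) = (\d+)")
# "YYYY-MM-DD HH:MM:SS <size> <8 attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str
    note: str


def triage_dds(text: str) -> list[Finding]:
    """Return findings in log order; lines with nothing to flag are skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("mPolicies-", "uPolicies-")):
            m = POLICY_RE.match(line)
            if m and m.group(1) in WEAKENING_POLICIES and m.group(2) == "0":
                findings.append(Finding("high", line, WEAKENING_POLICIES[m.group(1)]))
        elif line.startswith("AppInit_DLLs:"):
            findings.append(Finding(
                "medium", line,
                "DLL loaded into every process that maps user32.dll; verify publisher"))
        elif line.startswith("Hosts:"):
            parts = line.split()
            if (len(parts) >= 3 and parts[1] in ("127.0.0.1", "0.0.0.0")
                    and any(h in parts[2].lower() for h in SECURITY_SITE_HINTS)):
                findings.append(Finding("high", line, "hosts file blocks a security site"))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding(
                "info", line, "site runs with relaxed IE security; confirm the user added it"))
        else:
            m = CREATED_RE.match(line)
            # Directories report size 0 and a leading "d" flag; skip them.
            if m and not m.group(3).startswith("d"):
                size = int(m.group(2))
                if size >= LARGE_FILE_BYTES:
                    findings.append(Finding(
                        "medium", line,
                        f"{size / (1 << 30):.1f} GiB file created in the last 30 days"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.note}\n         {f.line}")
```

On the sample the script reports the EnableLUA policy and the spywareinfo.com hosts entry as high, the AppInit_DLLs line and the 54.3 GiB C:\bst1.tmp as medium, and the two Trusted Zone sites as informational; everything else in the excerpt is left alone.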

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,


    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab, uncheck the Files option and then click Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy. This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.


    ---


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\rezumatenoi.dat
    Folder::
    c:\users\Saul Todd\AppData\Roaming\uTorrent
    FileLook::
    C:\bst1.tmp

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform a quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.



    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Apr 2010
    Posts
    13

    Default As Requested

    Attached files

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
    2. Execute the file TDSSKiller.exe and wait for the process to finish.
    3. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

  9. #9
    Junior Member
    Join Date
    Apr 2010
    Posts
    13

    Default as requested

    My hard drive is full but I don't have anything on there, 93 gig full.

    13:47:33:640 0836 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    13:47:33:641 0836 ================================================================================
    13:47:33:641 0836 SystemInfo:

    13:47:33:641 0836 OS Version: 6.0.6002 ServicePack: 2.0
    13:47:33:641 0836 Product type: Workstation
    13:47:33:642 0836 ComputerName: PC
    13:47:33:642 0836 UserName: Saul Todd
    13:47:33:642 0836 Windows directory: C:\Windows
    13:47:33:642 0836 Processor architecture: Intel x86
    13:47:33:642 0836 Number of processors: 2
    13:47:33:642 0836 Page size: 0x1000
    13:47:33:646 0836 Boot type: Normal boot
    13:47:33:646 0836 ================================================================================
    13:47:33:654 0836 UnloadDriverW: NtUnloadDriver error 2
    13:47:33:654 0836 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    13:47:41:823 0836 wfopen_ex: Trying to open file C:\Windows\system32\config\system
    13:47:41:824 0836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    13:47:41:824 0836 wfopen_ex: Trying to KLMD file open
    13:47:41:824 0836 wfopen_ex: File opened ok (Flags 2)
    13:47:41:833 0836 wfopen_ex: Trying to open file C:\Windows\system32\config\software
    13:47:41:833 0836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    13:47:41:834 0836 wfopen_ex: Trying to KLMD file open
    13:47:41:834 0836 wfopen_ex: File opened ok (Flags 2)
    13:47:41:834 0836 Initialize success
    13:47:41:834 0836
    13:47:41:834 0836 Scanning Services ...
    13:47:42:591 0836 Raw services enum returned 425 services
    13:47:42:604 0836
    13:47:42:605 0836 Scanning Kernel memory ...
    13:47:42:606 0836 Devices to scan: 6
    13:47:42:607 0836
    13:47:42:607 0836 Driver Name: USBSTOR
    13:47:42:607 0836 IRP_MJ_CREATE : 8FE11FC8
    13:47:42:607 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
    13:47:42:607 0836 IRP_MJ_CLOSE : 8FE12040
    13:47:42:607 0836 IRP_MJ_READ : 8FE120B8
    13:47:42:607 0836 IRP_MJ_WRITE : 8FE120B8
    13:47:42:607 0836 IRP_MJ_QUERY_INFORMATION : 81CC9787
    13:47:42:607 0836 IRP_MJ_SET_INFORMATION : 81CC9787
    13:47:42:607 0836 IRP_MJ_QUERY_EA : 81CC9787
    13:47:42:607 0836 IRP_MJ_SET_EA : 81CC9787
    13:47:42:607 0836 IRP_MJ_FLUSH_BUFFERS : 81CC9787
    13:47:42:608 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 81CC9787
    13:47:42:608 0836 IRP_MJ_SET_VOLUME_INFORMATION : 81CC9787
    13:47:42:608 0836 IRP_MJ_DIRECTORY_CONTROL : 81CC9787
    13:47:42:608 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 81CC9787
    13:47:42:608 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
    13:47:42:608 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8FE057E4
    13:47:42:608 0836 IRP_MJ_SHUTDOWN : 81CC9787
    13:47:42:608 0836 IRP_MJ_LOCK_CONTROL : 81CC9787
    13:47:42:608 0836 IRP_MJ_CLEANUP : 81CC9787
    13:47:42:608 0836 IRP_MJ_CREATE_MAILSLOT : 81CC9787
    13:47:42:608 0836 IRP_MJ_QUERY_SECURITY : 81CC9787
    13:47:42:608 0836 IRP_MJ_SET_SECURITY : 81CC9787
    13:47:42:608 0836 IRP_MJ_POWER : 8FE1059C
    13:47:42:608 0836 IRP_MJ_SYSTEM_CONTROL : 8FE0D7A2
    13:47:42:608 0836 IRP_MJ_DEVICE_CHANGE : 81CC9787
    13:47:42:608 0836 IRP_MJ_QUERY_QUOTA : 81CC9787
    13:47:42:608 0836 IRP_MJ_SET_QUOTA : 81CC9787
    13:47:42:629 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    13:47:42:629 0836
    13:47:42:629 0836 Driver Name: USBSTOR
    13:47:42:629 0836 IRP_MJ_CREATE : 8FE11FC8
    13:47:42:629 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
    13:47:42:629 0836 IRP_MJ_CLOSE : 8FE12040
    13:47:42:629 0836 IRP_MJ_READ : 8FE120B8
    13:47:42:630 0836 IRP_MJ_WRITE : 8FE120B8
    13:47:42:630 0836 IRP_MJ_QUERY_INFORMATION : 81CC9787
    13:47:42:630 0836 IRP_MJ_SET_INFORMATION : 81CC9787
    13:47:42:630 0836 IRP_MJ_QUERY_EA : 81CC9787
    13:47:42:630 0836 IRP_MJ_SET_EA : 81CC9787
    13:47:42:630 0836 IRP_MJ_FLUSH_BUFFERS : 81CC9787
    13:47:42:630 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 81CC9787
    13:47:42:630 0836 IRP_MJ_SET_VOLUME_INFORMATION : 81CC9787
    13:47:42:630 0836 IRP_MJ_DIRECTORY_CONTROL : 81CC9787
    13:47:42:630 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 81CC9787
    13:47:42:630 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
    13:47:42:630 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8FE057E4
    13:47:42:630 0836 IRP_MJ_SHUTDOWN : 81CC9787
    13:47:42:630 0836 IRP_MJ_LOCK_CONTROL : 81CC9787
    13:47:42:631 0836 IRP_MJ_CLEANUP : 81CC9787
    13:47:42:631 0836 IRP_MJ_CREATE_MAILSLOT : 81CC9787
    13:47:42:631 0836 IRP_MJ_QUERY_SECURITY : 81CC9787
    13:47:42:631 0836 IRP_MJ_SET_SECURITY : 81CC9787
    13:47:42:631 0836 IRP_MJ_POWER : 8FE1059C
    13:47:42:631 0836 IRP_MJ_SYSTEM_CONTROL : 8FE0D7A2
    13:47:42:631 0836 IRP_MJ_DEVICE_CHANGE : 81CC9787
    13:47:42:631 0836 IRP_MJ_QUERY_QUOTA : 81CC9787
    13:47:42:631 0836 IRP_MJ_SET_QUOTA : 81CC9787
    13:47:42:636 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    13:47:42:637 0836
    13:47:42:637 0836 Driver Name: USBSTOR
    13:47:42:637 0836 IRP_MJ_CREATE : 8FE11FC8
    13:47:42:637 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
    13:47:42:637 0836 IRP_MJ_CLOSE : 8FE12040
    13:47:42:637 0836 IRP_MJ_READ : 8FE120B8
    13:47:42:637 0836 IRP_MJ_WRITE : 8FE120B8
    13:47:42:637 0836 IRP_MJ_QUERY_INFORMATION : 81CC9787
    13:47:42:637 0836 IRP_MJ_SET_INFORMATION : 81CC9787
    13:47:42:637 0836 IRP_MJ_QUERY_EA : 81CC9787
    13:47:42:637 0836 IRP_MJ_SET_EA : 81CC9787
    13:47:42:637 0836 IRP_MJ_FLUSH_BUFFERS : 81CC9787
    13:47:42:637 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 81CC9787
    13:47:42:638 0836 IRP_MJ_SET_VOLUME_INFORMATION : 81CC9787
    13:47:42:638 0836 IRP_MJ_DIRECTORY_CONTROL : 81CC9787
    13:47:42:638 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 81CC9787
    13:47:42:638 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
    13:47:42:638 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8FE057E4
    13:47:42:638 0836 IRP_MJ_SHUTDOWN : 81CC9787
    13:47:42:638 0836 IRP_MJ_LOCK_CONTROL : 81CC9787
    13:47:42:638 0836 IRP_MJ_CLEANUP : 81CC9787
    13:47:42:638 0836 IRP_MJ_CREATE_MAILSLOT : 81CC9787
    13:47:42:638 0836 IRP_MJ_QUERY_SECURITY : 81CC9787
    13:47:42:638 0836 IRP_MJ_SET_SECURITY : 81CC9787
    13:47:42:638 0836 IRP_MJ_POWER : 8FE1059C
    13:47:42:638 0836 IRP_MJ_SYSTEM_CONTROL : 8FE0D7A2
    13:47:42:638 0836 IRP_MJ_DEVICE_CHANGE : 81CC9787
    13:47:42:638 0836 IRP_MJ_QUERY_QUOTA : 81CC9787
    13:47:42:638 0836 IRP_MJ_SET_QUOTA : 81CC9787
    13:47:42:644 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    13:47:42:644 0836
    13:47:42:644 0836 Driver Name: USBSTOR
    13:47:42:644 0836 IRP_MJ_CREATE : 8FE11FC8
    13:47:42:644 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
    13:47:42:644 0836 IRP_MJ_CLOSE : 8FE12040
    13:47:42:644 0836 IRP_MJ_READ : 8FE120B8
    13:47:42:644 0836 IRP_MJ_WRITE : 8FE120B8
    13:47:42:644 0836 IRP_MJ_QUERY_INFORMATION : 81CC9787
    13:47:42:644 0836 IRP_MJ_SET_INFORMATION : 81CC9787
    13:47:42:644 0836 IRP_MJ_QUERY_EA : 81CC9787
    13:47:42:645 0836 IRP_MJ_SET_EA : 81CC9787
    13:47:42:645 0836 IRP_MJ_FLUSH_BUFFERS : 81CC9787
    13:47:42:645 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 81CC9787
    13:47:42:645 0836 IRP_MJ_SET_VOLUME_INFORMATION : 81CC9787
    13:47:42:645 0836 IRP_MJ_DIRECTORY_CONTROL : 81CC9787
    13:47:42:645 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 81CC9787
    13:47:42:645 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
    13:47:42:645 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8FE057E4
    13:47:42:645 0836 IRP_MJ_SHUTDOWN : 81CC9787
    13:47:42:645 0836 IRP_MJ_LOCK_CONTROL : 81CC9787
    13:47:42:645 0836 IRP_MJ_CLEANUP : 81CC9787
    13:47:42:645 0836 IRP_MJ_CREATE_MAILSLOT : 81CC9787
    13:47:42:645 0836 IRP_MJ_QUERY_SECURITY : 81CC9787
    13:47:42:645 0836 IRP_MJ_SET_SECURITY : 81CC9787
    13:47:42:646 0836 IRP_MJ_POWER : 8FE1059C
    13:47:42:646 0836 IRP_MJ_SYSTEM_CONTROL : 8FE0D7A2
    13:47:42:646 0836 IRP_MJ_DEVICE_CHANGE : 81CC9787
    13:47:42:646 0836 IRP_MJ_QUERY_QUOTA : 81CC9787
    13:47:42:646 0836 IRP_MJ_SET_QUOTA : 81CC9787
    13:47:42:651 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    13:47:42:651 0836
    13:47:42:652 0836 Driver Name: USBSTOR
    13:47:42:652 0836 IRP_MJ_CREATE : 8FE11FC8
    13:47:42:652 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
    13:47:42:652 0836 IRP_MJ_CLOSE : 8FE12040
    13:47:42:652 0836 IRP_MJ_READ : 8FE120B8
    13:47:42:652 0836 IRP_MJ_WRITE : 8FE120B8
    13:47:42:652 0836 IRP_MJ_QUERY_INFORMATION : 81CC9787
    13:47:42:652 0836 IRP_MJ_SET_INFORMATION : 81CC9787
    13:47:42:652 0836 IRP_MJ_QUERY_EA : 81CC9787
    13:47:42:652 0836 IRP_MJ_SET_EA : 81CC9787
    13:47:42:652 0836 IRP_MJ_FLUSH_BUFFERS : 81CC9787
    13:47:42:652 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 81CC9787
    13:47:42:652 0836 IRP_MJ_SET_VOLUME_INFORMATION : 81CC9787
    13:47:42:652 0836 IRP_MJ_DIRECTORY_CONTROL : 81CC9787
    13:47:42:652 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 81CC9787
    13:47:42:652 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
    13:47:42:652 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8FE057E4
    13:47:42:653 0836 IRP_MJ_SHUTDOWN : 81CC9787
    13:47:42:653 0836 IRP_MJ_LOCK_CONTROL : 81CC9787
    13:47:42:653 0836 IRP_MJ_CLEANUP : 81CC9787
    13:47:42:653 0836 IRP_MJ_CREATE_MAILSLOT : 81CC9787
    13:47:42:653 0836 IRP_MJ_QUERY_SECURITY : 81CC9787
    13:47:42:653 0836 IRP_MJ_SET_SECURITY : 81CC9787
    13:47:42:653 0836 IRP_MJ_POWER : 8FE1059C
    13:47:42:653 0836 IRP_MJ_SYSTEM_CONTROL : 8FE0D7A2
    13:47:42:653 0836 IRP_MJ_DEVICE_CHANGE : 81CC9787
    13:47:42:653 0836 IRP_MJ_QUERY_QUOTA : 81CC9787
    13:47:42:653 0836 IRP_MJ_SET_QUOTA : 81CC9787
    13:47:42:658 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    13:47:42:659 0836
    13:47:42:659 0836 Driver Name: atapi
    13:47:42:659 0836 IRP_MJ_CREATE : 8A3569B0
    13:47:42:659 0836 IRP_MJ_CREATE_NAMED_PIPE : 8A3569B0
    13:47:42:659 0836 IRP_MJ_CLOSE : 8A3569B0
    13:47:42:659 0836 IRP_MJ_READ : 8A3569B0
    13:47:42:659 0836 IRP_MJ_WRITE : 8A3569B0
    13:47:42:659 0836 IRP_MJ_QUERY_INFORMATION : 8A3569B0
    13:47:42:659 0836 IRP_MJ_SET_INFORMATION : 8A3569B0
    13:47:42:659 0836 IRP_MJ_QUERY_EA : 8A3569B0
    13:47:42:659 0836 IRP_MJ_SET_EA : 8A3569B0
    13:47:42:659 0836 IRP_MJ_FLUSH_BUFFERS : 8A3569B0
    13:47:42:659 0836 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A3569B0
    13:47:42:659 0836 IRP_MJ_SET_VOLUME_INFORMATION : 8A3569B0
    13:47:42:659 0836 IRP_MJ_DIRECTORY_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_FILE_SYSTEM_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_DEVICE_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_SHUTDOWN : 8A3569B0
    13:47:42:660 0836 IRP_MJ_LOCK_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_CLEANUP : 8A3569B0
    13:47:42:660 0836 IRP_MJ_CREATE_MAILSLOT : 8A3569B0
    13:47:42:660 0836 IRP_MJ_QUERY_SECURITY : 8A3569B0
    13:47:42:660 0836 IRP_MJ_SET_SECURITY : 8A3569B0
    13:47:42:660 0836 IRP_MJ_POWER : 8A3569B0
    13:47:42:660 0836 IRP_MJ_SYSTEM_CONTROL : 8A3569B0
    13:47:42:660 0836 IRP_MJ_DEVICE_CHANGE : 8A3569B0
    13:47:42:660 0836 IRP_MJ_QUERY_QUOTA : 8A3569B0
    13:47:42:660 0836 IRP_MJ_SET_QUOTA : 8A3569B0
    13:47:42:660 0836 Driver "atapi" infected by TDSS rootkit!
    13:47:42:673 0836 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
    13:47:42:674 0836 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
    13:47:42:675 0836 Processing driver file: C:\Windows\system32\drivers\atapi.sys
    13:47:42:990 0836 vfvi6
    13:47:43:147 0836 dsvbh1
    13:47:43:368 0836 fdfb1
    13:47:43:368 0836 Backup copy found, using it..
    13:47:43:378 0836 will be cured on next reboot
    13:47:43:379 0836 Reboot required for cure complete..
    13:47:43:389 0836 Cure on reboot scheduled successfully
    13:47:43:390 0836
    13:47:43:390 0836 Completed
    13:47:43:390 0836
    13:47:43:391 0836 Results:
    13:47:43:391 0836 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    13:47:43:392 0836 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    13:47:43:392 0836 File objects infected / cured / cured on reboot: 1 / 0 / 1
    13:47:43:393 0836
    13:47:43:394 0836 fclose_ex: Trying to close file C:\Windows\system32\config\system
    13:47:43:395 0836 fclose_ex: Trying to close file C:\Windows\system32\config\software
    13:47:43:395 0836 UnloadDriverW: NtUnloadDriver error 1
    13:47:43:397 0836 KLMD(ARK) unloaded successfully
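
To read a TDSSKiller log like the one above without scrolling through every dispatch table, here is a parser added as an example (my code, not TDSSKiller's and not part of the thread). It collects each driver's IRP_MJ_* handler addresses, the "infected by TDSS rootkit" lines and the Results counters, notes whether a reboot-time cure is pending, and applies one heuristic that the atapi block above illustrates: a dispatch table whose every entry points at a single address (8A3569B0 for atapi, while USBSTOR's table has several distinct handlers). The sample is a constructed excerpt of the posted log; the heuristic and its caveat are the example's own.

```python
"""Summarise a TDSSKiller log: drivers scanned, dispatch tables that look
hooked, infection verdicts and whether a reboot-time cure is pending.

Added example, not TDSSKiller's code; SAMPLE_LOG is a constructed excerpt
of the log posted above.
"""
from __future__ import annotations

import re

SAMPLE_LOG = r"""
13:47:42:607 0836 Driver Name: USBSTOR
13:47:42:607 0836 IRP_MJ_CREATE : 8FE11FC8
13:47:42:607 0836 IRP_MJ_CREATE_NAMED_PIPE : 81CC9787
13:47:42:607 0836 IRP_MJ_CLOSE : 8FE12040
13:47:42:608 0836 IRP_MJ_DEVICE_CONTROL : 8FE11BC4
13:47:42:629 0836 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:47:42:629 0836
13:47:42:659 0836 Driver Name: atapi
13:47:42:659 0836 IRP_MJ_CREATE : 8A3569B0
13:47:42:659 0836 IRP_MJ_CREATE_NAMED_PIPE : 8A3569B0
13:47:42:659 0836 IRP_MJ_CLOSE : 8A3569B0
13:47:42:660 0836 IRP_MJ_DEVICE_CONTROL : 8A3569B0
13:47:42:660 0836 Driver "atapi" infected by TDSS rootkit!
13:47:42:673 0836 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
13:47:43:379 0836 Reboot required for cure complete..
13:47:43:391 0836 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:47:43:392 0836 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:47:43:392 0836 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# "HH:MM:SS:mmm <pid> <message>"; the message may be empty.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} [0-9A-Fa-f]+ ?(.*)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')
RESULT_RE = re.compile(
    r"^(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


def parse_tdsskiller(text: str) -> dict:
    drivers: dict[str, dict] = {}
    results: dict[str, tuple[int, int, int]] = {}
    reported_infected: list[str] = []
    reboot_required = False
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Driver Name: "):
            # The same driver is listed once per device object it owns
            # (USBSTOR appears five times above); merge those blocks.
            name = msg[len("Driver Name: "):]
            current = drivers.setdefault(
                name, {"handlers": {}, "path": None, "verdict": None})
        elif (irp := IRP_RE.match(msg)) and current is not None:
            current["handlers"][irp.group(1)] = irp.group(2).upper()
        elif (inf := INFECTED_RE.match(msg)):
            reported_infected.append(inf.group(1))
        elif (ver := VERDICT_RE.match(msg)) and current is not None:
            current["path"] = ver.group(1)
            current["verdict"] = int(ver.group(2))  # code as reported by the tool
        elif (res := RESULT_RE.match(msg)):
            results[res.group(1)] = tuple(int(x) for x in res.group(2, 3, 4))
        elif msg.startswith("Reboot required"):
            reboot_required = True
    # A pending reboot cure also shows in the third Results column.
    if any(r[2] > 0 for r in results.values()):
        reboot_required = True
    return {"drivers": drivers, "results": results,
            "reported_infected": reported_infected,
            "reboot_required": reboot_required}


def single_handler_tables(drivers: dict[str, dict]) -> list[str]:
    """Heuristic: drivers whose every recorded IRP_MJ_* entry points to one
    address.  atapi above shows this (every entry 8A3569B0) while USBSTOR
    has several distinct handlers.  Some legitimate pass-through drivers
    look the same, so a hit is something to verify, not a verdict."""
    return sorted(name for name, d in drivers.items()
                  if len(d["handlers"]) > 1
                  and len(set(d["handlers"].values())) == 1)


if __name__ == "__main__":
    summary = parse_tdsskiller(SAMPLE_LOG)
    print("scanned:", sorted(summary["drivers"]))
    print("reported infected:", summary["reported_infected"])
    print("single-handler tables:", single_handler_tables(summary["drivers"]))
    print("reboot required:", summary["reboot_required"])
```

On the excerpt the parser returns two drivers, names atapi as both reported infected and the only single-handler table, reads the File counters as 1 infected / 0 cured / 1 cured on reboot, and reports the pending reboot, which is why the helper's next instruction is to reboot before scanning again.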

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Reboot and run GMER again.

    Are you familiar with the C:\bst1.tmp file? It seems to take well over half of your C: drive space.
