
Thread: All browsers hijacked - redirecting search links

  1. #1
    Junior Member

    Hi,

    I have gone nearly 2 years without any significant infection because I am usually pretty careful. I know the exact moment when my PC became infected and admittedly it is because I was stupid.

    I have a fair amount of up front info that may help narrow down the issue. I was opening a downloaded movie (yes, file sharing) and was prompted for a codec. I have had to get codecs before so I thought no big deal, it changed from 'codec needed' to 'licensing service' in the Windows Media status as the download/install started. I went to my task bar and tried to close the setup window but it wouldn't close until after several tries of stopping the setup.exe service.

    I can usually sort out bad things in the HJT log, but I am not seeing anything. Malwarebytes and Spybot each found a couple trackers and something they thought were trojans but fixing them did nothing for the problem. I also did a system restore, which is usually the failsafe but it didn't help.

    It appears to affect the 3 browsers I commonly use - IE8, Firefox, and Chrome. It mainly affects search engine result links. Even links to very well known sites like my personal home page get redirected to ad lists and other oddball searches. If I do a search and right click on the link and use open in new tab, I don't appear to get redirected in IE. It also doesn't do anything if the address is typed or pasted into the address bar.

    Here are a couple of the sites it redirects to:

    alibaba.com
    reliableheat.com

    I have read the "read this first" thread. I am running XP SP3. I use BitDefender 9 for Antivirus/Firewall (paid version). I have Spybot S&D w/ TeaTimer but admittedly only picked it up after this problem occurred. I also have Kaspersky but only picked up the free virus scan to see if it would find something that BitDefender missed. I don't run them together.

    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:29:37 PM, on 11/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\JL2005A\cam_mon.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Software_Downloads\Antivirus\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsour...ad/cscmv5X.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147699052265
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
    O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service (file missing)


    Any help is greatly appreciated. I thought I was pretty good at this stuff until now.

    Sorry, I just realized my HJT was out of date:

    Here's a scan with the new version ...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:52:28 PM, on 11/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\JL2005A\cam_mon.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Policies\Explorer\Run: [{442E26B2-0AE9-1033-0203-060506210001}] "C:\Program Files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsour...ad/cscmv5X.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147699052265
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

    --
    End of file - 10594 bytes
    Last edited by tashi; 2009-11-26 at 06:00. Reason: Merged two posts
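As an added example for triaging the two HijackThis logs above (not part of the original post, and not HijackThis code), this Python script parses the R/O entries of two logs, reports what appeared between them, and flags autostart entries worth a second look. The embedded log excerpts are constructed from lines quoted in this post, and the heuristics are the editor's own, so a flag is a prompt to verify, not a verdict.

```python
"""Diff two HijackThis logs and flag suspicious autostart entries.

Added example for this thread; not part of the original post or of
HijackThis. The heuristics below are the editor's, not HJT output.
"""
import re
from collections import defaultdict

# Constructed excerpts: a few lines taken from the OP's first (v1.99.1)
# and second (v2.0.2) logs, captured about 20 minutes apart.
LOG_FIRST = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

LOG_SECOND = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{442E26B2-0AE9-1033-0203-060506210001}] "C:\Program Files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# An HJT entry line: section tag (R0, O2, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Return {section: set(entry body)} for the R/O lines of an HJT log."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("sec")].add(m.group("body"))
    return entries


def diff_logs(old_text, new_text):
    """Entries present only in the newer log, and entries present only in the older."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added = {s: sorted(new[s] - old.get(s, set()))
             for s in new if new[s] - old.get(s, set())}
    removed = {s: sorted(old[s] - new.get(s, set()))
               for s in old if old[s] - new.get(s, set())}
    return added, removed


def flag_entry(section, body):
    """Heuristic reasons an entry deserves review (a prompt, not a verdict)."""
    reasons = []
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("BHO registered with no backing file")
    if section == "O4":
        if "Policies\\Explorer\\Run" in body:
            reasons.append("Policies\\Explorer\\Run autostart (rarely used by legitimate software)")
        name = re.search(r"\[(.*?)\]", body)
        if name and GUID_RE.fullmatch(name.group(1)):
            reasons.append("Run entry named by a bare GUID")
        if re.search(r"Common Files\\\{", body):
            reasons.append("executable lives in a GUID-named folder under Common Files")
    return reasons


def triage(old_text, new_text):
    """Flagged entries of the newer log, marking which appeared since the older log."""
    added, _ = diff_logs(old_text, new_text)
    new = parse_hjt(new_text)
    findings = []
    for sec in sorted(new):
        for body in sorted(new[sec]):
            reasons = flag_entry(sec, body)
            if reasons:
                findings.append({"section": sec, "entry": body,
                                 "new": body in added.get(sec, []),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(LOG_FIRST, LOG_SECOND):
        marker = "NEW" if f["new"] else "   "
        print(f"{marker} {f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```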

  2. #2
    Emeritus- Malware Team

    Hi j_global and welcome to the forums here at Spybot S&D.

    Based on what I see (or don't see) it's most likely a rootkit. Let's get a couple more scans.

    Download DDS and save it to your desktop from here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.

    ~~~~~~~~~~~~~~~~~~~~~~

    Download This file. Note its name and save it to your root folder, such as C:\.

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    • Click on this link to see a list of programs that should be disabled.
    • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    • Allow the driver to load if asked.
    • You may be prompted to scan immediately if it detects rootkit activity.
    • If you are prompted to scan your system click "Yes" to begin the scan.
    • If not prompted, click the "Rootkit/Malware" tab.
    • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    • Select all drives that are connected to your system to be scanned.
    • Click the Scan button to begin. (Please be patient as it can take some time to complete)
    • When the scan is finished, click Save to save the scan results to your Desktop.
    • Save the file as Results.log and copy/paste the contents in your next reply.
    • Exit the program and re-enable all active protection when done.
    Last edited by IndiGenus; 2009-11-28 at 02:16.

  3. #3
    Junior Member
    DDS and Attach

    Here's the DDS:


    DDS (Ver_09-11-24.02) - NTFSx86
    Run by Global at 9:02:03.13 on Sat 11/28/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.298 [GMT -5:00]

    AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\JL2005A\cam_mon.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Global\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/
    uSearch Bar =
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\global\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [CAMMON_JL2005A] c:\program files\jl2005a\cam_mon
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
    mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uExplorerRun: [{442E26B2-0AE9-1033-0203-060506210001}] "c:\program files\common files\{442e26b2-0ae9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
    DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\global\applic~1\mozilla\firefox\profiles\kdpyzawl.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\mozilla firefox\components\FFComm.dll
    FF - plugin: c:\documents and settings\global\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [2009-11-22 148496]
    R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104456]
    S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [2006-4-13 19816]
    S2 FILESpy;FILESpy;\??\c:\program files\softwin\bitdefender9\filespy.sys --> c:\program files\softwin\bitdefender9\filespy.sys [?]
    S2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
    S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
    S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

    ============== File Associations ===============

    regfile="regedit.exe" "%1"

    =============== Created Last 30 ================

    2009-11-26 03:50:50 0 d-----w- c:\program files\HijackThis2
    2009-11-26 01:11:43 0 d-----w- c:\docume~1\global\applic~1\Malwarebytes
    2009-11-26 01:11:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 01:11:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 01:11:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-26 01:11:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-22 18:45:07 0 dc-h--w- c:\windows\ie8
    2009-11-22 16:03:47 0 d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-22 16:03:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-11-22 14:48:26 44435488 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-11-22 14:48:26 397976 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-11-22 14:48:01 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
    2009-11-18 04:49:01 0 d-----w- c:\windows\system32\wbem\Repository
    2009-11-09 13:05:39 15204352 ----a-w- c:\documents and settings\global\ntuser.bak
    2009-11-06 05:50:30 0 d-----w- C:\avd
    2009-11-06 05:04:13 38 ----a-w- c:\windows\AviSplitter.INI

    ==================== Find3M ====================

    2009-11-25 08:22:58 81984 ----a-w- c:\windows\system32\bdod.bin
    2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2008-09-05 04:25:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

    ============= FINISH: 9:05:11.70 ===============


    Here's the attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-11-24.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 4/12/2006 9:46:04 PM
    System Uptime: 11/25/2009 8:57:01 PM (61 hours ago)

    Motherboard: Dell Inc. | | 0HJ054
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 1.633 GiB free.
    D: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1221: 10/30/2009 10:05:54 AM - System Checkpoint
    RP1222: 11/2/2009 1:07:15 AM - System Checkpoint
    RP1223: 11/3/2009 1:55:34 AM - System Checkpoint
    RP1224: 11/4/2009 2:10:17 AM - System Checkpoint
    RP1225: 11/5/2009 12:44:31 AM - Software Distribution Service 3.0
    RP1226: 11/6/2009 5:28:57 AM - System Checkpoint
    RP1227: 11/7/2009 5:41:27 AM - System Checkpoint
    RP1228: 11/8/2009 4:53:12 AM - System Checkpoint
    RP1229: 11/8/2009 8:49:07 PM - Removed Sony Sound Forge 8.0b
    RP1230: 11/8/2009 8:55:30 PM - Installed Sound Forge Pro 10.0
    RP1231: 11/9/2009 8:05:52 AM - Software Distribution Service 3.0
    RP1232: 11/10/2009 10:11:27 AM - System Checkpoint
    RP1233: 11/11/2009 3:01:09 AM - Software Distribution Service 3.0
    RP1234: 11/12/2009 4:52:43 AM - System Checkpoint
    RP1235: 11/13/2009 6:11:33 AM - System Checkpoint
    RP1236: 11/14/2009 7:23:32 AM - System Checkpoint
    RP1237: 11/15/2009 7:47:35 AM - System Checkpoint
    RP1238: 11/16/2009 8:17:14 AM - System Checkpoint
    RP1239: 11/17/2009 8:52:51 AM - System Checkpoint
    RP1240: 11/17/2009 11:45:09 PM - Restore Operation
    RP1241: 11/18/2009 12:58:05 AM - Software Distribution Service 3.0
    RP1242: 11/19/2009 1:35:18 AM - System Checkpoint
    RP1243: 11/20/2009 4:35:26 AM - System Checkpoint
    RP1244: 11/21/2009 4:47:51 AM - System Checkpoint
    RP1245: 11/22/2009 6:59:04 AM - System Checkpoint
    RP1246: 11/22/2009 12:59:31 PM - Installed Java(TM) 6 Update 17
    RP1247: 11/22/2009 1:46:29 PM - Installed Windows Internet Explorer 8.
    RP1248: 11/22/2009 1:48:29 PM - Software Distribution Service 3.0
    RP1249: 11/22/2009 7:15:54 PM - Software Distribution Service 3.0
    RP1250: 11/22/2009 8:40:36 PM - Software Distribution Service 3.0
    RP1251: 11/23/2009 9:25:58 PM - System Checkpoint
    RP1252: 11/24/2009 9:46:47 PM - System Checkpoint
    RP1253: 11/25/2009 3:01:41 AM - Software Distribution Service 3.0
    RP1254: 11/26/2009 4:40:53 AM - System Checkpoint
    RP1255: 11/27/2009 5:20:46 AM - System Checkpoint
    RP1256: 11/28/2009 5:55:54 AM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    AAC Decoder
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.1.7 - CPSID_50029
    Adobe Acrobat 8.1.7 Professional
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Audition 3.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Contribute CS3
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 7.0
    Adobe Setup
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe SVG Viewer 3.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    AiO_Scan_CDA
    AiOSoftwareNPI
    Amazon MP3 Downloader 1.0.3
    Antares Auto-Tune v1.3 DX
    Antares Autotune VST RTAS TDM v5.08
    AOLIcon
    Arturia Arp2600 V VSTi RTAS v1.6
    Arturia CS-80V v1.5
    Arturia Moog Modular V2 v1.0
    ATI Control Panel
    ATI Display Driver
    AutoUpdate
    BitDefender Internet Security 2009
    Boardmaker version 5
    BufferChm
    C3100
    c3100_Help
    Camel Audio Cameleon 5000 v1.7 VSTi
    CD - DVD Publishing Service
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    Critical Update for Windows Media Player 11 (KB959772)
    CrunchDude 0.1
    db audioware mastering plugins 1.05c
    Dell CinePlayer
    Dell Driver Reset Tool
    Dell System Restore
    Destinations
    DeviceManagementQFolder
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DocProc
    DocProcQFolder
    DSP/FX v6.2a
    Edirol HQ Orchestral v1.01
    ELIcon
    ERUNT 1.1j
    eSupportQFolder
    Fax_CDA
    FL Studio 6
    GDR 1406 for SQL Server Analysis Services 2005 ENU (KB932557)
    GDR 1406 for SQL Server Database Services 2005 ENU (KB932557)
    GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557)
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
    Google Chrome
    H.264 Decoder
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Imaging Device Functions 7.0
    HP Photosmart and Deskjet 7.0.A
    HP Photosmart Essential
    HP Product Assistant
    HP Solution Center 7.0
    HP Update
    HPPhotoSmartExpress
    HPProductAssistant
    HPSSupply
    InstantShareDevicesMFC
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Ipswitch WS_FTP Professional 2006
    IsoBuster 1.8
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 17
    LiquidInstrumentVst 1.1
    Lounge Lizard 1.0
    Mastering Edition 1.5
    MCU
    Microsoft .NET Compact Framework 1.0 SP3 Developer
    Microsoft .NET Compact Framework 2.0
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ASP.NET 2.0 AJAX Extensions 1.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Device Emulator version 1.0 - ENU
    Microsoft Document Explorer 2005
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Web Components
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Analysis Services
    Microsoft SQL Server 2005 Backward compatibility
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Integration Services
    Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual Studio 2005 Professional Edition - ENU
    Midisport 1x1 1.0.1.0
    MKV Splitter
    Mozilla Firefox (3.0.15)
    MSDN Library for Visual Studio 2005
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    MySQL Server 5.0
    Native Instruments Absynth 3
    Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
    Native Instruments Guitar Rig 3
    Native Instruments Reaktor 5
    Nero 6 Ultra Edition
    Nero Digital
    NewCopy_CDA
    Novation V-Station for Cubase SX3 VSTi v1.41
    OCR Software by I.R.I.S 7.0
    PanoStandAlone
    PDF Settings
    PicoZip Recovery Tool 1.02
    PowerISO
    ProductContextNPI
    Quicken 2007
    QuickTime
    Readme
    ReFX Beast VSTi v1.0
    Rob Papen Albino 3
    Rob Papen BLUE Version 1.7.0
    Rob Papen Predator V1.1.0
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
    Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970483)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Shop for HP Supplies
    SolutionCenter
    Sonic Activation Module
    Sonic Encoders
    Sonic Update Manager
    Sony ACID Pro 6.0
    Sony Media Manager 2.1
    Sony Media Manager 2.2
    Sound Forge Pro 10.0
    Space Synthesizer 1.2
    Spybot - Search & Destroy
    Status
    T-RackS 3 Deluxe
    Toolbox
    TrayApp
    Uninstall JL2005A Toy Camera
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    URL Assistant
    VC80CRTRedist - 8.0.50727.762
    Vokko 1.67
    Waldorf.PPG.Wave2.V-OxYGeN
    Waves Diamond Bundle v5.2
    Waves L3 Multimaximizer v1.0
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    XML Paper Specification Shared Components Pack 1.0
    XP Codec Pack
    Xvid 1.1.2 final uninstall

    ==== Event Viewer Messages From Past Week ========

    11/25/2009 5:35:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect.
    11/25/2009 5:35:47 PM, error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/25/2009 5:18:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
    11/25/2009 5:18:31 PM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/25/2009 5:18:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
    11/25/2009 5:17:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server Integration Services service to connect.
    11/25/2009 5:17:16 PM, error: Service Control Manager [7000] - The SQL Server Integration Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/25/2009 3:03:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    11/25/2009 3:03:54 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/22/2009 9:37:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdpredir
    11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The REGSpy service failed to start due to the following error: The system cannot find the path specified.
    11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The FILESpy service failed to start due to the following error: The system cannot find the path specified.
    11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The Emagic Audiowerk Kernel Mode Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The BDRSDRV service failed to start due to the following error: The system cannot find the file specified.
    11/22/2009 9:36:23 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/22/2009 9:36:23 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================

    Thanks for the help. Running the other utility now ...
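The DDS output above is what the helpers read by eye: they match the dates in "Created Last 30" against the "SERVICES / DRIVERS" list to see which kernel drivers were written around the time the poster says the trouble began. As an added example, not part of this thread and not code from DDS or the Spybot team, here is a small Python parser for those two sections that lists the drivers whose files were created inside a given date window. The sample log is a handful of lines copied from the log above; the function names and the date-window check are my own, and a hit only means "created in the window, look closer", not "malicious".

```python
"""Triage helper for DDS logs (added example, not part of DDS):
correlate the 'SERVICES / DRIVERS' section with the 'Created Last 30'
section and list drivers whose files were written in a date window."""
import re
from datetime import date, datetime

# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [2009-11-22 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]

=============== Created Last 30 ================

2009-11-26 01:11:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 14:48:01 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-22 16:03:47 0 d-----w- c:\program files\Spybot - Search & Destroy
"""

# "==== Section Name ====" header lines delimit the DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Start type, service name, display name, image path, then "[date size]" or "[?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+.+?)?\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2}|\?)(?:\s+(?P<size>\d+))?\]$"
)
# "YYYY-MM-DD HH:MM:SS size attrs path" lines in "Created Last 30".
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)


def _parse_date(text):
    """DDS writes dates without zero padding (2008-10-6); strptime accepts that."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def parse_dds(text):
    """Return {'services': [...], 'created': [...]} from a DDS log body."""
    services, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                d = m.group("date")
                services.append({
                    "start": m.group("start"),
                    "name": m.group("name"),
                    "display": m.group("display"),
                    "path": m.group("path").lower(),   # lower-case for matching
                    "date": None if d == "?" else _parse_date(d),
                    "size": int(m.group("size")) if m.group("size") else None,
                })
        elif section == "CREATED LAST 30":
            m = CREATED_RE.match(line)
            if m:
                created.append({
                    "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                    "size": int(m.group("size")),
                    "attrs": m.group("attrs"),
                    "path": m.group("path").lower(),
                })
    return {"services": services, "created": created}


def drivers_created_between(parsed, start, end):
    """Services/drivers whose file was written inside [start, end] (ISO dates,
    inclusive).  The 'Created Last 30' timestamp wins when the path appears
    there; otherwise the date DDS prints on the service line is used."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    created_by_path = {c["path"]: c["ts"].date() for c in parsed["created"]}
    hits = []
    for svc in parsed["services"]:
        d = created_by_path.get(svc["path"], svc["date"])
        if d is not None and start <= d <= end:
            hits.append(svc)
    return hits


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_LOG)
    for svc in drivers_created_between(parsed, "2009-11-22", "2009-11-22"):
        print(svc["start"], svc["name"], svc["path"], svc["date"])
```

Run stand-alone it prints the one driver in the sample written on 2009-11-22; feed it the full DDS text and widen the window to the days either side of the reported incident to get the short list a helper would examine first.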

  4. #4
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Hi,

    Per the instructions at the following post you must uninstall any and all P2P/BitTorrent/File Sharing Software prior to getting help here.

    http://forums.spybot.info/showpost.p...03&postcount=4

    Please do so, then run DDS again and post the log.

  5. #5
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Default Results.log

    Hi IndieGenus,

    I had uTorrent installed but as per the instructions, uninstalled it prior to starting the thread here. Are you seeing some other software? Or is there a file left over from uTorrent that is causing problems? Let me know and I'll take care of it.

    I have attached the results.log from the run of the other utility. I had to zip it up to meet the size requirements.

    Regards,
    Jonathan

  6. #6
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Quote Originally Posted by j_global
    Hi IndieGenus,

    I had uTorrent installed but as per the instructions, uninstalled it prior to starting the thread here. Are you seeing some other software? Or is there a file left over from uTorrent that is causing problems? Let me know and I'll take care of it.

    uTorrent still was showing in the list of programs from DDS, but if you uninstalled it then we can move on.


    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that combofix is renamed before it even starts to download


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, rename Combofix to Combo-Fix as follows:

    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not run combofix more than once. If you have problems please post back for further instructions.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with the combofix log.

  7. #7
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Default Combofix Log

    Hi IndieGenus,

    Here's the log from Combo Fix:

    ComboFix 09-11-29.06 - Global 11/30/2009 8:09.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.446 [GMT -5:00]
    Running from: c:\documents and settings\Global\Desktop\Combo-Fix.exe
    AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\sstem~1
    C:\Thumbs.db
    c:\windows\Downloaded Program Files\CpnMgr.dll
    c:\windows\kb913800.exe
    c:\windows\stem~1
    c:\windows\system32\Cache
    c:\windows\system32\msvcsv60.dll
    c:\windows\system32\pppatc~1
    c:\windows\system32\twain_32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
    .

    2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\Global\Application Data\Malwarebytes
    2009-11-26 01:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-26 01:11 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 00:44 . 2009-11-26 00:44 -------- d-----w- C:\ERDNT
    2009-11-26 00:43 . 2009-11-26 00:43 -------- d-----w- c:\program files\ERUNT
    2009-11-22 18:45 . 2009-11-22 18:48 -------- dc-h--w- c:\windows\ie8
    2009-11-22 17:54 . 2009-11-22 17:54 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-22 16:03 . 2009-11-22 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-22 16:03 . 2009-11-22 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-22 14:48 . 2009-11-30 13:41 52269088 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-11-22 14:48 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
    2009-11-22 14:09 . 2009-11-22 14:09 79488 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-11-18 04:49 . 2009-11-18 04:49 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-11-10 14:26 . 2009-11-10 14:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-11-10 12:50 . 2009-11-10 12:50 -------- d-----w- c:\documents and settings\LocalService\IETldCache
    2009-11-09 02:25 . 2009-11-09 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Publish Providers
    2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
    2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony
    2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony
    2009-11-09 02:16 . 2009-11-09 02:16 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-11-09 02:14 . 2009-11-09 02:14 37688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-09 02:14 . 2009-11-09 02:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
    2009-11-09 02:13 . 2009-11-09 02:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-11-09 02:11 . 2009-11-09 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
    2009-11-09 02:10 . 2009-11-09 02:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-11-06 05:50 . 2009-11-06 05:50 -------- d-----w- C:\avd

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-28 20:34 . 2009-11-28 20:34 23895 ----a-w- C:\Results.zip
    2009-11-28 20:14 . 2009-11-22 14:48 528872 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-11-28 14:11 . 2009-11-28 14:11 292352 ----a-w- C:\b5cjwng8.exe
    2009-11-26 03:55 . 2009-11-26 03:50 -------- d-----w- c:\program files\HijackThis2
    2009-11-25 22:10 . 2007-01-03 22:31 -------- d-----w- c:\documents and settings\Global\Application Data\uTorrent
    2009-11-25 08:22 . 2006-05-13 13:56 81984 ----a-w- c:\windows\system32\bdod.bin
    2009-11-22 18:36 . 2006-04-08 21:00 -------- d-----w- c:\program files\Google
    2009-11-22 18:00 . 2006-04-08 20:44 -------- d-----w- c:\program files\Java
    2009-11-22 16:50 . 2009-03-24 03:25 -------- d-----w- c:\program files\WinMorse
    2009-11-18 04:48 . 2008-01-20 00:49 -------- d-----w- c:\program files\Bonjour
    2009-11-09 03:12 . 2006-04-13 19:47 -------- d-----w- c:\documents and settings\Global\Application Data\Sony
    2009-11-09 03:10 . 2009-03-28 20:55 16 ----a-w- c:\windows\msocreg32.dat
    2009-11-09 03:09 . 2006-04-13 19:47 -------- d-----w- c:\program files\VSTplugins
    2009-11-09 01:56 . 2006-04-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
    2009-11-09 01:55 . 2006-04-13 19:46 -------- d-----w- c:\program files\Sony
    2009-10-20 21:10 . 2006-04-26 03:19 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-16 07:17 . 2006-04-13 20:25 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-10-11 09:17 . 2009-02-14 17:06 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-11 14:18 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-07 12:36 . 2009-09-07 12:36 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-09-04 21:03 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-11-13 04:58 . 2008-10-30 22:34 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-10 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CAMMON_JL2005A"="c:\program files\JL2005A\cam_mon" [X]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-11-13 782336]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "{442E26B2-0AE9-1033-0203-060506210001}"="c:\program files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe te-110-12-0000213" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi1"=usbmn1x1.dll
    "midi2"=usbmn1x1.dll
    "midi3"=usbmn1x1.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [11/22/2009 9:48 AM 148496]
    R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/17/2008 2:01 PM 104456]
    S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [4/13/2006 2:41 PM 19816]
    S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]
    S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 10:12 PM 202096]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
    S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
    S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 9DE23BFB
    *Deregistered* - 9de23bfb

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005Core.job
    - c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06]

    2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005UA.job
    - c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06]

    2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{CB68F05E-22E8-4B1A-88CA-B8953A2C5289}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Global\Application Data\Mozilla\Firefox\Profiles\kdpyzawl.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
    FF - plugin: c:\documents and settings\Global\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKLM-Run-BDSwitchAgent - c:\progra~1\softwin\BITDEF~1\bdswitch.exe
    AddRemove-uTorrent - c:\program files\uTorrent\uninstall.exe
    AddRemove-Waldorf.PPG.Wave2.V-OxYGeN - c:\progra~1\VSTPLU~1\Audio\Waldorf\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-30 08:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D53170]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7696f28
    \Driver\ACPI -> ACPI.sys @ 0xf7529cb8
    \Driver\atapi -> atapi.sys @ 0xf74bb852
    IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: -> SendCompleteHandler -> 0x0
    PacketIndicateHandler -> 0x0
    SendHandler -> 0x0
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{66D2B6B0-0AC3-1D5E-AFE4FCFC2DBC1E0D}\{D0054572-6CDD-7E67-D144F5B82EF8A509}\{800AEEDD-FDE9-D9F6-54124DEBF6D799D2}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb,
    d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb,
    d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2D6F484-260A-7B5D-9DECE03114A71318}\{16279713-416B-AABF-512733F99CDDA7F7}\{FB965560-4DCA-8EF0-2DC335C1EACB0D08}*]
    "SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
    5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
    "SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
    5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-11-30 08:51
    ComboFix-quarantined-files.txt 2009-11-30 13:51

    Pre-Run: 1,590,513,664 bytes free
    Post-Run: 4,611,928,064 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 38D1130E9399786F1D0C47488FF02C9B
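    As an added example (not part of the thread and not ComboFix's own code), the Python script below parses the two parts of a ComboFix log that a responder reads first, the "Files Created" entries and the "Reg Loading Points" values, in the format shown above, and returns the entries worth a second look. The sample lines are constructed after the ones in the log; the heuristics (hidden/system attributes on a file, a driver named only with digits, an autostart whose target ComboFix marked `[X]` because the file is missing, and a value under a `policies\explorer\Run` key) are my own choice. They produce leads, not verdicts: the numeric driver `39940974.sys` that this flags is the very file that turns out later in the thread to be a signed Kaspersky mini-filter.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

It parses the 'Files Created' entries and the 'Reg Loading Points' values in
the format the log above uses, and returns the entries a responder would
look at first. The heuristics are my own and produce leads, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled line-for-line on the log format in the thread.
SAMPLE_LOG = r"""
2009-11-26 01:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 14:48 . 2009-11-30 13:41 52269088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 14:48 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-10 14:26 . 2009-11-10 14:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CAMMON_JL2005A"="c:\program files\JL2005A\cam_mon" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{442E26B2-0AE9-1033-0203-060506210001}"="c:\program files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe te-110-12-0000213" [X]
"""

# created . modified  size|--------  attrs(8 chars)  path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="target" [YYYY-MM-DD size]   or   "name"="target" [X]  (target not found)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" '
    r'\[(?P<stamp>X|\d{4}-\d{2}-\d{2} \d+)\]$'
)


@dataclass
class Finding:
    path: str
    reasons: list


def file_reasons(attrs, path):
    """Heuristics for one 'Files Created' entry (hypothetical, my own)."""
    reasons = []
    is_dir = attrs[0] == "d"
    # s/h on directories is common (IE caches); on a plain file it deserves a look.
    if not is_dir and ("s" in attrs or "h" in attrs):
        reasons.append("hidden/system attributes on a file")
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if ext.lower() == "sys" and stem.isdigit():
        reasons.append("driver with numeric-only name")
    return reasons


def value_reasons(key, stamp):
    """Heuristics for one autostart value, given the key it sits under."""
    reasons = []
    if stamp == "X":
        reasons.append("autostart target not found ([X])")
    if "policies\\explorer\\run" in key.lower():
        reasons.append("value under a policies\\explorer\\Run key")
    return reasons


def analyze(log_text):
    """Return the flagged entries, in log order, each with its reasons."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            reasons = file_reasons(m["attrs"], m["path"])
            if reasons:
                findings.append(Finding(m["path"], reasons))
        elif (m := KEY_RE.match(line)):
            current_key = m["key"]          # values that follow belong to this key
        elif (m := VALUE_RE.match(line)):
            reasons = value_reasons(current_key, m["stamp"])
            if reasons:
                findings.append(Finding(m["target"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.path, "->", "; ".join(f.reasons))
```

    Run it against a saved `C:\ComboFix.txt` by passing the file's contents to `analyze()`; the "Find3M Report" entries share the same line format, so they parse too. Anything it flags still needs the check the helper does next in the thread (a VirusTotal lookup and the signer shown by sigcheck) before it is treated as malicious.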

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Please go to http://www.virustotal.com/en/indexf.html
    Click on Browse, and upload the following file for analysis:

    c:\windows\system32\drivers\39940974.sys

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.

  9. #9
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Default

    Hi IndieGenus ... not sure how much of this you need:


    Result: 0/41 (0%)


    Antivirus Version Last Update Result
    a-squared 4.5.0.43 2009.11.30 -
    AhnLab-V3 5.0.0.2 2009.11.30 -
    AntiVir 7.9.1.88 2009.11.30 -
    Antiy-AVL 2.0.3.7 2009.11.30 -
    Authentium 5.2.0.5 2009.11.30 -
    Avast 4.8.1351.0 2009.11.30 -
    AVG 8.5.0.426 2009.12.01 -
    BitDefender 7.2 2009.12.01 -
    CAT-QuickHeal 10.00 2009.11.30 -
    ClamAV 0.94.1 2009.11.30 -
    Comodo 3095 2009.12.01 -
    DrWeb 5.0.0.12182 2009.12.01 -
    eSafe 7.0.17.0 2009.11.30 -
    eTrust-Vet 35.1.7149 2009.12.01 -
    F-Prot 4.5.1.85 2009.11.30 -
    F-Secure 9.0.15370.0 2009.11.29 -
    Fortinet 4.0.14.0 2009.11.30 -
    GData 19 2009.12.01 -
    Ikarus T3.1.1.74.0 2009.11.30 -
    Jiangmin 11.0.800 2009.11.29 -
    K7AntiVirus 7.10.906 2009.11.27 -
    Kaspersky 7.0.0.125 2009.12.01 -
    McAfee 5818 2009.11.30 -
    McAfee+Artemis 5818 2009.11.30 -
    McAfee-GW-Edition 6.8.5 2009.11.30 -
    Microsoft 1.5302 2009.12.01 -
    NOD32 4650 2009.11.30 -
    Norman 6.03.02 2009.11.30 -
    nProtect 2009.1.8.0 2009.11.28 -
    Panda 10.0.2.2 2009.11.30 -
    PCTools 7.0.3.5 2009.12.01 -
    Prevx 3.0 2009.12.01 -
    Rising 22.24.00.09 2009.11.30 -
    Sophos 4.48.0 2009.12.01 -
    Sunbelt 3.2.1858.2 2009.12.01 -
    Symantec 1.4.4.12 2009.12.01 -
    TheHacker 6.5.0.2.082 2009.11.30 -
    TrendMicro 9.100.0.1001 2009.11.30 -
    VBA32 3.12.12.0 2009.11.30 -
    ViRobot 2009.11.30.2062 2009.11.30 -
    VirusBuster 5.0.21.0 2009.11.30 -
    Additional information
    File size: 148496 bytes
    MD5...: 0aa3ad071827118fcc8f37f7a6ab7aa1
    SHA1..: 59784c49ffe530931010070c8843366f9d7fa6f0
    SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa
    ssdeep: 3072:xoZsjyhxlNCet3MATPO1jUFLVFnRkPjcow9gT7wNwSk7Fa/4NJ:xnjyhx8Ad6jcpgTsW/KqJ

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x23010
    timedatestamp.....: 0x4873470a (Tue Jul 08 10:52:58 2008)
    machinetype.......: 0x14c (I386)

    ( 8 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x1a848 0x1aa00 6.38 ca8bbffb8c1aac75560de3ffede16f38
    NONPAGED 0x1c000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b
    .rdata 0x1d000 0x850 0xa00 4.25 6ffc26ac817e2ae1a1cf5ce42adc9f0b
    .data 0x1e000 0x1b00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c
    PAGE 0x20000 0x2cdc 0x2e00 6.28 7516763c152ec5b6c5df87c555fadbb5
    INIT 0x23000 0x1b88 0x1c00 5.96 4459dca4b85a564cb98f26cfbff36fbe
    .rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921
    .reloc 0x26000 0x1b6e 0x1c00 6.47 5d73a4e2a3be56c2448dbd9511deefa3

    ( 3 imports )
    > ntoskrnl.exe: IoAllocateWorkItem, RtlDeleteElementGenericTableAvl, RtlGetElementGenericTableAvl, FsRtlIsNameInExpression, RtlInsertElementGenericTableAvl, InitSafeBootMode, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, SeTokenType, SeCreateClientSecurity, SeImpersonateClientEx, IoVerifyVolume, IoDeviceObjectType, IoBuildSynchronousFsdRequest, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, MmIsAddressValid, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, IoRegisterShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, RtlAppendUnicodeToString, KeDelayExecutionThread, KeQuerySystemTime, strncmp, IoGetCurrentProcess, ExGetPreviousMode, SeReleaseSubjectContext, IoQueueWorkItem, SeCaptureSubjectContext, PsDereferenceImpersonationToken, RtlCopySid, RtlLengthSid, SeQueryInformationToken, PsReferencePrimaryToken, PsReferenceImpersonationToken, PsIsThreadTerminating, IoThreadToProcess, RtlInitializeGenericTableAvl, READ_REGISTER_UCHAR, ProbeForRead, RtlLookupElementGenericTableAvl, ObQueryNameString, CmUnRegisterCallback, MmUserProbeAddress, CmRegisterCallback, ZwEnumerateValueKey, ZwDeleteValueKey, ZwQueryKey, wcsrchr, NtBuildNumber, KeClearEvent, ExInitializePagedLookasideList, ExDeletePagedLookasideList, PsLookupProcessByProcessId, RtlCopyUnicodeString, RtlNumberGenericTableElementsAvl, RtlEnumerateGenericTableAvl, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoFreeWorkItem, IofCompleteRequest, IoWMIRegistrationControl, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIWriteEvent, ZwQueryInformationProcess, KeStackAttachProcess, _wcsicmp, KeUnstackDetachProcess, ZwOpenKey, ZwEnumerateKey, RtlUnicodeStringToInteger, ZwQueryValueKey, ZwCreateKey, RtlIntegerToUnicodeString, ZwSetValueKey, RtlAppendUnicodeStringToString, ZwDeleteKey, DbgBreakPoint, ZwCreateFile, IoGetRelatedDeviceObject, _vsnwprintf, KeQueryInterruptTime, strncpy, RtlInitUnicodeString, RtlCompareUnicodeString, IoFileObjectType, ObReferenceObjectByPointer, _allmul, KeWaitForMultipleObjects, KeSetEvent, ExDeleteResourceLite, ExInitializeResourceLite, memcpy, _except_handler3, ZwOpenProcess, ZwTerminateProcess, PsCreateSystemThread, ObReferenceObjectByHandle, ZwClose, PsTerminateSystemThread, ObfDereferenceObject, KeGetCurrentThread, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlUpcaseUnicodeChar, RtlUpperChar, memset, ExAllocatePoolWithTag, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, SeQueryAuthenticationIdToken, ExFreePoolWithTag
    > HAL.dll: KfReleaseSpinLock, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, KfAcquireSpinLock
    > FLTMGR.SYS: FltQueryInformationFile, FltGetRoutineAddress, FltIsDirectory, FltGetFileNameInformation, FltParseFileNameInformation, FltAllocateCallbackData, FltPerformSynchronousIo, FltFreeCallbackData, FltReferenceFileNameInformation, FltReleaseFileNameInformation, FltGetStreamHandleContext, FltGetStreamContext, FltEnumerateVolumeInformation, FltRegisterFilter, FltStartFiltering, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltSetStreamHandleContext, FltCancelFileOpen, FltSetStreamContext, FltReleaseContext, FltGetVolumeProperties, FltAllocateContext, FltQueryVolumeInformation, FltGetVolumeName, FltSetInstanceContext, FltSetVolumeContext, FltUnregisterFilter, FltFsControlFile, FltGetVolumeFromFileObject, FltGetVolumeContext, FltGetInstanceContext, FltCreateFile, FltClose, FltFlushBuffers, FltSetInformationFile, FltWriteFile, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltObjectReference, FltAllocatePoolAlignedWithTag, FltReadFile, FltFreePoolAlignedWithTag, FltObjectDereference, FltSendMessage, FltCloseClientPort, FltCloseCommunicationPort, FltReleaseResource, FltAcquireResourceShared, FltAcquireResourceExclusive, FltGetFileNameInformationUnsafe

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Kaspersky Lab
    copyright....: Copyright (c) Kaspersky Lab 1996-2008.
    product......: Kaspersky Anti-Virus
    description..: Klif Mini-Filter
    original name: KLIF.SYS
    internal name: KLIF
    file version.: 7.0.0.312
    comments.....: n/a
    signers......: Kaspersky Lab
    VeriSign Class 3 Code Signing 2004 CA
    Class 3 Public Primary Certification Authority
    signing date.: 11:54 AM 7/8/2008
    verified.....: -

  10. #10
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Hi,

    It looks like that file might be part of a removal tool from Kaspersky. Are you familiar with anything like that?

    Use ATF Cleaner to remove temp files, cookies, cache, etc.
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Please download Malwarebytes' Anti-Malware from Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a Hijackthis log.


    Please let me know how it's running also.
