Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 11-12-2008, 11:25 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


malware on system

computer shutting down on its own. Also, wireless router not working and dozens of splash screens open unexpectedly.

I'm not a professional, and have some trouble understanding many of the instructions. Please, forgive my ignorance.
jim
Attached Files
File Type: txt DDS log.txt (3.1 KB, 5 views)
File Type: txt DDS log 2.txt (8.9 KB, 6 views)
File Type: txt gmer rootkit log 1.txt (3.4 KB, 4 views)
baggyman1 is offline  
Old 12-09-2008, 08:35 PM   #2 (permalink)
Analyst, Security Team
 
Billy O'Neal's Avatar
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".
We need to run a Scan with DDS
  1. Please download DDS, and save it to your desktop, from one of the following mirrors:
  2. Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  3. Double click on your desktop.
  4. If prompted by any script blocking tools, please allow any actions taken by DDS.
  5. When prompted to perform an Optional Scan, please select
  6. Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post

We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following mirrors:
  2. Close any and all open programs, as this process may crash your computer.
  3. Unzip the downloaded file to your desktop.
  4. Double click on your desktop.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see this window. If you do, click No.
  7. Click on and wait for the scan to finish.
  8. If you see a rootkit warning window, click OK.
  9. Push and save the logfile to your desktop.
  10. Copy and Paste the contents of that file in your next post.

In your next reply, please include the following:
  • DDS.txt
  • Attach.txt
  • GMER's Log


Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-12-2008, 04:09 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Billy,

Here is what you asked for...except the gmer log; don't know how to copy it to clipboard or desktop.
jim
Attached Files
File Type: txt Attach 2.txt (7.1 KB, 2 views)
File Type: txt DDS.txt (13.6 KB, 3 views)
baggyman1 is offline  
Old 12-12-2008, 06:05 PM   #4 (permalink)
Analyst, Security Team
 
Billy O'Neal's Avatar
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

How to run ComboFix:
  1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
  2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  3. Double click on your desktop.
  4. Read and accept (Press Yes) to the disclaimer.
  5. For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  6. ComboFix will run. Simply wait for it to finish.
  7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-13-2008, 03:49 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


malware on system

ComboFix 08-12-12.03 - jim m 2008-12-13 5:24:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2610 [GMT -5:00]
Running from: c:\documents and settings\jim m\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\_004737_.tmp.dll
c:\windows\system32\_004738_.tmp.dll
c:\windows\system32\_004739_.tmp.dll
c:\windows\system32\_004740_.tmp.dll
c:\windows\system32\_004741_.tmp.dll
c:\windows\system32\_004742_.tmp.dll
c:\windows\system32\_004743_.tmp.dll
c:\windows\system32\_004744_.tmp.dll
c:\windows\system32\_004747_.tmp.dll
c:\windows\system32\_004748_.tmp.dll
c:\windows\system32\_004749_.tmp.dll
c:\windows\system32\_004750_.tmp.dll
c:\windows\system32\_004752_.tmp.dll
c:\windows\system32\_004753_.tmp.dll
c:\windows\system32\_004756_.tmp.dll
c:\windows\system32\_004757_.tmp.dll
c:\windows\system32\_004759_.tmp.dll
c:\windows\system32\_004760_.tmp.dll
c:\windows\system32\_004761_.tmp.dll
c:\windows\system32\_004762_.tmp.dll
c:\windows\system32\_004763_.tmp.dll
c:\windows\system32\_004764_.tmp.dll
c:\windows\system32\_004765_.tmp.dll
c:\windows\system32\_004766_.tmp.dll
c:\windows\system32\_004767_.tmp.dll
c:\windows\system32\_004769_.tmp.dll
c:\windows\system32\_004770_.tmp.dll
c:\windows\system32\_004771_.tmp.dll
c:\windows\system32\_004772_.tmp.dll
c:\windows\system32\_004774_.tmp.dll
c:\windows\system32\_004776_.tmp.dll
c:\windows\system32\_004777_.tmp.dll
c:\windows\system32\_004778_.tmp.dll
c:\windows\system32\_004779_.tmp.dll
c:\windows\system32\_004780_.tmp.dll
c:\windows\system32\_004781_.tmp.dll
c:\windows\system32\_004782_.tmp.dll
c:\windows\system32\_004783_.tmp.dll
c:\windows\system32\_004784_.tmp.dll
c:\windows\system32\_004786_.tmp.dll
c:\windows\system32\_004787_.tmp.dll
c:\windows\system32\_004788_.tmp.dll
c:\windows\system32\_004789_.tmp.dll
c:\windows\system32\_004790_.tmp.dll
c:\windows\system32\_004791_.tmp.dll
c:\windows\system32\_004792_.tmp.dll
c:\windows\system32\_004793_.tmp.dll
c:\windows\system32\_004795_.tmp.dll
c:\windows\system32\_004796_.tmp.dll
c:\windows\system32\_004797_.tmp.dll
c:\windows\system32\_004798_.tmp.dll
c:\windows\system32\_004800_.tmp.dll
c:\windows\system32\_004801_.tmp.dll
c:\windows\system32\_004805_.tmp.dll
c:\windows\system32\_004806_.tmp.dll
c:\windows\system32\_004808_.tmp.dll
c:\windows\system32\_004811_.tmp.dll
c:\windows\system32\_004812_.tmp.dll
c:\windows\system32\_004813_.tmp.dll
c:\windows\system32\_004814_.tmp.dll
c:\windows\system32\_004815_.tmp.dll
c:\windows\system32\_004816_.tmp.dll
c:\windows\system32\_004819_.tmp.dll
c:\windows\system32\_004820_.tmp.dll
c:\windows\system32\_004821_.tmp.dll
c:\windows\system32\_004822_.tmp.dll
c:\windows\system32\_004823_.tmp.dll
c:\windows\system32\_004828_.tmp.dll
c:\windows\system32\_004830_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-09 05:09 . 2008-12-09 05:12 <DIR> d-------- c:\documents and settings\jim m\Application Data\Hoyle FaceCreator
2008-12-09 05:09 . 2008-12-09 05:24 <DIR> d-------- c:\documents and settings\jim m\Application Data\Hoyle Casino
2008-12-09 05:05 . 2008-12-09 05:06 <DIR> d-------- c:\program files\Hoyle Casino 2008
2008-12-06 10:31 . 2008-12-06 10:31 <DIR> d-------- c:\program files\VisDir
2008-12-04 18:31 . 2008-12-04 18:34 104 --a------ C:\index.ini
2008-12-04 15:49 . 2008-12-08 12:07 <DIR> d-------- c:\program files\a-squared Anti-Malware
2008-12-04 15:16 . 2008-12-04 15:15 8,576 --a------ c:\windows\system32\drivers\nycifgnvlvss.sys
2008-12-04 15:13 . 2008-12-04 15:13 44,672 --a------ c:\windows\system32\drivers\SDTHOOK.SYS
2008-12-04 15:04 . 2008-12-04 15:15 <DIR> d-------- c:\documents and settings\jim m\Pavark
2008-12-04 14:51 . 2008-12-04 14:51 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-04 14:51 . 2008-10-31 07:09 270,888 -ra------ c:\windows\system32\drivers\SbFw.sys
2008-12-04 14:51 . 2008-06-21 04:54 65,576 --a------ c:\windows\system32\drivers\SbFwIm.sys
2008-12-04 11:54 . 2008-12-04 12:45 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-04 11:43 . 2008-12-04 11:43 <DIR> d--hs---- c:\documents and settings\jim m\PrivacIE
2008-12-04 11:34 . 2008-12-04 11:39 <DIR> d--h-c--- c:\windows\ie8
2008-12-04 11:32 . 2008-12-04 11:32 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-02 15:50 . 2008-12-05 15:50 <DIR> d-------- c:\windows\system32\Adobe
2008-12-01 14:58 . 2008-12-01 15:14 <DIR> d-------- c:\program files\SBaGen
2008-12-01 14:48 . 2008-12-01 14:48 <DIR> d--h----- c:\windows\PIF
2008-11-29 17:45 . 2008-11-29 17:54 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-29 17:39 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-29 17:39 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-29 17:39 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-29 17:39 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-29 17:39 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-29 17:39 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-29 17:39 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-29 17:38 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-29 11:23 . 2008-12-06 11:19 <DIR> d-------- c:\program files\NoAdware
2008-11-28 12:12 . 2008-11-28 12:12 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\Malwarebytes
2008-11-28 10:17 . 2008-11-28 10:17 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-28 09:52 . 1998-06-24 11:55 164,144 --a------ c:\windows\system32\COMCT232.OCX
2008-11-28 09:52 . 1998-05-05 17:35 112,640 --a------ c:\windows\system32\CMCTLde.DLL
2008-11-28 09:52 . 1998-07-06 18:55 33,792 --a------ c:\windows\system32\CMDLGDE.DLL
2008-11-28 09:52 . 1998-05-05 17:35 24,576 --a------ c:\windows\system32\CMCT2DE.dll
2008-11-28 09:22 . 2008-11-28 09:37 <DIR> d-------- c:\program files\CrossLoop
2008-11-27 20:23 . 2008-11-27 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-11-27 19:07 . 2008-11-27 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-27 18:58 . 2008-11-27 18:58 <DIR> d-------- c:\program files\Alwil Software
2008-11-27 15:07 . 2008-11-27 15:07 <DIR> d-------- c:\documents and settings\jim m\Application Data\BitDefender
2008-11-27 14:53 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-27 14:39 . 2008-11-27 14:39 <DIR> d-------- C:\savcc20
2008-11-27 12:52 . 2008-11-28 10:09 <DIR> d-------- c:\program files\The Cleaner Demo
2008-11-26 17:32 . 2004-08-04 05:00 71,040 --------- c:\windows\system32\drivers\_004717_.tmp.dll
2008-11-26 16:17 . 2008-11-26 16:17 <DIR> d-------- c:\documents and settings\jim m\temp
2008-11-26 16:17 . 2008-11-26 16:17 <DIR> d-------- c:\documents and settings\jim m\Application Data\TeamViewer
2008-11-26 15:36 . 2008-04-13 19:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2008-11-26 15:36 . 2008-04-13 12:27 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-11-26 15:35 . 2006-12-28 14:01 19,569 --a------ c:\windows\003324_.tmp
2008-11-26 15:11 . 2008-08-22 03:10 11,985,408 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-26 15:11 . 2008-07-29 22:58 3,670,112 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-26 15:11 . 2008-08-22 03:06 1,778,688 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-26 15:11 . 2008-08-22 03:15 1,216,512 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-26 15:11 . 2008-08-22 03:05 580,608 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-26 15:11 . 2008-08-22 02:42 443,392 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-26 15:11 . 2008-08-22 03:05 61,952 --a--c--- c:\windows\system32\dllcache\icardie.dll
2008-11-26 15:11 . 2008-08-22 03:05 53,760 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-26 15:10 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 15:10 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-26 15:10 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-26 15:05 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-26 15:00 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-26 12:59 . 2008-11-29 16:38 <DIR> d-------- c:\documents and settings\jim m\SecurityScans
2008-11-25 08:00 . 2008-11-25 08:00 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\SUPERAntiSpyware.com
2008-11-25 07:58 . 2008-05-06 21:41 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\InstallShield
2008-11-25 07:58 . 2008-05-06 21:49 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\CyberLink
2008-11-25 07:58 . 2008-11-29 18:15 <DIR> d-------- c:\documents and settings\Administrator.JIM
2008-11-24 17:06 . 2008-11-26 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-24 16:37 . 2008-12-12 05:18 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-24 16:37 . 2008-11-24 16:37 <DIR> d-------- c:\documents and settings\jim m\Application Data\SUPERAntiSpyware.com
2008-11-24 16:37 . 2008-11-24 16:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-20 10:26 . 2008-11-20 18:06 <DIR> d-------- c:\program files\MSECACHE
2008-11-17 15:57 . 2008-11-18 10:13 <DIR> d-------- c:\program files\Bazooka Scanner
2008-11-15 11:26 . 2008-11-17 14:47 <DIR> d-------- c:\program files\UPHClean
2008-11-14 14:08 . 2008-11-14 14:08 <DIR> d-------- C:\Archive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 15:11 --------- d-----w c:\program files\CyberLink
2008-12-06 16:19 --------- d-----w c:\program files\MUSICMATCH
2008-12-06 16:16 --------- d-----w c:\program files\Maxthon2
2008-12-06 02:21 --------- d-----w c:\documents and settings\jim m\Application Data\Orbit
2008-12-05 20:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 23:28 44,544 ----a-w c:\windows\system32\alg.exe
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-02 16:53 --------- d-----w c:\documents and settings\jim m\Application Data\MxBoost
2008-11-30 03:12 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 16:46 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-28 15:17 --------- d-----w c:\program files\Java
2008-11-28 15:09 --------- d-----w c:\program files\ACAD2000
2008-11-28 15:09 --------- d-----w c:\documents and settings\jim m\Application Data\EmailNotifier
2008-11-28 01:22 --------- d-----w c:\program files\Common Files\BitDefender
2008-11-27 15:42 --------- d-----w c:\program files\SupportSoft
2008-11-24 21:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-20 23:07 --------- d-----w c:\program files\Windows Live
2008-11-20 23:05 --------- d-----w c:\program files\Trend Micro
2008-11-20 21:10 --------- d-----w c:\program files\CCleaner
2008-11-14 14:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-12 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-11-11 23:58 --------- d-----w c:\program files\Picasa2
2008-11-11 20:33 5 ----a-w c:\windows\system32\drivers\DELL_INS_530.MRK
2008-11-11 20:33 5 ----a-w c:\windows\system32\drivers\1028_Dell_INS_530.mrk
2008-11-11 20:31 --------- d-----w c:\program files\Dell
2008-11-11 20:01 --------- d-----w c:\program files\Orbitdownloader
2008-11-11 19:31 --------- d-----w c:\program files\Verizon
2008-11-11 18:35 --------- d-----w c:\program files\Common Files\supportsoft
2008-11-11 15:17 --------- d-----w c:\documents and settings\NetworkService\Application Data\Orbit
2008-11-10 18:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-11-10 17:32 --------- d-----w c:\program files\Common Files\Scanner
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-18 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 00:12 --------- d-----w c:\program files\Common Files\Remote Control Software Common
2008-10-16 00:11 --------- d-----w c:\program files\Logitech
2008-10-14 16:11 --------- d-----w c:\program files\Yahoo!
2008-10-14 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-19 23:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-12 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-12 05:18 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= -

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^jim m^Start Menu^Programs^Startup^Adobe Media Player.lnk]
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jim m^Start Menu^Programs^Startup^SpeedPlexer.lnk]
backup=c:\windows\pss\SpeedPlexer.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\PC2TV
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\pc2tv\TLA

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-09-15 12:09 368640 c:\program files\BitDefender\BitDefender 2008\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 06:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\pc2tv\TLA\PC2TVMonitorApp.exe]
--------- 2008-04-25 16:35 36864 c:\pc2tv\TLA\PC2TVMonitorApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 12:44 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
--a------ 2008-06-06 13:47 396288 c:\program files\Trend Micro\HijackThis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 08:07 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 11:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 09:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 111184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-12-04 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-27 20560]
R2 SbPF.Launcher;SbPF.Launcher;"c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe" [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;"c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe" [2008-10-31 1365288]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-05-13 598856]
R3 EuMusDesignVirtualAudioCableWdm;PC2TV Audio;c:\windows\system32\DRIVERS\PC2TVAudio.sys [2007-04-04 38528]
R3 PC2TVMirror;PC2TVMirror_Display_Driver;c:\windows\system32\DRIVERS\PC2TVMirror.sys [2007-04-12 25344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-12-04 65576]
S3 BQHOLMJ;BQHOLMJ;c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-06-22 96256]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-07-20 38496]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\DRIVERS\SDTHOOK.sys [2008-12-04 44672]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys []
S4 tor;Tor Win32 Service;"c:\program files\Vidalia Bundle\Tor\tor.exe" --nt-service -f "c:\documents and settings\jim m\Application Data\Vidalia\torrc" ControlPort 9051 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{787e13ae-1f99-11dd-a413-001d099ad52c}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-13 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []

2008-12-13 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-SmcService - c:\progra~1\Sygate\SPF\smc.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-filehippo - (no file)


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\jim m\Application Data\Mozilla\Firefox\Profiles\81in13xp.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 05:28:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3156)
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\msi.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
Completion time: 2008-12-13 5:30:55
ComboFix-quarantined-files.txt 2008-12-13 10:30:51

Pre-Run: 472,354,807,808 bytes free
Post-Run: 472,341,766,144 bytes free

375 --- E O F --- 2008-12-13 02:03:18
baggyman1 is offline  
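The ComboFix log above is what the analyst reads to decide which entries to target next. As an added example (not code from this thread, from the forum, or from ComboFix's author), here is a small Python triage script that walks a constructed excerpt of that log and flags the entries a responder would look at first: a freshly created kernel driver with a gibberish name, a service whose binary lives in a Temp folder, a service entry with no file behind it, the Security Center and Windows Firewall overrides, and an AutoRun command bound to a removable drive. Two of the items it flags, the driver and the Temp-folder service, are among those the analyst removes in the follow-up CFScript. The vowel-ratio "gibberish name" heuristic, its thresholds and the severity labels are my own assumptions, not anything ComboFix computes.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread, not a tool from the forum or from ComboFix's
author. It walks the 'Files Created', service/driver and registry lines of a
ComboFix log and flags what a responder would read first: kernel drivers with
gibberish names, services whose binary sits in a Temp folder or has no file on
disk, Security Center / Windows Firewall overrides, and AutoRun commands bound
to a removable drive. Heuristics and thresholds are assumptions, not ComboFix's.
"""
from __future__ import annotations
import re

# Constructed excerpt modelled on the log posted above (paths copied from it).
SAMPLE_LOG = r"""
2008-12-04 15:16 . 2008-12-04 15:15 8,576 --a------ c:\windows\system32\drivers\nycifgnvlvss.sys
2008-12-04 14:51 . 2008-10-31 07:09 270,888 -ra------ c:\windows\system32\drivers\SbFw.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 111184]
S3 BQHOLMJ;BQHOLMJ;c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe []
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{787e13ae-1f99-11dd-a413-001d099ad52c}]
\Shell\AutoRun\command - E:\setupSNK.exe
"""

# "<created> . <modified> <size|<DIR>> <attrs> <path>" lines of the Files Created section
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (<DIR>|[\d,]+) (\S+) (.+)$")
# "<state> <name>;<display name>;<image path> [<date size>]" service and driver lines
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[(.*)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=value under that key
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")

VOWELS = set("aeiou")


def looks_random(stem: str, min_len: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Crude entropy proxy (assumption): long names with almost no vowels are rarely
    legitimate driver names. Short names are left alone to limit false positives."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(1 for c in letters if c in VOWELS)
    return vowels / len(letters) <= max_vowel_ratio


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, detail) tuples, in log order, for lines worth a second look."""
    findings: list[tuple[str, str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                      # remember the registry key the following values belong to
            current_key = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(5)
            low = path.lower()
            if low.endswith(".sys") and "\\drivers\\" in low:
                stem = low.rsplit("\\", 1)[-1][:-4]
                if looks_random(stem):
                    findings.append(("high", "new kernel driver with a gibberish name", path))
            continue
        m = SVC_RE.match(line)
        if m:
            state, name, image, meta = m.group(1), m.group(2), m.group(4), m.group(5)
            if "\\temp\\" in image.lower():
                findings.append(("high", f"service {name} ({state}) runs from a Temp folder", image))
            elif not meta:         # empty [] means ComboFix found no file behind the entry
                findings.append(("medium", f"service {name} ({state}) has no binary on disk", image))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            detail = f"{current_key} -> {name} = {value}"
            if name == "AntiVirusOverride" and value.endswith("1"):
                findings.append(("medium", "Security Center antivirus alerts overridden", detail))
            elif name == "EnableFirewall" and value.startswith("0"):
                findings.append(("medium", "Windows Firewall disabled for the standard profile", detail))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(("high", "AutoRun command bound to a removable drive",
                             f"{current_key} -> {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for sev, reason, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {detail}")
```

Run on the excerpt it reports six findings, three of them high: the driver, the Temp-folder service and the AutoRun entry. The point of the script is ordering, not verdicts; every flag still needs the analyst's judgement, which is exactly what the follow-up post in this thread supplies.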
Old 12-13-2008, 02:33 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    file::
    c:\windows\system32\drivers\nycifgnvlvss.sys
    c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe
    c:\windows\Tasks\XoftSpySE.job
    c:\windows\Tasks\XoftSpySE 2.job
    folder::
    c:\program files\The Cleaner Demo
    c:\documents and settings\jim m\Application Data\Orbit
    c:\program files\XoftSpySE
    c:\program files\Orbitdownloader
    driver::
    BQHOLMJ
    DDS::
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    REGISTRY::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.FFDS"=-
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-15-2008, 08:07 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Billy,

Not working. Text you sent does not interface with combofix. I get a message asking me if I am trying to run CFScritp and that it is spelt incorrectly. No number for error
baggyman1 is offline  
Old 12-15-2008, 12:45 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello :)

Make sure it is saved as "cfscript.txt", not "CFScritp".

If it is renamed, CF won't know what to do with it :P

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-15-2008, 02:12 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

ComboFix 08-12-14.04 - jim m 2008-12-15 15:47:13.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2436 [GMT -5:00]
Running from: c:\documents and settings\jim m\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jim m\Desktop\cfscript.txt.rtf
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-14 20:21 . 2008-10-31 07:09 270,888 -ra------ c:\windows\system32\drivers\SbFw.sys
2008-12-14 20:21 . 2008-06-21 04:54 65,576 --a------ c:\windows\system32\drivers\SbFwIm.sys
2008-12-09 05:09 . 2008-12-09 05:12 <DIR> d-------- c:\documents and settings\jim m\Application Data\Hoyle FaceCreator
2008-12-09 05:09 . 2008-12-09 05:24 <DIR> d-------- c:\documents and settings\jim m\Application Data\Hoyle Casino
2008-12-09 05:05 . 2008-12-09 05:06 <DIR> d-------- c:\program files\Hoyle Casino 2008
2008-12-06 10:31 . 2008-12-06 10:31 <DIR> d-------- c:\program files\VisDir
2008-12-04 18:31 . 2008-12-04 18:34 104 --a------ C:\index.ini
2008-12-04 15:49 . 2008-12-08 12:07 <DIR> d-------- c:\program files\a-squared Anti-Malware
2008-12-04 15:16 . 2008-12-04 15:15 8,576 --a------ c:\windows\system32\drivers\nycifgnvlvss.sys
2008-12-04 15:13 . 2008-12-04 15:13 44,672 --a------ c:\windows\system32\drivers\SDTHOOK.SYS
2008-12-04 15:04 . 2008-12-04 15:15 <DIR> d-------- c:\documents and settings\jim m\Pavark
2008-12-04 14:51 . 2008-12-04 14:51 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-04 11:54 . 2008-12-04 12:45 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-04 11:43 . 2008-12-04 11:43 <DIR> d--hs---- c:\documents and settings\jim m\PrivacIE
2008-12-04 11:34 . 2008-12-04 11:39 <DIR> d--h-c--- c:\windows\ie8
2008-12-04 11:32 . 2008-12-04 11:32 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-02 15:50 . 2008-12-05 15:50 <DIR> d-------- c:\windows\system32\Adobe
2008-12-01 14:58 . 2008-12-01 15:14 <DIR> d-------- c:\program files\SBaGen
2008-12-01 14:48 . 2008-12-01 14:48 <DIR> d--h----- c:\windows\PIF
2008-11-29 17:45 . 2008-11-29 17:54 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-29 17:39 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-29 17:39 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-29 17:39 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-29 17:39 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-29 17:39 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-29 17:39 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-29 17:39 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-29 17:38 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-29 11:23 . 2008-12-06 11:19 <DIR> d-------- c:\program files\NoAdware
2008-11-28 12:12 . 2008-11-28 12:12 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\Malwarebytes
2008-11-28 10:17 . 2008-11-28 10:17 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-28 09:52 . 1998-06-24 11:55 164,144 --a------ c:\windows\system32\COMCT232.OCX
2008-11-28 09:52 . 1998-05-05 17:35 112,640 --a------ c:\windows\system32\CMCTLde.DLL
2008-11-28 09:52 . 1998-07-06 18:55 33,792 --a------ c:\windows\system32\CMDLGDE.DLL
2008-11-28 09:52 . 1998-05-05 17:35 24,576 --a------ c:\windows\system32\CMCT2DE.dll
2008-11-28 09:22 . 2008-11-28 09:37 <DIR> d-------- c:\program files\CrossLoop
2008-11-27 20:23 . 2008-11-27 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-11-27 19:07 . 2008-11-27 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-27 18:58 . 2008-11-27 18:58 <DIR> d-------- c:\program files\Alwil Software
2008-11-27 15:07 . 2008-11-27 15:07 <DIR> d-------- c:\documents and settings\jim m\Application Data\BitDefender
2008-11-27 14:53 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-27 14:39 . 2008-11-27 14:39 <DIR> d-------- C:\savcc20
2008-11-27 12:52 . 2008-11-28 10:09 <DIR> d-------- c:\program files\The Cleaner Demo
2008-11-26 17:32 . 2004-08-04 05:00 71,040 --------- c:\windows\system32\drivers\_004717_.tmp.dll
2008-11-26 16:17 . 2008-11-26 16:17 <DIR> d-------- c:\documents and settings\jim m\temp
2008-11-26 16:17 . 2008-11-26 16:17 <DIR> d-------- c:\documents and settings\jim m\Application Data\TeamViewer
2008-11-26 15:36 . 2008-04-13 19:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2008-11-26 15:36 . 2008-04-13 12:27 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-11-26 15:35 . 2006-12-28 14:01 19,569 --a------ c:\windows\003324_.tmp
2008-11-26 15:11 . 2008-08-22 03:10 11,985,408 --a--c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-26 15:11 . 2008-07-29 22:58 3,670,112 --a--c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-26 15:11 . 2008-08-22 03:06 1,778,688 --a--c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-26 15:11 . 2008-08-22 03:15 1,216,512 --a--c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-26 15:11 . 2008-08-22 03:05 580,608 --a--c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-26 15:11 . 2008-08-22 02:42 443,392 --a--c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-26 15:11 . 2008-08-22 03:05 61,952 --a--c--- c:\windows\system32\dllcache\icardie.dll
2008-11-26 15:11 . 2008-08-22 03:05 53,760 --a--c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-26 15:10 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 15:10 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-26 15:10 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-26 15:05 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-26 15:00 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-26 12:59 . 2008-11-29 16:38 <DIR> d-------- c:\documents and settings\jim m\SecurityScans
2008-11-25 08:00 . 2008-11-25 08:00 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\SUPERAntiSpyware.com
2008-11-25 07:58 . 2008-05-06 21:41 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\InstallShield
2008-11-25 07:58 . 2008-05-06 21:49 <DIR> d-------- c:\documents and settings\Administrator.JIM\Application Data\CyberLink
2008-11-25 07:58 . 2008-11-29 18:15 <DIR> d-------- c:\documents and settings\Administrator.JIM
2008-11-24 17:06 . 2008-11-26 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-24 16:37 . 2008-12-12 05:18 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-24 16:37 . 2008-11-24 16:37 <DIR> d-------- c:\documents and settings\jim m\Application Data\SUPERAntiSpyware.com
2008-11-24 16:37 . 2008-11-24 16:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-20 10:26 . 2008-11-20 18:06 <DIR> d-------- c:\program files\MSECACHE
2008-11-17 15:57 . 2008-11-18 10:13 <DIR> d-------- c:\program files\Bazooka Scanner
2008-11-15 11:26 . 2008-11-17 14:47 <DIR> d-------- c:\program files\UPHClean

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 18:49 --------- d-----w c:\documents and settings\jim m\Application Data\Orbit
2008-12-12 15:11 --------- d-----w c:\program files\CyberLink
2008-12-06 16:19 --------- d-----w c:\program files\MUSICMATCH
2008-12-06 16:16 --------- d-----w c:\program files\Maxthon2
2008-12-05 20:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 23:28 44,544 ----a-w c:\windows\system32\alg.exe
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-02 16:53 --------- d-----w c:\documents and settings\jim m\Application Data\MxBoost
2008-11-30 03:12 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 16:46 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-28 15:17 --------- d-----w c:\program files\Java
2008-11-28 15:09 --------- d-----w c:\program files\ACAD2000
2008-11-28 15:09 --------- d-----w c:\documents and settings\jim m\Application Data\EmailNotifier
2008-11-28 01:22 --------- d-----w c:\program files\Common Files\BitDefender
2008-11-27 15:42 --------- d-----w c:\program files\SupportSoft
2008-11-24 21:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-20 23:07 --------- d-----w c:\program files\Windows Live
2008-11-20 23:05 --------- d-----w c:\program files\Trend Micro
2008-11-20 21:10 --------- d-----w c:\program files\CCleaner
2008-11-14 14:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-12 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-11-11 23:58 --------- d-----w c:\program files\Picasa2
2008-11-11 20:33 5 ----a-w c:\windows\system32\drivers\DELL_INS_530.MRK
2008-11-11 20:33 5 ----a-w c:\windows\system32\drivers\1028_Dell_INS_530.mrk
2008-11-11 20:31 --------- d-----w c:\program files\Dell
2008-11-11 20:01 --------- d-----w c:\program files\Orbitdownloader
2008-11-11 19:31 --------- d-----w c:\program files\Verizon
2008-11-11 18:35 --------- d-----w c:\program files\Common Files\supportsoft
2008-11-11 15:17 --------- d-----w c:\documents and settings\NetworkService\Application Data\Orbit
2008-11-10 18:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-11-10 17:32 --------- d-----w c:\program files\Common Files\Scanner
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-18 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 00:12 --------- d-----w c:\program files\Common Files\Remote Control Software Common
2008-10-16 00:11 --------- d-----w c:\program files\Logitech
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-19 23:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-13_ 5.12.45.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-04 19:51:45 18,718 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\ARPPRODUCTICON.exe
+ 2008-12-15 01:21:15 18,718 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\ARPPRODUCTICON.exe
- 2008-12-04 19:51:45 18,718 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut1_E659E0EE10E649B7869660F38D0EB174.exe
+ 2008-12-15 01:21:15 18,718 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut1_E659E0EE10E649B7869660F38D0EB174.exe
- 2008-12-04 19:51:45 57,344 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut4_C665E66BE8EF49DBB30B81BB5E60462C.exe
+ 2008-12-15 01:21:15 57,344 ----a-r c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut4_C665E66BE8EF49DBB30B81BB5E60462C.exe
+ 2008-12-15 17:15:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2f4.dat
- 2008-12-13 10:10:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4cc.dat
+ 2008-12-15 02:51:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4cc.dat
+ 2008-12-15 03:23:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_518.dat
+ 2008-12-15 03:23:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-12 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-12 05:18 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= -

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^jim m^Start Menu^Programs^Startup^Adobe Media Player.lnk]
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jim m^Start Menu^Programs^Startup^SpeedPlexer.lnk]
backup=c:\windows\pss\SpeedPlexer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-09-15 12:09 368640 c:\program files\BitDefender\BitDefender 2008\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 06:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 12:44 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
--a------ 2008-06-06 13:47 396288 c:\program files\Trend Micro\HijackThis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 08:07 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 11:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 09:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 111184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-12-14 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-27 20560]
R2 SbPF.Launcher;SbPF.Launcher;"c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe" [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;"c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe" [2008-10-31 1365288]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-05-13 598856]
R3 EuMusDesignVirtualAudioCableWdm;PC2TV Audio;c:\windows\system32\DRIVERS\PC2TVAudio.sys [2007-04-04 38528]
R3 PC2TVMirror;PC2TVMirror_Display_Driver;c:\windows\system32\DRIVERS\PC2TVMirror.sys [2007-04-12 25344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-12-14 65576]
S3 BQHOLMJ;BQHOLMJ;c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-06-22 96256]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\DRIVERS\SDTHOOK.sys [2008-12-04 44672]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys []
S4 tor;Tor Win32 Service;"c:\program files\Vidalia Bundle\Tor\tor.exe" --nt-service -f "c:\documents and settings\jim m\Application Data\Vidalia\torrc" ControlPort 9051 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{787e13ae-1f99-11dd-a413-001d099ad52c}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6574ce1-1ea0-11dd-a409-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-15 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []

2008-12-15 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\jim m\Application Data\Mozilla\Firefox\Profiles\81in13xp.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 15:51:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3904)
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\msi.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
Completion time: 2008-12-15 15:53:50
ComboFix-quarantined-files.txt 2008-12-15 20:53:46
ComboFix2.txt 2008-12-15 14:03:56
ComboFix3.txt 2008-12-13 10:30:58

Pre-Run: 472,145,260,544 bytes free
Post-Run: 472,132,055,040 bytes free

304 --- E O F --- 2008-12-13 02:03:18
baggyman1 is offline  
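The ComboFix report above is the kind of log a helper reads by eye: the entries that matter here are the security-centre override ("AntiVirusOverride"=dword:00000001), the Windows firewall switched off ("EnableFirewall"= 0), the S3 service BQHOLMJ whose binary sits in a Temp folder with no file metadata, and the AutoRun commands recorded under MountPoints2. The following Python script is an added example written for this thread, not part of ComboFix or of any post above; it parses those line formats and prints findings in the order a helper would want to check them. The sample lines are copied from the log above plus a couple of benign driver entries for contrast, and the regular expressions only cover the formats that appear in this thread.

```python
"""Triage a ComboFix log for weak settings and suspicious persistence.

Added example (not ComboFix's own code). It reads the text of a ComboFix
report like the one posted above and emits findings a helper looks at first:
security-centre/firewall overrides, service or driver entries whose binary
lives in a Temp directory or has no recorded file metadata, and AutoRun
handlers recorded under MountPoints2.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log above, in ComboFix's formats.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 111184]
S3 BQHOLMJ;BQHOLMJ;c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe []
S3 SDTHOOK;SDTHOOK;c:\windows\system32\DRIVERS\SDTHOOK.sys [2008-12-04 44672]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{787e13ae-1f99-11dd-a413-001d099ad52c}]
\Shell\AutoRun\command - E:\setupSNK.exe
"""

# "R1 name;display name;path [date size]" -- the bracket is empty when ComboFix found no file.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"\[(?P<meta>[^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

# (fragment of the registry key, value name) -> data prefix that means a protection is off.
WEAK_SETTINGS = {
    ("security center", "AntiVirusOverride"): "dword:00000001",
    ("firewallpolicy\\standardprofile", "EnableFirewall"): "0",
}


def _finding(severity: str, category: str, detail: str) -> Dict[str, str]:
    return {"severity": severity, "category": category, "detail": detail}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings in log order; an empty list means nothing stood out."""
    findings: List[Dict[str, str]] = []
    current_key = ""  # the most recent [registry key] header, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            meta = META_RE.search(rest)
            meta_text = meta.group("meta").strip() if meta else ""
            path = META_RE.sub("", rest).strip()
            if "\\temp\\" in path.lower():
                findings.append(_finding("high", "service-in-temp",
                    f"{m.group('name')} ({m.group('start')}) runs from a Temp directory: {path}"))
            if not meta_text:
                findings.append(_finding("medium", "service-no-file",
                    f"{m.group('name')} ({m.group('start')}) has no file metadata; binary missing or orphaned: {path}"))
            continue
        m = VALUE_RE.match(line)
        if m:
            for (key_fragment, value_name), bad_data in WEAK_SETTINGS.items():
                if key_fragment in current_key and m.group("name") == value_name \
                        and m.group("data").startswith(bad_data):
                    findings.append(_finding("high", "protection-disabled",
                        f"{value_name}={m.group('data')} under [{current_key}]"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            findings.append(_finding("low", "autorun-handler",
                f"AutoRun command {m.group('cmd')} recorded under MountPoints2"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['category']:20} {f['detail']}")
```

Run against the sample it reports two disabled protections, the Temp-resident BQHOLMJ service twice (location and missing file), the orphaned TMPassthru driver, and the AutoRun handler; the avast! and SDTHOOK entries, which have a real path and file metadata, produce nothing. The severities are a reading aid, not a verdict: an empty bracket can also mean a leftover from an uninstalled product, which is why the "no file" finding is rated below the Temp-folder one.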
Old 12-15-2008, 05:30 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
Alright.. something's not working right with that :(

Please try this method instead:

We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    Code:
    :files
    c:\windows\system32\drivers\nycifgnvlvss.sys
    c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe
    c:\windows\Tasks\XoftSpySE.job
    c:\windows\Tasks\XoftSpySE 2.job
    c:\program files\The Cleaner Demo
    c:\documents and settings\jim m\Application Data\Orbit
    c:\program files\XoftSpySE
    c:\program files\Orbitdownloader
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.FFDS"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    "&Download by Orbit"=-
    "&Grab video by Orbit"=-
    "&Windows Live Search"=-
    "Do&wnload selected by Orbit"=-
    :services
    BQHOLMJ
  4. Push the large button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

We need to run a Scan with DDS
  1. Please download DDS, and save it to your desktop, from one of the following mirrors:
  2. Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  3. Double click on your desktop.
  4. If prompted by any script blocking tools, please allow any actions taken by DDS.
  5. Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post

In your next reply, please include the following:
  • OTMoveIt3's Log
  • DDS.txt
  • Attach.txt

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-16-2008, 02:54 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Billy,
I attached two and copied one. If they don't come through it is my bad as the scans completed okay.
jim


========== FILES ==========
c:\windows\system32\drivers\nycifgnvlvss.sys moved successfully.
File/Folder c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe not found.
c:\windows\Tasks\XoftSpySE.job moved successfully.
c:\windows\Tasks\XoftSpySE 2.job moved successfully.
c:\program files\The Cleaner Demo moved successfully.
c:\documents and settings\jim m\Application Data\Orbit\flink(2) moved successfully.
c:\documents and settings\jim m\Application Data\Orbit\flink moved successfully.
c:\documents and settings\jim m\Application Data\Orbit moved successfully.
File/Folder c:\program files\XoftSpySE not found.
c:\program files\Orbitdownloader\update moved successfully.
c:\program files\Orbitdownloader\language moved successfully.
c:\program files\Orbitdownloader\addons\orbitff\chrome moved successfully.
c:\program files\Orbitdownloader\addons\orbitff moved successfully.
c:\program files\Orbitdownloader\addons moved successfully.
c:\program files\Orbitdownloader moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\VIDC.FFDS deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\&Download by Orbit not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\&Grab video by Orbit not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\&Windows Live Search not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\Do&wnload selected by Orbit not found.
========== SERVICES/DRIVERS ==========
Service BQHOLMJ stopped successfully.
Service BQHOLMJ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_044246
Attached Files
File Type: txt DDS.txt (12.9 KB, 1 views)
File Type: txt Attach.txt (9.0 KB, 0 views)
baggyman1 is offline  
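An OTMoveIt3 log like the one above is easy to skim past: most lines say "moved successfully", and the four "not found" registry lines are the ones that matter, because they show the Internet Explorer\Extensions key in the script did not hold the Orbit menu entries (the next post moves them to HKCU\...\MenuExt). The Python script below is an added example written for this thread, not OldTimer's code and not part of any post; it pairs every entry requested in a script's :files, :reg and :services sections with its outcome line in the log, so that unresolved actions are listed instead of buried. The script and log text are a subset copied from the two posts above, and the parser only knows the line formats that appear there.

```python
"""Reconcile an OTMoveIt3 script against the log it produced.

Added example (not OTMoveIt3's or OldTimer's code). Each requested action
from the script's :files, :reg and :services sections is matched with the
log line reporting its outcome; actions the log never mentions are marked
"no result" rather than silently assumed done.
"""
import re
from typing import Dict, List

# Constructed sample: subset of the script posted above and of its log.
SCRIPT = r"""
:files
c:\windows\system32\drivers\nycifgnvlvss.sys
c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe
c:\program files\XoftSpySE
c:\program files\Orbitdownloader
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
"&Download by Orbit"=-
"&Grab video by Orbit"=-
:services
BQHOLMJ
"""

LOG = r"""
========== FILES ==========
c:\windows\system32\drivers\nycifgnvlvss.sys moved successfully.
File/Folder c:\docume~1\JIMM~1\LOCALS~1\Temp\BQHOLMJ.exe not found.
File/Folder c:\program files\XoftSpySE not found.
c:\program files\Orbitdownloader\addons moved successfully.
c:\program files\Orbitdownloader moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\VIDC.FFDS deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\&Download by Orbit not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\\&Grab video by Orbit not found.
========== SERVICES/DRIVERS ==========
Service BQHOLMJ stopped successfully.
Service BQHOLMJ deleted successfully.
"""

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*-\s*$')  # "name"=- deletes a value
LOG_REG_RE = re.compile(r"^Registry value (?P<target>.+?) (?P<status>deleted successfully|not found)\.$")
LOG_SVC_RE = re.compile(r"^Service (?P<target>\S+) (?P<status>stopped successfully|deleted successfully|not found)\.$")
LOG_MISSING_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")
LOG_MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")


def parse_script(text: str) -> List[Dict[str, str]]:
    """Return the requested actions as {kind, target} in script order."""
    actions: List[Dict[str, str]] = []
    section, key = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
            continue
        if section == ":files":
            actions.append({"kind": "file", "target": line})
        elif section == ":reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            else:
                m = REG_VALUE_RE.match(line)
                if m:
                    # The log names a value as <key>\\<name>, with two backslashes.
                    actions.append({"kind": "reg", "target": key + "\\\\" + m.group("name")})
        elif section == ":services":
            actions.append({"kind": "service", "target": line})
    return actions


def parse_log(text: str) -> Dict[str, str]:
    """Map each logged target (lower-cased) to the last outcome reported for it."""
    outcomes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for regex in (LOG_REG_RE, LOG_SVC_RE):
            m = regex.match(line)
            if m:
                # For a service, "deleted" follows and overrides "stopped".
                outcomes[m.group("target").lower()] = m.group("status")
                break
        else:
            m = LOG_MISSING_RE.match(line)
            if m:
                outcomes[m.group("path").lower()] = "not found"
                continue
            m = LOG_MOVED_RE.match(line)
            if m:
                outcomes[m.group("path").lower()] = "moved successfully"
    return outcomes


def reconcile(script: str, log: str) -> List[Dict[str, str]]:
    """Attach an outcome to every requested action; 'no result' if the log is silent."""
    outcomes = parse_log(log)
    return [dict(a, status=outcomes.get(a["target"].lower(), "no result")) for a in parse_script(script)]


def unresolved(script: str, log: str) -> List[Dict[str, str]]:
    """Actions that did not complete: the follow-up list for the next script."""
    return [r for r in reconcile(script, log) if not r["status"].endswith("successfully")]


if __name__ == "__main__":
    for r in reconcile(SCRIPT, LOG):
        print(f"{r['kind']:8} {r['status']:20} {r['target']}")
```

On the sample, unresolved() returns the four entries the log marked "not found": the BQHOLMJ.exe file that had already been removed, the XoftSpySE folder, and the two Orbit values under the wrong key. Nested paths that OTMoveIt3 reports on its own (the Orbitdownloader\addons line) are recorded but never matched to a request, so they do not inflate the success count.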
Old 12-16-2008, 05:39 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
I'm sorry.. I made a mistake in the last script. One more time then. Please post a fresh DDS log after this :)

We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]
    "&Download by Orbit"=-
    "&Grab video by Orbit"=-
    "&Windows Live Search"=-
    "Do&wnload selected by Orbit"=-
    :commands
    [EmptyTemp]
  4. Push the large button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I would like us to use ESET (NOD32)'s Online Scanner
  1. Please go to ESET OnlineScan (NOD32)
  2. You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  3. Now click Start
  4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  5. Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  7. Press Scan
  8. The Onlinescan will now start and scan your pc (this could take a while)
  9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  11. The Scanresults will now open in Notepad
  12. Click into the text area, right-click and choose "select all" (or use <Control>+A)
  13. Right-click again and choose "Copy" (or <Control>+C)
  14. Close/Exit Notepad
  15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log
  • A new DDS.txt

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-17-2008, 08:46 AM   #13 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Strange things happening since we started this stuff; program icons gone from desktop and folders, show up on scans but not in control panel - add/remove, unable to remove leftover program files like BitDefender...

Here is the stuff you asked for:
Attached Files
File Type: doc eset Scan Log 12-17.doc (79.0 KB, 1 views)
File Type: txt 12162008_210104.log OTM.txt (7.3 KB, 1 views)
baggyman1 is offline  
Old 12-17-2008, 08:49 AM   #14 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

One didn't post: the DDS log. So here it is:


DDS (Version 1.0.1) - NTFSx86
Run by jim m at 4:48:35.70 on Tue 12/16/2008
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2511 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\jim m\Desktop\OTMoveIt3.exe
C:\Documents and Settings\jim m\Desktop\dds.com

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimm~1\applic~1\mozilla\firefox\profiles\81in13xp.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 111184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-11-17 55024]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-12-14 270888]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-27 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-11-27 155160]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-5-13 598856]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-11-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-11-27 352920]
R3 EuMusDesignVirtualAudioCableWdm;PC2TV Audio;c:\windows\system32\drivers\PC2TVAudio.sys [2007-4-4 38528]
R3 PC2TVMirror;PC2TVMirror_Display_Driver;c:\windows\system32\drivers\PC2TVMirror.sys [2007-4-12 25344]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\sbfwim.sys [2008-12-14 65576]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-6-22 96256]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.sys [2008-12-4 44672]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys []
S4 tor;Tor Win32 Service;"c:\program files\vidalia bundle\tor\tor.exe" --nt-service -f "c:\documents and settings\jim m\application data\vidalia\torrc" ControlPort 9051 []

=============== Created Last 30 ================

2008-12-16 04:42 <DIR> --d----- C:\_OTMoveIt
2008-12-15 15:46 <DIR> --d----- C:\ComboFix
2008-12-14 20:21 270,888 a----r-- c:\windows\system32\drivers\SbFw.sys
2008-12-14 20:21 65,576 a------- c:\windows\system32\drivers\SbFwIm.sys
2008-12-14 15:13 161,792 a------- c:\windows\SWREG.exe
2008-12-14 15:13 98,816 a------- c:\windows\sed.exe
2008-12-13 04:59 <DIR> a-dshr-- C:\cmdcons
2008-12-09 05:09 <DIR> --d----- c:\docume~1\jimm~1\applic~1\Hoyle FaceCreator
2008-12-09 05:09 <DIR> --d----- c:\docume~1\jimm~1\applic~1\Hoyle Casino
2008-12-09 05:05 <DIR> --d----- c:\program files\Hoyle Casino 2008
2008-12-06 10:31 <DIR> --d----- c:\program files\VisDir
2008-12-04 18:31 104 a------- C:\index.ini
2008-12-04 15:49 <DIR> --d----- c:\program files\a-squared Anti-Malware
2008-12-04 15:13 44,672 a------- c:\windows\system32\drivers\SDTHOOK.SYS
2008-12-04 15:04 <DIR> --d----- c:\documents and settings\jim m\Pavark
2008-12-04 11:54 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-12-04 11:43 <DIR> --dsh--- c:\documents and settings\jim m\PrivacIE
2008-12-04 11:34 <DIR> -cd-h--- c:\windows\ie8
2008-12-02 15:50 <DIR> --d----- c:\windows\system32\Adobe
2008-12-01 14:58 <DIR> --d----- c:\program files\SBaGen
2008-12-01 14:48 <DIR> --d-h--- c:\windows\PIF
2008-11-29 17:45 <DIR> --d----- c:\windows\SxsCaPendDel
2008-11-29 17:39 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-11-29 17:39 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-11-29 17:39 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-11-29 17:39 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-29 17:39 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-29 17:39 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-29 17:39 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-29 17:38 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-11-29 11:23 <DIR> --d----- c:\program files\NoAdware
2008-11-28 10:17 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-28 09:52 164,144 a------- c:\windows\system32\COMCT232.OCX
2008-11-28 09:52 112,640 a------- c:\windows\system32\CMCTLde.DLL
2008-11-28 09:52 33,792 a------- c:\windows\system32\CMDLGDE.DLL
2008-11-28 09:52 24,576 a------- c:\windows\system32\CMCT2DE.dll
2008-11-28 09:22 <DIR> --d----- c:\program files\CrossLoop
2008-11-27 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2008-11-27 15:07 <DIR> --d----- c:\docume~1\jimm~1\applic~1\BitDefender
2008-11-27 14:53 1,106,944 ac------ c:\windows\system32\dllcache\msxml3.dll
2008-11-27 14:39 <DIR> --d----- C:\savcc20
2008-11-26 17:32 71,040 -------- c:\windows\system32\drivers\_004717_.tmp.dll
2008-11-26 16:17 <DIR> --d----- c:\docume~1\jimm~1\applic~1\TeamViewer
2008-11-26 16:17 <DIR> --d----- c:\documents and settings\jim m\temp
2008-11-26 15:36 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll
2008-11-26 15:36 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2008-11-26 15:35 19,569 a------- c:\windows\003324_.tmp
2008-11-26 15:11 11,985,408 ac------ c:\windows\system32\dllcache\ieframe.dll
2008-11-26 15:11 3,670,112 ac------ c:\windows\system32\dllcache\ieapfltr.dat
2008-11-26 15:11 1,778,688 ac------ c:\windows\system32\dllcache\iertutil.dll
2008-11-26 15:11 1,216,512 ac------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-26 15:11 580,608 ac------ c:\windows\system32\dllcache\msfeeds.dll
2008-11-26 15:11 443,392 ac------ c:\windows\system32\dllcache\ieapfltr.dll
2008-11-26 15:11 61,952 ac------ c:\windows\system32\dllcache\icardie.dll
2008-11-26 15:11 53,760 ac------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-26 15:10 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-11-26 15:10 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-11-26 15:10 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 15:05 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-11-26 15:00 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-11-26 12:59 <DIR> --d----- c:\documents and settings\jim m\SecurityScans
2008-11-24 17:06 <DIR> --d----- c:\program files\Panda Security
2008-11-24 16:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-24 16:37 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-24 16:37 <DIR> --d----- c:\docume~1\jimm~1\applic~1\SUPERAntiSpyware.com
2008-11-20 10:26 <DIR> --d----- c:\program files\MSECACHE
2008-11-17 15:57 <DIR> --d----- c:\program files\Bazooka Scanner

==================== Find3M ====================

2008-12-04 18:28 44,544 a------- c:\windows\system32\alg.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 16:54 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-29 11:46 81,984 a------- c:\windows\system32\bdod.bin
2008-11-11 15:33 5 a------- c:\windows\system32\drivers\DELL_INS_530.MRK
2008-11-11 15:33 5 a------- c:\windows\system32\drivers\1028_Dell_INS_530.mrk
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-24 07:48 18,530 a------- c:\windows\system32\MyApplicationData.dat
2008-08-19 18:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 4:48:45.64 ===============
baggyman1 is offline  
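The "Pseudo HJT Report" section of the log above is the part an analyst reads first: browser helper objects, toolbars, autoruns and IE menu extensions, each with the file it loads. As an added example (not something posted in this thread, and not a feature of DDS or HijackThis), here is a small Python triage script that parses those BHO/TB/Run/IE lines, reports identifiers listed more than once, and flags any entry whose file lives outside the Program Files or Windows trees. The sample input reuses a few lines from the log above plus one constructed `uRun: [Updater]` line pointing into a temp folder that is not in the posted log; the trusted-root list is an assumption of this example, not an authoritative rule.

```python
"""Added example: triage the 'Pseudo HJT Report' section of a DDS log.

Not a DDS/HijackThis feature; the trusted-root list and the sample
'Updater' line are assumptions constructed for this illustration.
"""
import re
from collections import Counter

# Sample input: lines copied from the DDS log in this thread, plus ONE
# constructed line (uRun: [Updater] ...) that is NOT in the posted log.
SAMPLE_REPORT = r"""
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
uRun: [Updater] c:\docume~1\user~1\locals~1\temp\updater.exe
"""

# One report line: "<kind>: <rest>"
LINE_RE = re.compile(r"^(?P<kind>[umd]?Run|BHO|TB|IE|Handler|Notify|SSODL|SEH):\s*(?P<rest>.*)$")

# A file path inside the target text: quoted, rooted at a drive or %var%, or a bare name.
PATH_RE = re.compile(
    r'"(?P<quoted>[^"]+)"'
    r'|(?P<rooted>(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|sys|ocx|com))'
    r'|(?P<bare>[\w~.!-]+\.(?:exe|dll|sys|ocx|com))',
    re.IGNORECASE,
)

# Assumed "expected" locations for browser add-ons and autoruns (lower case).
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%windir%")


def parse_report(text):
    """Return a list of (kind, identifier, target) tuples, one per report line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind.endswith("Run"):
            # Autorun lines look like:  [Name] "path\to\file.exe" args
            name_end = rest.find("]")
            ident, target = rest[1:name_end], rest[name_end + 1:]
        else:
            # Everything else looks like:  {CLSID or menu text} - path\to\file.dll
            ident, _, target = rest.partition(" - ")
        entries.append((kind, ident.strip(), target.strip()))
    return entries


def extract_path(target):
    """Pull the file path out of a target; quotes, arguments and resource
    suffixes such as '/201' are dropped.  rundll32 lines are followed into
    the DLL they load, because that DLL is the real payload."""
    m = PATH_RE.search(target)
    if not m:
        return target.strip()
    path = next(g for g in m.groups() if g)
    if path.lower() == "rundll32.exe":
        inner = PATH_RE.search(target, m.end())
        if inner:
            path = next(g for g in inner.groups() if g)
    return path


def classify_path(path):
    """'bare' (resolved through PATH, the log cannot say where), 'trusted' or 'untrusted'."""
    p = path.lower()
    if "\\" not in p:
        return "bare"
    return "trusted" if p.startswith(TRUSTED_ROOTS) else "untrusted"


def triage(text):
    """Summarise a report: entry count, identifiers seen twice, entries outside trusted roots."""
    entries = parse_report(text)
    seen = Counter((kind, ident) for kind, ident, _ in entries)
    duplicates = sorted(f"{kind} {ident}" for (kind, ident), n in seen.items() if n > 1)
    flagged = [(kind, ident, extract_path(target))
               for kind, ident, target in entries
               if classify_path(extract_path(target)) == "untrusted"]
    return {"entries": len(entries), "duplicates": duplicates, "flagged": flagged}


if __name__ == "__main__":
    report = triage(SAMPLE_REPORT)
    print(f"{report['entries']} entries parsed")
    for dup in report["duplicates"]:
        print("listed more than once:", dup)
    for kind, ident, path in report["flagged"]:
        print(f"outside trusted roots: {kind} [{ident}] -> {path}")
```

A duplicate identifier is usually just the same toolbar registered for both the machine and the current user, as with the two `TB:` pairs above, so it is a reading aid rather than a verdict; the location check is the stronger signal, since autoruns launched from a profile's temp folder are far more often unwanted than those under Program Files.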
Old 12-17-2008, 06:13 PM   #15 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Hello, baggyman1
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u"; it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

We Need to Clean Up Our Mess
  1. Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  2. Double click the icon.
  3. Push the large "Cleanup" button.
  4. Allow your system to reboot.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  3. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.
  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

BillyIII
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-18-2008, 06:26 AM   #16 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Hi Billy,

Thank you so much for cleaning up my computer. It is running well, now. I am still showing files for BitDefender (which I removed weeks ago in control panel), but they don't seem to be causing a prob.

As for antivirus and malware programs...I have Avast free, home edition, CCleaner, Malwarebytes and SuperAntiSpyware already on the system.

Is windows xp firewall efficient enough or should I get another and disable the first? Sunbelt seemed to conflict with the other stuff.

Windows is blocking my opening of HostMan. ???

Do I need anything else?
baggyman1 is offline  
Old 12-18-2008, 04:52 PM   #17 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

Quote:
Is windows xp firewall efficient enough or should I get another and disable the first? Sunbelt seemed to conflict with the other stuff.
Windows' firewall should be sufficient :)

Quote:
Windows is blocking my opening of HostMan. ???
Could you please elaborate a little further? Do you get an error message? What is the exact text? Are you running HostMan with administrative rights?

Sometimes AV programs will attempt to block access to the hosts file because it can be used for bad as well as for good. I.e. if I did something like
google.com 1.2.3.4 #some bad IP address...

Disabling your AV while you install the HOSTS file may help :)

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
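The point made above, that the hosts file blocks ads when a name is mapped to a loopback address but can just as easily send a real site somewhere else, is easy to check for. As an added example (not part of HostMan, the MVPs hosts file, or anything posted in this thread), here is a Python audit script that reads a hosts file and separates blocking entries (names mapped to `0.0.0.0`, `127.0.0.1` or `::1`) from redirects (names mapped to any other address), which are the ones worth verifying by hand. The hosts file expects the address first and the name second, so the script also reports lines written the other way round as malformed. The sample content is constructed for this example; `198.51.100.4` is a documentation address, not a real redirect target, and the default Windows path is used only when no file is given on the command line.

```python
"""Added example: audit a Windows hosts file for redirect entries.

Not part of HostMan or the MVPs hosts file; the sample content below is
constructed for this illustration (198.51.100.4 is a documentation
address, not a real redirect target).
"""
import ipaddress
import sys

# Standard location on Windows; pass another path on the command line to override.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: stock loopback lines, two MVPs-style blocking lines,
# a constructed redirect of a real domain, and a line in the reversed
# "name address" order (hosts files expect the address first).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # blocking entry with trailing comment
198.51.100.4    google.com
google.com 1.2.3.4
"""


def parse_hosts(text):
    """Yield (address_text, [names]) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, then whitespace
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def audit_hosts(text):
    """Classify every mapping in a hosts file.

    sinkholed  - name mapped to a loopback/unspecified address (MVPs style block)
    redirected - name mapped to any other address (what a hostile edit looks like)
    malformed  - first field is not an IP address at all
    """
    result = {"sinkholed": [], "redirected": [], "malformed": []}
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            result["malformed"].append(" ".join([addr_text, *names]))
            continue
        for name in names:
            if name.lower() == "localhost":
                continue  # the stock entries every hosts file carries
            if addr.is_loopback or addr.is_unspecified:
                result["sinkholed"].append(name)
            else:
                result["redirected"].append((name, str(addr)))
    return result


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; auditing the built-in sample instead")
        text = SAMPLE_HOSTS
    report = audit_hosts(text)
    print(f"{len(report['sinkholed'])} names sinkholed (blocking entries)")
    for name, addr in report["redirected"]:
        print(f"REDIRECT: {name} -> {addr}   (verify this is intentional)")
    for line in report["malformed"]:
        print(f"MALFORMED: {line!r} (expected: <address> <name>)")
    return 1 if report["redirected"] or report["malformed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments on a Windows machine to audit the live hosts file, or pass a saved copy as the first argument. A large MVPs-style file produces thousands of sinkholed names and no redirects; any redirect line on a home machine deserves a second look, which is also why an antivirus product guards the file and may stop HostMan from writing to it.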
Old 12-20-2008, 08:17 AM   #18 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Hi! Billy,

My machine is running fine right now, and I shall leave well enough alone.

However...my wife's is not. There appears to be an IRP stack shortage. I have changed the registry by increasing the quantity of available stacks, but it has done no good.

Here is what's happening:

"Windows has shut down....not enough IRP stacks available...", all on a blue screen. Begins dumping memory.

Once this happens (within 60 secs of boot up) I am unable to run any applications. When I boot in safe mode, I am unable to remove any newly installed software. I get a msg that Windows install is not avail. I checked in services and found it on manual and off. Changed it to automatic and tried to start it. It would not start.

Another thing that I noticed is that almost all the memory on the HD is used up. Only 3% of 80 gig is available.

Any ideas?
jim
baggyman1 is offline  
Old 12-20-2008, 09:20 AM   #19 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: malware on system

I'm confused.. is this on a different machine?

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 12-20-2008, 10:11 AM   #20 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 11
OS: xp


Re: malware on system

Yes, it is, and it just occurred to me that I probably need to post it as a separate issue. Correct?
baggyman1 is offline  
All times are GMT -7. The time now is 02:47 AM.
Copyright 2001 - 2009, Tech Support Forum