03-12-2009, 06:23 AM   #1
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp

Malware/Virus disaster

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jez at 13:13:49.87 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &VSToolBar: {821f87ff-8245-4972-9e28-732e92ec2f51} - c:\program files\vstoolbar\VSToolBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [POINTER] point32.exe
mRun: [ohqd] c:\windows\ohqd.exe
mRun: [jsnwnyt] c:\windows\jsnwnyt.exe
mRun: [gngh] c:\windows\gngh.exe
mRun: [Gene USB Monitor] c:\windows\system32\UMonit2K.exe
mRun: [BDMCon] "c:\program files\softwin\bitdefender10\bdmcon.exe" /reg
mRun: [BDAgent] "c:\program files\softwin\bitdefender10\bdagent.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: yahoo.com\sports
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Canasta - hxxp://download.games.yahoo.com/games/clients/y/yt1_x.cab
DPF: Yahoo! Cribbage - hxxp://download.games.yahoo.com/games/clients/y/it1_x.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt1_x.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - hxxp://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - hxxp://advnt01.com/dialer/int_ver34.CAB
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
Notify: mllji - c:\windows\system32\mllji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-10 21:44 311 ---shr-- C:\autorun.inf
2009-03-10 16:01 <DIR> --d----- c:\docume~1\jez\applic~1\Malwarebytes
2009-03-10 15:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-10 15:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 15:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 15:50 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-10 15:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2009-03-10 15:28 <DIR> --d----- c:\program files\Security Task Manager
2009-03-10 14:55 <DIR> --d----- c:\docume~1\jez\applic~1\Bitdefender
2009-03-10 12:48 81,984 a------- c:\windows\system32\bdod.bin
2009-03-10 12:41 <DIR> --d----- c:\program files\Softwin
2009-03-10 12:41 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\BitDefender
2009-03-10 12:39 <DIR> --d----- c:\program files\common files\Softwin

==================== Find3M ====================

2008-12-31 17:04 691,560 a------- c:\windows\system32\OGACheckControl.dll
2008-12-31 17:04 528,744 a------- c:\windows\system32\OGAVerify.exe
2008-12-31 17:04 502,120 a------- c:\windows\system32\OGAAddin.dll
2008-12-21 10:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-18 13:38 351,744 a------- c:\windows\system32\avisynth.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-09 13:35 25,808 a------- c:\docume~1\jez\applic~1\GDIPFONTCACHEV1.DAT
2007-07-13 16:36 92,064 a------- c:\documents and settings\jez\mqdmmdm.sys
2007-07-13 16:36 79,328 a------- c:\documents and settings\jez\mqdmserd.sys
2007-07-13 16:36 66,656 a------- c:\documents and settings\jez\mqdmbus.sys
2007-07-13 16:36 9,232 a------- c:\documents and settings\jez\mqdmmdfl.sys
2007-07-13 16:36 6,208 a------- c:\documents and settings\jez\mqdmcmnt.sys
2007-07-13 16:36 5,936 a------- c:\documents and settings\jez\mqdmwhnt.sys
2007-07-13 16:36 4,048 a------- c:\documents and settings\jez\mqdmcr.sys
2007-07-13 16:36 25,600 a------- c:\documents and settings\jez\usbsermptxp.sys
2007-07-13 16:36 22,768 a------- c:\documents and settings\jez\usbsermpt.sys
2006-10-02 22:43 833,408 a--sh--- c:\windows\system32\ijllm.bak1
2006-10-04 13:28 802,094 a--sh--- c:\windows\system32\ijllm.bak2
2006-10-04 17:14 802,454 a--sh--- c:\windows\system32\ijllm.ini2
2007-07-16 22:43 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-13 03:07 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101320081014\index.dat

============= FINISH: 13:14:43.51 ===============

*original post*

Well,

Yesterday I began using Google only to notice that when I clicked on any link, it went to a random redirected link where they would be selling something etc.

With that I went to AVG and tried to update to test for viruses and the connection to updates was completely unavailable; I uninstalled AVG and installed BitDefender for the same outcome.

Today, to address the problem, I went on a forum much like this one and it told me to use Malwarebytes Anti-Malware. I did this and whatever I have also refused to allow me to even open this.

I then changed the names of all the .exe files in the program folder and was able to open and run the programs. I removed the threats as the forum advised me to do and now when I restart my desktop I am getting recurring svchost.exe application errors.

I attempted a system restore but it appears to have gotten there too, as it assures me that I need to restart my computer, which inevitably leads me back to the same error message.

If anyone could talk me through the repair of my PC in terms that I am an outside chance of understanding, that would be absolutely brilliant.

Forgive my naivety in advance as I may struggle.

I cannot post the GMER log as the state that my window is in will not allow me to save the thing.

I believe in my attempts to fix it myself I might have compounded my issues enormously.

Currently my biggest issue is the error 'svchost.exe - application error'.
It explains: "The instruction at "0x000008" (etc. that is an example only) The memory cannot be "read". Click OK to terminate the program."

It does this repeatedly every time I attempt to use IE and just repeats itself over and over.
Last edited by TheBruce1; 03-12-2009 at 07:36 AM.
jeremyal is offline  
03-12-2009, 09:16 AM   #2
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3

Re: Malware/Virus disaster

Greetings jeremyal and Welcome to TechSupportForum,

Your system is badly infected...you have a Vundo infection among other things. Let's start by uninstalling some problem software. Some of these you may be able to reinstall later on when we are certain the system is clean.

Before we start however, I'd like you to take a look at The risks involved when playing online poker.

For the time being, let's uninstall these:
  • Adobe Acrobat 4.0 (way out of date...and exploited. We will install the latest version once we are convinced the system is clean)
  • AdWare & SpyWare
  • dBpowerAMP Ogg Vorbis Codec
  • Full Tilt Poker
  • J2SE Runtime Environment 5.0 Update 10
    (All of these Java components are out of date...some are even exploited. Again, we will install the latest version when the system is cleaned.)
  • J2SE Runtime Environment 5.0 Update 11
  • J2SE Runtime Environment 5.0 Update 5
  • J2SE Runtime Environment 5.0 Update 6
  • J2SE Runtime Environment 5.0 Update 8
  • J2SE Runtime Environment 5.0 Update 9
  • Java(TM) 6 Update 2
  • Java(TM) SE Runtime Environment 6 Update 1
  • Lesbian Carpet Munchers 18+ Screensaver
  • LiveReg (Symantec Corporation)
  • LiveUpdate 1.80 (Symantec Corporation)
  • Microsoft AntiSpyware
  • PokerStars
  • Soft & Wireless SMS Manager Viewer 1.1
  • Spybot - Search & Destroy 1.4 (there's a newer version of this program that we can install later if you would like)
  • SpyHunter
  • VSToolbar for Internet Explorer


When you finish uninstalling, please reboot the system to properly record the changes made to the hard disk.

When the system comes back up:
Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post that log back here on your next reply. Thanks!
1972vet is offline  
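As an added example (not part of this thread, and not code from DDS, ComboFix or any other tool named here): a small triage script that scans DDS/ComboFix-style log lines for the kinds of indicators the analyst is reacting to above, so a reader can see which entries make a log like this one read as "badly infected". The rule patterns, the XP Winlogon Notify allowlist and the sample lines are constructed for illustration from entries visible in this thread's logs, and the scan date is assumed to be the ComboFix run date.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Winlogon Notify packages on a stock XP SP3 box (assumed allowlist; extend for your image).
XP_NOTIFY_ALLOWLIST = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Heuristics drawn from the indicators visible in this thread's logs. Every pattern is
# searched case-insensitively against one stripped log line.
RULES = [
    # BHO/toolbar/hook entries whose file is gone: residue of a partial removal.
    ("orphaned_hook_or_bho", re.compile(r"^(?:uURLSearchHooks|BHO|EB|TB):.*- No File$", re.I)),
    # Run entries launching an .exe dropped straight into %windir% (ohqd.exe, jsnwnyt.exe).
    ("run_entry_in_windows_root", re.compile(r'^[um]Run: \[[^\]]+\] "?c:\\windows\\[^\\"]+\.exe', re.I)),
    # ActiveX downloads served from a bare IP, or pointing at an .exe instead of a .cab.
    ("activex_dl_from_ip_or_exe", re.compile(r"^DPF:.* - hxxps?://(?:\d{1,3}\.){3}\d{1,3}/|^DPF:.*\.exe$", re.I)),
    # autorun.inf at a drive root (C:, D:, E: in this thread): removable-media worm behaviour.
    ("autorun_inf_at_drive_root", re.compile(r"\b[a-z]:\\autorun\.inf$", re.I)),
    # 20+ letter pseudo-random driver names are typical of rootkit droppers (gaopdx* here).
    ("long_random_driver_name", re.compile(r"\\drivers\\[a-z]{20,}\.sys$", re.I)),
    # Security Center told to stop warning about AV, and the XP firewall switched off.
    ("security_center_av_override", re.compile(r'^"AntiVirusOverride"=dword:0000000[1-9]', re.I)),
    ("windows_firewall_disabled", re.compile(r'^"EnableFirewall"=\s*0\b', re.I)),
    # MountPoints2 shell verbs rewritten to run a file from the volume (ntde1ect.com).
    ("removable_drive_autorun_hijack", re.compile(r"^\\Shell\\(?:AutoRun|open|explore)\\command - ", re.I)),
]
NOTIFY_RE = re.compile(r"^Notify: (\S+) - ", re.I)
DATED_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}")


def triage(log_text: str, scan_date: date) -> list:
    """Return one Finding per (rule, line) that fires; a line may trigger several rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
        m = NOTIFY_RE.match(line)
        if m and m.group(1).lower() not in XP_NOTIFY_ALLOWLIST:
            findings.append(Finding("unknown_winlogon_notify_dll", line))
        m = DATED_RE.match(line)
        if m:
            try:
                stamp = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            except ValueError:
                stamp = None
            # A file "created" after the scan ran carries a forged timestamp (2111-02-20 here).
            if stamp is not None and stamp > scan_date:
                findings.append(Finding("file_timestamp_in_future", line))
    return findings


def summarize(findings) -> dict:
    """Map rule name -> number of lines that triggered it."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: a handful of lines copied from the DDS and ComboFix output in this
# thread, plus a few benign lines to show the rules do not fire on everything.
SAMPLE_LOG = r"""
uURLSearchHooks: H - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ohqd] c:\windows\ohqd.exe
mRun: [jsnwnyt] c:\windows\jsnwnyt.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
Notify: mllji - c:\windows\system32\mllji.dll
Notify: crypt32chain - crypt32.dll
DPF: {00000000-0000-0000-0000-000020040000} - hxxp://207.234.185.217/ABoxInst_int14.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
2009-03-10 21:44 311 ---shr-- C:\autorun.inf
2009-03-10 15:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2111-02-20 13:21 . 2111-02-20 13:21 3,120 --a--c--- c:\windows\MF_C421.lfa
c:\windows\system32\drivers\gaopdxnsftirprrwbwhwixwdurldujpwciyqdg.sys
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - ntde1ect.com
"""
SCAN_DATE = date(2009, 3, 13)  # assumed: the ComboFix run date in this thread


def triage_sample():
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.rule:32} {f.line}")
    print(summarize(triage_sample()))
```

The rules are deliberately narrow heuristics for this kind of log; a hit means "look here first", not "delete this".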
03-12-2009, 10:42 PM   #3
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp

Re: Malware/Virus disaster

ComboFix 09-03-12.01 - Jez 2009-03-13 15:02:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.156 [GMT 11:00]
Running from: c:\documents and settings\Jez\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users.WINDOWS\Application Data\salesmonitor
c:\documents and settings\Jez\Application Data\searchtoolbarcorp
c:\documents and settings\Jez\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
c:\documents and settings\Jez\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\searchtoolbarcorp
c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\kmd.exe
c:\program files\Common Files\{CCE00~1
c:\recycler\S-5-8-64-100024735-100014936-100013146-1134.com
c:\windows\IE4 Error Log.txt
c:\windows\system32\components
c:\windows\system32\drivers\gaopdxnsftirprrwbwhwixwdurldujpwciyqdg.sys
c:\windows\system32\drivers\gaopdxnvogrklfrmupmctnskapfmqxenquvmkm.sys
c:\windows\system32\drivers\gaopdxwfdiohcnurkhlkgworiycksjjjpirjkn.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxeoofshqrcmrkomrfstwqyqdhpelwcjl.dll
c:\windows\system32\ijllm.bak1
c:\windows\system32\ijllm.bak2
c:\windows\system32\ijllm.ini
c:\windows\system32\ijllm.ini2
c:\windows\system32\ijllm.tmp
c:\windows\system32\mcrh.tmp
D:\Autorun.inf
d:\recycler\S-4-5-70-100013077-100029717-100018891-9302.com
d:\recycler\S-5-8-64-100024735-100014936-100013146-1134.com
E:\Autorun.inf
e:\recycler\S-4-5-70-100013077-100029717-100018891-9302.com
e:\recycler\S-5-8-64-100024735-100014936-100013146-1134.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2111-02-20 13:21 . 2111-02-20 13:21 3,120 --a--c--- c:\windows\MF_C421.lfa
2111-02-20 13:21 . 2111-02-20 13:21 3,120 --a--c--- c:\windows\MF_C420.lfa
2009-03-11 14:06 . 2009-03-11 14:06 <DIR> d-------- c:\program files\Common Files\DriveCleaner Freeware
2009-03-11 14:05 . 2009-03-11 14:05 16,384 --a------ c:\windows\system32\ustart.exe
2009-03-10 21:39 . 2009-03-10 21:39 <DIR> d-------- c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\Bitdefender
2009-03-10 21:39 . 2009-03-10 21:39 <DIR> d-------- c:\documents and settings\kathy.HOME-AYDS4POTTY\Application Data\Bitdefender
2009-03-10 16:01 . 2009-03-10 16:01 <DIR> d-------- c:\documents and settings\Jez\Application Data\Malwarebytes
2009-03-10 15:50 . 2009-03-10 16:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 15:50 . 2009-03-10 15:50 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-10 15:50 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 15:50 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 15:28 . 2009-03-10 15:28 <DIR> d-------- c:\program files\Security Task Manager
2009-03-10 15:28 . 2009-03-10 15:32 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
2009-03-10 14:55 . 2009-03-10 14:55 <DIR> d-------- c:\documents and settings\Jez\Application Data\Bitdefender
2009-03-10 12:48 . 2009-03-13 15:27 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-10 12:41 . 2009-03-10 12:41 <DIR> d-------- c:\program files\Softwin
2009-03-10 12:41 . 2009-03-10 12:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\BitDefender
2009-03-10 12:39 . 2009-03-10 12:42 <DIR> d-------- c:\program files\Common Files\Softwin
2009-03-05 21:35 . 2009-03-05 21:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 03:29 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-13 03:26 --------- d-----w c:\program files\Enigma Software Group
2009-03-13 03:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 03:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-13 03:25 --------- d-----w c:\program files\PokerStars
2009-03-13 03:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-03-13 02:56 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-13 02:54 --------- d-----w c:\program files\Java
2009-03-13 02:39 --------- d-----w c:\program files\Full Tilt Poker
2009-03-13 02:30 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 01:49 --------- d-----w c:\program files\Instant CD & DVD Burner
2009-03-11 01:48 --------- d-----w c:\program files\BitComet
2009-03-10 04:32 --------- d-----w c:\program files\Google
2009-03-08 03:39 --------- d-----w c:\documents and settings\Jez\Application Data\FrostWire
2009-02-03 05:28 --------- d-----w c:\documents and settings\Jez\Application Data\Any Video Converter
2009-01-21 13:01 --------- d-----w c:\program files\PPStream
2009-01-21 13:01 --------- d-----w c:\documents and settings\Jez\Application Data\ppstream
2009-01-13 12:24 --------- d-----w c:\program files\Bonjour
2009-01-13 12:24 --------- d-----w c:\program files\Apple Software Update
2009-01-13 12:22 --------- d-----w c:\program files\iTunes
2009-01-13 12:22 --------- d-----w c:\program files\iPod
2009-01-13 12:22 --------- d-----w c:\program files\Common Files\Apple
2009-01-13 12:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-13 12:19 --------- d-----w c:\program files\QuickTime Alternative
2009-01-13 12:03 --------- d-----w c:\program files\Safari
2008-12-09 02:35 25,808 ----a-w c:\documents and settings\Jez\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 06:31 21,920 -c--a-w c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\GDIPFONTCACHEV1.DAT
2007-07-14 06:21 92,064 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmmdm.sys
2007-07-14 06:21 9,232 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmmdfl.sys
2007-07-14 06:21 79,328 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmserd.sys
2007-07-14 06:21 66,656 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmbus.sys
2007-07-14 06:21 6,208 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmcmnt.sys
2007-07-14 06:21 5,936 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmwhnt.sys
2007-07-14 06:21 4,048 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmcr.sys
2007-07-14 06:21 25,600 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\usbsermptxp.sys
2007-07-14 06:21 22,768 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\usbsermpt.sys
2007-07-13 05:36 92,064 ----a-w c:\documents and settings\Jez\mqdmmdm.sys
2007-07-13 05:36 9,232 ----a-w c:\documents and settings\Jez\mqdmmdfl.sys
2007-07-13 05:36 79,328 ----a-w c:\documents and settings\Jez\mqdmserd.sys
2007-07-13 05:36 66,656 ----a-w c:\documents and settings\Jez\mqdmbus.sys
2007-07-13 05:36 6,208 ----a-w c:\documents and settings\Jez\mqdmcmnt.sys
2007-07-13 05:36 5,936 ----a-w c:\documents and settings\Jez\mqdmwhnt.sys
2007-07-13 05:36 4,048 ----a-w c:\documents and settings\Jez\mqdmcr.sys
2007-07-13 05:36 25,600 ----a-w c:\documents and settings\Jez\usbsermptxp.sys
2007-07-13 05:36 22,768 ----a-w c:\documents and settings\Jez\usbsermpt.sys
2004-03-04 22:43 13,568 -c--a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 11:43 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-12 16:07 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Gene USB Monitor"="c:\windows\system32\UMonit2K.exe" [2002-12-18 40960]
"BDMCon"="c:\program files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 290816]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 c:\windows\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.DivXa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jez^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Jez\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^kathy.HOME-AYDS4POTTY^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\kathy.HOME-AYDS4POTTY\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Terry.HOME-AYDS4POTTY^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Terry.HOME-AYDS4POTTY\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-28 00:08 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-08-25 17:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}]
-ra--c--- 2001-11-27 03:41 90112 c:\program files\Telstra\Signup\tbpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"MrobeService"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\StubInstaller.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23039:TCP"= 23039:TCP:BitComet 23039 TCP
"23039:UDP"= 23039:UDP:BitComet 23039 UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914beba2-770c-11dd-8e83-0004e20e02a8}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-10 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-_{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
Toolbar-{821F87FF-8245-4972-9E28-732E92EC2F51} - c:\program files\VSToolbar\VSToolBar.dll
WebBrowser-{821F87FF-8245-4972-9E28-732E92EC2F51} - c:\program files\VSToolbar\VSToolBar.dll
HKLM-Run-ohqd - c:\windows\ohqd.exe
HKLM-Run-jsnwnyt - c:\windows\jsnwnyt.exe
HKLM-Run-gngh - c:\windows\gngh.exe
HKLM-Run-POINTER - point32.exe
Notify-mllji - c:\windows\system32\mllji.dll
Notify-winyme32 - winyme32.dll
MSConfigStartUp-180sa - c:\program files\180search assistant\180sa.exe
MSConfigStartUp-AdStatus Service - c:\program files\AdStatus Service\AdStatServ.exe
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-DataLayer - c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
MSConfigStartUp-gcasServ - c:\program files\Microsoft AntiSpyware\gcasServ.exe
MSConfigStartUp-Internet Optimizer - c:\program files\Internet Optimizer\optimize.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
MSConfigStartUp-ProSiteFinder - c:\program files\ProSiteFinder\ProSiteFinder.exe
MSConfigStartUp-Salestart - c:\program files\Common Files\DriveCleaner Freeware\dcsm.exe
MSConfigStartUp-SpyHunter - c:\program files\Enigma Software Group\SpyHunter\SpyHunter.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_02\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
Trusted Zone: yahoo.com\sports
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {00000000-0000-0000-0000-000020040000} - hxxp://207.234.185.217/ABoxInst_int14.exe
DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - hxxp://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - hxxp://advnt01.com/dialer/int_ver34.CAB
DPF: {b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} - hxxp://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 15:27:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-03-13 15:32:51
ComboFix-quarantined-files.txt 2009-03-13 04:31:31

Pre-Run: 5,340,688,384 bytes free
Post-Run: 12,395,114,496 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=2,3,4,5
268 --- E O F --- 2009-03-05 10:02:01


Looks to be on the improve already; at least the svchost errors have disappeared.
jeremyal is offline  
Old 03-14-2009, 11:53 AM   #4 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Malware/Virus disaster

Some of the programs below were already listed as programs that should be removed. It's not uncommon that poorly written software either has no uninstall string or else may not uninstall properly if it does...but let's take another look and see if you can find an uninstall string for the following software:
BitComet
DriveCleaner Freeware
FrostWire
Full Tilt Poker
LimeWire
PokerStars
PPStream
utorrent

...and I doubt you will find one for all of those but for any of them listed in your add/remove programs, please try to run the uninstaller to remove them. When finished, please reboot the system.

When the system comes back up, please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in the quote box and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file. Please post back the new log that will be generated. Thanks!

Quote:
http://www.techsupportforum.com/secu...ml#post2018152

KILLALL::


File::
c:\windows\system32\ntde1ect.com


Collect::
c:\windows\system32\ustart.exe


Folder::
c:\program files\Common Files\DriveCleaner Freeware
c:\program files\PokerStars
c:\program files\Full Tilt Poker
c:\program files\BitComet
c:\documents and settings\Jez\Application Data\FrostWire
c:\program files\PPStream
c:\documents and settings\Jez\Application Data\ppstream
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
c:\windows\pss\LimeWire
c:\documents and settings\Terry.HOME-AYDS4POTTY\Start Menu\Programs\Startup\LimeWire
c:\Program Files\utorrent


Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^kathy.HOME-AYDS4POTTY^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Terry.HOME-AYDS4POTTY^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\utorrent\utorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23039:TCP"=-
"23039:UDP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914beba2-770c-11dd-8e83-0004e20e02a8}]
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 03-15-2009, 04:41 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: Malware/Virus disaster

I left the room while ComboFix was running and my computer restarted; when I logged back on, ComboFix was preparing the log.

No IE window opened to my knowledge.

Here is the log that eventuated:

FILE ::
c:\windows\system32\ntde1ect.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll
c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
c:\program files\Full Tilt Poker
c:\program files\Full Tilt Poker\10296.xml
c:\program files\Full Tilt Poker\application.prefs
c:\program files\Full Tilt Poker\Cache\42D4EB830001.dc
c:\program files\PokerStars
c:\program files\PokerStars\_update2.dat
c:\program files\PokerStars\_update2black.dat
c:\program files\PokerStars\_update2gf.dat
c:\program files\PokerStars\notes.txt
c:\program files\PokerStars\notes.txt.0
c:\program files\PokerStars\stub.log.0
c:\program files\PokerStars\Uninstall.DAT
c:\program files\PokerStars\Uninstall.EXE
c:\program files\PokerStars\user.ini
c:\program files\PokerStars\user.ini.bak
c:\program files\PPStream
c:\program files\PPStream\1.1.0.2621\fds.dll
c:\program files\PPStream\1.1.0.2621\fds.dll.tmp
c:\program files\PPStream\1.1.0.2621\livenet.dll.tmp
c:\program files\PPStream\1.1.0.2621\powerlist.ocx
c:\program files\PPStream\1.1.0.2621\powerplayer.dll
c:\program files\PPStream\1.1.0.2621\pp2play.dll
c:\program files\PPStream\1.1.0.2621\ppsimage.dll
c:\program files\PPStream\1.1.0.2621\psclg.dll.tmp
c:\program files\PPStream\1.1.0.2621\psnetwork.dll
c:\program files\PPStream\1.1.0.2627\pp2play.dll.tmp
c:\program files\PPStream\1.1.0.2627\psclg.dll
c:\windows\system32\ustart.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2111-02-20 13:21 . 2111-02-20 13:21 3,120 --a--c--- c:\windows\MF_C421.lfa
2111-02-20 13:21 . 2111-02-20 13:21 3,120 --a--c--- c:\windows\MF_C420.lfa
2009-03-10 16:01 . 2009-03-10 16:01 <DIR> d-------- c:\documents and settings\Jez\Application Data\Malwarebytes
2009-03-10 15:50 . 2009-03-10 16:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 15:50 . 2009-03-10 15:50 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-10 15:50 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 15:50 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 15:28 . 2009-03-10 15:28 <DIR> d-------- c:\program files\Security Task Manager
2009-03-10 15:28 . 2009-03-10 15:32 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
2009-03-10 12:48 . 2009-03-15 21:19 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-10 12:41 . 2009-03-15 21:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\BitDefender
2009-03-10 12:39 . 2009-03-15 21:20 <DIR> d-------- c:\program files\Common Files\Softwin
2009-03-05 21:35 . 2009-03-05 21:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 03:29 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-13 03:26 --------- d-----w c:\program files\Enigma Software Group
2009-03-13 03:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 03:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-13 03:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-03-13 02:56 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-13 02:54 --------- d-----w c:\program files\Java
2009-03-13 02:30 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 01:49 --------- d-----w c:\program files\Instant CD & DVD Burner
2009-03-10 04:32 --------- d-----w c:\program files\Google
2009-02-03 05:28 --------- d-----w c:\documents and settings\Jez\Application Data\Any Video Converter
2008-12-09 02:35 25,808 ----a-w c:\documents and settings\Jez\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 06:31 21,920 -c--a-w c:\documents and settings\Terry.HOME-AYDS4POTTY\Application Data\GDIPFONTCACHEV1.DAT
2007-07-14 06:21 92,064 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmmdm.sys
2007-07-14 06:21 9,232 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmmdfl.sys
2007-07-14 06:21 79,328 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmserd.sys
2007-07-14 06:21 66,656 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmbus.sys
2007-07-14 06:21 6,208 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmcmnt.sys
2007-07-14 06:21 5,936 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmwhnt.sys
2007-07-14 06:21 4,048 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\mqdmcr.sys
2007-07-14 06:21 25,600 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\usbsermptxp.sys
2007-07-14 06:21 22,768 ----a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\usbsermpt.sys
2007-07-13 05:36 92,064 ----a-w c:\documents and settings\Jez\mqdmmdm.sys
2007-07-13 05:36 9,232 ----a-w c:\documents and settings\Jez\mqdmmdfl.sys
2007-07-13 05:36 79,328 ----a-w c:\documents and settings\Jez\mqdmserd.sys
2007-07-13 05:36 66,656 ----a-w c:\documents and settings\Jez\mqdmbus.sys
2007-07-13 05:36 6,208 ----a-w c:\documents and settings\Jez\mqdmcmnt.sys
2007-07-13 05:36 5,936 ----a-w c:\documents and settings\Jez\mqdmwhnt.sys
2007-07-13 05:36 4,048 ----a-w c:\documents and settings\Jez\mqdmcr.sys
2007-07-13 05:36 25,600 ----a-w c:\documents and settings\Jez\usbsermptxp.sys
2007-07-13 05:36 22,768 ----a-w c:\documents and settings\Jez\usbsermpt.sys
2004-03-04 22:43 13,568 -c--a-w c:\documents and settings\kathy.HOME-AYDS4POTTY\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 11:43 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-12 16:07 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101320081014\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_15.30.01.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2008-10-15 22:27:50 142,832 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-13 16:03:25 142,832 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-25 01:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-08-10 09:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-26 22:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
- 2007-06-11 13:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 07:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Gene USB Monitor"="c:\windows\system32\UMonit2K.exe" [2002-12-18 40960]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 c:\windows\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.DivXa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jez^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Jez\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1.WIN^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\docume~1\ALLUSE~1.WIN\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-28 00:08 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-08-25 17:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}]
-ra--c--- 2001-11-27 03:41 90112 c:\program files\Telstra\Signup\tbpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"MrobeService"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\StubInstaller.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
Trusted Zone: yahoo.com\sports
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 21:28:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
.
**************************************************************************
.
Completion time: 2009-03-15 21:36:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 10:35:26
ComboFix2.txt 2009-03-13 04:32:53

Pre-Run: 13,008,596,992 bytes free
Post-Run: 13,005,058,048 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=2,3,4,5
255 --- E O F --- 2009-03-14 13:27:07
jeremyal is offline  
Old 03-15-2009, 09:56 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Malware/Virus disaster

Quote:
...no IE window opened to my knowledge
It must have because the suspect file is now gone. The log looks clean. How's it running for you now?

1972vet is offline  
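A way to check that verdict mechanically, as an added example that is not part of this thread or of ComboFix: the script parses the REGEDIT4-style "Reg Loading Points" sections of the two logs, flags the settings that weaken defences (the AntiVirusOverride value, the disabled firewall, the BitComet port exception and the AutoRun command on the removable drive), and confirms that every item in the CFScript's Registry:: section is gone from the second log. The function names and the trimmed log excerpts are this example's own constructions, built from lines shown in the thread.

```python
"""Audit ComboFix 'Reg Loading Points' output and verify a CFScript's Registry:: deletions.
Added example for this thread, not ComboFix's own code; function names are this example's
own and the log excerpts are constructed from lines shown in the thread."""
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # [key]  or  [-key] (delete the key)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data
SEC_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
MOUNTPOINTS = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2" + "\\"

def parse_regedit4(text):
    """Return {key: {name: data}}, keys lower-cased and REGEDIT4 doubled backslashes unescaped."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("REGEDIT4", ".") or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2).lower()
            reg.setdefault(key, {})
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                reg[key][m.group(1).replace("\\\\", "\\")] = m.group(2).strip()
            elif " - " in line:  # mountpoints2 entries print as '\Shell\AutoRun\command - target'
                name, data = line.split(" - ", 1)
                reg[key][name] = data.strip()
    return reg

def audit(reg):
    """Return (code, message) findings for settings that weaken the machine's defences.
    ComboFix prints only non-default entries, so an absent value means the Windows default."""
    findings = []
    if reg.get(SEC_CENTER, {}).get("AntiVirusOverride", "").endswith(":00000001"):
        findings.append(("av_override", "Security Center antivirus alerts are suppressed"))
    if reg.get(FW_PROFILE, {}).get("EnableFirewall", "1").startswith("0"):
        findings.append(("firewall_off", "Windows Firewall is off for the standard profile"))
    for name, data in reg.get(FW_PROFILE + r"\globallyopenports\list", {}).items():
        if "@xpsp2res.dll" not in data:  # Windows' own VPN exceptions carry a resource string
            findings.append(("open_port", f"non-default open port {name}: {data}"))
    for key, values in reg.items():
        if key.startswith(MOUNTPOINTS):
            for name, data in values.items():
                if "autorun" in name.lower():
                    findings.append(("autorun", f"removable-drive AutoRun launches {data}"))
    return findings

def cfscript_registry_deletions(script):
    """Return {(key, name)} the Registry:: section removes; name is None for a whole key."""
    deletions, key, active = set(), None, False
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith("::"):  # section headers: KILLALL::, File::, Collect::, Folder::, Registry::
            active = line == "Registry::"
        elif active and line:
            m = KEY_RE.match(line)
            if m:
                key = m.group(2).lower()
                if m.group(1) == "-":
                    deletions.add((key, None))
            else:
                m = VALUE_RE.match(line)
                if m and key and m.group(2).strip() == "-":  # "name"=- deletes that value
                    deletions.add((key, m.group(1).lower()))
    return deletions

def unresolved(deletions, reg_after):
    """Deletions whose target still appears in a later dump (a clean run returns [])."""
    def present(key, name):
        return key in reg_after if name is None else name in {n.lower() for n in reg_after.get(key, {})}
    return [d for d in sorted(deletions, key=str) if present(*d)]

# Constructed excerpts: the first log, the CFScript, and the log after ComboFix ran it.
BEFORE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23039:TCP"= 23039:TCP:BitComet 23039 TCP
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914beba2-770c-11dd-8e83-0004e20e02a8}]
\Shell\AutoRun\command - ntde1ect.com"""
CFSCRIPT = r"""File::
c:\windows\system32\ntde1ect.com
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\utorrent\utorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23039:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914beba2-770c-11dd-8e83-0004e20e02a8}]"""
AFTER_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015"""
```

On these excerpts it reports that every Registry:: deletion took effect, but also that AntiVirusOverride is still set, which the second log above shows as well.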
Old 03-15-2009, 07:35 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: Malware/Virus disaster

Brilliantly, to be honest. I'm thrilled with the result.
jeremyal is offline  
Old 03-16-2009, 07:38 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 564
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Malware/Virus disaster

Great! Now let's install the latest versions of the outdated software we removed.

You can install the latest Adobe Acrobat Here.

Download the latest Java version Here.

Scroll down to the first download link, "Java SE Runtime Environment (JRE) 6 Update 12" and click the "Download" button to the right. Select the platform for "Windows".
  • Check the box that says: "I agree to the Java SE Runtime Environment # License Agreement", then click Continue...The page will refresh
Then, click on the link to download Windows Offline Installation. Save it to your desktop.
Now, from your desktop, double-click on the executable to install the newest version.

Were you interested in installing the latest Spybot Version? If so, download version 1.6.2 Here.

After installation, Go to Start-->Programs-->Spybot - Search & Destroy and when the program opens, click on the mode tab at the top left of the application window and select "advanced". Notice the additional options that now appear in the left pane (column of buttons).

Next, in the left pane, click on the Tools button (near the bottom). In the right pane, you'll see a listing of options...make sure these are checked:
Resident
Browser Pages
IE tweaks
Hosts Files

...there may be others checked (which is fine by the way), but make sure that at least those mentioned above all have checks in the box next to them.

In the menu on the left hand side you should see "Resident"; click there, then in the right pane under "Resident protection status" put a check mark in the box next to "Resident SDHelper (Internet Explorer bad download blocker) active" and remove the check from the box for "Resident TeaTimer (Protection of over-all system settings) active".

Look again to the left pane under the Tools section. From the left pane, click the Hosts File button. Now in the right pane, click the green + Add Spybot-S&D hosts list button.

Next, from the left pane, please click the Spybot-S&D button. From the right side pane, click the button to "Search for Updates" and download and install the Updates (make sure all the updates it found have a check in the box).

When the updates complete, please click "immunize" from the menu on the left. Then in the right pane click the +immunize button...you should see a progress bar as the application begins to immunize the system.

When the progress bar completes, you should see "0" in the Unprotected heading. If you do not, then click the green + Immunize button at the top just above that progress bar. You will see the numbers roll back until it reaches "0".

Next click the "Search and Destroy" button from the left pane menu then click the "check for Problems" button in the right pane.

Spybot will now scan your computer and display in the "problem" window any bad programs it finds. When the scan completes, it may show red, black, and green entries. Please put a check mark next to all the RED entries and click "fix selected problems". When finished, close the application.

Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Kerio Personal Firewall
Zone Alarm
Outpost Free
Comodo (beware of the "Ask" toolbar that's now included; if you don't want it, remove the check from the box during installation)

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Become familiar with the MalwareBytes anti-malware application. Use it often, especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here, where you can also request assistance if you have some concerns about the program's findings.
***Note***
The licensed version provides real time protection and other automatic features otherwise not available.


Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background.

1972vet is offline  
Copyright 2001 - 2009, Tech Support Forum