[RESOLVED] Unknown trojan, Malwarebytes executable deleted - Page 2

  1. #16 (Join Date: Oct 2001, Posts: 352)
    I did delete the files with the exception of the first entry. I couldn't find a "Temporary Internet Files" folder in that directory, even with hidden files/folders in view.


    Other than that, nothing seems to have changed. After a restart, I received the same warning from Adaware and the same problem with it. Earlier in the day, I ran a complete scan in Safe Mode with SUPERantispyware that turned up a number of different threats. When it came time to clean them up, it did its job, but I got one of those countdown to shutdown popups from windows. I managed to get through the final steps before the minute was up, but even that doesn't seem to have helped.

  2. #17 (Join Date: Feb 2004, Location: Mandurah, Western Australia, Posts: 10,157)
    Download gmer.zip: http://www.gmer.net/files.php
    Unzip the file, double-click gmer.exe, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    ==

    You may not hear from me until tomorrow as I am on the way out to watch the fireworks. (Australia Day)

  3. #18 (Join Date: Oct 2001, Posts: 352)
    No worries, have fun watching the fireworks.

    Log to follow...

  4. #19 (Join Date: Oct 2001, Posts: 352)
    Well I'd like to have a log for you, but after I click on "save" after the scan is finished, GMER locks up, with Windows locking up shortly thereafter.

    Should I just run Combofix again?

  5. #20 (Join Date: Feb 2004, Location: Mandurah, Western Australia, Posts: 10,157)
    Yeah, just give ComboFix another run.

  6. #21 (Join Date: Oct 2001, Posts: 352)
    ComboFix 10-01-26.02 - John Bower 01/26/2010 21:14:51.10.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1562 [GMT -8:00]
    Running from: c:\documents and settings\John Bower\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 100126-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\posinobo.dll
    c:\windows\system32\yamiluyu.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-26 01:26 . 2010-01-26 01:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-01-26 01:26 . 2010-01-26 01:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-01-24 08:57 . 2010-01-24 09:34 -------- d-----w- c:\program files\Common Files\BioWare
    2010-01-24 08:44 . 2010-01-24 09:34 -------- d-----w- c:\program files\Mass Effect
    2010-01-24 08:03 . 2010-01-26 06:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-23 02:55 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-01-23 01:20 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-23 01:19 . 2010-01-23 01:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-01-23 01:19 . 2010-01-23 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-23 01:19 . 2010-01-23 01:19 -------- d-----w- c:\program files\Lavasoft
    2010-01-21 09:49 . 2010-01-21 09:49 -------- d-----w- c:\documents and settings\John Bower\Application Data\Leadertech
    2010-01-21 09:40 . 2010-01-21 09:40 -------- d-----w- c:\program files\CAPCOM
    2010-01-18 05:30 . 2010-01-18 05:30 1152563 ----a-w- C:\W1_2007_1920x1200.zip
    2010-01-17 06:37 . 2010-01-17 06:37 -------- d-----w- c:\program files\Electronic Arts
    2010-01-15 19:20 . 2010-01-15 19:20 -------- d-----w- c:\program files\PFPortChecker
    2010-01-01 08:26 . 2010-01-01 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Divinity 2
    2010-01-01 08:21 . 2010-01-01 08:26 -------- d-----w- c:\program files\Divinity II - Ego Draconis - Demo
    2010-01-01 07:54 . 2010-01-01 07:53 16896 ----a-w- c:\windows\system32\grwinsthlp.exe
    2009-12-30 05:40 . 2009-12-30 05:40 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
    2009-12-30 05:29 . 2009-12-30 05:29 -------- d-----w- c:\program files\2K Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-25 22:21 . 2009-05-22 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-24 09:12 . 2009-03-08 00:45 -------- d-----w- c:\documents and settings\John Bower\Application Data\IGN_DLM
    2010-01-21 01:20 . 2009-03-06 07:28 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-21 00:42 . 2009-05-01 08:53 -------- d-----w- c:\program files\Steam
    2010-01-17 06:55 . 2009-03-08 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-16 08:34 . 2009-03-08 01:18 -------- d-----w- c:\program files\MUSICMATCH
    2010-01-16 06:48 . 2009-03-11 06:32 -------- d-----w- c:\program files\AGEIA Technologies
    2009-12-31 05:37 . 2009-05-12 06:04 -------- d-----w- c:\documents and settings\John Bower\Application Data\Broken Rules
    2009-12-31 01:08 . 2009-03-06 08:01 82168 ----a-w- c:\documents and settings\John Bower\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-31 00:47 . 2009-09-16 06:58 -------- d-----w- c:\program files\Ja2 Demo
    2009-12-23 23:35 . 2009-12-23 22:08 -------- d-----w- c:\documents and settings\John Bower\Application Data\Larva Mortus
    2009-12-22 08:47 . 2009-12-22 08:47 -------- d-----w- c:\program files\GOG.com
    2009-12-22 01:39 . 2009-12-22 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\media center programs
    2009-12-22 01:07 . 2009-12-22 01:07 -------- d-----w- c:\program files\Funcom
    2009-12-22 01:06 . 2009-12-22 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Funcom
    2009-12-20 07:32 . 2009-11-13 06:34 -------- d-----w- c:\program files\Activision
    2009-12-17 23:32 . 2009-03-29 06:02 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-12-17 23:08 . 2009-03-08 04:25 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\datijewo.dll
    1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\gefedore.dll
    1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\jebikono.dll.tmp
    1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\tobuvuzi.dll.tmp
    1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\tuhenato.dll.tmp
    2009-06-07 22:35 . 2009-06-07 22:25 991264 --sha-w- c:\windows\system32\drivers\fidbox.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
    "ussshreg"="c:\progra~1\ULEADS~1.0\Ussshreg.exe" [2000-04-21 32768]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2009-08-17 86016]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2009-08-17 13877248]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2002-08-28 40960]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
    c:\combofix\CF20599.cfxxe [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Paradox Interactive\\Majesty 2 (Demo)\\Majesty2-Demo.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\aquaria\\Aquaria.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\time gentlemen, please! - demo\\TGP.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\tachyon the fringe\\Tachyon.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\shadowgrounds survivor\\survivor.exe"=
    "c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\oddworld abes oddysee\\AbeWin.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\hammerfight\\Hammerfight.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe"=
    "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
    "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
    "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
    "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
    "c:\\WINDOWS\\system32\\verclsid.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2010 5:20 PM 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/24/2009 7:54 PM 28544]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/7/2009 9:43 PM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 1:22 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 1:22 PM 72944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/7/2009 9:43 PM 20560]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 1:22 PM 7408]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/7/2009 8:25 PM 717296]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-01-27 c:\windows\Tasks\PandaUSBVaccine.job
    - c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2009-11-07 00:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {F57130FC-9478-4985-B467-E0D2BA23FE67} = 209.18.47.61,209.18.47.62
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\John Bower\Application Data\Mozilla\Firefox\Profiles\n8mto4st.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    SharedTaskScheduler-{8673d8ae-d828-4498-bdf4-739279fad18d} - c:\windows\system32\sigibadi.dll
    SSODL-lowimisew-{8673d8ae-d828-4498-bdf4-739279fad18d} - c:\windows\system32\sigibadi.dll
    MSConfigStartUp-gimaloyan - c:\windows\system32\sigibadi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-26 21:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1801674531-343818398-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:65,1a,70,77,e3,4d,2d,14,b2,9f,15,7e,e7,82,a1,c8,1f,16,66,f5,71,
    ca,52,6c,ab,70,3d,57,ac,d6,ef,8a,82,2a,9d,cc,86,ac,04,77,93,ee,c8,04,f4,9a,\
    "rkeysecu"=hex:65,31,53,92,56,32,11,4b,8e,a4,b1,cc,25,cd,ac,ba
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1136)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\nvsvc32.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Panda USB Vaccine\USBVaccine.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\System32\StkASv2K.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-26 21:32:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-27 05:32
    ComboFix2.txt 2010-01-23 19:10

    Pre-Run: 50,501,238,784 bytes free
    Post-Run: 50,464,546,816 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 008506B7622708D95D7F1652A2BF0F26

  7. #22 (Join Date: Oct 2001, Posts: 352)
    And here's a fresh HijackThis log, at the risk of getting ahead of myself:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:39:42 PM, on 1/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Panda USB Vaccine\USBVaccine.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\StkASv2K.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
    O4 - HKLM\..\Run: [ussshreg] C:\PROGRA~1\ULEADS~1.0\Ussshreg.exe /r
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.9.113.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1236324225929
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F57130FC-9478-4985-B467-E0D2BA23FE67}: NameServer = 209.18.47.61,209.18.47.62
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 6784 bytes

  8. #23 (Join Date: Feb 2004, Location: Mandurah, Western Australia, Posts: 10,157)
    Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

    c:\windows\system32\datijewo.dll
    c:\windows\system32\gefedore.dll
    c:\windows\system32\jebikono.dll.tmp
    c:\windows\system32\tobuvuzi.dll.tmp
    c:\windows\system32\tuhenato.dll.tmp
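    The five files the helper singles out are exactly the Find3M entries in the ComboFix log whose timestamps read 1601-01-01 (the Windows FILETIME epoch, which is what a zeroed or wiped timestamp renders as) and whose attribute string is --sha-w- (hidden and system). As an added example, not code from the thread or from ComboFix, the Python below parses Find3M-style lines (sample lines copied from the log above) and builds a review queue from those two signals; the attribute-column layout (d, s and h in columns 0, 2 and 3) is an assumption inferred from the log lines themselves, and the hidden-plus-system check is the weaker signal, since legitimate software also ships such files.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: Find3M lines copied from the ComboFix log posted in this thread.
SAMPLE_FIND3M = r"""
2010-01-25 22:21 . 2009-05-22 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-17 23:08 . 2009-03-08 04:25 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\datijewo.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\gefedore.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\jebikono.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\tobuvuzi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\tuhenato.dll.tmp
2009-06-07 22:35 . 2009-06-07 22:25 991264 --sha-w- c:\windows\system32\drivers\fidbox.dat
""".strip()

# One ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>".
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# 1601-01-01 is the Windows FILETIME epoch; a zeroed or wiped timestamp renders as this date.
FILETIME_EPOCH = "1601-01-01"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)

    # Attribute-column layout is an assumption inferred from the log lines themselves:
    # 'd' (directory) in column 0, 's' (system) in column 2, 'h' (hidden) in column 3.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_find3m(text: str) -> List[Entry]:
    """Parse ComboFix file-listing lines; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Return the files worth a second look, each tagged with the signals that selected it.

    This is a review queue, not a verdict: legitimate software also ships hidden
    system files (fidbox.dat in the sample is one), so the epoch-timestamp signal
    carries the weight and the attribute signal only adds to it.
    """
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        if e.created.startswith(FILETIME_EPOCH) or e.modified.startswith(FILETIME_EPOCH):
            e.reasons.append("epoch-timestamp")
        if e.is_hidden and e.is_system and "\\system32\\" in e.path.lower():
            e.reasons.append("hidden-system-in-system32")
        if e.reasons:
            flagged.append(e)
    return flagged


def review_queue(text: str) -> List[str]:
    """Render the triage result as one line per file, most signals first, then by path."""
    flagged = triage(parse_find3m(text))
    flagged.sort(key=lambda e: (-len(e.reasons), e.path))
    return [f"{e.path}  size={e.size}  attrs={e.attrs}  [{', '.join(e.reasons)}]" for e in flagged]


if __name__ == "__main__":
    for line in review_queue(SAMPLE_FIND3M):
        print(line)
```

Running it on a full log is a matter of feeding the whole Find3M section to review_queue; the five files from the thread land at the top with both signals, and fidbox.dat trails with only the attribute signal.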

  9. #24 (Join Date: Oct 2001, Posts: 352)
    Wasn't sure how best to post these results, so I just put the positive hits from Jotti into Notepad and slapped them up here.

    For datijewo.dll:


    [G DATA]
    2010-01-27 Trojan.Vundo.GSH

    [ESET NOD32]
    2010-01-26 Win32/Adware.SuperJuan.U

    [Softwin BitDefender]
    2010-01-27 Trojan.Vundo.GSH

    [Sophos]
    2010-01-27 Sus/UnkPack-C

  10. #25 (Join Date: Oct 2001, Posts: 352)
    For gefedore.dll:


    [G DATA]
    2010-01-27 Trojan.Vundo.GSH

    [ESET NOD32]
    2010-01-26 Win32/Adware.SuperJuan.U

    [Softwin BitDefender]
    2010-01-27 Trojan.Vundo.GSH

    [Sophos]
    2010-01-27 Sus/UnkPack-C

  11. #26 (Join Date: Oct 2001, Posts: 352)
    For jebikono.dll.tmp:


    [Sophos]
    2010-01-27 Troj/Virtum-Gen

  12. #27 (Join Date: Oct 2001, Posts: 352)
    For tobuvuzi.dll.tmp:


    [Sophos]
    2010-01-27 Troj/Virtum-Gen

  13. #28 (Join Date: Oct 2001, Posts: 352)
    For tuhenato.dll.tmp:


    [Sophos]
    2010-01-27 Troj/Virtum-Gen

  14. #29 (Join Date: Feb 2004, Location: Mandurah, Western Australia, Posts: 10,157)
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\datijewo.dll
    c:\windows\system32\gefedore.dll
    c:\windows\system32\jebikono.dll.tmp
    c:\windows\system32\tobuvuzi.dll.tmp
    c:\windows\system32\tuhenato.dll.tmp
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.

    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

  15. #30 (Join Date: Oct 2001, Posts: 352)
    ComboFix 10-01-26.02 - John Bower 01/27/2010 11:59:43.11.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1537 [GMT -8:00]
    Running from: c:\documents and settings\John Bower\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\John Bower\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1368 [VPS 100127-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\windows\system32\datijewo.dll"
    "c:\windows\system32\gefedore.dll"
    "c:\windows\system32\jebikono.dll.tmp"
    "c:\windows\system32\tobuvuzi.dll.tmp"
    "c:\windows\system32\tuhenato.dll.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\datijewo.dll
    c:\windows\system32\gefedore.dll
    c:\windows\system32\jebikono.dll.tmp
    c:\windows\system32\tobuvuzi.dll.tmp
    c:\windows\system32\tuhenato.dll.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-26 01:26 . 2010-01-26 01:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-01-26 01:26 . 2010-01-26 01:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-01-24 08:57 . 2010-01-24 09:34 -------- d-----w- c:\program files\Common Files\BioWare
    2010-01-24 08:44 . 2010-01-24 09:34 -------- d-----w- c:\program files\Mass Effect
    2010-01-24 08:03 . 2010-01-26 06:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-23 02:55 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-01-23 01:20 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-23 01:19 . 2010-01-23 01:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-01-23 01:19 . 2010-01-23 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-23 01:19 . 2010-01-23 01:19 -------- d-----w- c:\program files\Lavasoft
    2010-01-21 09:49 . 2010-01-21 09:49 -------- d-----w- c:\documents and settings\John Bower\Application Data\Leadertech
    2010-01-21 09:40 . 2010-01-21 09:40 -------- d-----w- c:\program files\CAPCOM
    2010-01-18 05:30 . 2010-01-18 05:30 1152563 ----a-w- C:\W1_2007_1920x1200.zip
    2010-01-17 06:37 . 2010-01-17 06:37 -------- d-----w- c:\program files\Electronic Arts
    2010-01-15 19:20 . 2010-01-15 19:20 -------- d-----w- c:\program files\PFPortChecker
    2010-01-01 08:26 . 2010-01-01 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Divinity 2
    2010-01-01 08:21 . 2010-01-01 08:26 -------- d-----w- c:\program files\Divinity II - Ego Draconis - Demo
    2010-01-01 07:54 . 2010-01-01 07:53 16896 ----a-w- c:\windows\system32\grwinsthlp.exe
    2009-12-30 05:40 . 2009-12-30 05:40 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
    2009-12-30 05:29 . 2009-12-30 05:29 -------- d-----w- c:\program files\2K Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-25 22:21 . 2009-05-22 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-24 09:12 . 2009-03-08 00:45 -------- d-----w- c:\documents and settings\John Bower\Application Data\IGN_DLM
    2010-01-21 01:20 . 2009-03-06 07:28 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-21 00:42 . 2009-05-01 08:53 -------- d-----w- c:\program files\Steam
    2010-01-17 06:55 . 2009-03-08 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-16 08:34 . 2009-03-08 01:18 -------- d-----w- c:\program files\MUSICMATCH
    2010-01-16 06:48 . 2009-03-11 06:32 -------- d-----w- c:\program files\AGEIA Technologies
    2009-12-31 05:37 . 2009-05-12 06:04 -------- d-----w- c:\documents and settings\John Bower\Application Data\Broken Rules
    2009-12-31 01:08 . 2009-03-06 08:01 82168 ----a-w- c:\documents and settings\John Bower\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-31 00:47 . 2009-09-16 06:58 -------- d-----w- c:\program files\Ja2 Demo
    2009-12-23 23:35 . 2009-12-23 22:08 -------- d-----w- c:\documents and settings\John Bower\Application Data\Larva Mortus
    2009-12-22 08:47 . 2009-12-22 08:47 -------- d-----w- c:\program files\GOG.com
    2009-12-22 01:39 . 2009-12-22 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\media center programs
    2009-12-22 01:07 . 2009-12-22 01:07 -------- d-----w- c:\program files\Funcom
    2009-12-22 01:06 . 2009-12-22 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Funcom
    2009-12-20 07:32 . 2009-11-13 06:34 -------- d-----w- c:\program files\Activision
    2009-12-17 23:32 . 2009-03-29 06:02 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-12-17 23:08 . 2009-03-08 04:25 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-06-07 22:35 . 2009-06-07 22:25 991264 --sha-w- c:\windows\system32\drivers\fidbox.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-27_05.23.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-27 20:06 . 2010-01-27 20:06 16384 c:\windows\temp\Perflib_Perfdata_5a8.dat
    + 2010-01-27 20:06 . 2010-01-27 20:06 16384 c:\windows\temp\Perflib_Perfdata_170.dat
    + 2009-06-12 08:14 . 2010-01-27 19:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-06-12 08:14 . 2010-01-20 16:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-06 07:18 . 2010-01-27 19:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-03-06 07:18 . 2010-01-20 16:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-01-27 19:50 . 2010-01-27 19:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
    "ussshreg"="c:\progra~1\ULEADS~1.0\Ussshreg.exe" [2000-04-21 32768]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2009-08-17 86016]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2009-08-17 13877248]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2002-08-28 40960]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
    c:\combofix\CF20599.cfxxe [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Paradox Interactive\\Majesty 2 (Demo)\\Majesty2-Demo.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\aquaria\\Aquaria.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\time gentlemen, please! - demo\\TGP.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\tachyon the fringe\\Tachyon.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\shadowgrounds survivor\\survivor.exe"=
    "c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\oddworld abes oddysee\\AbeWin.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\hammerfight\\Hammerfight.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe"=
    "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
    "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
    "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
    "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
    "c:\\WINDOWS\\system32\\verclsid.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2010 5:20 PM 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/24/2009 7:54 PM 28544]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/7/2009 9:43 PM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 1:22 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 1:22 PM 72944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/7/2009 9:43 PM 20560]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 1:22 PM 7408]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/7/2009 8:25 PM 717296]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

    2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-01-27 c:\windows\Tasks\PandaUSBVaccine.job
    - c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2009-11-07 00:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {F57130FC-9478-4985-B467-E0D2BA23FE67} = 209.18.47.61,209.18.47.62
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\John Bower\Application Data\Mozilla\Firefox\Profiles\n8mto4st.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-27 12:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1801674531-343818398-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:65,1a,70,77,e3,4d,2d,14,b2,9f,15,7e,e7,82,a1,c8,1f,16,66,f5,71,
    ca,52,6c,ab,70,3d,57,ac,d6,ef,8a,82,2a,9d,cc,86,ac,04,77,93,ee,c8,04,f4,9a,\
    "rkeysecu"=hex:65,31,53,92,56,32,11,4b,8e,a4,b1,cc,25,cd,ac,ba
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3788)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\nvsvc32.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\StkASv2K.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Panda USB Vaccine\USBVaccine.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-27 12:12:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-27 20:12
    ComboFix2.txt 2010-01-27 05:32
    ComboFix3.txt 2010-01-23 19:10

    Pre-Run: 50,458,136,576 bytes free
    Post-Run: 50,419,748,864 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 8359350A1C9EC1BAD741DA601AF17365
