Got hit with win32/swimnag...

  1. #1
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94

    Got hit with win32/swimnag...

    And no, the usual SUPERAntiSpyware/Malwarebytes technique didn't work on my system...

    I unplugged the internet, did safe mode, checked those three boxes, unchecked the others, scanned everything. The problem at this point, though, was that after SUPER asked me to reboot, I reopened the program but the log wasn't listed. What did I do wrong there?

    Isn't there another way to get rid of this? I have XP Pro SP3.

    st.

  2. #2
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,541
    Did you continue on with the rest of the scans? Do try that first. If there's still no success, then try the following...



    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Above combofix instructions courtesy of Broni

  3. #3
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    Thank you.

    BTW, when I try the regular SUPERAntiSpyware way, about half-way down the instructions it says to relaunch SAS after it reboots your computer after the main scan. But do I launch it in safe mode again to retrieve the logs?

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Proceed with Combofix.

  5. #5
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    OK, but my antivirus is very busy because of what swimnag is doing, constantly releasing these annoying files, so I'm kinda hesitant to turn off real-time protection.

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Turn it off anyway. Combofix should take care of that problem.

  7. #7
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    I followed the ComboFix instructions to the letter and attached the log since it's too long to post...though I'm not sure how to post a HijackThis log. By the way, it's been ten minutes and for some reason the ESET NOD32 icon in the system tray disappeared after I turned everything back on. Any ideas?
    Attached Files

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    In case the log doesn't fit into one reply, split it between a couple of replies.
    Don't worry about Eset for now.
    Sorry about HJT. Here you go...

    Download HijackThis:
    http://www.trendsecure.com/portal/en...kthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista or 7, right-click on HijackThis and click Run as Administrator.

    You don't have to post it now. Post it with my next instructions.

    I'll paste your Combofix log now.

    ComboFix 10-01-13.06 - Robin Smith 01/13/2010 12:45:04.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2485 [GMT -8:00]
    Running from: c:\documents and settings\Robin Smith\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\AutoRun.inf
    c:\windows\system32\Data
    c:\windows\system32\Data\CT0060W.DAT
    c:\windows\system32\Data\ctd20x.dat
    c:\windows\system32\Data\CTEAPSW.DAT
    c:\windows\system32\Data\CTEDSP2W.DAT
    c:\windows\system32\Data\CTEDSPKW.DAT
    c:\windows\system32\Data\CTEDSPLW.DAT
    c:\windows\system32\Data\CTEDSPPW.DAT
    c:\windows\system32\Data\CTEDSPTW.DAT
    c:\windows\system32\Data\CTEDSPUW.DAT
    c:\windows\system32\Data\CTEDSPW.DAT
    c:\windows\system32\Data\CTP0060W.DAT
    c:\windows\system32\Data\CTP0061W.DAT
    c:\windows\system32\Data\CTP0070W.DAT
    c:\windows\system32\Data\CTP0073W.DAT
    c:\windows\system32\Data\CTP0090W.DAT
    c:\windows\system32\Data\CTP0091W.DAT
    c:\windows\system32\Data\CTP0092W.DAT
    c:\windows\system32\Data\CTP0095W.DAT
    c:\windows\system32\Data\CTP0100W.DAT
    c:\windows\system32\Data\CTP0101W.DAT
    c:\windows\system32\Data\CTP0102W.DAT
    c:\windows\system32\Data\CTP0103W.DAT
    c:\windows\system32\Data\CTP0105W.DAT
    c:\windows\system32\Data\CTP0150W.DAT
    c:\windows\system32\Data\CTP0161W.DAT
    c:\windows\system32\Data\CTP0162W.DAT
    c:\windows\system32\Data\CTP0170W.DAT
    c:\windows\system32\Data\CTP017AW.DAT
    c:\windows\system32\Data\CTP017BW.DAT
    c:\windows\system32\Data\CTP017CW.DAT
    c:\windows\system32\Data\CTP017DW.DAT
    c:\windows\system32\Data\CTP017EW.DAT
    c:\windows\system32\Data\CTP017FW.DAT
    c:\windows\system32\Data\CTP017GW.DAT
    c:\windows\system32\Data\CTP017HW.DAT
    c:\windows\system32\Data\CTP0191W.DAT
    c:\windows\system32\Data\CTP0192W.DAT
    c:\windows\system32\Data\CTP0221W.DAT
    c:\windows\system32\Data\CTP0222W.DAT
    c:\windows\system32\Data\CTP0230W.DAT
    c:\windows\system32\Data\CTP0231W.DAT
    c:\windows\system32\Data\CTP0232W.DAT
    c:\windows\system32\Data\CTP0238W.DAT
    c:\windows\system32\Data\CTP0240W.DAT
    c:\windows\system32\Data\CTP0242W.DAT
    c:\windows\system32\Data\CTP0243W.DAT
    c:\windows\system32\Data\CTP0244W.DAT
    c:\windows\system32\Data\CTP0245W.DAT
    c:\windows\system32\Data\CTP0249W.DAT
    c:\windows\system32\Data\CTP0280W.DAT
    c:\windows\system32\Data\CTP0320W.DAT
    c:\windows\system32\Data\CTP0350W.DAT
    c:\windows\system32\Data\CTP0352W.DAT
    c:\windows\system32\Data\CTP0360W.DAT
    c:\windows\system32\Data\CTP0380W.DAT
    c:\windows\system32\Data\CTP0400W.DAT
    c:\windows\system32\Data\CTP0460W.DAT
    c:\windows\system32\Data\CTP0463W.DAT
    c:\windows\system32\Data\CTP0464W.DAT
    c:\windows\system32\Data\CTP0466W.DAT
    c:\windows\system32\Data\CTP0468W.DAT
    c:\windows\system32\Data\CTP0530L.DAT
    c:\windows\system32\Data\CTP0530W.DAT
    c:\windows\system32\Data\CTP0531L.DAT
    c:\windows\system32\Data\CTP0531W.DAT
    c:\windows\system32\Data\CTP0550W.DAT
    c:\windows\system32\Data\CTP0600W.DAT
    c:\windows\system32\Data\CTP0610W.DAT
    c:\windows\system32\Data\CTP0679W.DAT
    c:\windows\system32\Data\CTP1140W.DAT
    c:\windows\system32\Data\CTP4620W.DAT
    c:\windows\system32\Data\CTP4670W.DAT
    c:\windows\system32\Data\CTP4760W.DAT
    c:\windows\system32\Data\CTP4780W.DAT
    c:\windows\system32\Data\CTP4790W.DAT
    c:\windows\system32\Data\CTP4820W.DAT
    c:\windows\system32\Data\CTP4830W.DAT
    c:\windows\system32\Data\CTP4831W.DAT
    c:\windows\system32\Data\CTP4832W.DAT
    c:\windows\system32\Data\CTP4840W.DAT
    c:\windows\system32\Data\CTP4850W.DAT
    c:\windows\system32\Data\CTP4870W.DAT
    c:\windows\system32\Data\CTP4871W.DAT
    c:\windows\system32\Data\CTP4872W.DAT
    c:\windows\system32\Data\CTP4875W.DAT
    c:\windows\system32\Data\CTP4890W.DAT
    c:\windows\system32\Data\CTP4891W.DAT
    c:\windows\system32\Data\CTP4893W.DAT
    c:\windows\system32\Data\CTPDXW.DAT
    c:\windows\system32\Data\CTPM002W.DAT
    c:\windows\system32\Data\cts20x.dat
    c:\windows\system32\Data\CTXFICBM.RFX
    c:\windows\system32\Data\CTXFICM.RFX
    c:\windows\system32\Data\CTXFIEM.RFX
    c:\windows\system32\Data\CTXFIGM.RFX

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
    .

    2010-01-13 20:40 . 2010-01-13 00:29 193568 ----a-w- c:\windows\dbddffecade.exe
    2010-01-13 18:39 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-13 08:37 . 2010-01-13 08:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-13 08:32 . 2010-01-13 18:45 77344 ----a-w- c:\windows\system32\dbddffecade.dll
    2010-01-13 05:18 . 2010-01-13 05:18 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-13 05:18 . 2010-01-13 05:18 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-13 05:17 . 2010-01-13 05:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-01-13 05:08 . 2010-01-13 05:08 52224 ----a-w- c:\documents and settings\Robin Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-13 05:08 . 2010-01-13 05:08 117760 ----a-w- c:\documents and settings\Robin Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-13 05:05 . 2010-01-13 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-13 05:05 . 2010-01-13 05:05 65024 ----a-r- c:\documents and settings\Robin Smith\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    2010-01-13 05:05 . 2010-01-13 05:05 5120 ----a-r- c:\documents and settings\Robin Smith\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
    2010-01-13 05:05 . 2010-01-13 05:05 18944 ----a-r- c:\documents and settings\Robin Smith\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    2010-01-13 05:05 . 2010-01-13 05:19 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-13 05:05 . 2010-01-13 05:05 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\SUPERAntiSpyware.com
    2010-01-13 05:04 . 2010-01-13 05:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-13 00:29 . 2010-01-13 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
    2010-01-13 00:29 . 2010-01-13 00:30 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Multi File Downloader
    2010-01-10 18:56 . 2010-01-10 18:56 -------- d-----w- c:\program files\Veoh Networks
    2009-12-25 00:11 . 2009-12-25 00:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2009-12-24 03:34 . 2009-12-21 19:11 14336 ----a-w- c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\thepiratebay@toolbar\components\toolbarhomewmp.dll
    2009-12-23 18:40 . 2009-12-23 18:40 -------- d-----w- c:\program files\Pixologic
    2009-12-22 22:01 . 2009-12-22 22:01 -------- d-----w- c:\documents and settings\Robin Smith\Local Settings\Application Data\Ahead
    2009-12-17 18:06 . 2009-12-17 18:06 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Amazon
    2009-12-17 18:06 . 2009-12-17 18:06 -------- d-----w- c:\program files\Amazon

  9. #9
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-13 20:45 . 2009-12-09 00:52 -------- d-----w- c:\program files\Common Files\Akamai
    2010-01-13 18:45 . 2009-10-15 01:38 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\WTablet
    2010-01-13 08:37 . 2009-10-15 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-13 00:59 . 2009-11-06 21:33 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\uTorrent
    2010-01-11 06:45 . 2009-10-19 20:23 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Smart Recorder
    2010-01-08 00:07 . 2009-10-15 02:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2009-10-15 02:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-30 02:37 . 2009-12-02 00:05 -------- d-----w- c:\program files\Google
    2009-12-26 19:48 . 2009-11-15 00:13 -------- d-----w- c:\program files\JetAudio
    2009-12-21 18:13 . 2009-11-28 03:22 -------- d-----w- c:\program files\XSitePro2
    2009-12-20 19:41 . 2009-11-28 03:24 1444492 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
    2009-12-16 16:24 . 2009-10-16 00:17 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\AdobeUM
    2009-12-15 19:05 . 2009-10-15 23:23 -------- d-----w- c:\program files\Common Files\Adobe
    2009-12-14 01:32 . 2009-11-15 04:14 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Skype
    2009-12-07 19:54 . 2009-11-03 04:55 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Stamps.com Internet Postage
    2009-12-07 19:54 . 2009-11-03 04:54 36 ---ha-w- c:\windows\system32\f9t.dat
    2009-12-03 06:07 . 2009-12-03 06:07 -------- d-----w- c:\program files\Common Files\Nero
    2009-12-03 06:06 . 2009-12-03 06:05 -------- d-----w- c:\program files\Ahead
    2009-12-03 06:05 . 2009-12-03 06:05 -------- d-----w- c:\program files\Common Files\Ahead
    2009-12-02 04:31 . 2009-12-02 04:31 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Ipswitch
    2009-12-02 04:31 . 2009-12-02 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ipswitch
    2009-12-02 04:30 . 2009-12-02 04:30 -------- d-----w- c:\program files\Ipswitch
    2009-12-02 04:30 . 2009-10-15 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-02 04:30 . 2009-12-02 04:30 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\InstallShield
    2009-12-02 03:46 . 2009-10-15 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    2009-12-02 02:35 . 2009-12-02 02:35 -------- d-----w- c:\program files\imgv
    2009-11-29 19:28 . 2009-11-29 19:28 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\IrfanView
    2009-11-29 08:35 . 2009-11-29 08:35 2448402 ----a-w- c:\windows\The HAL 9000 Screensaver.scr
    2009-11-28 03:22 . 2009-11-28 03:22 -------- d-----w- c:\program files\Common Files\Thraex Software
    2009-11-22 20:17 . 2009-11-22 20:17 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\CyberLink
    2009-11-22 20:14 . 2009-11-22 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-11-22 20:14 . 2009-11-22 20:14 -------- d-----w- c:\program files\CyberLink
    2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-20 09:15 . 2009-10-18 03:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2009-11-19 19:48 . 2009-12-01 20:48 872960 ----a-w- c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 19:48 . 2009-12-01 20:48 43008 ----a-w- c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 19:48 . 2009-12-01 20:48 340480 ----a-w- c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 19:48 . 2009-12-01 20:48 346624 ----a-w- c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-11-18 02:15 . 2009-10-15 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
    2009-11-15 04:14 . 2009-11-15 04:14 -------- d-----w- c:\program files\Skype
    2009-11-15 03:42 . 2009-10-15 06:39 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\Creative
    2009-11-15 00:15 . 2009-11-15 00:15 -------- d-----w- c:\documents and settings\Robin Smith\Application Data\COWON
    2009-11-15 00:14 . 2009-11-15 00:13 -------- d-----w- c:\program files\Common Files\COWON
    2009-11-10 10:52 . 2009-10-19 05:21 56884 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-11-03 05:43 . 2009-10-15 04:37 70016 ----a-w- c:\documents and settings\Robin Smith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-29 05:38 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-18 21:08 . 2009-10-15 01:26 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-10-16 20:32 . 2009-10-16 19:15 137678 ----a-w- c:\windows\HPHins15.dat
    2009-10-16 19:51 . 2009-10-16 19:49 116839 ----a-w- c:\windows\hpqins00.dat
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-08-02 53248]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 1410304]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-07-28 32768]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
    "CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
    "CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-25 198160]
    "DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-06-10 184408]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-10-15 25214]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
    backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Robin Smith^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Robin Smith\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 10:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-07-28 04:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
    2003-06-18 08:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-03-12 04:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 23:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/14/2007 2:06 PM 30728]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 4:00 AM 14336]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/14/2007 2:05 PM 455936]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/14/2009 5:37 PM 1373480]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S2 dbddffecade;ef5bd8a245c0716ea1ce0e15c2ca7239;c:\windows\dbddffecade.exe [1/13/2010 12:40 PM 193568]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/1/2009 4:05 PM 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 00:05]

    2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 00:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\Robin Smith\Application Data\Mozilla\Firefox\Profiles\jxqsud7u.default\extensions\thepiratebay@toolbar\components\toolbarhomewmp.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-13 12:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(496)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\dbddffecade.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    Completion time: 2010-01-13 12:49:39
    ComboFix-quarantined-files.txt 2010-01-13 20:49

    Pre-Run: 84,942,422,016 bytes free
    Post-Run: 86,351,093,760 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 0169EA2DD271810976A207D3CD8A2D1D

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\dbddffecade.exe
    c:\windows\system32\dbddffecade.dll
    c:\windows\system32\f9t.dat
    
    
    Folder::
    
    Driver::
    dbddffecade
    
    
    Registry::
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
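To make the step from the ComboFix log in replies #8 and #9 to the CFScript in reply #10 explicit, here is an added example in Python (not part of the thread, and not ComboFix's own code): it parses the three line formats the posted log uses (the "Files Created" entries, the R/S service list, and the "DLLs Loaded Under Running Processes" block), flags entries with a few defender-side heuristics, and renders the flagged items in CFScript layout. The heuristics and the `SAMPLE_LOG` excerpt are my own construction; the paths and service name in it are copied from the posted log.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the line formats of the ComboFix log posted in the thread
# (a handful of its lines, not the whole log): "Files Created" entries, the
# service list, and the "DLLs Loaded Under Running Processes" block for winlogon.
SAMPLE_LOG = r"""
2010-01-13 20:40 . 2010-01-13 00:29 193568 ----a-w- c:\windows\dbddffecade.exe
2010-01-13 18:39 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 08:32 . 2010-01-13 18:45 77344 ----a-w- c:\windows\system32\dbddffecade.dll
2009-12-07 19:54 . 2009-11-03 04:54 36 ---ha-w- c:\windows\system32\f9t.dat
2009-11-10 10:52 . 2009-10-19 05:21 56884 ---ha-w- c:\windows\system32\mlfcache.dat
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/14/2007 2:05 PM 455936]
S2 dbddffecade;ef5bd8a245c0716ea1ce0e15c2ca7239;c:\windows\dbddffecade.exe [1/13/2010 12:40 PM 193568]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/1/2009 4:05 PM 135664]
- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\dbddffecade.dll
c:\program files\Bonjour\mdnsNSP.dll
"""

# Service line: "<R|S><n> <name>;<description>;<binary path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")
# File line: "<created> . <modified> <size|-> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+|-+) ([a-z-]{8}) (.+)$")
# Bare DLL path as listed under a running process
MODULE_RE = re.compile(r"^[a-z]:\\.+\.dll$", re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Finding:
    kind: str          # "service", "file" or "module"
    path: str
    reason: str
    service: str = ""  # service name, for "service" findings only


def stem(path: str) -> str:
    """Lower-case file name without directory or extension (backslash paths)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parent(path: str) -> str:
    """Lower-case directory part of a backslash path."""
    return path.rsplit("\\", 1)[0].lower()


def suspicious_services(log: str) -> list:
    """Heuristics (my own, not ComboFix's): a service whose description is a bare
    hex string instead of a product name, or whose binary lives directly in c:\\windows."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _, name, desc, path = m.groups()
        reasons = []
        if HEX32_RE.match(desc.strip()):
            reasons.append("description is a bare 32-hex string, not a product name")
        if parent(path) == r"c:\windows":
            reasons.append("service binary sits directly in c:\\windows")
        if reasons:
            out.append(Finding("service", path, "; ".join(reasons), name))
    return out


def triage(log: str) -> list:
    """Flag services first, then files and loaded DLLs that share a flagged name,
    plus hidden tiny data files in system32 (the f9t.dat pattern)."""
    findings = suspicious_services(log)
    bad_stems = {stem(f.path) for f in findings}
    for raw in log.splitlines():
        line = raw.strip()
        fm = FILE_RE.match(line)
        if fm:
            size, attrs, path = fm.groups()
            if attrs[0] == "d":  # directory entry; nothing to flag
                continue
            if stem(path) in bad_stems:
                findings.append(Finding("file", path, "shares its name with a flagged service binary"))
            elif (attrs[3] == "h" and parent(path) == r"c:\windows\system32"
                  and size.isdigit() and int(size) < 1024):
                findings.append(Finding("file", path, "hidden, tiny data file in system32"))
            continue
        if MODULE_RE.match(line) and stem(line) in bad_stems:
            findings.append(Finding("module", line, "loaded into a running process under a flagged name"))
    return findings


def build_cfscript(findings: list) -> str:
    """Render findings in CFScript.txt layout: File:: paths, then Driver:: service names."""
    files, drivers = [], []
    for f in findings:
        if f.kind == "service" and f.service not in drivers:
            drivers.append(f.service)
        if f.path not in files:
            files.append(f.path)
    return "\n".join(["File::", *files, "", "Driver::", *drivers]) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.path}  <- {f.reason}")
    print(build_cfscript(triage(SAMPLE_LOG)))
```

On the excerpt the script reproduces the three File:: entries and the one Driver:: entry of reply #10, while leaving mlfcache.dat and the ESET and Google services alone.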

  11. #11
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    Broni, when I click that link to get HijackThis, my Firefox browser suddenly disappears. I tried it on IE and the browser went crazy opening multiple windows.

    So I tried to download it on my Mac (in order to email it to the PC) and the download got stuck...

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Run Combofix script first.

    Zipped HJT file attached.
    Attached Files

  13. #13
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    I don't know what you mean by the CF script....

  14. #14
    Join Date
    Jan 2010
    Location
    Seattle, WA
    Posts
    94
    BTW, I downloaded the HJT zip but when I open the winzip window to extract it, the window immediately disappears. There's something in my system that is stopping HJT from loading in every way...

  15. #15
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Run the instructions from my reply #10 first.
