March 16th, 2010, 06:15 AM
#1
Hijacked...
Customer's computer is hijacked by what I think is an undetectable rootkit. I've run a plethora of programs, none of which have come up with anything significant.
- ESET cannot update.
- No AV websites work. Hosts file was hijacked, but I managed to delete it and recreate a new one. Still can't access AV sites and can't do online scans (ESET, Symantec, Housecall, Kaspersky, Panda).
- Malwarebytes won't run. Shuts down after a few seconds without an error message.
- Superantispyware comes up clean.
- Combofix was run, still no change. I will post the log.
- I ran about 5 rootkit programs, all came up clean. Some won't run, such as RootkitBuster and RootkitRevealer, which shut down.
- HJT log was cleaned; nothing significant came up anyway.
I am trying a few more things but would like some ideas simultaneously.
Cheers!
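The first post says the hosts file had been hijacked and was recreated, yet the security-vendor sites stayed unreachable. As an added example (mine, not the poster's, and not part of any of the tools named in the thread), here is a small Python pass over a hosts file that flags entries pinning security-vendor domains to any address, and tells a loopback/blackhole block apart from a redirect to some other host. The sample hosts content and the watched-domain list are constructed for the example; the domains are taken from the vendors the post names.

```python
import ipaddress

# Constructed sample: a default XP-style hosts file plus the kind of entries that
# keep AV sites from resolving. None of these lines come from the customer's machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.eset.com
127.0.0.1       update.eset.com
10.0.0.1        housecall.trendmicro.com   # sent to some other host entirely
0.0.0.0         www.malwarebytes.org
"""

# Vendors the first post lists as unreachable (assumed list for this example).
WATCHED_SUFFIXES = (
    "eset.com", "symantec.com", "trendmicro.com",
    "kaspersky.com", "pandasecurity.com", "malwarebytes.org",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                     # not an address: skip malformed lines
            continue
        for host in parts[1:]:                 # one address may carry several names
            yield str(ip), host.lower()


def classify(ip):
    """Loopback or 0.0.0.0 means the site is simply blocked; anything else is a redirect."""
    addr = ipaddress.ip_address(ip)
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def hijacked_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip, kind) for every hosts entry that pins a watched vendor domain."""
    hits = []
    for ip, host in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in watched):
            hits.append((host, ip, classify(ip)))
    return hits


if __name__ == "__main__":
    for host, ip, kind in hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {host:30} -> {ip}")
```

A clean result from this check does not rule out the block the poster saw: Windows reads the hosts file from the directory named by the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so confirm that value still points at %SystemRoot%\System32\drivers\etc, and check the DNS server addresses and the WinINet (Internet Options) proxy setting as well, since each of those is another place the same names can be diverted.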
March 16th, 2010, 06:46 AM
#2
Attached Files
March 16th, 2010, 06:06 PM
#3
Snapshot omitted....
ComboFix 10-03-15.05 - User 03/16/2010 11:37:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.1471.899 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Local Settings\Temporary Internet Files\AGForm.htm
c:\documents and settings\User\Local Settings\Temporary Internet Files\print.htm
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_addUserImage.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_AgatUserImage.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_Animated.htm
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_attachEmpty.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_attachFull.bmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_blue_bot_lft.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bot_lft.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bot_lft_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bot_rt.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bot_rt_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bullet_blue.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_bullet_blue_eng.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_but_asher.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_but_close.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_but_remove.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_but_sgor.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_chazor.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_crnr_bot_left.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_crnr_bot_right.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_crnr_top_left.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_crnr_top_right.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_del_small.GIF
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_deleteSign.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_displayAttach.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_displaySignedForm.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_displaySignerDetails.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_displaySignerStatus.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_dot.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_drop2.GIF
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_englishBackgroundPopup.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_englishContent.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_exit.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_form1_main_bw.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_Hamshech.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_hebrewBackgroundPopup.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_hebrewContent.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_id_card.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_ikon_files.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_ikon_help.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_ikon_tohen.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_layout_an_send_end.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_left2.GIF
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_leftTop.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_line.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_line_dis.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_line_gray.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_line_stretch_across.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_line_stretch_down.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_lookUpWindow.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_lookUpWindowReadonly.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_main.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_mashov.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_mysave.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_office.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_pay_bt.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_payment_dr1.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_print.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_print11.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_PrintFile.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_printnush.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_right2.GIF
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_rightTop.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_sand_clock3.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_saveAllAttachments.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_saveAllAttachmentsENG.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_saveAttach.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_SaveToFile.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_saveToFileEach.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_shadow_bottom.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_shadow_bottom_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_shadow_Rt.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_shadow_Rt_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_sign.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_sign_unverified.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_signGrey.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_SignInQuestion.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_signYellow.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_square.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_status_Animated.htm
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_statusBar.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_title_with_line.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_titleBG.bmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_ToolbarP.png
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_top_lft_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_top_rt_dis.gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_trash.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsImg_verifySignature.ico
c:\documents and settings\User\Local Settings\Temporary Internet Files\tfsStatusBar.gif
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\zlibwapi.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.
2010-03-16 08:54 . 2010-03-16 09:32 -------- d-----w- c:\program files\a-squared Free
2010-03-16 08:48 . 2010-03-16 09:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 08:48 . 2010-03-16 08:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 11:35 . 2010-03-15 11:35 -------- d-----w- c:\program files\Unlocker
2010-03-15 09:14 . 2010-03-15 09:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-15 08:27 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-03-15 08:03 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 08:03 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 08:03 . 2010-03-15 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 12:19 . 2010-03-14 12:19 -------- d-----w- c:\program files\ShowMyPCService
2010-02-18 11:25 . 2010-02-18 11:25 -------- d-----w- c:\program files\GIGABYTE
2010-02-18 11:25 . 2010-02-18 11:25 17488 ----a-w- c:\windows\gdrv.sys
2010-02-17 14:50 . 2010-02-17 14:50 1602184 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxClient.exe
2010-02-17 14:10 . 2010-02-17 14:10 344712 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxDvdEngine.dll
2010-02-17 14:10 . 2010-02-17 14:10 135816 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxUpdater.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 09:45 . 2010-02-03 10:13 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-16 08:11 . 2009-05-15 13:06 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-03-15 09:30 . 2009-11-23 14:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-15 09:14 . 2009-11-23 14:36 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-03-13 20:14 . 2009-06-03 10:46 -------- d-----w- c:\documents and settings\User\Application Data\Smilebox
2010-03-09 19:15 . 2009-05-12 13:33 287368 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxTray.exe
2010-03-03 18:18 . 2006-08-08 19:53 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2010-02-21 10:29 . 2009-11-20 22:54 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-18 11:25 . 2006-08-07 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-17 15:05 . 2009-05-12 23:26 397960 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxStarter.exe
2010-02-17 15:05 . 2009-05-12 23:03 168584 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxBrowserEngine.dll
2010-02-17 15:05 . 2009-05-12 13:33 217736 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxDvd.exe
2010-01-21 19:49 . 2006-08-08 20:50 238256 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 17:33 . 2008-08-07 08:15 -------- d-----w- c:\documents and settings\User\Application Data\ICQ
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-08-07 16:10 343040 ----a-w- c:\windows\system32\mspaint.exe
2007-05-16 13:19 . 2006-08-09 09:29 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-05-13 15:12 . 2005-05-13 15:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 09:13 . 2005-10-24 09:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-13 19:27 . 2005-10-13 19:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-07 17:14 . 2005-10-07 17:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 10:31 . 2005-07-14 10:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 13:32 . 2005-06-26 13:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-21 20:37 . 2005-06-21 20:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-24 22:00 . 2004-01-24 22:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-12-22 18:23 . 2005-12-22 18:23 816640 --sha-r- c:\windows\system32\smab.dll
2005-02-28 11:16 . 2005-02-28 11:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-24 22:00 . 2004-01-24 22:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
March 16th, 2010, 06:06 PM
#4
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-07 289072]
"SmileboxTray"="c:\documents and settings\User\Application Data\Smilebox\SmileboxTray.exe" [2010-03-09 287368]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-01-11 143360]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-16 1831936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-11 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [2009-5-21 261632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 11:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2002-08-22 08:51 45056 ----a-w- c:\windows\Vm_sti.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
2006-10-15 00:29 139264 ----a-w- c:\program files\DropBox\DropBox\DropBox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 14:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-11 16:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-04-21 16:19 589824 ----a-r- c:\program files\VIA\RAID\raid_tool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-03-09 19:15 287368 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-04-03 16:12 777424 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 10:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Reallusion\\CrazyTalk for Skype\\CT4Skype.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC
"3389:TCP"= 3389:TCP:Remote Desktop
"4395:TCP"= 4395:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 10:44 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 93848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 13:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 12:39 32256]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [16/03/2010 10:54 1858144]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 14:00 14336]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [19/03/2009 10:44 731840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 17:51 4096]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [07/08/2008 10:16 222968]
S3 EJGRU;EJGRU;c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe --> c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe [?]
S3 IXWDHO;IXWDHO;c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe --> c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\291.tmp --> c:\windows\system32\291.tmp [?]
S3 SIGPMIERHR;SIGPMIERHR;c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe --> c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe [?]
S4 NQNTZTTNNMVOO;NQNTZTTNNMVOO;c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe --> c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [03/04/2006 18:12 14032]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - A2FREE
*NewlyCreated* - FSBL-STANDALONE
*NewlyCreated* - ISDRV118
*NewlyCreated* - SIGPMIERHR
*Deregistered* - fsbl-standalone
*Deregistered* - IsDrv118
*Deregistered* - PROCEXP100
*Deregistered* - RKREVEAL150
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{EBBD3E84-5707-4C24-8FD6-915B8F416CD1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 01:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: plaxo.com\www
DPF: {9100BA25-85A6-4C80-86E9-426D2899F8EF} - hxxp://xtraz.icq.com/xtraz/products/wirelesscl/WirelessContact.cab
DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} - file:///C:/Documents%20and%20Settings/User/Application%20Data/Smilebox/OzDesktopImporter.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fln44x6l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
AddRemove-HijackThis - e:\spyware\HijackThis.exe
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 11:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\291.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2010-03-16 11:49:50
ComboFix-quarantined-files.txt 2010-03-16 09:49
ComboFix2.txt 2009-09-23 13:10
Pre-Run: 41,781,956,608 bytes free
Post-Run: 41,775,140,864 bytes free
- - End Of File - - 5AF0BAB2C8E5A9374BDA28E9982FDBF0
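The part of the log above that matters most is the handful of S3/S4 services whose image lives in the user's Temp directory or has a .tmp name, and which ComboFix could not stat ("[?]"). As an added example (mine, not the thread's and not ComboFix's own logic), here is a Python triage pass that parses ComboFix "Drivers/Services" lines and flags entries matching those rules of thumb. The sample input is copied from the log above, with a few benign ESET/Windows Defender/ICQ lines kept for contrast; the rules are assumptions for the example and produce reasons to look closer, not verdicts.

```python
import re

# Sample input: service/driver lines copied from the ComboFix log posted above.
SAMPLE_LINES = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 10:44 107256]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [19/03/2009 10:44 731840]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [07/08/2008 10:16 222968]
S3 EJGRU;EJGRU;c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe --> c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe [?]
S3 IXWDHO;IXWDHO;c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe --> c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\291.tmp --> c:\windows\system32\291.tmp [?]
S3 SIGPMIERHR;SIGPMIERHR;c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe --> c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe [?]
S4 NQNTZTTNNMVOO;NQNTZTTNNMVOO;c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe --> c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [03/04/2006 18:12 14032]
"""

# Line shape: "<R|S><start type> <name>;<display name>;<image path>[ --> <resolved path>] [<stat info or ?>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILER_RE = re.compile(r"\s\[([^\]]*)\]\s*$")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{5,}$")   # heuristic assumed for this example


def parse_service_line(line):
    """Return a dict for one ComboFix service/driver line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    meta = ""
    t = TRAILER_RE.search(rest)
    if t:
        meta = t.group(1)          # "dd/mm/yyyy hh:mm size" when the file could be stat'ed, "?" when not
        rest = rest[: t.start()]
    if " --> " in rest:            # registry ImagePath --> path as resolved on disk
        image_path, resolved = rest.split(" --> ", 1)
    else:
        image_path = resolved = rest
    return {
        "state": m.group("state"),
        "start": int(m.group("start")),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "image_path": image_path.strip(),
        "path": resolved.strip(),
        "meta": meta,
    }


def suspicious_reasons(svc):
    """Rules of thumb for a service worth a second look; each hit is a reason, not a verdict."""
    reasons = []
    p = svc["path"].lower()
    if "\\temp\\" in p:
        reasons.append("image runs from a Temp directory")
    if p.endswith(".tmp"):
        reasons.append("image has a .tmp extension")
    if svc["meta"] == "?":
        reasons.append("ComboFix could not stat the file ([?])")
    if RANDOM_NAME_RE.match(svc["name"]) and svc["display"] == svc["name"]:
        reasons.append("random-looking uppercase name reused as display name")
    return reasons


def triage(log_text):
    """Return (name, resolved path, reasons) for every service line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = suspicious_reasons(svc)
        if reasons:
            findings.append((svc["name"], svc["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name:15} {path}")
        for r in reasons:
            print(f"{'':15}   - {r}")
</```

Run against a whole ComboFix.txt, the pass returns exactly the five entries the helper put into the CFScript in the next post; the "[?]" marker alone is worth keying on, because a service whose image cannot be found or read is either a leftover from something already removed or a file that is being hidden from the scanner.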
March 16th, 2010, 06:20 PM
#5
1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe
c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe
c:\windows\system32\291.tmp
c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe
c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe
Folder::
Driver::
EJGRU
IXWDHO
MEMSWEEP2
SIGPMIERHR
NQNTZTTNNMVOO
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
- Combofix.txt
- A new HijackThis log
March 17th, 2010, 03:21 AM
#6
Update...
Before I saw your response Broni, I took the hard disk out and put it into another computer with an up-to-date Nod32 running. The scan came up with a single virus, Win32/Daonol.AC trojan, and deleted it. When I put the HD back into the computer, ESET started updating and Malwarebytes no longer crashes. So it looks like I found the main perpetrator. I will follow your instructions to continue cleaning the rest of it.
Thanks!
March 17th, 2010, 04:34 AM
#7
Combofix log after running the script
ComboFix 10-03-16.03 - User 03/17/2010 10:01:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.1471.861 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
"c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe"
"c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe"
"c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe"
"c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe"
"c:\windows\system32\291.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EJGRU
-------\Legacy_IXWDHO
-------\Legacy_MEMSWEEP2
-------\Legacy_NQNTZTTNNMVOO
-------\Legacy_SIGPMIERHR
-------\Service_EJGRU
-------\Service_IXWDHO
-------\Service_NQNTZTTNNMVOO
-------\Service_SIGPMIERHR
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.
2010-03-16 11:12 . 2008-03-02 01:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-03-16 11:12 . 2010-03-16 11:12 -------- d-----w- c:\program files\Trend Micro
2010-03-16 08:54 . 2010-03-16 09:32 -------- d-----w- c:\program files\a-squared Free
2010-03-16 08:48 . 2010-03-16 09:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 08:48 . 2010-03-16 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-15 11:35 . 2010-03-15 11:35 -------- d-----w- c:\program files\Unlocker
2010-03-15 09:14 . 2010-03-15 09:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-15 08:27 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-03-15 08:03 . 2010-01-07 14:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 08:03 . 2010-01-07 14:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 08:03 . 2010-03-17 07:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 12:19 . 2010-03-14 12:19 -------- d-----w- c:\program files\ShowMyPCService
2010-02-18 11:25 . 2010-02-18 11:25 -------- d-----w- c:\program files\GIGABYTE
2010-02-18 11:25 . 2010-02-18 11:25 17488 ----a-w- c:\windows\gdrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 08:16 . 2009-05-15 13:06 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-03-17 08:12 . 2010-02-03 10:13 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-16 12:09 . 2009-11-23 14:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-16 11:12 . 2006-08-07 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 09:14 . 2009-11-23 14:36 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-03-13 20:14 . 2009-06-03 10:46 -------- d-----w- c:\documents and settings\User\Application Data\Smilebox
2010-03-03 18:18 . 2006-08-08 19:53 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2010-01-21 19:49 . 2006-08-08 20:50 238256 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 17:33 . 2008-08-07 08:15 -------- d-----w- c:\documents and settings\User\Application Data\ICQ
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2007-05-16 13:19 . 2006-08-09 09:29 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-05-13 15:12 . 2005-05-13 15:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 09:13 . 2005-10-24 09:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-13 19:27 . 2005-10-13 19:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-07 17:14 . 2005-10-07 17:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 10:31 . 2005-07-14 10:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 13:32 . 2005-06-26 13:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-21 20:37 . 2005-06-21 20:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-24 22:00 . 2004-01-24 22:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-12-22 18:23 . 2005-12-22 18:23 816640 --sha-r- c:\windows\system32\smab.dll
2005-02-28 11:16 . 2005-02-28 11:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-24 22:00 . 2004-01-24 22:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-07 289072]
"SmileboxTray"="c:\documents and settings\User\Application Data\Smilebox\SmileboxTray.exe" [2010-03-09 287368]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-16 2012912]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-01-11 143360]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-16 1831936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-11 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [2009-5-21 261632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-03-16 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-16 12:09 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2002-08-22 08:51 45056 ----a-w- c:\windows\Vm_sti.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
2006-10-15 00:29 139264 ----a-w- c:\program files\DropBox\DropBox\DropBox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 14:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-11 16:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-04-21 16:19 589824 ----a-r- c:\program files\VIA\RAID\raid_tool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-03-09 19:15 287368 ----a-w- c:\documents and settings\User\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-04-03 16:12 777424 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 10:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Reallusion\\CrazyTalk for Skype\\CT4Skype.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC
"3389:TCP"= 3389:TCP:Remote Desktop
"1098:TCP"= 1098:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 10:44 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 93848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 13:53 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 12:39 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [16/03/2010 10:54 1858144]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 14:00 14336]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [19/03/2009 10:44 731840]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [07/08/2008 10:16 222968]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [16/03/2010 13:12 582992]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 17:51 12872]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [16/03/2010 13:12 206608]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [16/03/2010 13:12 206608]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [03/04/2006 18:12 14032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{EBBD3E84-5707-4C24-8FD6-915B8F416CD1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 01:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: plaxo.com\www
DPF: {9100BA25-85A6-4C80-86E9-426D2899F8EF} - hxxp://xtraz.icq.com/xtraz/products/wirelesscl/WirelessContact.cab
DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} - file:///C:/Documents%20and%20Settings/User/Application%20Data/Smilebox/OzDesktopImporter.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fln44x6l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 10:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-03-17 10:24:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 08:23
ComboFix2.txt 2010-03-16 09:49
ComboFix3.txt 2009-09-23 13:10
Pre-Run: 41,712,431,104 bytes free
Post-Run: 41,659,551,744 bytes free
- - End Of File - - 4776B228F5DE00FBA367D9EA0E1EC597
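A small triage script for the ComboFix log above, added here as an example; it is not ComboFix's own code and not something the thread's participants ran. It parses the `FILE ::` list handed to CFScript, the `Drivers/Services` section and the two firewall policy keys, then ties each random-named Temp executable to the `Service_`/`Legacy_` keys removed with it and lists firewall exceptions outside the usual program directories and every globally open inbound port. The sample text is a constructed excerpt whose lines are copied from the log; the `TRUSTED_DIRS` list and the section names are my assumptions about how a reviewer would read this format.

```python
"""Triage a ComboFix log: tie the random-named Temp executables removed by
CFScript to the Legacy_/Service_ keys removed with them, and pull out the
firewall exceptions and globally open ports that still need a justification."""
import re
from typing import Dict, List

# Constructed excerpt: these lines are copied from the ComboFix log above,
# with the unrelated sections left out so the sample stays short.
SAMPLE_LOG = r"""
FILE ::
"c:\docume~1\User\LOCALS~1\Temp\EJGRU.exe"
"c:\docume~1\User\LOCALS~1\Temp\IXWDHO.exe"
"c:\docume~1\User\LOCALS~1\Temp\NQNTZTTNNMVOO.exe"
"c:\docume~1\User\LOCALS~1\Temp\SIGPMIERHR.exe"
"c:\windows\system32\291.tmp"
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EJGRU
-------\Legacy_IXWDHO
-------\Legacy_MEMSWEEP2
-------\Legacy_NQNTZTTNNMVOO
-------\Legacy_SIGPMIERHR
-------\Service_EJGRU
-------\Service_IXWDHO
-------\Service_NQNTZTTNNMVOO
-------\Service_SIGPMIERHR
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.
2010-03-16 11:12 . 2008-03-02 01:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC
"3389:TCP"= 3389:TCP:Remote Desktop
"1098:TCP"= 1098:TCP:Akamai NetSession Interface
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 10:44 107256]
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Section name )))
REGKEY_RE = re.compile(r"^\[(.+)\]$")             # [HKLM\...]
QUOTED_RE = re.compile(r'^"([^"]+)"')             # "c:\path\file.exe"
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# Assumed: locations a firewall exception is normally expected to point at.
TRUSTED_DIRS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def parse_combofix(text: str) -> Dict[str, list]:
    """Walk the log line by line, tracking which section or registry key we are in."""
    data: Dict[str, list] = {"cfscript_files": [], "legacy": [], "services": [],
                             "firewall_apps": [], "open_ports": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("FILE ::"):
            section = "FILE"
            continue
        m = BANNER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = REGKEY_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "FILE":
            m = QUOTED_RE.match(line)
            if m:
                data["cfscript_files"].append(m.group(1))
        elif section == "Drivers/Services":
            if line.startswith("-------\\Legacy_"):
                data["legacy"].append(line.split("Legacy_", 1)[1])
            elif line.startswith("-------\\Service_"):
                data["services"].append(line.split("Service_", 1)[1])
        elif section.endswith("authorizedapplications\\list"):
            m = QUOTED_RE.match(line)
            if m:  # the log doubles backslashes inside these registry values
                data["firewall_apps"].append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                data["open_ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return data


def triage(data: Dict[str, list]) -> Dict[str, List[str]]:
    """Turn the parsed sections into review items for the person cleaning the box."""
    services, legacy = set(data["services"]), set(data["legacy"])
    out: Dict[str, List[str]] = {"temp_services": [], "unmatched_files": [],
                                 "orphan_legacy": [], "odd_firewall_apps": [], "open_ports": []}
    for path in data["cfscript_files"]:
        name = path.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0].upper()
        if stem in services:  # the dropped file was also installed as a service
            tag = "Service_%s" % stem + (" + Legacy_%s" % stem if stem in legacy else "")
            out["temp_services"].append("%s: registered as %s" % (name, tag))
        else:
            out["unmatched_files"].append(path)
    # Legacy_ device entries with no Service_ counterpart: review separately.
    out["orphan_legacy"] = sorted(legacy - services)
    out["odd_firewall_apps"] = [p for p in data["firewall_apps"]
                                if not p.lower().startswith(TRUSTED_DIRS)]
    out["open_ports"] = ["%d/%s (%s)" % (port, proto, label)
                         for port, proto, label in sorted(data["open_ports"])]
    return out


if __name__ == "__main__":
    for key, items in triage(parse_combofix(SAMPLE_LOG)).items():
        print(key)
        for item in items:
            print("   ", item)
```

The location check on firewall exceptions is deliberately narrow: it only surfaces executables outside the expected directories, so entries that sit under Program Files pass it and still deserve a glance from whoever owns the machine.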
March 17th, 2010, 04:36 AM
#8
HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:35:34, on 17/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\User\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis1991.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\User\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {9100BA25-85A6-4C80-86E9-426D2899F8EF} (WirelessContactHandler Class) - http://xtraz.icq.com/xtraz/products/...essContact.cab
O16 - DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} (AbImporter Class) - file:///C:/Documents%20and%20Settings/User/Application%20Data/Smilebox/OzDesktopImporter.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe
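The HijackThis log above is the raw material a helper reviews by hand; the script below is an added example of the first-pass checks, not code from the thread or from the HijackThis project. It reads the `Oxx - ...` entries and flags the ones that usually get looked at before anything else: entries marked `(file missing)`, autostarts whose target lives in a user-writable folder, startup shortcuts HJT could not resolve, ActiveX controls registered from a local `file:///` URL, every Winlogon Notify DLL, and services with no recognised publisher. The sample is a constructed excerpt copied from the log; the `USER_WRITABLE` folder list and the choice of which entry types to flag are my assumptions.

```python
"""First-pass review of HijackThis entries: surface the items a helper
normally checks before deciding what, if anything, to fix."""
import re
from typing import Dict, List

# Constructed excerpt: the lines are copied from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\User\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: McAfee Security Scan.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} (AbImporter Class) - file:///C:/Documents%20and%20Settings/User/Application%20Data/Smilebox/OzDesktopImporter.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|[RFN]\d)\s+-\s+(.*)$")  # "O4 - <body>"
# Assumed: folders any interactive user can write to, so an autostart placed
# there needed no administrative rights to plant.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage_hjt(text: str) -> Dict[str, List[str]]:
    """Group the entries that merit a closer look, keyed by the reason."""
    f: Dict[str, List[str]] = {
        "file_missing": [],            # registry still points at a file that is gone
        "user_writable_autostart": [], # O4 target under a user-writable folder
        "unresolved_lnk": [],          # startup shortcut HJT could not resolve
        "local_activex": [],           # O16 control registered from file:///
        "winlogon_notify": [],         # DLLs loaded into winlogon.exe
        "unknown_owner_services": [],  # O23 with no recognised publisher
    }
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if "(file missing)" in body:
            f["file_missing"].append("%s: %s" % (kind, body))
        if kind == "O4":
            if body.endswith("= ?"):
                f["unresolved_lnk"].append(body)
            elif any(d in body.lower() for d in USER_WRITABLE):
                f["user_writable_autostart"].append(body)
        elif kind == "O16" and "file:///" in body.lower():
            f["local_activex"].append(body)
        elif kind == "O20":
            f["winlogon_notify"].append(body)
        elif kind == "O23" and "Unknown owner" in body:
            f["unknown_owner_services"].append(body)
    return f


if __name__ == "__main__":
    for reason, entries in triage_hjt(SAMPLE_HJT).items():
        print(reason)
        for entry in entries:
            print("   ", entry)
```

None of these buckets is a verdict: a user-writable autostart or an unknown-owner service is the normal state of plenty of legitimate software, which is exactly why the thread's helper asks for the log rather than telling the poster to fix entries himself.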
March 17th, 2010, 07:38 PM
#9
Combofix log looks good
Uninstall Combofix :
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
You're using an outdated HJT version.
Download HijackThis :
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
==============================================================
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***
STEP 1. Download Malwarebytes' Anti-Malware : http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis , and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
March 17th, 2010, 07:42 PM
#10
Hi Broni, since my last post, I had to return the computer to the customer. I couldn't keep it another day. I did run Malwarebytes after running combofix and it came up 100% clean.
Good work and thanks!
March 17th, 2010, 09:00 PM
#11
You're welcome
One extremely important step you should have done (call him?) is to reset restore points.
As of now, if he uses system restore for some reason, all crap will be back.
March 17th, 2010, 09:06 PM
#12
He's a mechanic. He knows as little about computers as I know about cars. There's no way he'll ever use system restore.
I have my doubts though that restoring the system will bring the virus back.
Last edited by usil; March 17th, 2010 at 09:45 PM.
March 17th, 2010, 09:10 PM
#13
I have my doubts though that restoring the system will bring a virus back.
You have my 100% assurance: it will. With most infections, restore points get compromised.
That's another way nasties make sure they can come back at the first opportunity.
March 17th, 2010, 09:15 PM
#14
With the anti-virus updated, it will catch the virus during restoration.
March 17th, 2010, 09:18 PM
#15
You have to remember, there is no bullet-proof AV program.
How do you think people got infected?
Most people have some kind of AV program running.
I'm telling you this from years of experience in the malware field.
It's your call.