Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Microsoft Visual C++ Runtime Library Buf ...
Go to first new post Family Cyber Removal
Go to first new post System Check problem
Go to first new post hijack this log ......
Go to first new post Trojan virus
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Cannot access any google sites - youtube ...
Go to first new post My computer is slowly dying
Go to first new post Trojan Hider
Go to first new post We Got System Checked :-(
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Go to first new post Somethings Amiss....
Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Potentially malicious or infected application says Bit Defender (In Progress)

Page 5 of 6 « First 234 5 6
Reply  
Thread Tools
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
24-Sep-2009, 04:19 PM #61
Well, things are getting worse.
I received a reply from BitDefender with instructions to generate an AVIS log as well as a GMER log and sent them with a reply. Links were given to download the programs
I obtained the AVIS log without problem but received a "Blue Screen" while the GMER tool was running the scan. Now I'm scared to try to rerun it.
I sent the info to BitDefender, we'll see what they have to say. Let me know if you want me to send you the AVIS log, it's called "bd sys log.xml". I don't know if it would mean anything to you, it looks like it might be just for Bit Defender use.

Here is the technical info from the blue screen, if it should mean anything to you:

Technical info: STOP: (0XF9B28000, 0X00000000, 0X8DFAD7E3, 0X00000000)
Uwlii pow.sys - Address 8DFAD7E3 base a 8DFA2000, DateStamp 4aae2e86

The problem seems to be caused by the following file: uwliipow.sys.

Thanks a million.
Register for free to hide this ad!
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
24-Sep-2009, 07:35 PM #62
It looks like it could be a rogue driver. I thought we had run GMER.

Try running it in safe mode and you can also rename it to something else.
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
25-Sep-2009, 06:57 PM #63
I didn't try to run it in safe mode yet, because, in the mean time I heard from BitDefender and they told me they needed a Rootkit Unhooker log. Here is the beginning of their email.

Dear......,

In order to be able to further investigate the reported situation we need a
log generated by the Rootkit Unhooker application.


[how to GENERATE A ROOTKIT UNHOOKER LOG]

. Save the Rootkit Unhooker tool (and then extract it if needed) to a location
of your choice:
RECOMMENDED:
http://forum.sysinternals.com/upload...ku37300509.rar
alternative:
http://www.bitdefender.com/files/Kno...ku37300509.zip
or use the version attached to this email: rku37300509.zip (not available
for all email providers)

This is getting worse by the minute. I can't believe they would get me to download an infected file.

I did try to disinfect but because BitDefender still gave me a warning, I blocked it, so I'm back at square one.

What on earth do you think of that?
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
25-Sep-2009, 09:33 PM #64
It wouldn't be an infected file they sent you. Either malware or one of your security programs is interfering. Have you tried replying yes to that prompt?
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
25-Sep-2009, 10:10 PM #65
Yes I did. It took two tries to make that screen disappear. BTW, that screen was from the Rootkit Unhooker tool not from BitDefender. It says the parasite was within itself. How could Malware or BitDefender make up a statement like that? When the screen disappeared, the BitDefender screen gave me the same warning as it does with svchost.exe.

In an earlier post you said you thought we had run GMER. We did not as such but on 9/9 we ran Combofix and it looks like GMER rootkit/stealth malware detection was run as part of Combofix. I didn't download or run the program but there is an entry following the Combofix results.

Here is what we ran so far:
Hijack This (several times throughout this thread)
MBAM
Mount Points Diagnostic
Kaspersky Webscanner
Combofix
Jotti virus scan on svchost file (21 programs checked the file all with negative results.)
OTS
Taskservlist from the cmd command

If I have some malware or other threat on my computer it sure is good at hiding

I'm beginning to wonder if my settings are too high. They're all set at "aggressive"

Microsoft replied about the problem updating. They want me to uninstall and reinstall the MSXML software on my computer. I'll do it tomorrow.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
26-Sep-2009, 05:20 PM #66
I know it's BitDefender but it may be reacting that way to malware.

ComboFix only runs CatchMe by Gmer which is not the full rootkit detection that GMER is.

Let's remove ComboFix by dragging it to the recycle bin and download the latest version please, do a new scan and post that log.

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Puppy.exe please.
__________________
Microsoft MVP - Consumer Security
Last edited by Cookiegal; 27-Sep-2009 at 05:33 PM..
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
27-Sep-2009, 03:15 PM #67
I followed the instructions from the Microsoft Tech and it did fix the updating problem. I'm now up to date on critical updates.

Here is the ComboFix log:

ComboFix 09-09-25.01 - Claude Poole 09/27/2009 13:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2222 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\1a267c1.msp
c:\windows\Installer\233f9af.msp

.
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-25 14:40 . 2009-09-25 14:40 0 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 15:34 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-27 15:33 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:42 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:21 . 2009-06-04 23:03 13 ------w- c:\windows\popcinfo.dat
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ACABC4EE
*Deregistered* - acabc4ee

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - oleyreef@ptd.net.job
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.ex e,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-09-27 14:00
ComboFix-quarantined-files.txt 2009-09-27 18:00
ComboFix2.txt 2009-09-10 15:29

Pre-Run: 206,895,509,504 bytes free
Post-Run: 206,911,574,016 bytes free

235 --- E O F --- 2009-09-27 16:00
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
27-Sep-2009, 05:43 PM #68
Download RootkitRevealer from here:

http://www.sysinternals.com/utilitie...trevealer.html

Unzip it then doubleclick the RootkitRevealer.exe file. Click the scan button and let it scan. Save the scan results and post them here.
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
28-Sep-2009, 07:28 PM #69
I ran the RootkitRevealer but ran into trouble trying to save the log. The only place it wanted me to save it was in Sys32. I tried to save to the desktop and to My Documents unsuccessfully. I got a little farther with My Documents and it did try to save but then it froze after telling me the file already existed (that would have been from several prior attempts). Then I was told the program was not responding.
I did a search for the .txt file and found two under My Documents/localservice?. They both had 0 bytes since I had to end the program when it was not responding.

Incidentally, every time I ran the scan I got a different number of discrepancies found. The first time it was 1300 and some, then the other times were in the 30s and 40s?

Now, I got a little farther with BitDefender. They sent me an email asking me to rerun the test with BitDefender disabled. I'm attaching the results here. It looks like two hidden files are suspect.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
28-Sep-2009, 08:32 PM #70
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\emtjh73m.exe
C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\uwliipow.sys

Driver::
uwliipow
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
__________________
Microsoft MVP - Consumer Security
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
28-Sep-2009, 10:33 PM #71
ComboFix 09-09-28.01 - Claude Poole 09/28/2009 20:59.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2182 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
Command switches used :: c:\documents and settings\Claude Poole\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

FILE ::
"c:\docume~1\CLAUDE~1\LOCALS~1\Temp\uwliipow.sys"
"c:\windows\system32\emtjh73m.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UWLIIPOW
-------\Service_uwliipow


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-28 19:56 . 2009-09-28 19:57 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\QuickScan
2009-09-27 23:35 . 2009-09-27 23:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BitDefender
2009-09-27 17:54 . 2009-09-27 18:00 -------- d-----w- C:\Puppy
2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 01:04 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-29 01:03 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-27 21:27 . 2009-06-04 23:03 13 ----a-w- c:\windows\popcinfo.dat
2009-09-27 18:46 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_17.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-29 01:04 . 2009-09-29 01:04 16384 c:\windows\Temp\Perflib_Perfdata_180.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 BWMMHD;BWMMHD;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe [?]
S3 FKFRBQO;FKFRBQO;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe [?]
S3 P;P;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\P.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\P.exe [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 RKPCFMNZSN;RKPCFMNZSN;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - oleyreef@ptd.net.job
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\extensions\speedtest@gotomyh elp.com\components\NetDiag.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.ex e,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1488)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\drivers\audio\R214424\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-09-29 21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 01:07
ComboFix2.txt 2009-09-27 18:00
ComboFix3.txt 2009-09-10 15:29

Pre-Run: 206,858,694,656 bytes free
Post-Run: 206,738,780,160 bytes free

278 --- E O F --- 2009-09-27 16:00

Cookiegal: I didn't get a message box with the log.

I will have to post the HijackThis log in a second post as it made this one too long for posting.


Cookiegal: I didn't get a message box with the ComboFix log
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
28-Sep-2009, 10:42 PM #72
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:32 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (qsax Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: BWMMHD - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FKFRBQO - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: P - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\P.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RKPCFMNZSN - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9754 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
30-Sep-2009, 12:11 PM #73
The driver was likely associated with GMER as well. It uses odd random file names so it looks like malware sometimes.

Open Notepad and copy and paste the text in the code box below into it:

Code:
Driver::
BWMMHD
FKFRBQO
P
rkhdrv40
RKPCFMNZSN

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
__________________
Microsoft MVP - Consumer Security
Cjreef's Avatar
Member with 46 posts.
  
Join Date: Aug 2009
30-Sep-2009, 07:34 PM #74
ComboFix 09-09-30.01 - Claude Poole 09/30/2009 18:21.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2358 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
Command switches used :: c:\documents and settings\Claude Poole\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BWMMHD
-------\Legacy_FKFRBQO
-------\Legacy_P
-------\Legacy_RKHDRV40
-------\Legacy_RKPCFMNZSN
-------\Service_BWMMHD
-------\Service_FKFRBQO
-------\Service_P
-------\Service_rkhdrv40
-------\Service_RKPCFMNZSN


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-29 15:39 . 2009-09-29 15:39 8676 ----a-w- c:\documents and settings\Claude Poole\BootRecs.zip
2009-09-28 19:56 . 2009-09-28 19:57 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\QuickScan
2009-09-27 23:35 . 2009-09-27 23:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BitDefender
2009-09-27 17:54 . 2009-09-27 18:00 -------- d-----w- C:\Puppy
2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 22:26 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-30 22:24 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-27 21:27 . 2009-06-04 23:03 13 ----a-w- c:\windows\popcinfo.dat
2009-09-27 18:46 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_17.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-30 22:26 . 2009-09-30 22:26 16384 c:\windows\Temp\Perflib_Perfdata_3ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - oleyreef@ptd.net.job
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\CLAUDE~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\drivers\audio\R214424\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-30 18:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 22:28
ComboFix2.txt 2009-09-29 01:07
ComboFix3.txt 2009-09-27 18:00
ComboFix4.txt 2009-09-10 15:29

Pre-Run: 206,688,657,408 bytes free
Post-Run: 206,656,454,656 bytes free

251 --- E O F --- 2009-09-27 16:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:11 PM, on 9/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (qsax Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7503 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
05-Oct-2009, 08:59 PM #75
I'm sorry about the delay and wanted to let you know that I haven't forgotten you. I've had connection problems for several days and wasn't able to get on-line at all. It will probably take me a few days to catch up so I will post back here as soon as I can with further instructions.
__________________
Microsoft MVP - Consumer Security
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 5 of 6 « First 234 5 6

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 04:49 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.