Inactive Can't remove malware:log posted mbam,gmer, dds

[ilokobiz]

hi guys i'm new here please help me my laptop has a malware and my avast antivirus keeps popping up about a malware and it cant be erased.

i just read your 8 steps on how to remove malware and i just finished the 6steps whats next please help....

 

[ilokobiz]

here is the mbam log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4585

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/10/2010 9:49:13 AM
mbam-log-2010-09-10 (09-49-13).txt

Scan type: Quick scan
Objects scanned: 130523
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

 

[ilokobiz]

gmer log

I attached it

 

[Broni]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality)

The above is bad news. Let's double check....

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

 

[ilokobiz]

DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 10:46:28.29 on Fri 09/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1029 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100909-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Breakpoint Computers\WinTimer\WinTimer.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
C:\Documents and Settings\user\Desktop\New Folder (2)\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.facemoods.com/?a=wfxt1
mStart Page = hxxp://start.facemoods.com/?a=wfxt1
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://start.facemoods.com/?a=wfxt1&s={searchTerms}&f=4
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.8.1\bh\facemoods.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [WinTimer] "c:\program files\breakpoint computers\wintimer\WinTimer.exe"
uRun: [L09AXLRD_11467890] "c:\program files\microsoft student\microsoft student with encarta premium 2009 dvd\EDICT.EXE" -m
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe" /md I
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [_nltide_2] regsvr32 /s /n /I:U shell32
StartupFolder: c:\docume~1\user\startm~1\programs\startup\shortc~1.lnk - c:\program files\rocketdock\RocketDock.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-7-7 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-9-9 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-7 20560]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-9-10 304464]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\jnkppj.sys --> c:\windows\system32\drivers\jnkppj.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-10 20952]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-7-7 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-7-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-7-7 352920]

=============== Created Last 30 ================

2010-09-10 16:13:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 16:13:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 16:13:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:01:07 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-09-10 01:01:07 0 d-----w- c:\docume~1\user\applic~1\Spyware Terminator
2010-09-10 01:01:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2010-09-10 01:01:00 0 d-----w- c:\program files\Spyware Terminator
2010-09-09 21:34:50 0 d-----w- C:\_OTS
2010-09-09 20:08:20 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-09-09 20:08:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-09 20:04:38 0 d-----w- c:\program files\Ask.com
2010-09-09 20:04:28 0 d-----w- c:\program files\BitTorrent
2010-09-09 20:04:00 0 d-----w- c:\docume~1\user\applic~1\BitTorrent
2010-09-05 21:48:40 4096 ----a-w- c:\windows\d3dx.dat
2010-09-05 21:48:37 0 d-----w- c:\docume~1\user\applic~1\Wildfire
2010-09-05 18:58:53 0 d-----w- c:\program files\common files\Sandlot Shared
2010-09-05 18:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Sandlot Games
2010-08-28 19:57:12 0 d-----w- c:\program files\common files\DirectX
2010-08-28 19:13:03 0 d-----w- C:\Need for Speed Underground 2
2010-08-19 21:01:21 876 ----a-w- c:\windows\$_hpcst$.hpc
2010-08-18 22:43:37 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2010-08-18 22:43:23 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys
2010-08-18 22:43:22 28160 ----a-w- c:\windows\system32\irmon.dll
2010-08-18 22:43:22 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys
2010-08-18 22:43:22 151552 ----a-w- c:\windows\system32\irftp.exe
2010-08-18 22:43:21 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-08-18 22:43:09 273024 ----a-w- c:\windows\system32\drivers\bthport.sys
2010-08-18 22:43:08 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2010-08-11 18:14:58 0 d-----w- c:\program files\RocketDock

==================== Find3M ====================

2010-07-07 18:03:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 17:26:22 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 10:46:50.87 ===============

 

[Broni]

Please, make sure, you read my previous reply.

 

[ilokobiz]

virustotal result on explorer.exe

explorer.exe

5 VT Community user(s) with a total of 653 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: explorer.exe
Submission date: 2010-09-10 04:37:57 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community

goodware
Safety score: 100.0%

userinit.exe


0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: userinit.exe
Submission date: 2010-09-10 04:42:56 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community

not reviewed
Safety score: -

svchost.exe
4 VT Community user(s) with a total of 230 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: svchost.exe
Submission date: 2010-09-10 04:48:50 (UTC)
Current status: analysing
Result: 0/ 43 (0.0%)
VT Community

goodware
Safety score: 100.0%

sir broni here is the result pls help

 

[ilokobiz]

yes sir sorry for the late reply i've sent it

 

[Broni]

That looks promising

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[ilokobiz]

MBRCheck

just finished running mbrcheck but i cant open it as admin it has a password so i run it as user

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 125):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xBADA8000 \WINDOWS\system32\KDCOM.DLL
0xBACB8000 \WINDOWS\system32\BOOTVID.dll
0xBA779000 ACPI.sys
0xBADAA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xBA768000 pci.sys
0xBA8A8000 isapnp.sys
0xBA8B8000 ohci1394.sys
0xBA8C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBACBC000 compbatt.sys
0xBACC0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBAE70000 PCIIde.sys
0xBAB28000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xBADAC000 intelide.sys
0xBA74A000 pcmcia.sys
0xBA8D8000 MountMgr.sys
0xBA72B000 ftdisk.sys
0xBADAE000 dmload.sys
0xBA705000 dmio.sys
0xBACC4000 ACPIEC.sys
0xBAE71000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBAB30000 PartMgr.sys
0xBA8E8000 VolSnap.sys
0xBA6ED000 atapi.sys
0xBA8F8000 disk.sys
0xBA908000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA6CD000 fltMgr.sys
0xBA6BB000 sr.sys
0xBAB38000 PxHelp20.sys
0xBA6A4000 KSecDD.sys
0xBA617000 Ntfs.sys
0xBA5EA000 NDIS.sys
0xBA5D0000 Mup.sys
0xBAB08000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9D7B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9D67000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBABE8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9D43000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBABF0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB99E1000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xBABF8000 \SystemRoot\system32\DRIVERS\RTL8139.SYS
0xB97AA000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB9786000 \SystemRoot\system32\drivers\portcls.sys
0xBA928000 \SystemRoot\system32\drivers\drmk.sys
0xB9763000 \SystemRoot\system32\drivers\ks.sys
0xBA938000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBAC00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBAC08000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA948000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA958000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA968000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBAC10000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBAD80000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBAEE0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA978000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBAD84000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB974C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA988000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA998000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBAC18000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB973B000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA9A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBAC28000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBAC30000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7B0D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA9C8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBADCA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7AAF000 \SystemRoot\system32\DRIVERS\update.sys
0xBADA4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA9D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA9F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBADCE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBADD8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBAFDD000 \SystemRoot\System32\Drivers\Null.SYS
0xBADDA000 \SystemRoot\System32\Drivers\Beep.SYS
0xBAC58000 \SystemRoot\System32\drivers\vga.sys
0xBADDC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBADDE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBAC60000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBAC68000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9E90000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA78F4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA789B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBAA08000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xBAA18000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA7873000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA7851000 \SystemRoot\System32\drivers\afd.sys
0xBAA28000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA782E000 \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
0xA7803000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA776B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBAA38000 \SystemRoot\System32\Drivers\Fips.SYS
0xA774A000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBAC70000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBAD58000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBAA58000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBAC78000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBAD5C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBAAD8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA7732000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBADFA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA57B000 \SystemRoot\System32\drivers\Dxapi.sys
0xBAB58000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xBAEB6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9E3000 \SystemRoot\System32\ialmdnt5.dll
0xBF9D5000 \SystemRoot\System32\ialmrnt5.dll
0xBFA04000 \SystemRoot\System32\ialmdev5.DLL
0xBFA38000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA58F000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xBAB70000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
0xA7612000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7474000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA6D7F000 \SystemRoot\system32\drivers\wdmaud.sys
0xA6EFC000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6B4A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA6AA8000 \SystemRoot\system32\DRIVERS\srv.sys
0xA685F000 \SystemRoot\System32\Drivers\HTTP.sys
0xA6998000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA7572000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xA31CB000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
600 C:\WINDOWS\system32\smss.exe
664 csrss.exe
688 C:\WINDOWS\system32\winlogon.exe
732 C:\WINDOWS\system32\services.exe
744 C:\WINDOWS\system32\lsass.exe
900 C:\WINDOWS\system32\svchost.exe
964 svchost.exe
1056 C:\WINDOWS\system32\svchost.exe
1112 svchost.exe
1256 svchost.exe
1544 C:\Program Files\Alwil Software\Avast4\ashServ.exe
1732 C:\WINDOWS\explorer.exe
1804 C:\Program Files\USB Disk Security\USBGuard.exe
1812 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
1820 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
1880 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
1900 C:\WINDOWS\system32\rundll32.exe
1956 C:\Program Files\Breakpoint Computers\WinTimer\WinTimer.exe
1964 C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
1980 C:\WINDOWS\system32\ctfmon.exe
1992 C:\Program Files\BitTorrent\BitTorrent.exe
2004 C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
2044 C:\Program Files\RocketDock\RocketDock.exe
2064 C:\WINDOWS\system32\spoolsv.exe
2928 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2944 C:\Program Files\Bonjour\mDNSResponder.exe
2972 svchost.exe
3052 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
3080 C:\Program Files\Java\jre6\bin\jqs.exe
3132 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
3268 C:\Program Files\Spyware Terminator\sp_rsser.exe
636 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3224 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1512 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
228 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1712 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
5192 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
10864 C:\WINDOWS\system32\cmd.exe
11588 C:\WINDOWS\system32\ping.exe
19908 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
22128 C:\Documents and Settings\user\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (NTFS)

PhysicalDrive0 Model Number: HTS548060M9AT00, Rev: MGBOA53A

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

 

[ilokobiz]

the combo fix is still donwloading my internet connection is very slow right now 35mins to go....

 

[Broni]

MBRCheck log looks good

 

[ilokobiz]

that a relief to hear....after running combofix?

 

[Broni]

Well, we'll see what Combofix will show...

 

[ilokobiz]

sir i cant download the combo fix ive been downloading this one for about 2 hours now, and it stuck @ 2.2mb

 

[ilokobiz]

combofix log

ComboFix 10-09-09.03 - user 09/10/2010 18:42:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.992 [GMT -7:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100909-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\facemoods.com
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.8.1\bh\facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_amsint32


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 00:48 . 2010-09-11 00:48 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AskToolbar
2010-09-10 16:13 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 16:13 . 2010-09-10 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 16:13 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 01:01 . 2010-09-10 01:01 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2010-09-10 01:01 . 2010-09-10 01:01 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2010-09-10 01:01 . 2010-09-10 01:24 -------- d-----w- c:\documents and settings\user\Application Data\Spyware Terminator
2010-09-10 01:01 . 2010-09-10 01:01 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-09-10 01:01 . 2010-09-10 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-09-10 01:01 . 2010-09-10 01:07 -------- d-----w- c:\program files\Spyware Terminator
2010-09-09 21:34 . 2010-09-09 21:34 -------- d-----w- C:\_OTS
2010-09-09 20:08 . 2010-09-09 20:08 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-09-09 20:08 . 2010-09-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-09 20:04 . 2010-09-09 20:04 -------- d-----w- c:\program files\Ask.com
2010-09-09 20:04 . 2010-09-09 20:04 -------- d-----w- c:\program files\BitTorrent
2010-09-09 20:04 . 2010-09-11 01:53 -------- d-----w- c:\documents and settings\user\Application Data\BitTorrent
2010-09-05 21:48 . 2010-09-05 21:48 4096 ----a-w- c:\windows\d3dx.dat
2010-09-05 21:48 . 2010-09-09 01:13 -------- d-----w- c:\documents and settings\user\Application Data\Wildfire
2010-09-05 18:58 . 2010-09-05 18:58 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-09-05 18:58 . 2010-09-05 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-09-04 20:19 . 2010-09-04 20:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Help
2010-08-28 19:57 . 2010-09-06 19:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\NFS Underground 2
2010-08-28 19:57 . 2010-08-28 19:57 -------- d-----w- c:\program files\Common Files\DirectX
2010-08-28 19:13 . 2010-08-28 19:55 -------- d-----w- C:\Need for Speed Underground 2
2010-08-18 22:43 . 2008-04-14 07:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2010-08-18 22:43 . 2008-04-14 07:16 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys
2010-08-18 22:43 . 2008-04-14 12:42 151552 ----a-w- c:\windows\system32\irftp.exe
2010-08-18 22:43 . 2008-04-14 12:41 28160 ----a-w- c:\windows\system32\irmon.dll
2010-08-18 22:43 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys
2010-08-18 22:43 . 2008-04-14 12:42 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-08-18 22:43 . 2008-04-14 07:16 273024 ----a-w- c:\windows\system32\drivers\bthport.sys
2010-08-18 22:43 . 2008-04-14 07:16 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 19:53 . 2010-07-18 05:15 -------- d-----w- c:\documents and settings\user\Application Data\FrostWire
2010-09-09 00:49 . 2010-07-07 18:07 -------- d-----w- c:\program files\QuickTime
2010-09-08 18:51 . 2010-07-07 18:43 90480 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 23:44 . 2010-07-07 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-08-28 18:25 . 2010-07-07 23:13 40 ----a-w- c:\windows\RSoftInfo.dat
2010-08-11 18:15 . 2010-08-11 18:14 -------- d-----w- c:\program files\RocketDock
2010-08-04 18:17 . 2010-07-08 02:29 25 ----a-w- c:\windows\popcinfot.dat
2010-07-21 22:10 . 2010-07-21 22:10 10 ----a-w- c:\windows\popcinfo.dat
2010-07-21 02:42 . 2010-07-07 18:02 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2010-07-20 23:14 . 2010-07-07 18:09 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2010-07-20 21:12 . 2010-07-07 18:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-19 21:38 . 2010-07-19 21:35 -------- d-----w- c:\documents and settings\user\Application Data\Canon
2010-07-19 19:15 . 2010-07-19 19:15 -------- d-----w- c:\documents and settings\user\Application Data\Yahoo!
2010-07-18 18:39 . 2010-07-18 18:39 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2010-07-18 05:04 . 2010-07-18 05:04 -------- d-----w- c:\documents and settings\user\Application Data\vlc
2010-07-14 22:32 . 2010-07-14 22:32 -------- d-----w- c:\documents and settings\user\Application Data\funkitron
2010-07-09 00:00 . 2010-07-07 17:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-07 18:09 . 2010-07-07 18:04 119986 ----a-w- c:\documents and settings\user\Application Data\Facebook\uninstall.exe
2010-07-07 18:06 . 2010-07-07 18:06 0 ----a-w- c:\windows\nsreg.dat
2010-07-07 18:03 . 2010-07-07 18:03 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 17:26 . 2010-07-07 17:26 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinTimer"="c:\program files\Breakpoint Computers\WinTimer\WinTimer.exe" [2010-12-05 835584]
"L09AXLRD_11467890"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 351000]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-09-09 3007344]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-09-10 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-07-25 868352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1922376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 114096]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 515408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\documents and settings\user\Start Menu\Programs\Startup\
Shortcut to RocketDock.exe.lnk - c:\program files\RocketDock\RocketDock.exe [2010-8-11 569344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 15:58 114096 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-07 18:06 213488 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2009-09-08 04:10 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2009-09-08 04:11 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2009-09-08 04:11 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-04-29 23:59 5248312 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2009-09-08 04:13 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 317672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Documents and Settings\\user\\My Documents\\Downloads\\Facemoods (5).exe"=
"\\\\Workstation1\\c\\dotahotkeys.exe"=
"c:\\Program Files\\RocketDock\\RocketDock.exe"=
"c:\\Program Files\\USB Disk Security\\USBGuard.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Update\\1.2.183.29\\GoogleCrashHandler.exe"=
"c:\\WINDOWS\\notepad.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"d:\\games\\warcraft iii\\war3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winhjcax.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/7/2010 11:21 AM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/9/2010 6:01 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/7/2010 11:21 AM 20560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/10/2010 9:13 AM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/10/2010 9:13 AM 20952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AMSINT32
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-602162358-1177238915-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-07 18:06]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-602162358-1177238915-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-07 18:06]

2010-09-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=wfxt1
mStart Page = hxxp://start.facemoods.com/?a=wfxt1
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.4.8.1\bh\facemoods.dll
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-10 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2324)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\docume~1\user\LOCALS~1\Temp\winhjcax.exe
.
**************************************************************************
.
Completion time: 2010-09-10 18:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-11 01:59

Pre-Run: 687,747,072 bytes free
Post-Run: 467,709,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 78273062401612D67AC663D287995B27

 

[Broni]

Please, uninstall Ask.com as it's considered as an adware.

=========================================================================

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
"AntiVirusDisableNotify"=-
"FirewallDisableNotify"=-
"FirewallOverride"=-
"UpdatesDisableNotify"=-
"UacDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=-

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[ilokobiz]

combofix.txt

ComboFix 10-09-09.04 - user 09/11/2010 8:31:35.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1050 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100910-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AMSINT32
-------\Service_amsint32


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 15:42:29 . 2010-09-11 15:42:29 5157 ----a-w- C:\WINDOWS\system32\drivers\jnkppj.sys
2010-09-11 00:48:05 . 2010-09-11 00:48:25 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\AskToolbar
2010-09-10 16:13:50 . 2010-04-29 22:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-10 16:13:47 . 2010-09-10 16:13:53 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-10 16:13:47 . 2010-04-29 22:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-09 21:34:50 . 2010-09-09 21:34:50 -------- d-----w- C:\_OTS
2010-09-09 20:08:20 . 2010-09-09 20:08:20 -------- d-----w- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-09-09 20:08:12 . 2010-09-09 20:08:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-09-09 20:04:38 . 2010-09-09 20:04:46 -------- d-----w- C:\Program Files\Ask.com
2010-09-09 20:04:28 . 2010-09-09 20:04:29 -------- d-----w- C:\Program Files\BitTorrent
2010-09-09 20:04:00 . 2010-09-11 15:41:58 -------- d-----w- C:\Documents and Settings\user\Application Data\BitTorrent
2010-09-05 21:48:40 . 2010-09-05 21:48:40 4096 ----a-w- C:\WINDOWS\d3dx.dat
2010-09-05 21:48:37 . 2010-09-09 01:13:18 -------- d-----w- C:\Documents and Settings\user\Application Data\Wildfire
2010-09-05 18:58:53 . 2010-09-05 18:58:53 -------- d-----w- C:\Program Files\Common Files\Sandlot Shared
2010-09-05 18:58:51 . 2010-09-05 18:58:51 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2010-09-04 20:19:37 . 2010-09-04 20:19:37 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\Help
2010-08-28 19:57:14 . 2010-09-06 19:26:12 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\NFS Underground 2
2010-08-28 19:57:12 . 2010-08-28 19:57:12 -------- d-----w- C:\Program Files\Common Files\DirectX
2010-08-28 19:13:03 . 2010-08-28 19:55:57 -------- d-----w- C:\Need for Speed Underground 2
2010-08-18 22:43:37 . 2008-04-14 07:21:36 101120 ----a-w- C:\WINDOWS\system32\drivers\bthpan.sys
2010-08-18 22:43:23 . 2008-04-14 07:16:34 59136 ----a-w- C:\WINDOWS\system32\drivers\rfcomm.sys
2010-08-18 22:43:22 . 2008-04-14 12:42:24 151552 ----a-w- C:\WINDOWS\system32\irftp.exe
2010-08-18 22:43:22 . 2008-04-14 12:41:56 28160 ----a-w- C:\WINDOWS\system32\irmon.dll
2010-08-18 22:43:22 . 2008-04-14 07:16:34 17024 ----a-w- C:\WINDOWS\system32\drivers\BthEnum.sys
2010-08-18 22:43:21 . 2008-04-14 12:42:12 8192 ----a-w- C:\WINDOWS\system32\wshirda.dll
2010-08-18 22:43:09 . 2008-04-14 07:16:34 273024 ----a-w- C:\WINDOWS\system32\drivers\bthport.sys
2010-08-18 22:43:08 . 2008-04-14 07:16:30 18944 ----a-w- C:\WINDOWS\system32\drivers\BTHUSB.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 19:53:53 . 2010-07-18 05:15:09 -------- d-----w- C:\Documents and Settings\user\Application Data\FrostWire
2010-09-09 00:49:43 . 2010-07-07 18:07:12 -------- d-----w- C:\Program Files\QuickTime
2010-09-08 18:51:51 . 2010-07-07 18:43:45 90480 ----a-w- C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 23:44:49 . 2010-07-07 21:44:35 -------- d-----w- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2010-08-28 18:25:09 . 2010-07-07 23:13:09 40 ----a-w- C:\WINDOWS\RSoftInfo.dat
2010-08-11 18:15:31 . 2010-08-11 18:14:58 -------- d-----w- C:\Program Files\RocketDock
2010-08-04 18:17:05 . 2010-07-08 02:29:13 25 ----a-w- C:\WINDOWS\popcinfot.dat
2010-07-21 22:10:25 . 2010-07-21 22:10:25 10 ----a-w- C:\WINDOWS\popcinfo.dat
2010-07-21 02:42:33 . 2010-07-07 18:02:09 -------- d-----w- C:\Documents and Settings\user\Application Data\Skype
2010-07-20 23:14:52 . 2010-07-07 18:09:17 -------- d-----w- C:\Documents and Settings\user\Application Data\Apple Computer
2010-07-20 21:12:02 . 2010-07-07 18:10:04 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-07-19 21:38:00 . 2010-07-19 21:35:50 -------- d-----w- C:\Documents and Settings\user\Application Data\Canon
2010-07-19 19:15:07 . 2010-07-19 19:15:07 -------- d-----w- C:\Documents and Settings\user\Application Data\Yahoo!
2010-07-18 18:39:12 . 2010-07-18 18:39:05 -------- d-----w- C:\Documents and Settings\user\Application Data\Media Player Classic
2010-07-18 05:04:25 . 2010-07-18 05:04:24 -------- d-----w- C:\Documents and Settings\user\Application Data\vlc
2010-07-14 22:32:03 . 2010-07-14 22:32:03 -------- d-----w- C:\Documents and Settings\user\Application Data\funkitron
2010-07-09 00:00:17 . 2010-07-07 17:30:16 86327 ----a-w- C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
2010-07-07 18:09:30 . 2010-07-07 18:04:53 119986 ----a-w- C:\Documents and Settings\user\Application Data\Facebook\uninstall.exe
2010-07-07 18:06:04 . 2010-07-07 18:06:04 0 ----a-w- C:\WINDOWS\nsreg.dat
2010-07-07 18:03:19 . 2010-07-07 18:03:33 411368 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-07-07 17:26:22 . 2010-07-07 17:26:22 21640 ----a-w- C:\WINDOWS\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2009-01-12 02:44:02 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-11_01.54.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-11 15:42:17 . 2010-09-11 15:42:17 16384 C:\WINDOWS\Temp\Perflib_Perfdata_e60.dat
+ 2010-09-11 15:09:48 . 2010-09-11 15:09:48 16384 C:\WINDOWS\Temp\Perflib_Perfdata_628.dat
+ 2010-09-11 15:42:02 . 2010-09-11 15:42:02 16384 C:\WINDOWS\Temp\Perflib_Perfdata_5a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23:06 1385864 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-05-26 22:23:06 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-05-26 22:23:06 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinTimer"="C:\Program Files\Breakpoint Computers\WinTimer\WinTimer.exe" [2010-12-05 12:11:44 835584]
"L09AXLRD_11467890"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 10:05:38 351000]
"BitTorrent"="C:\Program Files\BitTorrent\BitTorrent.exe" [2010-09-09 20:04:30 3007344]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 12:42:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="C:\Program Files\USB Disk Security\USBGuard.exe" [2008-07-25 06:24:20 868352]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 22:51:40 81000]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 17:07:00 1922376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 15:58:00 114096]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 08:06:33 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 12:42:42 110592]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 22:39:32 515408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Shortcut to RocketDock.exe.lnk - C:\Program Files\RocketDock\RocketDock.exe [2010-8-11 569344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 15:58:00 114096 ----a-w- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42:18 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-07 18:06:02 213488 ----atw- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47:42 31016 ----a-w- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2009-09-08 04:10:42 77824 ----a-w- C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2009-09-08 04:11:18 114688 ----a-w- C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2009-09-08 04:11:22 94208 ----a-w- C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09:42 305440 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-04-29 23:59:14 5248312 ----a-w- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54:42 417792 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2009-09-08 04:13:31 77824 ----a-w- C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43:18 317672 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41:22 33792 ----a-w- C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Documents and Settings\\user\\My Documents\\Downloads\\Facemoods (5).exe"=
"\\\\Workstation1\\c\\dotahotkeys.exe"=
"C:\\Program Files\\RocketDock\\RocketDock.exe"=
"C:\\Program Files\\USB Disk Security\\USBGuard.exe"=
"C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe"=
"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Update\\1.2.183.29\\GoogleCrashHandler.exe"=
"C:\\WINDOWS\\notepad.exe"=
"C:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"C:\\WINDOWS\\system32\\cmd.exe"=
"d:\\games\\warcraft iii\\war3.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"=
"C:\\Documents and Settings\\user\\My Documents\\Downloads\\ComboFix.exe"=
"C:\\Program Files\\Breakpoint Computers\\WinTimer\\WinTimer.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [7/7/2010 11:21:37 AM 114768]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [7/7/2010 11:21:37 AM 20560]
R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [9/10/2010 9:13:52 AM 304464]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [9/10/2010 9:13:47 AM 20952]
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34:12 . 2008-07-30 19:34:12]

2010-09-09 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-602162358-1177238915-1003Core.job
- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-07 18:06:06 . 2010-07-07 18:06:02]

2010-09-11 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-602162358-1177238915-1003UA.job
- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-07 18:06:06 . 2010-07-07 18:06:02]

2010-09-11 C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
- C:\Program Files\Ask.com\UpdateTask.exe [2010-05-26 22:23:08 . 2010-05-26 22:23:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=wfxt1
mStart Page = hxxp://start.facemoods.com/?a=wfxt1
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
.

 

[ilokobiz]

sir there is still a virus alert what will i do next?

 

[Broni]

We still have some "baddies".

You didn't:

Please, uninstall Ask.com as it's considered as an adware.

Please, do it now.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\jnkppj.sys

Driver::
jnkppj

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[ilokobiz]

combofix.txt

ComboFix 10-09-09.04 - user 09/11/2010 10:13:37.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1072 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100910-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\WINDOWS\system32\drivers\jnkppj.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AMSINT32
-------\Service_amsint32
-------\Legacy_AMSINT32
-------\Service_amsint32


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 17:23:51 . 2010-09-11 17:23:51 5157 ----a-w- C:\WINDOWS\system32\drivers\jnkppj.sys
2010-09-10 16:13:50 . 2010-04-29 22:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-10 16:13:47 . 2010-09-10 16:13:53 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-10 16:13:47 . 2010-04-29 22:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-09 21:34:50 . 2010-09-09 21:34:50 -------- d-----w- C:\_OTS
2010-09-09 20:08:20 . 2010-09-09 20:08:20 -------- d-----w- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-09-09 20:08:12 . 2010-09-09 20:08:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-09-09 20:04:28 . 2010-09-09 20:04:29 -------- d-----w- C:\Program Files\BitTorrent
2010-09-09 20:04:00 . 2010-09-11 17:23:29 -------- d-----w- C:\Documents and Settings\user\Application Data\BitTorrent
2010-09-05 21:48:40 . 2010-09-05 21:48:40 4096 ----a-w- C:\WINDOWS\d3dx.dat
2010-09-05 21:48:37 . 2010-09-09 01:13:18 -------- d-----w- C:\Documents and Settings\user\Application Data\Wildfire
2010-09-05 18:58:53 . 2010-09-05 18:58:53 -------- d-----w- C:\Program Files\Common Files\Sandlot Shared
2010-09-05 18:58:51 . 2010-09-05 18:58:51 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2010-09-04 20:19:37 . 2010-09-04 20:19:37 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\Help
2010-08-28 19:57:14 . 2010-09-06 19:26:12 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\NFS Underground 2
2010-08-28 19:57:12 . 2010-08-28 19:57:12 -------- d-----w- C:\Program Files\Common Files\DirectX
2010-08-28 19:13:03 . 2010-08-28 19:55:57 -------- d-----w- C:\Need for Speed Underground 2
2010-08-18 22:43:37 . 2008-04-14 07:21:36 101120 ----a-w- C:\WINDOWS\system32\drivers\bthpan.sys
2010-08-18 22:43:23 . 2008-04-14 07:16:34 59136 ----a-w- C:\WINDOWS\system32\drivers\rfcomm.sys
2010-08-18 22:43:22 . 2008-04-14 12:42:24 151552 ----a-w- C:\WINDOWS\system32\irftp.exe
2010-08-18 22:43:22 . 2008-04-14 12:41:56 28160 ----a-w- C:\WINDOWS\system32\irmon.dll
2010-08-18 22:43:22 . 2008-04-14 07:16:34 17024 ----a-w- C:\WINDOWS\system32\drivers\BthEnum.sys
2010-08-18 22:43:21 . 2008-04-14 12:42:12 8192 ----a-w- C:\WINDOWS\system32\wshirda.dll
2010-08-18 22:43:09 . 2008-04-14 07:16:34 273024 ----a-w- C:\WINDOWS\system32\drivers\bthport.sys
2010-08-18 22:43:08 . 2008-04-14 07:16:30 18944 ----a-w- C:\WINDOWS\system32\drivers\BTHUSB.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 19:53:53 . 2010-07-18 05:15:09 -------- d-----w- C:\Documents and Settings\user\Application Data\FrostWire
2010-09-09 00:49:43 . 2010-07-07 18:07:12 -------- d-----w- C:\Program Files\QuickTime
2010-09-08 18:51:51 . 2010-07-07 18:43:45 90480 ----a-w- C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 23:44:49 . 2010-07-07 21:44:35 -------- d-----w- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2010-08-28 18:25:09 . 2010-07-07 23:13:09 40 ----a-w- C:\WINDOWS\RSoftInfo.dat
2010-08-11 18:15:31 . 2010-08-11 18:14:58 -------- d-----w- C:\Program Files\RocketDock
2010-08-04 18:17:05 . 2010-07-08 02:29:13 25 ----a-w- C:\WINDOWS\popcinfot.dat
2010-07-21 22:10:25 . 2010-07-21 22:10:25 10 ----a-w- C:\WINDOWS\popcinfo.dat
2010-07-21 02:42:33 . 2010-07-07 18:02:09 -------- d-----w- C:\Documents and Settings\user\Application Data\Skype
2010-07-20 23:14:52 . 2010-07-07 18:09:17 -------- d-----w- C:\Documents and Settings\user\Application Data\Apple Computer
2010-07-20 21:12:02 . 2010-07-07 18:10:04 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-07-19 21:38:00 . 2010-07-19 21:35:50 -------- d-----w- C:\Documents and Settings\user\Application Data\Canon
2010-07-19 19:15:07 . 2010-07-19 19:15:07 -------- d-----w- C:\Documents and Settings\user\Application Data\Yahoo!
2010-07-18 18:39:12 . 2010-07-18 18:39:05 -------- d-----w- C:\Documents and Settings\user\Application Data\Media Player Classic
2010-07-18 05:04:25 . 2010-07-18 05:04:24 -------- d-----w- C:\Documents and Settings\user\Application Data\vlc
2010-07-14 22:32:03 . 2010-07-14 22:32:03 -------- d-----w- C:\Documents and Settings\user\Application Data\funkitron
2010-07-09 00:00:17 . 2010-07-07 17:30:16 86327 ----a-w- C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
2010-07-07 18:09:30 . 2010-07-07 18:04:53 119986 ----a-w- C:\Documents and Settings\user\Application Data\Facebook\uninstall.exe
2010-07-07 18:06:04 . 2010-07-07 18:06:04 0 ----a-w- C:\WINDOWS\nsreg.dat
2010-07-07 18:03:19 . 2010-07-07 18:03:33 411368 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-07-07 17:26:22 . 2010-07-07 17:26:22 21640 ----a-w- C:\WINDOWS\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2009-01-12 02:44:02 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-11_01.54.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-11 17:23:39 . 2010-09-11 17:23:39 16384 C:\WINDOWS\Temp\Perflib_Perfdata_9c0.dat
+ 2010-09-11 17:23:27 . 2010-09-11 17:23:27 16384 C:\WINDOWS\Temp\Perflib_Perfdata_58c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinTimer"="C:\Program Files\Breakpoint Computers\WinTimer\WinTimer.exe" [2010-12-05 12:11:44 835584]
"L09AXLRD_11467890"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 10:05:38 351000]
"BitTorrent"="C:\Program Files\BitTorrent\BitTorrent.exe" [2010-09-09 20:04:30 3007344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="C:\Program Files\USB Disk Security\USBGuard.exe" [2008-07-25 06:24:20 868352]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 22:51:40 81000]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 17:07:00 1922376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 15:58:00 114096]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 08:06:33 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 12:42:42 110592]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 22:39:32 515408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Shortcut to RocketDock.exe.lnk - C:\Program Files\RocketDock\RocketDock.exe [2010-8-11 569344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

 

[ilokobiz]

thiskeeps poping up "C:\WINDOWS\system32\drivers\jnkppj.sys" is this a virus?

 

[Broni]

Most likely...
Your Combofix log is incomplete and I need to see a whole log.
Please, repost the log.

 

[ilokobiz]

yes sir because combofix freezes evertime its making a log i've waited for about 1hour nothing happens so i restart my computer....

 

[ilokobiz]

should i redo the last step?