Solved Unable to use IE & backdoor.bot won't delete

Discussion in 'Malware and Virus Removal Archive' started by Xpress, 2009/03/02.

  1. 2009/03/15
    Juliet (Well-Known Member)

    Xpress

    How's the computer now?

    Yes, let's get a second confirmation that the files are clean.

    Also please add a new HJT log.
     
    Last edited: 2009/03/15
  2. 2009/03/15
    jpcheng (Inactive)

    I had a similar problem a couple of weeks ago and was finally able to solve it (remove the virus) using McAfee AV. Before that I had been using Avira's free AV but it couldn't deal with the problem.
     

  4. 2009/03/20
    Xpress (Inactive, Thread Starter)

    So here's what's going on: I did another Spybot search and found those two files again, so I did a search for HijackThis and found them in the c:\pcrepair\ folder. I deleted the whole thing, then ran another HJT log; here it is. And I also keep finding those 2 backdoors on malware. I'm going to do another Spybot test right now. I'll let you know how that turns out.

    -------------------------------------------------------------------------------------
    ComboFix 09-03-19.01 - Owner 2009-03-20 7:37:10.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.929 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\zip32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
    .

    2009-03-19 15:19 . 2009-03-19 15:19 <DIR> d-------- c:\windows\LastGood
    2009-03-18 20:13 . 2009-03-18 20:45 <DIR> d-------- c:\program files\Kawak
    2009-03-18 20:07 . 2009-03-18 21:03 1,015 --a------ c:\windows\kaillera.ini
    2009-03-18 20:00 . 2009-03-18 20:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\RSG
    2009-03-18 19:58 . 2009-03-18 20:03 <DIR> d-------- c:\program files\Router Screenshot Grabber
    2009-03-18 19:45 . 2009-03-18 19:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
    2009-03-18 19:34 . 2009-03-18 20:01 <DIR> d-------- c:\program files\GGPO
    2009-03-18 14:36 . 2009-03-18 14:37 <DIR> d--h-c--- c:\windows\ie8
    2009-03-16 22:06 . 2009-03-18 19:46 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-03-14 14:00 . 2009-03-16 23:06 <DIR> d-------- c:\program files\Conquer 2.0
    2009-03-11 17:39 . 2009-03-18 14:44 <DIR> d-------- c:\documents and settings\Owner\Tracing
    2009-03-11 17:21 . 2009-03-11 17:21 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
    2009-03-11 17:16 . 2009-03-11 17:16 <DIR> d-------- c:\program files\Microsoft
    2009-03-11 17:15 . 2009-03-11 17:15 <DIR> d-------- c:\program files\Windows Live SkyDrive
    2009-03-11 17:15 . 2009-03-11 17:23 <DIR> d-------- c:\program files\Windows Live
    2009-03-11 17:09 . 2009-03-11 17:09 <DIR> d-------- c:\program files\Common Files\Windows Live
    2009-03-10 17:14 . 2009-03-10 17:15 69 --a------ c:\windows\NeroDigital.ini
    2009-03-05 18:51 . 2009-03-20 07:37 <DIR> d-------- c:\windows\system32\CatRoot2
    2009-03-05 10:28 . 2009-03-05 10:28 250 --a------ c:\windows\gmer.ini
    2009-03-02 08:57 . 2008-04-13 17:12 69,120 --a--c--- c:\windows\system32\dllcache\notepad.exe
    2009-03-02 08:57 . 2008-04-13 17:12 69,120 --a------ c:\windows\notepad.exe
    2009-03-02 08:49 . 2009-03-18 14:38 1,374 --a------ c:\windows\imsins.BAK
    2009-03-01 17:39 . 2009-03-19 19:47 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-01 16:35 . 2009-03-19 17:03 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-01 16:35 . 2009-03-01 16:35 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-01 16:35 . 2009-03-01 16:35 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-03-01 16:35 . 2009-03-01 16:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-01 16:34 . 2009-03-01 16:34 <DIR> d-------- c:\program files\AVG
    2009-03-01 16:34 . 2009-03-01 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-01 16:22 . 2009-03-01 16:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\True Sword
    2009-03-01 15:03 . 2009-03-01 15:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-03-01 14:25 . 2009-03-01 23:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-01 12:17 . 2009-03-01 12:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nero
    2009-02-28 23:37 . 2009-02-28 23:37 4,767 --a------ c:\windows\Irremote.ini
    2009-02-28 23:32 . 2009-02-28 23:32 <DIR> d-------- c:\program files\Windows Sidebar
    2009-02-28 23:02 . 2009-02-28 23:35 <DIR> d-------- c:\program files\Nero
    2009-02-28 23:01 . 2009-03-01 00:04 <DIR> d-------- c:\program files\Common Files\Nero
    2009-02-28 23:01 . 2009-02-28 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-02-28 19:20 . 2009-02-28 19:21 <DIR> d-------- C:\RecoveryCD
    2009-02-28 18:48 . 2009-02-28 18:48 0 --a------ c:\windows\nsreg.dat
    2009-02-28 18:46 . 2009-02-28 18:46 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
    2009-02-28 18:46 . 2009-02-28 18:46 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
    2009-02-28 18:14 . 2009-02-28 18:14 <DIR> d-------- c:\program files\RegCure
    2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\program files\ffdshow
    2009-02-28 13:42 . 2008-08-22 18:57 14,336 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-28 13:42 . 2008-08-10 12:55 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 13:03 . 2009-02-28 13:03 <DIR> d-------- c:\program files\Veoh Networks
    2009-02-26 19:51 . 2009-02-26 19:51 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
    2009-02-24 22:05 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-20 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-17 05:05 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-14 22:36 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-14 21:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-14 02:42 --------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-03-08 23:16 4,724 ----a-w c:\windows\system32\PerfStringBackup.TMP
    2009-03-04 06:51 --------- d-----w c:\program files\Google
    2009-03-01 11:39 --------- d-----w c:\program files\Joost
    2009-02-26 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-26 20:37 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-16 06:10 --------- d-----w c:\program files\GIMP-2.0
    2009-02-13 07:25 --------- d-----w c:\documents and settings\Owner\Application Data\Epson
    2009-02-11 05:07 --------- d-----w c:\program files\Acoustica MP3 CD Burner
    2009-02-11 05:07 --------- d-----w c:\documents and settings\Owner\Application Data\Acoustica
    2009-02-10 20:40 --------- d-----w c:\documents and settings\Owner\Application Data\Camfrog
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-07 02:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
    2009-02-07 01:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 08:27 --------- d-----w c:\program files\Realtek AC97
    2009-02-06 08:21 --------- d-----w c:\program files\Sprint Instinct Applications
    2009-02-06 06:38 --------- d-----w c:\program files\EpsonNet
    2009-02-06 06:31 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
    2009-02-03 19:20 --------- d-----w c:\program files\Common Files\EPSON
    2009-02-03 18:21 --------- d-----w c:\program files\Epson Software
    2009-02-03 18:21 --------- d-----w c:\program files\EPSON
    2009-02-02 10:43 --------- d-----w c:\program files\iTunes
    2009-02-01 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-01 22:37 --------- d-----w c:\program files\iPod
    2009-02-01 22:37 --------- d-----w c:\program files\Common Files\Apple
    2009-02-01 22:34 --------- d-----w c:\program files\Bonjour
    2009-02-01 22:33 --------- d-----w c:\program files\QuickTime
    2009-02-01 22:29 --------- d-----w c:\program files\Apple Software Update
    2009-02-01 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
    2009-01-31 08:50 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
    2009-01-30 01:37 --------- d-----w c:\program files\Yahoo!
    2009-01-30 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
    2009-01-29 20:30 --------- d-----w c:\program files\Reference Assemblies
    2009-01-29 20:30 --------- d-----w c:\program files\MSBuild
    2009-01-26 22:57 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
    2009-01-20 03:41 --------- d-----w c:\program files\Valve
    2009-01-20 00:02 --------- d-----w c:\program files\McAfee.com
    2009-01-20 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-01-17 00:24 499,712 ----a-w c:\windows\system32\msvcp71.dll
    2009-01-17 00:24 348,160 ----a-w c:\windows\system32\msvcr71.dll
    2009-01-15 09:05 911,872 ----a-w c:\windows\system32\wininet.dll
    2009-01-15 09:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
    2009-01-15 09:04 18,944 ----a-w c:\windows\system32\corpol.dll
    2009-01-15 09:03 72,704 ----a-w c:\windows\system32\admparse.dll
    2009-01-15 09:03 71,680 ----a-w c:\windows\system32\iesetup.dll
    2009-01-15 09:03 420,352 ----a-w c:\windows\system32\vbscript.dll
    2009-01-15 09:01 34,304 ----a-w c:\windows\system32\imgutil.dll
    2009-01-15 09:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
    2009-01-15 09:00 45,568 ----a-w c:\windows\system32\mshta.exe
    2009-01-15 08:50 156,160 ----a-w c:\windows\system32\msls31.dll
    2009-01-11 22:27 410,984 ----a-w c:\windows\system32\deploytk.dll
    2006-04-03 06:26 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
    .

    ------- Sigcheck -------

    2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 10:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
    2008-04-13 12:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-13 12:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
    2008-06-20 04:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
    2008-06-20 04:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot_2009-03-15_13.41.36.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-09-28 11:41:28 381,960 ----a-w c:\windows\Downloaded Program Files\GAME_UNO1.dll
    + 2007-02-23 06:41:12 304,544 ----a-w c:\windows\Downloaded Program Files\MessengerStatsPAClient.dll
    + 2008-04-14 00:11:48 61,440 -c--a-w c:\windows\ie8\admparse.dll
    + 2008-04-14 00:11:48 99,840 -c--a-w c:\windows\ie8\advpack.dll
    + 2008-04-14 00:11:51 35,328 -c--a-w c:\windows\ie8\corpol.dll
    + 2008-04-14 00:11:52 357,888 -c--a-w c:\windows\ie8\dxtmsft.dll
    + 2008-04-14 00:11:52 205,312 -c--a-w c:\windows\ie8\dxtrans.dll
    + 2008-04-14 00:11:54 38,912 -c--a-w c:\windows\ie8\hmmapi.dll
    + 2007-08-14 02:36:26 61,952 -c--a-w c:\windows\ie8\icardie.dll
    + 2008-04-14 00:12:22 34,304 -c--a-w c:\windows\ie8\ie4uinit.exe
    + 2008-04-14 00:11:54 143,360 -c--a-w c:\windows\ie8\ieakeng.dll
    + 2008-04-14 00:11:54 216,576 -c--a-w c:\windows\ie8\ieaksie.dll
    + 2004-08-04 12:00:00 221,184 -c--a-w c:\windows\ie8\ieakui.dll
    + 2007-02-13 00:10:12 2,451,312 -c--a-w c:\windows\ie8\ieapfltr.dat
    + 2007-07-11 20:27:48 383,488 -c--a-w c:\windows\ie8\ieapfltr.dll
    + 2008-04-14 00:11:54 323,584 -c--a-w c:\windows\ie8\iedkcs32.dll
    + 2008-04-14 00:11:54 81,920 -c--a-w c:\windows\ie8\ieencode.dll
    + 2008-04-14 00:11:54 251,904 -c--a-w c:\windows\ie8\iepeers.dll
    + 2008-04-14 00:11:54 48,640 -c--a-w c:\windows\ie8\iernonce.dll
    + 2008-04-14 00:11:54 62,976 -c--a-w c:\windows\ie8\iesetup.dll
    + 2008-04-14 00:12:22 93,184 -c--a-w c:\windows\ie8\iexplore.exe
    + 2008-04-14 00:11:54 35,840 -c--a-w c:\windows\ie8\imgutil.dll
    + 2008-04-14 00:11:55 96,256 -c--a-w c:\windows\ie8\inseng.dll
    + 2008-05-09 10:53:39 512,000 -c--a-w c:\windows\ie8\jscript.dll
    + 2008-04-14 00:11:56 15,872 -c--a-w c:\windows\ie8\jsproxy.dll
    + 2008-04-14 00:11:56 22,016 -c--a-w c:\windows\ie8\licmgr10.dll
    + 2007-08-14 02:54:10 458,752 -c--a-w c:\windows\ie8\msfeeds.dll
    + 2007-08-14 02:54:10 50,688 -c--a-w c:\windows\ie8\msfeedsbs.dll
    + 2008-04-14 00:12:27 29,184 -c--a-w c:\windows\ie8\mshta.exe
    + 2008-12-12 17:01:00 3,067,904 -c--a-w c:\windows\ie8\mshtml.dll
    + 2008-04-14 00:11:59 449,024 -c--a-w c:\windows\ie8\mshtmled.dll
    + 2008-04-13 16:26:26 56,832 -c--a-w c:\windows\ie8\mshtmler.dll
    + 2004-08-04 12:00:00 146,432 -c--a-w c:\windows\ie8\msls31.dll
    + 2008-04-14 00:12:00 146,432 -c--a-w c:\windows\ie8\msrating.dll
    + 2008-04-14 00:12:00 532,480 -c--a-w c:\windows\ie8\mstime.dll
    + 2008-04-14 00:12:02 96,256 -c--a-w c:\windows\ie8\occache.dll
    + 2008-04-14 00:12:02 39,424 -c--a-w c:\windows\ie8\pngfilt.dll
    + 2009-01-15 09:23:42 59,880 -c--a-w c:\windows\ie8\spuninst\iecustom.dll
    + 2008-10-13 20:55:34 231,456 -c--a-w c:\windows\ie8\spuninst\spuninst.exe
    + 2008-10-13 20:55:34 382,496 -c--a-w c:\windows\ie8\spuninst\updspapi.dll
    + 2008-04-14 00:12:08 37,888 -c--a-w c:\windows\ie8\url.dll
    + 2008-10-16 01:00:11 619,520 -c--a-w c:\windows\ie8\urlmon.dll
    + 2008-05-09 10:53:40 430,080 -c--a-w c:\windows\ie8\vbscript.dll
    + 2008-04-14 00:12:08 851,968 -c--a-w c:\windows\ie8\vgx.dll
    + 2008-04-14 00:12:08 276,480 -c--a-w c:\windows\ie8\webcheck.dll
    + 2008-10-16 01:00:11 666,112 -c--a-w c:\windows\ie8\wininet.dll
    + 2009-01-15 09:06:46 2,048 -c----w c:\windows\ie8updates\KB961813-IE8\iecompat.dll
    + 2007-11-30 12:39:22 231,288 -c----w c:\windows\ie8updates\KB961813-IE8\spuninst\spuninst.exe
    + 2007-11-30 12:39:22 382,840 -c----w c:\windows\ie8updates\KB961813-IE8\spuninst\updspapi.dll
    + 2009-03-19 02:34:03 82,726 ----a-r c:\windows\Installer\{68BD9036-0952-4849-AE7A-963BB53EDB71}\controlPanelIcon.exe
    - 2008-04-14 00:11:48 99,840 ----a-w c:\windows\system32\advpack.dll
    + 2009-01-15 09:03:12 128,512 ----a-w c:\windows\system32\advpack.dll
    + 1999-08-03 00:11:48 57,344 ----a-w c:\windows\system32\CGZipLibrary.dll
    + 2009-01-15 09:03:32 72,704 -c----w c:\windows\system32\dllcache\admparse.dll
    + 2009-01-15 09:03:12 128,512 -c----w c:\windows\system32\dllcache\advpack.dll
    + 2008-10-13 20:55:30 1,022,976 -c----w c:\windows\system32\dllcache\browseui.dll
    + 2009-01-15 09:04:28 18,944 -c----w c:\windows\system32\dllcache\corpol.dll
    + 2009-01-15 09:01:22 348,160 -c----w c:\windows\system32\dllcache\dxtmsft.dll
    + 2009-01-15 09:01:16 216,064 -c----w c:\windows\system32\dllcache\dxtrans.dll
    + 2009-01-15 08:53:40 68,608 -c----w c:\windows\system32\dllcache\hmmapi.dll
    + 2009-01-15 09:03:28 172,544 -c----w c:\windows\system32\dllcache\ie4uinit.exe
    + 2009-01-15 09:03:42 125,952 -c----w c:\windows\system32\dllcache\ieakeng.dll
    + 2009-01-15 09:03:50 228,352 -c----w c:\windows\system32\dllcache\ieaksie.dll
    - 2004-08-04 12:00:00 221,184 -c--a-w c:\windows\system32\dllcache\ieakui.dll
    + 2009-01-15 09:03:20 163,840 -c--a-w c:\windows\system32\dllcache\ieakui.dll
    + 2009-01-15 09:17:22 392,040 -c----w c:\windows\system32\dllcache\iedkcs32.dll
    + 2009-01-15 09:01:52 183,808 -c----w c:\windows\system32\dllcache\iepeers.dll
    + 2009-01-15 09:03:14 55,808 -c----w c:\windows\system32\dllcache\iernonce.dll
    + 2009-01-15 09:03:18 71,680 -c----w c:\windows\system32\dllcache\iesetup.dll
    + 2009-01-15 09:17:22 636,264 -c----w c:\windows\system32\dllcache\iexplore.exe
    + 2009-01-15 09:01:26 34,304 -c----w c:\windows\system32\dllcache\imgutil.dll
    + 2009-01-15 09:03:14 94,720 -c----w c:\windows\system32\dllcache\inseng.dll
    - 2008-05-09 10:53:39 512,000 -c--a-w c:\windows\system32\dllcache\jscript.dll
    + 2009-01-15 09:03:58 724,992 -c--a-w c:\windows\system32\dllcache\jscript.dll
    + 2009-01-15 09:04:16 25,600 -c----w c:\windows\system32\dllcache\jsproxy.dll
    + 2009-01-15 09:05:34 43,008 -c----w c:\windows\system32\dllcache\licmgr10.dll
    + 2009-01-15 09:00:38 45,568 -c----w c:\windows\system32\dllcache\mshta.exe
    - 2008-12-12 17:01:00 3,067,904 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    + 2009-01-15 09:13:18 5,888,512 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    + 2009-01-15 09:01:06 66,560 -c----w c:\windows\system32\dllcache\mshtmled.dll
    + 2009-01-15 09:00:46 48,128 -c----w c:\windows\system32\dllcache\mshtmler.dll
    - 2004-08-04 12:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msls31.dll
    + 2009-01-15 08:50:38 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
    + 2009-01-15 09:05:34 193,536 -c----w c:\windows\system32\dllcache\msrating.dll
    + 2009-01-15 09:02:20 611,840 -c----w c:\windows\system32\dllcache\mstime.dll
    + 2009-01-15 09:05:34 109,056 -c----w c:\windows\system32\dllcache\occache.dll
    + 2009-01-15 09:01:18 46,592 -c----w c:\windows\system32\dllcache\pngfilt.dll
    + 2008-10-13 20:55:30 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
    + 2008-10-13 20:55:32 134,144 -c----w c:\windows\system32\dllcache\sqmapi.dll
    + 2009-01-15 09:06:00 105,984 -c----w c:\windows\system32\dllcache\url.dll
    - 2008-10-16 01:00:11 619,520 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    + 2009-01-15 09:06:48 1,182,720 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    - 2008-05-09 10:53:40 430,080 -c--a-w c:\windows\system32\dllcache\vbscript.dll
    + 2009-01-15 09:03:36 420,352 -c--a-w c:\windows\system32\dllcache\vbscript.dll
    + 2009-01-15 09:04:56 755,200 -c----w c:\windows\system32\dllcache\VGX.dll
    + 2009-01-15 09:06:08 236,544 -c----w c:\windows\system32\dllcache\webcheck.dll
    - 2008-10-16 01:00:11 666,112 -c--a-w c:\windows\system32\dllcache\wininet.dll
    + 2009-01-15 09:05:42 911,872 -c--a-w c:\windows\system32\dllcache\wininet.dll
    - 2008-04-14 00:11:52 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    + 2009-01-15 09:01:22 348,160 ----a-w c:\windows\system32\dxtmsft.dll
    - 2008-04-14 00:11:52 205,312 ----a-w c:\windows\system32\dxtrans.dll
    + 2009-01-15 09:01:16 216,064 ----a-w c:\windows\system32\dxtrans.dll
    + 2006-01-17 19:50:28 61,952 ----a-w c:\windows\system32\execryptorvb.dll
    + 2005-09-05 02:01:32 1,056,768 ----a-w c:\windows\system32\FreeImage.dll
    - 2007-08-14 02:36:26 61,952 ----a-w c:\windows\system32\icardie.dll
    + 2009-01-15 09:01:40 59,904 ----a-w c:\windows\system32\icardie.dll
    - 2008-10-13 21:55:22 26,112 ----a-w c:\windows\system32\idndl.dll
    + 2008-10-13 20:55:22 26,112 ----a-w c:\windows\system32\idndl.dll
    - 2008-04-14 00:12:22 34,304 ----a-w c:\windows\system32\ie4uinit.exe
    + 2009-01-15 09:03:28 172,544 ----a-w c:\windows\system32\ie4uinit.exe
    - 2008-04-14 00:11:54 143,360 ----a-w c:\windows\system32\ieakeng.dll
    + 2009-01-15 09:03:42 125,952 ----a-w c:\windows\system32\ieakeng.dll
    - 2008-04-14 00:11:54 216,576 ----a-w c:\windows\system32\ieaksie.dll
    + 2009-01-15 09:03:50 228,352 ----a-w c:\windows\system32\ieaksie.dll
    - 2004-08-04 12:00:00 221,184 ----a-w c:\windows\system32\ieakui.dll
    + 2009-01-15 09:03:20 163,840 ----a-w c:\windows\system32\ieakui.dll
    - 2007-02-13 00:10:12 2,451,312 ----a-w c:\windows\system32\ieapfltr.dat
    + 2008-12-15 00:12:42 3,698,040 ----a-w c:\windows\system32\ieapfltr.dat
    - 2007-07-11 20:27:48 383,488 ----a-w c:\windows\system32\ieapfltr.dll
    + 2009-01-15 08:35:10 445,440 ----a-w c:\windows\system32\ieapfltr.dll
    - 2008-04-14 00:11:54 323,584 ----a-w c:\windows\system32\iedkcs32.dll
    + 2009-01-15 09:17:22 392,040 ----a-w c:\windows\system32\iedkcs32.dll
    + 2009-01-15 09:12:12 10,963,968 ------w c:\windows\system32\ieframe.dll
    - 2008-04-14 00:11:54 251,904 ----a-w c:\windows\system32\iepeers.dll
    + 2009-01-15 09:01:52 183,808 ----a-w c:\windows\system32\iepeers.dll
    - 2008-04-14 00:11:54 48,640 ----a-w c:\windows\system32\iernonce.dll
    + 2009-01-15 09:03:14 55,808 ----a-w c:\windows\system32\iernonce.dll
    + 2009-01-15 09:02:50 1,975,296 ------w c:\windows\system32\iertutil.dll
    - 2009-01-15 10:03:18 36,864 ----a-w c:\windows\system32\ieudinit.exe
    + 2009-01-15 09:03:18 36,864 ----a-w c:\windows\system32\ieudinit.exe
    + 2009-01-15 08:50:50 164,352 ------w c:\windows\system32\ieui.dll
    - 2008-04-14 00:11:55 96,256 ----a-w c:\windows\system32\inseng.dll
    + 2009-01-15 09:03:14 94,720 ----a-w c:\windows\system32\inseng.dll
    - 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
    + 2009-01-15 09:03:58 724,992 ----a-w c:\windows\system32\jscript.dll
    - 2008-04-14 00:11:56 15,872 ----a-w c:\windows\system32\jsproxy.dll
    + 2009-01-15 09:04:16 25,600 ----a-w c:\windows\system32\jsproxy.dll
    - 2008-10-10 20:42:06 265,720 ----a-w c:\windows\system32\msdbg2.dll
    + 2008-10-10 19:42:06 265,720 ----a-w c:\windows\system32\msdbg2.dll
    - 2007-08-14 02:54:10 458,752 ----a-w c:\windows\system32\msfeeds.dll
    + 2009-01-15 09:02:40 593,920 ----a-w c:\windows\system32\msfeeds.dll
    - 2007-08-14 02:54:10 50,688 ----a-w c:\windows\system32\msfeedsbs.dll
    + 2009-01-15 09:01:40 54,272 ----a-w c:\windows\system32\msfeedsbs.dll
    + 2009-01-15 09:01:42 13,312 ------w c:\windows\system32\msfeedssync.exe
    - 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
    + 2009-01-15 09:13:18 5,888,512 ----a-w c:\windows\system32\mshtml.dll
    - 2008-04-14 00:11:59 449,024 ----a-w c:\windows\system32\mshtmled.dll
    + 2009-01-15 09:01:06 66,560 ----a-w c:\windows\system32\mshtmled.dll
    - 2008-04-14 00:12:00 146,432 ----a-w c:\windows\system32\msrating.dll
    + 2009-01-15 09:05:34 193,536 ----a-w c:\windows\system32\msrating.dll
    - 2008-04-14 00:12:00 532,480 ----a-w c:\windows\system32\mstime.dll
    + 2009-01-15 09:02:20 611,840 ----a-w c:\windows\system32\mstime.dll
    - 2008-10-13 21:55:22 24,576 ----a-w c:\windows\system32\nlsdl.dll
    + 2008-10-13 20:55:22 24,576 ----a-w c:\windows\system32\nlsdl.dll
    - 2008-10-13 21:55:22 23,552 ----a-w c:\windows\system32\normaliz.dll
    + 2008-10-13 20:55:22 23,552 ----a-w c:\windows\system32\normaliz.dll
    - 2008-04-14 00:12:02 96,256 ----a-w c:\windows\system32\occache.dll
    + 2009-01-15 09:05:34 109,056 ----a-w c:\windows\system32\occache.dll
    - 2008-04-14 00:12:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
    + 2009-01-15 09:01:18 46,592 ----a-w c:\windows\system32\pngfilt.dll
    - 2008-10-13 21:55:34 16,928 ------w c:\windows\system32\spmsg.dll
    + 2008-10-13 20:55:34 16,928 ------w c:\windows\system32\spmsg.dll
    - 2008-10-13 21:55:34 26,144 ----a-w c:\windows\system32\spupdsvc.exe
    + 2008-10-13 20:55:34 26,144 ----a-w c:\windows\system32\spupdsvc.exe
    - 2008-04-14 00:12:08 37,888 ----a-w c:\windows\system32\url.dll
    + 2009-01-15 09:06:00 105,984 ----a-w c:\windows\system32\url.dll
    - 2008-10-16 01:00:11 619,520 ----a-w c:\windows\system32\urlmon.dll
    + 2009-01-15 09:06:48 1,182,720 ----a-w c:\windows\system32\urlmon.dll
    - 2008-04-14 00:12:08 276,480 ----a-w c:\windows\system32\webcheck.dll
    + 2009-01-15 09:06:08 236,544 ----a-w c:\windows\system32\webcheck.dll
    + 2009-01-15 09:06:22 208,384 ------w c:\windows\system32\WinFXDocObj.exe
    - 2008-10-13 21:55:36 121,856 ----a-w c:\windows\system32\xmllite.dll
    + 2008-10-13 20:55:36 121,856 ----a-w c:\windows\system32\xmllite.dll
    + 2009-03-20 14:36:29 16,384 ----atw c:\windows\temp\Perflib_Perfdata_11b0.dat
    + 2009-03-18 21:42:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6ec.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "AdobeCS4ServiceManager "= "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
    "EEventManager "= "c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]
    "PCTVOICE "= "pctspk.exe" [2003-04-24 c:\windows\system32\pctspk.exe]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2006-06-16 1757]
    Kodak EasyShare software.lnk.disabled [2009-01-09 1837]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    MiniEYE-MiniREAD Launch .lnk.disabled [2009-01-02 1523]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-01-09 12:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-01 16:35 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    "SpybotSD TeaTimer "=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroCheck "=c:\windows\System32\\NeroCheck.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe "
    "ArcSoft Connection Service "=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\condition zero\\hl.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\counter-strike\\hl.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\GGPO\\ggpo.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-01 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-01 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-01 298264]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 gupdate1c99c9589fb5a82;Google Update Service (gupdate1c99c9589fb5a82);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 133104]
    S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-20 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 23:52]

    2009-03-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 23:50]

    2008-03-15 c:\windows\Tasks\MP Scheduled Quick Scan.job
    - c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []

    2009-03-20 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 10:58]

    2009-03-19 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 10:58]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{574FAE5A-6223-A054-3174-91E7DFC53986} - (no file)
    BHO-{72183A59-F2E3-3507-E1B2-E9A5789D07F1} - (no file)
    BHO-{A5E51C5B-57CF-A04A-BF60-3E709924E2F8} - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyOverride = *.local
    TCP: {93AFF8A7-2782-47C8-8EB0-219C14CDC0ED} = 208.67.220.220,208.67.222.222
    TCP: {B01A2396-58D0-4382-ABF4-7E8B21CD2807} = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-20 07:39:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AAA29F7D-8524-39E3-4159-DC057D589FD5}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "abbchnknbkadbpkkmafbnlopegejilnlbp "=hex:61,61,00,00
    "bbbchnknbkadbpkkmaibkgijonnobbgaccch "=hex:61,61,00,00

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,7a,f5,33,a5,3b,9b,42,84,6d,c2,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,7a,f5,33,a5,3b,9b,42,84,6d,c2,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(640)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2009-03-20 7:41:57
    ComboFix-quarantined-files.txt 2009-03-20 14:41:27
    ComboFix2.txt 2009-03-07 18:41:27
    ComboFix3.txt 2009-03-04 19:49:51
    ComboFix4.txt 2009-03-04 00:31:29

    Pre-Run: 3,371,634,688 bytes free
    Post-Run: 4,455,088,128 bytes free

    456 --- E O F --- 2009-03-20 10:01:01
     
  5. 2009/03/20
    Xpress

    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    There's also a HIJACKTHIS[1].EXE-3404F798.pf; can I get rid of this?
     
  6. 2009/03/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Yes

    Post the log from MBAM



    Do this next


    Additionally, download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked.

      Uncheck the following ...


      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

    Post:
    MBAM
    ARK.txt
     
  7. 2009/03/20
    Xpress

    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    I don't know if this is good or not, but I did another search for hijackthis, and that HIJACKTHIS[1].EXE-3404F798.pf file, after I deleted it, made another copy in -> C:\Documents and Settings\Owner\Application Data\Thinstall\SUPERAntiSpyware Professional\%SystemRoot%\Prefetch

    I'll delete it, then get back to you with another post. Finished the Spybot scan, and it is still detecting the Right Media cookie and the Win32.agent.grp trojan.
     
  8. 2009/03/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'm not worried about cookies, we all get those.
    The file in SAS is not a big concern. If you delete the contents of the SAS quarantine folder, that will be gone.
    I want to know the file path of what Spybot is finding for Win32.agent.grp ... sometimes location is key.
    Where it's found is what we want to know.
     
  9. 2009/03/22
    Xpress

    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    GMER 1.0.15.14944 - http://www.gmer.net
    Rootkit scan 2009-03-20 13:51:46
    Windows 5.1.2600 Service Pack 3


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew@Language 1033
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AAA29F7D-8524-39E3-4159-DC057D589FD5}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AAA29F7D-8524-39E3-4159-DC057D589FD5}@abbchnknbkadbpkkmafbnlopegejilnlbp 0x61 0x61 0x00 0x00
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AAA29F7D-8524-39E3-4159-DC057D589FD5}@bbbchnknbkadbpkkmaibkgijonnobbgaccch 0x61 0x61 0x00 0x00

    ---- EOF - GMER 1.0.15 ----

    -------------------------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.32
    Database version: 1634
    Windows 5.1.2600 Service Pack 3

    3/19/2009 10:43:47 PM
    mbam-log-2009-03-19 (22-43-47).txt

    Scan type: Full Scan (C:\|F:\|)
    Objects scanned: 204242
    Time elapsed: 3 hour(s), 10 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -------------------------------------------------------------------------------------
    SPYBOT
    Win32.Agent.gpr: [SBI $7D538BD0] Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin

    Win32.Agent.gpr: [SBI $7A0FA0D8] Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin

    Right Media: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-07-30 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-02-26 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-01-22 Includes\Adware.sbi (*)
    2009-03-10 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-03-10 Includes\Dialer.sbi (*)
    2009-03-10 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-02-10 Includes\Hijackers.sbi (*)
    2009-03-03 Includes\HijackersC.sbi (*)
    2009-03-17 Includes\Keyloggers.sbi (*)
    2009-03-17 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-03-18 Includes\Malware.sbi (*)
    2009-03-18 Includes\MalwareC.sbi (*)
    2008-12-16 Includes\PUPS.sbi (*)
    2009-03-17 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-02-10 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-01-28 Includes\Spyware.sbi (*)
    2009-01-28 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2009-03-17 Includes\Trojans.sbi (*)
    2009-03-17 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
     
  10. 2009/03/23
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Question
    Did you run MBAM first or SpyBot?

    MBAM says it took out an item, then Spybot finds it again?
     
  11. 2009/03/24
    Xpress

    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    I don't remember which one I ran first. But see, whichever one it was, every time I delete the items, they come right back. MBAM only found the two Backdoor.Bot entries; then I showed you what Spybot found.
     
  12. 2009/03/24
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Let's try something different and see if we get better results.

    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. (Make sure you include :Processes)
    Code:
    :Processes
    explorer.exe
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin]
    [-HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin]
    :commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Post the log it creates.

    By the way, how's the computer?
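    As an added example (not part of this thread, and not OTMoveIt3's own code), here is a PowerShell check of the three RunServices keys that the script above targets. It lists every value under those keys so you can see what command line UpdateWin points at before it is deleted, and whether it is back after a removal pass. It assumes an elevated PowerShell prompt (2.0 or later), and the user SID is the one from the logs in this thread; replace it with the SID of the profile you are examining on another machine.

```powershell
# Added example for this thread; not OTMoveIt3, MBAM or Spybot code.
# Assumptions: elevated PowerShell 2.0+; the SID below is copied from the
# logs posted in this thread and must be replaced on any other machine
# (Get-ChildItem HKU:\ lists the loaded user hives).

$Sid = 'S-1-5-21-73586283-1229272821-839522115-1003'   # from the thread's logs

# HKCU: and HKLM: drives exist by default; HKEY_USERS needs a drive mapped.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The same three keys the OTMoveIt3 script removes.
$Keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\RunServices"
)

function Get-RunServicesValues {
    param([string[]]$Paths)
    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $Item = Get-Item -LiteralPath $Path
        foreach ($Name in $Item.GetValueNames()) {
            # Data is the command line run at logon; a path under a temp,
            # profile or sandbox folder is the location Juliet asked about.
            New-Object PSObject -Property @{
                Key  = $Path
                Name = $Name
                Data = $Item.GetValue($Name)
            }
        }
    }
}

# Record everything first; look at the Data column for the UpdateWin entry.
Get-RunServicesValues -Paths $Keys | Format-Table Key, Name, Data -AutoSize

# Remove only the value named in the thread. -WhatIf shows the action without
# performing it; drop it to delete. If the value returns after deletion, a
# still-running process is re-creating it, so note its Data before removing.
foreach ($Path in $Keys) {
    if ((Test-Path -LiteralPath $Path) -and
        ((Get-Item -LiteralPath $Path).GetValueNames() -contains 'UpdateWin')) {
        Remove-ItemProperty -LiteralPath $Path -Name 'UpdateWin' -WhatIf
    }
}
```

    Run the listing once before and once after a reboot: a value that is deleted and then reappears with the same Data points to whatever executable that Data names as the thing still running, which is the location detail the reply above asks for.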
     
  13. 2009/05/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help. :)

    Since this issue appears resolved ... this Topic is closed.
     