
[Active] Malware doesn't seem to go away

Discussion in 'Malware and Virus Removal Archive' started by Vladdy, 2009/03/03.

  1. 2009/03/03
    Vladdy (Thread Starter)

    [Active] Malware doesn't seem to go away

    Hi there,

    Please help, I seem to have a remnant of a virus that has been extra stubborn to remove.

    Malwarebytes identifies eight files by the vendor name "Hijack.Sound" in my Registry Data:

    ===============================================
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    ===============================================

    Every time Malwarebytes removes them and reboots, they always reappear.

    I've also noticed this suspicious startup item in my MSCONFIG: Startup item "ae54a05c1", under a "rundll32.exe" command. Unticking its box and hitting "apply" does nothing; returning to MSCONFIG right after shows that it's ticked again. I've also gone into REGEDIT to delete the thing directly; it deletes, but when you go back to look it's right back there again.

    Here is my ComboFix log. Please let me know what I should try next, thanks:

    ===============================================

    ComboFix 09-02-26.01 - don 2009-03-02 23:33:35.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2251 [GMT -8:00]
    Running from: c:\documents and settings\don\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
    .

    2009-03-02 22:50 . 2009-03-02 23:32 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-03-02 22:50 . 2009-03-02 22:50 <DIR> d-------- c:\documents and settings\don\Application Data\SUPERAntiSpyware.com
    2009-03-02 22:50 . 2009-03-02 22:50 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
    2009-03-02 22:33 . 2009-03-02 22:33 <DIR> d-------- c:\documents and settings\don\Application Data\Uniblue
    2009-02-26 02:27 . 2009-03-02 06:23 2,204 --a------ c:\windows\vzrmarff
    2009-02-17 17:46 . 2009-02-17 17:46 <DIR> d-------- c:\program files\MSECache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-03 06:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-03-02 22:54 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-03-02 22:10 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-25 02:40 --------- d-----w c:\program files\FriendBlasterPro
    2009-02-18 01:40 --------- d-----w c:\program files\XLView
    2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-01-09 00:57 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
    2009-01-07 08:43 --------- d-----w c:\documents and settings\don\Application Data\Digidesign
    2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-09-14 06:29 31,441 ----a-w c:\documents and settings\don\xrt_log.dat
    2008-08-31 08:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080825\index.dat
    2008-08-31 08:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
    .

    ------- Sigcheck -------

    2008-08-31 00:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
    2004-08-04 04:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-02-26_14.51.35.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-03 06:50:29 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2009-03-03 06:50:29 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2007-01-22 21:42:48 35,328 -c--a-w c:\windows\system32\ActiveScan\rawvfile.dll
    + 2009-03-02 14:07:49 64,512 ----a-w c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\ae54a05c1.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe "= "c:\documents and settings\don\Application Data\Macromedia\Common\ae54a05c1.dll" [2009-03-02 64512]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe "= "c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Macromedia\Common\ae54a05c1.dll" [2009-03-02 64512]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=pmqxof.dll pzuyns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MIDI "= diomidi.dll
    "wave "= Digi32.dll
    "msacm.dvacm "= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    "wave1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "midi1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "mixer1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "aux1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "midi2 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "aux2 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "wave2 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
    "mixer2 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^ChkDisk.dll]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\ChkDisk.dll
    backup=c:\windows\pss\ChkDisk.dllStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^ChkDisk.lnk]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\ChkDisk.lnk
    backup=c:\windows\pss\ChkDisk.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    backup=c:\windows\pss\PowerReg Scheduler.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lygscxzr]
    c:\documents and settings\don\Application Data\?racle\r?gedit.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-04-24 13:25 149040 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    --a------ 2007-03-01 15:11 43008 c:\program files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    --------- 2006-10-05 22:17 53248 c:\windows\Ctregrun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    --a------ 2005-10-25 22:21 61440 c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
    --a------ 2007-04-25 11:36 280064 c:\program files\Portrait Displays\HP My Display\dthtml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 1400 Series]
    --a--c--- 2006-10-11 03:01 143360 c:\windows\system32\spool\drivers\w32x86\3\E_FATIBUA.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\1163066592\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    --a--c--- 2006-02-17 08:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a--c--- 2006-06-23 11:33 438359 c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-15 20:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rundll32.exe]
    --a------ 2009-03-02 06:07 64512 c:\documents and settings\don\Application Data\Macromedia\Common\ae54a05c1.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 09:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-09-07 01:18 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra--c--- 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    --a--c--- 2007-03-11 13:37 936960 c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    --a------ 2007-01-04 13:38 112336 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
    --------- 2007-02-28 17:50 180224 c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    --a------ 2003-05-28 11:59 28672 c:\windows\system32\cthelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    --------- 2003-11-07 01:50 19968 c:\windows\LOGI_MWX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    -ra------ 2006-07-02 20:43 10752 c:\windows\system32\SPIRun.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService "=3 (0x3)
    "IDriverT "=3 (0x3)
    "digiSPTIService "=3 (0x3)
    "iPod Service "=3 (0x3)
    "Apple Mobile Device "=2 (0x2)
    "DigiRefresh "=2 (0x2)
    "DTSRVC "=2 (0x2)
    "Viewpoint Manager Service "=2 (0x2)
    "Creative Service for CDROM Access "=2 (0x2)
    "SandraAgentSrv "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "NMSAccessU "=2 (0x2)
    "NMIndexingService "=3 (0x3)
    "NBService "=3 (0x3)
    "idsvc "=3 (0x3)
    "Stuffit Archive Name Service "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1163066592\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1163066592\\ee\\aim6.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe "=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-06-05 16384]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-05 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
    S2 USBTuner;%USBTuner.SvcDesc%;c:\windows\system32\drivers\USBTuner.sys [2001-09-24 41290]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-06-04 105472]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-09-27 10664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2008-03-11 54256]
    S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-05-26 98488]
    S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe [2008-05-23 157016]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-24 24652]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-02 23:36:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(548)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-03-02 23:41:19
    ComboFix-quarantined-files.txt 2009-03-03 07:40:01
    ComboFix2.txt 2009-03-03 05:41:43
    ComboFix3.txt 2009-02-26 22:52:33

    Pre-Run: 2,236,276,736 bytes free

    229 --- E O F --- 2009-02-21 11:09:12
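The pattern in the log above (one DLL sitting in a user profile, wired into the Drivers32 audio slots, both Run keys and AppInit_DLLs at once) is why removing the eight Drivers32 values alone never sticks. The script below is an added example, not part of the thread or of any of the tools it mentions: it parses a ComboFix-style "Reg Loading Points" dump (the REGEDIT4 text block in the log) and flags the values that load code from a user profile. The embedded dump is a constructed, trimmed copy of the shape of the log above, and the list of "user profile" path fragments is an assumed heuristic.

```python
"""Audit a ComboFix-style 'Reg Loading Points' dump (REGEDIT4 text) for the
persistence pattern seen in this thread: one DLL in a user profile wired into
Drivers32 audio slots, Run keys and AppInit_DLLs at the same time."""
import re

# Constructed sample: a trimmed copy of the shape of the thread's log, not the real file.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe "= "c:\documents and settings\don\Application Data\Macromedia\Common\ae54a05c1.dll" [2009-03-02 64512]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs "=pmqxof.dll pzuyns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI "= diomidi.dll
"wave "= Digi32.dll
"wave1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
"midi1 "= c:\docume~1\don\APPLIC~1\MACROM~1\Common\ae54a05c1.dll
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prints values as  "name "= data  (note the space before the closing quote).
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<data>.*)$')
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")   # the "[date size]" ComboFix appends

# Assumed heuristic: path fragments that mean "inside a user profile". Legitimate
# audio drivers and AppInit DLLs live under system directories, not here.
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data",
                   "applic~1", "appdata", "\\users\\")


def parse_dump(text):
    """Yield (key, value_name, data) for every value line in the dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and key is not None:
            data = TRAILER_RE.sub("", val.group("data")).strip().strip('"')
            yield key, val.group("name").strip(), data


def in_user_profile(path):
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit(text):
    """Return findings as (severity, key, value_name, data, reason) tuples."""
    findings = []
    for key, name, data in parse_dump(text):
        k = key.lower()
        if k.endswith("\\drivers32"):
            # Expected here: bare driver names such as wdmaud.drv or a vendor DLL;
            # a path into a user profile means the audio slot was hijacked to load code.
            if in_user_profile(data):
                findings.append(("high", key, name, data,
                                 "Drivers32 slot loads a DLL from a user profile"))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            if in_user_profile(data):
                findings.append(("high", key, name, data,
                                 "autostart runs code from a user profile directory"))
        elif k.endswith("\\currentversion\\windows") and name.lower() == "appinit_dlls":
            if data:
                findings.append(("high", key, name, data,
                                 "AppInit_DLLs is non-empty (injected into every GUI process)"))
    return findings


def shared_payloads(findings):
    """Count how many flagged locations reference the same file name; the thread's
    Drivers32 hits and the Run entries all resolve to one DLL."""
    counts = {}
    for _, _, _, data, _ in findings:
        b = basename(data)
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_DUMP)
    for sev, key, name, data, why in results:
        print(f"[{sev}] {key}\\{name} -> {data}\n        {why}")
    print("locations per payload:", shared_payloads(results))
```

Run it against a saved ComboFix log (paste the REGEDIT4 block into SAMPLE_DUMP or read it from a file) and it groups every flagged location by file name, which shows at a glance that one payload has several restart points; cleaning only the Drivers32 values leaves the Run and AppInit_DLLs entries to recreate them, which matches the behaviour described above.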
     
  2. 2009/03/04
    Geri (Lifetime Subscription, Alumni)

    Hi Vladdy
    Welcome to WindowsBBS.

    I see you have P2P software (LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus Removal.

    Please do this.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop and post the contents of both logs.

    Thanks
    Geri
