
trojan vundo virus?


Post by maggiesandytika » September 20th, 2009, 5:48 pm

Hi. This computer had a trojan vundo virus on it. My daughter tried to remove it, but I think there are still problems on this computer. I had such a great experience with malwareremoval.com getting rid of a trojan vundo virus on my other computer last spring that I thought it would be good to get this computer cleaned up, also. I'm afraid to use this computer much; I won't put my flash drives on it, because I don't want them to get this virus.

I just downloaded HijackThis and ran it today, and here is my logfile. (Thank you so much in advance.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:13 PM, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - D:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "D:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [dimiyubodu] Rundll32.exe "D:\WINDOWS\system32\padetalo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dimiyubodu] Rundll32.exe "D:\WINDOWS\system32\padetalo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [AdobeUpdater] "D:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'Leah')
O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')
O4 - Global Startup: SMART Board Tools.lnk = D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1405060188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1405448451
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: d:\windows\system32\delidubu.dll,D:\WINDOWS\system32\mukejowe.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - D:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: SMART Board Service - SMART Technologies - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - D:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8751 bytes
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm
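The lines in the log above that a helper looks at first are the O4 entries running an eight-letter DLL through Rundll32 under the LOCAL SERVICE and NETWORK SERVICE profiles, the O20 AppInit_DLLs entry (DLLs listed there are loaded into every process that links user32.dll), and the O1 hosts-file redirects. As an added example, not part of the original thread and not a HijackThis feature, the Python script below parses lines of that shape and flags them. The sample lines are copied from the posted log; the "pseudo-random name" heuristic (lowercase letters alternating consonant and vowel, as in padetalo, mukejowe, delidubu) is an assumption drawn from the names seen in this log and is meant to prioritise review, not to replace it.

```python
import ntpath
import re
from collections import namedtuple

# Constructed sample: lines copied in shape from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKUS\S-1-5-19\..\Run: [dimiyubodu] Rundll32.exe "D:\WINDOWS\system32\padetalo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dimiyubodu] Rundll32.exe "D:\WINDOWS\system32\padetalo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: d:\windows\system32\delidubu.dll,D:\WINDOWS\system32\mukejowe.dll
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe
"""

Finding = namedtuple("Finding", "item severity reason path")

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A drive-letter path ending in .dll, stopping at a quote or comma.
DLL_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.dll', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem):
    """Heuristic (assumption): 6-12 lowercase letters strictly alternating
    consonant/vowel, the pattern of the DLL names in this log."""
    if not (6 <= len(stem) <= 12) or not stem.isalpha() or not stem.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(stem))


def classify_dll(item, path, context):
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if looks_generated(stem):
        return Finding(item, "high", context + "; pseudo-random file name " + stem, path)
    return Finding(item, "review", context, path)


def analyze(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):
            ip, host = line.split()[-2:]
            findings.append(Finding("O1", "medium",
                                    "hosts file redirects %s to %s" % (host, ip), None))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("O2", "low", "orphaned BHO (CLSID registered, no file)", None))
        elif line.startswith("O4 - "):
            m = RUN_RE.match(line)
            if not m or "rundll32" not in m.group("cmd").lower():
                continue
            hive = m.group("hive")
            context = "rundll32 autorun in " + hive
            if hive.startswith("HKUS\\S-1-5-19") or hive.startswith("HKUS\\S-1-5-20"):
                context += " (built-in service-account profile, unusual for user software)"
            for path in DLL_RE.findall(m.group("cmd")):
                findings.append(classify_dll("O4", path, context))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for path in line.split(":", 1)[1].split(","):
                path = path.strip()
                if path:
                    findings.append(classify_dll("O20", path, "AppInit_DLLs loads into every process"))
    return findings


def flagged_paths(findings):
    """Unique file paths from high-severity findings, case-insensitive, in log order."""
    seen, out = set(), []
    for f in findings:
        if f.severity == "high" and f.path and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print("%-3s %-6s %s %s" % (f.item, f.severity, f.reason, f.path or ""))
    print("paths to collect:", flagged_paths(results))
```

On the sample above this reports two hosts redirects, one orphaned BHO, and four high-severity DLL loads that resolve to three distinct files, which is the same set the helper later asks ComboFix to collect. Run it against a saved log with `analyze(open("hijackthis.log").read())`.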

Re: trojan vundo virus?

Post by MWR 3 day Mod » September 25th, 2009, 3:56 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: trojan vundo virus?

Post by melboy » September 26th, 2009, 3:45 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time please inform me.



Uninstall list

Please post an Uninstall list.

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location, such as your Desktop. By default it is named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


In your next reply.

1. Uninstall list.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trojan vundo virus?

Post by maggiesandytika » September 26th, 2009, 10:59 pm

Hi melboy,

Thank you for helping.

Here is the list you requested:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
ALZip
AppleWorks 6
BitDefender Definitions Update
BitDefender Total Security 2009
Combined Community Codec Pack 2008-09-21 16:18
Dell ResourceCD
Free Realms Installer
getPlus(R)_ocx
GIMP 2.4.6
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GTK+ Runtime 2.12.1 rev b (remove only)
Guild Wars
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Inkscape 0.46
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 3
MacDrive 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Monkey 4 Web Demo
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB954430)
Myst for Windows 95
Notebook Software
Pen Tablet
Pidgin
Prison Tycoon (remove only)
QuickTime
Roll
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SMART Board Drivers
SMART Product Update
SoundMAX
SPORE™ Creature Creator Trial Edition
SpywareBlaster 4.2
The Sims 2
The Sims 2 University
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VFDS Ver 1.01
Viewpoint Media Player
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinZip 11.1
Zoo Tycoon: Complete Collection
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm

Re: trojan vundo virus?

Post by melboy » September 29th, 2009, 11:59 am

Hi maggiesandytika


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

BITDEFENDER

  • Double click on the system icon for BitDefender.
  • When the Bit Defender window appears, click on the button at the top of the screen labeled Switch to advanced view.
  • Click on the Shield tab to switch to the Virus shield screen.
  • Uncheck the checkbox labeled Real-time protection is enabled.
  • When it asks how long you want to disable it, select Permanently.
  • BitDefender is now inactive.

To enable BitDefender, do the same steps except you should put a checkmark in the checkbox labeled Real-time protection is enabled.



Please post combofix.txt in your next reply.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trojan vundo virus?

Post by maggiesandytika » September 30th, 2009, 11:52 pm

Hi. Thank you so much.

Here is my combofix log file:

ComboFix 09-09-30.03 - Rebecca 09/30/2009 22:03.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.386 [GMT -5:00]
Running from: d:\documents and settings\Rebecca\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\progra~1\BITDEF~1\BITDEF~2\ntSVc.ocx
d:\windows\Downloaded Program Files\bdcore.dll
d:\windows\Downloaded Program Files\libfn.dll
d:\windows\system32\beyuzanu.dll
d:\windows\system32\dorehimo.dll
d:\windows\system32\Drivers\jkqndhjg.sys
d:\windows\system32\duduhahi.dll
d:\windows\system32\gafulono.dll
d:\windows\system32\henateje.dll
d:\windows\system32\hozegupo.dll
d:\windows\system32\ijutakej.ini
d:\windows\system32\logs
d:\windows\system32\mekewapo.dll
d:\windows\system32\niwogepi.dll
d:\windows\system32\rohuhowa.dll
d:\windows\system32\tohudade.dll
d:\windows\system32\vazibipu.dll
d:\windows\system32\yenegeki.dll
d:\windows\system32\zerefugu.dll
d:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-20 21:25 . 2009-09-20 21:25 -------- d-----w- d:\program files\Trend Micro
2009-09-08 20:36 . 2009-06-21 21:44 153088 -c----w- d:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 02:10 . 2008-01-31 00:31 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-09-28 23:41 . 2008-01-27 07:20 -------- d-----w- d:\documents and settings\Leah\Application Data\.purple
2009-09-28 22:05 . 2008-02-06 22:48 -------- d-----w- d:\documents and settings\Leah\Application Data\gtk-2.0
2009-09-25 03:39 . 2008-09-13 19:02 -------- d-----w- d:\program files\Common Files\SMART Technologies
2009-09-21 01:21 . 2008-10-29 02:54 -------- d-----w- d:\documents and settings\Rebecca\Application Data\U3
2009-09-19 23:26 . 2009-06-30 03:01 -------- d-----w- d:\documents and settings\Leah\Application Data\WTablet
2009-09-18 02:16 . 2009-06-07 22:58 -------- d-----w- d:\program files\Microsoft Silverlight
2009-09-09 02:39 . 2008-07-03 14:07 81984 ----a-w- d:\windows\system32\bdod.bin
2009-08-29 20:04 . 2009-08-29 20:04 -------- d-----w- d:\documents and settings\Leah\Application Data\Malwarebytes
2009-08-22 20:36 . 2009-02-03 22:03 104456 ----a-w- d:\windows\system32\drivers\bdfndisf.sys
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\program files\SpywareBlaster
2009-08-18 00:54 . 2009-08-18 00:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\SMART Technologies
2009-08-14 18:44 . 2009-08-14 04:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\.purple
2009-08-14 04:58 . 2009-08-14 04:58 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\gtk-2.0
2009-08-12 03:01 . 2009-08-12 03:01 -------- d-----w- d:\documents and settings\Rebecca\Application Data\WTablet
2009-08-08 21:52 . 2009-05-06 02:26 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-08 21:44 . 2009-08-08 21:44 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\Malwarebytes
2009-08-08 21:23 . 2009-08-08 21:23 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\WTablet
2009-08-05 09:01 . 2002-06-25 21:42 204800 ----a-w- d:\windows\system32\mswebdvd.dll
2009-08-04 17:38 . 2008-03-08 20:44 -------- d-----w- d:\program files\Common Files\AOL
2009-08-03 18:36 . 2009-05-06 02:26 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-05-06 02:26 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2002-06-25 21:36 58880 ----a-w- d:\windows\system32\atl.dll
2009-07-16 03:14 . 2009-07-15 18:46 291 ----a-w- d:\windows\PowerReg.dat
2009-07-12 17:21 . 2004-08-04 07:56 233472 ------w- d:\windows\system32\wmpdxm.dll
1996-09-06 22:32 . 2009-07-21 06:41 114195 ----a-w- d:\program files\MONKEY2.EXE
1996-08-09 16:15 . 2009-07-21 06:41 24904 ----a-w- d:\program files\SOUNBLAS.IMS
1996-08-09 16:15 . 2009-07-21 06:41 20736 ----a-w- d:\program files\ADLIB.IMS
1992-05-15 18:32 . 2009-07-21 06:41 20062 ----a-w- d:\program files\SPEAKER.IMS
1992-05-15 18:32 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROLAND.IMS
1992-05-14 20:55 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_336.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_334.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_332.IMS
1992-05-14 20:49 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_330.IMS
1992-03-02 00:39 . 2009-07-21 06:41 9080329 ----a-w- d:\program files\MONKEY2.001
1992-03-02 00:39 . 2009-07-21 06:41 11135 ----a-w- d:\program files\MONKEY2.000
2009-04-05 23:06 . 2008-10-30 22:34 49664 ----a-w- d:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mediafour Mac Volume Notifications"="d:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"MediafourGettingStartedWithMacDrive6"="d:\program files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 86016]
"MDDiskProtect.exe"="d:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 106496]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"BDAgent"="d:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-22 782336]
"BitDefender Antiphishing Helper"="d:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-05 69632]

d:\documents and settings\Leah\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-7-15 256000]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
SMART Board Tools.lnk - d:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-8-12 9618728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2003-11-07 15:24 61440 ----a-r- d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 MDPMGRNT;MDPMGRNT;d:\windows\system32\drivers\MDPMGRNT.SYS [4/30/2006 9:57 AM 16640]
R1 MDFSYSNT;MDFSYSNT;d:\windows\system32\drivers\MDFSYSNT.SYS [6/16/2006 11:53 AM 212864]
R2 BDVEDISK;BDVEDISK;d:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
R2 TabletServicePen;TabletServicePen;d:\windows\system32\Pen_Tablet.exe [6/29/2009 10:00 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2008 3:46 PM 24652]
R3 bdfm;BDFM;d:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2/3/2009 5:03 PM 104456]
S3 Arrakis3;BitDefender Arrakis Server;d:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 ati2mpaa;ati2mpaa;d:\windows\system32\drivers\ati2mpaa.sys [1/26/2008 11:39 AM 281856]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;d:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [7/31/2008 2:51 AM 1037608]
S3 SMART Web Server;SMART Web Server;d:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [7/31/2008 2:50 AM 1205544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Search
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\0wky5sab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: d:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: d:\documents and settings\Leah\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: d:\progra~1\SONYON~1\npsoe.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
AddRemove-Prison Tycoon - d:\program files\Valusoft\Prison Tycoon\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 22:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'explorer.exe'(3960)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
d:\program files\BitDefender\BitDefender 2009\vsserv.exe
d:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
d:\windows\system32\WTablet\Pen_TabletUser.exe
d:\program files\BitDefender\BitDefender 2009\seccenter.exe
d:\program files\SMART Technologies\SMART Board Drivers\Aware.exe
d:\program files\SMART Technologies\SMART Board Drivers\Marker.exe
d:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-01 22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-01 03:46

Pre-Run: 51,773,091,840 bytes free
Post-Run: 52,281,683,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

186 --- E O F --- 2009-09-09 08:06
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm

Re: trojan vundo virus?

Post by melboy » October 1st, 2009, 4:33 pm

Hi maggiesandytika

How are things running?


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://malwareremoval.com/forum/viewtopic.php?p=474498#p474498
    
    collect::
    D:\WINDOWS\system32\padetalo.dll
    D:\WINDOWS\system32\mukejowe.dll
    d:\windows\system32\delidubu.dll
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

FindFile

Download FindFile by Atribune from >here<
  • Extract (Unzip) the contents to your Desktop (Instructions on how to unzip files here, if needed)
  • Double click on FileFind.exe to open the program.
  • Ensure the Directory: box has D:\ entered in it.
  • Enter
    PowerReg Scheduler.exe
    into the File: box.
  • Click on the Search button.
  • After a while, if any files are found, a list of file locations will appear in the List of Files: box.
  • Click on the Export button.
  • This will create a Notepad file named Export.txt in the D:\ folder; please copy and paste it into your next post.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


  • Click Exit on the Main menu to close the program.


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check all items except items in the D:\System Volume Information folder... then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.



In your next reply:
  1. combofix.txt
  2. export.txt
  3. MBAM log
  4. A fresh HijackThis log (Do a system scan and save a logfile) and a description of how the computer is running now.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trojan vundo virus?

Unread postby maggiesandytika » October 3rd, 2009, 12:35 am

1. Combofix:

ComboFix 09-10-01.05 - Rebecca 10/02/2009 22:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.233 [GMT -5:00]
Running from: d:\documents and settings\Rebecca\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rebecca\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-01 04:04 . 2009-10-01 20:42 -------- d-----w- d:\documents and settings\Rebecca\Application Data\.purple
2009-09-20 21:25 . 2009-09-20 21:25 -------- d-----w- d:\program files\Trend Micro
2009-09-08 20:36 . 2009-06-21 21:44 153088 -c----w- d:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 12:01 . 2009-06-30 03:01 -------- d-----w- d:\documents and settings\Leah\Application Data\WTablet
2009-10-02 03:11 . 2008-01-31 00:31 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-09-28 23:41 . 2008-01-27 07:20 -------- d-----w- d:\documents and settings\Leah\Application Data\.purple
2009-09-28 22:05 . 2008-02-06 22:48 -------- d-----w- d:\documents and settings\Leah\Application Data\gtk-2.0
2009-09-25 03:39 . 2008-09-13 19:02 -------- d-----w- d:\program files\Common Files\SMART Technologies
2009-09-21 01:21 . 2008-10-29 02:54 -------- d-----w- d:\documents and settings\Rebecca\Application Data\U3
2009-09-18 02:16 . 2009-06-07 22:58 -------- d-----w- d:\program files\Microsoft Silverlight
2009-09-09 02:39 . 2008-07-03 14:07 81984 ----a-w- d:\windows\system32\bdod.bin
2009-08-29 20:04 . 2009-08-29 20:04 -------- d-----w- d:\documents and settings\Leah\Application Data\Malwarebytes
2009-08-22 20:36 . 2009-02-03 22:03 104456 ----a-w- d:\windows\system32\drivers\bdfndisf.sys
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\program files\SpywareBlaster
2009-08-18 00:54 . 2009-08-18 00:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\SMART Technologies
2009-08-14 18:44 . 2009-08-14 04:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\.purple
2009-08-14 04:58 . 2009-08-14 04:58 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\gtk-2.0
2009-08-12 03:01 . 2009-08-12 03:01 -------- d-----w- d:\documents and settings\Rebecca\Application Data\WTablet
2009-08-08 21:52 . 2009-05-06 02:26 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-08 21:44 . 2009-08-08 21:44 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\Malwarebytes
2009-08-08 21:23 . 2009-08-08 21:23 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\WTablet
2009-08-05 09:01 . 2002-06-25 21:42 204800 ----a-w- d:\windows\system32\mswebdvd.dll
2009-08-04 17:38 . 2008-03-08 20:44 -------- d-----w- d:\program files\Common Files\AOL
2009-08-03 18:36 . 2009-05-06 02:26 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-05-06 02:26 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2002-06-25 21:36 58880 ----a-w- d:\windows\system32\atl.dll
2009-07-16 03:14 . 2009-07-15 18:46 291 ----a-w- d:\windows\PowerReg.dat
2009-07-12 17:21 . 2004-08-04 07:56 233472 ------w- d:\windows\system32\wmpdxm.dll
1996-09-06 22:32 . 2009-07-21 06:41 114195 ----a-w- d:\program files\MONKEY2.EXE
1996-08-09 16:15 . 2009-07-21 06:41 24904 ----a-w- d:\program files\SOUNBLAS.IMS
1996-08-09 16:15 . 2009-07-21 06:41 20736 ----a-w- d:\program files\ADLIB.IMS
1992-05-15 18:32 . 2009-07-21 06:41 20062 ----a-w- d:\program files\SPEAKER.IMS
1992-05-15 18:32 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROLAND.IMS
1992-05-14 20:55 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_336.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_334.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_332.IMS
1992-05-14 20:49 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_330.IMS
1992-03-02 00:39 . 2009-07-21 06:41 9080329 ----a-w- d:\program files\MONKEY2.001
1992-03-02 00:39 . 2009-07-21 06:41 11135 ----a-w- d:\program files\MONKEY2.000
2009-04-05 23:06 . 2008-10-30 22:34 49664 ----a-w- d:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_03.42.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-26 23:16 . 2009-10-02 12:03 25214 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\PeaceShieldIcon.exe
- 2008-01-26 23:16 . 2008-01-26 23:16 25214 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\PeaceShieldIcon.exe
+ 2008-01-26 23:16 . 2009-10-02 12:03 34304 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\Icon3829960D.exe
- 2008-01-26 23:16 . 2008-01-26 23:16 34304 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\Icon3829960D.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mediafour Mac Volume Notifications"="d:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"MediafourGettingStartedWithMacDrive6"="d:\program files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 86016]
"MDDiskProtect.exe"="d:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 106496]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"BDAgent"="d:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-22 782336]
"BitDefender Antiphishing Helper"="d:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-05 69632]

d:\documents and settings\Leah\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-7-15 256000]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
SMART Board Tools.lnk - d:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-8-12 9618728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2003-11-07 15:24 61440 ----a-r- d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 MDPMGRNT;MDPMGRNT;d:\windows\system32\drivers\MDPMGRNT.SYS [4/30/2006 9:57 AM 16640]
R1 MDFSYSNT;MDFSYSNT;d:\windows\system32\drivers\MDFSYSNT.SYS [6/16/2006 11:53 AM 212864]
R2 BDVEDISK;BDVEDISK;d:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
R2 TabletServicePen;TabletServicePen;d:\windows\system32\Pen_Tablet.exe [6/29/2009 10:00 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2008 3:46 PM 24652]
R3 bdfm;BDFM;d:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2/3/2009 5:03 PM 104456]
S3 Arrakis3;BitDefender Arrakis Server;d:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 ati2mpaa;ati2mpaa;d:\windows\system32\drivers\ati2mpaa.sys [1/26/2008 11:39 AM 281856]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;d:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [7/31/2008 2:51 AM 1037608]
S3 SMART Web Server;SMART Web Server;d:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [7/31/2008 2:50 AM 1205544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 032EA6C7
*NewlyCreated* - B20438B4
*Deregistered* - 032ea6c7
*Deregistered* - b20438b4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Search
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\0wky5sab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: d:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: d:\documents and settings\Leah\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: d:\progra~1\SONYON~1\npsoe.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 22:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'winlogon.exe'(3688)
d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'explorer.exe'(3568)
d:\windows\system32\WININET.dll
d:\program files\Common Files\Mediafour\MACVICON.DLL
d:\windows\system32\ieframe.dll

- - - - - - - > 'explorer.exe'(4980)
d:\windows\system32\WININET.dll
d:\program files\Common Files\Mediafour\MACVICON.DLL
d:\windows\system32\ieframe.dll
.
Completion time: 2009-10-03 22:24
ComboFix-quarantined-files.txt 2009-10-03 03:24
ComboFix2.txt 2009-10-01 03:47

Pre-Run: 52,252,327,936 bytes free
Post-Run: 52,219,445,248 bytes free

161 --- E O F --- 2009-09-09 08:06





2. Find File:

D:\Documents and Settings\Leah\Start Menu\Programs\Startup\PowerReg Scheduler.exe - 256000 Bytes



3. MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 3

10/2/2009 11:25:54 PM
mbam-log-2009-10-02 (23-25-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198323
Time elapsed: 48 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)


4. Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:00 PM, on 10/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Rebecca\Local Settings\temp\_AZTMP0_\FileFind.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - D:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "D:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [PicoZip] D:\Program Files\PicoZip\PicoZipTray.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [AdobeUpdater] "D:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'Leah')
O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')
O4 - Global Startup: SMART Board Tools.lnk = D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1405060188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1405448451
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - D:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: SMART Board Service - SMART Technologies - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - D:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8632 bytes


5. How is computer running now?

The computer seems to be running fine now. On the Malware Bytes scan, it said it found 4 worm agents in the System Volume Information -- restore files. Are these files safe? Should they be deleted?


Thank you so much for your help!
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm

Re: trojan vundo virus?

Unread postby melboy » October 3rd, 2009, 9:38 am

Hi maggiesandytika


The logs show that new programs are possibly being installed. Can I ask that users of the PC refrain from installing and uninstalling programs, unless requested by myself, until after I give you the all clean? Thank you. :)

On the Malware Bytes scan, it said it found 4 worm agents in the System Volume Information -- restore files. Are these files safe? Should they be deleted?
I need to see the full log from the Malwarebytes' scan; the "Files infected:" part was missing from what you posted. Please can you post the full log? Thank you.
The log can be found here:
  1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2009-10-02 (23-25-54).txt
  2. Or via the Logs tab when the application is started.

So long as System Restore isn't used until after I've given you the All Clean! they should not re-infect your PC, but as I said previously, I would need to see the entire log to determine this.

We will deal with the infected System restore points later, flushing the old, infected restore points and creating a new clean one.



Update Adobe Acrobat Reader
Your Adobe Acrobat Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.1 to your PC's desktop.
  • Uninstall
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Reader 8.1.2
    via Start > Control Panel > Add/Remove Programs
  • Install the new downloaded updated software.


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java
    Java(TM) 6 Update 3
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.



    Fix HijackThis entries
    • Run HijackThis
    • Click on the do a system scan only button
    • Put a check beside all of the items listed below (if present):

        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

        O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (User 'Leah')

        O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')

    • Close all open windows and browsers/email etc...
    • Click on the Fix Checked button
    • When completed close the application.



    COMBOFIX-Script
    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      File::
       
      D:\Documents and Settings\Leah\Start Menu\Programs\Startup\PowerReg Scheduler.exe 
      d:\windows\PowerReg.dat
      

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [Image: screenshot of dragging CFScript.txt onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • If you need help to disable your protection programs see here.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



    Uninstall list

    1. Open HijackThis.
    2. Click on the Open the Misc Tools section button.
    3. Look under System tools.
    4. Click on the Open Uninstall Manager... button.
    5. Click on the Save list... button.
    6. It will prompt you to save. Save this log in a convenient location, such as your Desktop. By default it's named uninstall_list.txt.
    7. Notepad will open. Please post this log in your next reply.

    In your next reply:
    1. Full MBAM log.
    2. Combofix.txt
    3. HijackThis Uninstall list
    4. A fresh HijackThis log (Do a system scan and save a logfile)
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
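The three HijackThis entries the helper singled out above (an O2 BHO with no backing file, the MyWebSearch plugin, and a bare executable in a user's Startup folder) can be picked out mechanically. What follows is an added example, not the forum's or HijackThis's own code: a small Python triage script whose sample lines are copied from the log posted in this thread; the rule names and the UNWANTED_FRAGMENTS list are my own assumptions.

```python
"""Triage of Trend Micro HijackThis v2.0.2 log lines.

Added example for this thread, not part of HijackThis or the forum's tooling.
The rules encode the reasoning the helper applied when choosing the three
entries to fix. The sample log below is constructed from lines in the
thread's own HijackThis log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Item lines look like "O2 - BHO: name - {CLSID} - path" or
# "O4 - HKLM\..\Run: [name] path"; anything else (headers, process list) is skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+?)\s*$")
USER_SUFFIX = re.compile(r"\s*\(User '(?P<user>[^']+)'\)$")

# Path fragments naming the component the helper flagged in this thread
# (8.3 short name and long name of the MyWebSearch folder). Assumed list.
UNWANTED_FRAGMENTS = ("mywebs~1", "mywebsearch")


@dataclass
class Entry:
    code: str            # HijackThis section code, e.g. "O2", "O4"
    body: str            # rest of the line, "(User '...')" suffix removed
    user: Optional[str]  # account a per-user entry belongs to, if stated
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, None for any other line."""
    m = HJT_LINE.match(line)
    if not m:
        return None
    body = m.group("body")
    user = None
    um = USER_SUFFIX.search(body)
    if um:
        user = um.group("user")
        body = body[:um.start()]
    return Entry(m.group("code"), body, user)


def triage(entry: Entry) -> Entry:
    """Attach one flag per rule the entry trips; clean entries stay unflagged."""
    low = entry.body.lower()
    # Rule 1: a BHO still registered but whose DLL is gone is dead weight,
    # typically a leftover of a removed infection.
    if entry.code == "O2" and low.endswith("- (no file)"):
        entry.flags.append("bho-no-file")
    # Rule 2: anything living under the MyWebSearch folder is a known-unwanted
    # toolbar component.
    if any(frag in low for frag in UNWANTED_FRAGMENTS):
        entry.flags.append("known-unwanted")
    # Rule 3: a bare .exe in a Startup folder, rather than a .lnk shortcut to an
    # installed program, is the pattern of a dropped file. The helper had such
    # a file collected by ComboFix before deciding on removal.
    if entry.code == "O4" and "startup: " in low:
        item = low.split("startup: ", 1)[1].split(" = ", 1)[0].strip()
        if item.endswith(".exe"):
            entry.flags.append("startup-exe")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse a whole log and return only the entries that tripped a rule."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: a mix of benign and flagged lines from this thread's log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (User 'Leah')
O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')
O4 - Global Startup: SMART Board Tools.lnk = D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O23 - Service: SMART Web Server - Unknown owner - D:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.code, ",".join(e.flags), "|", e.body, "| user:", e.user)
```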

Re: trojan vundo virus?

Unread postby melboy » October 6th, 2009, 12:35 pm

Hi maggiesandytika

It has been three days since my last post.

  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response. If you do not reply within the next 24 hours, this topic will be closed.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trojan vundo virus?

Unread postby maggiesandytika » October 6th, 2009, 8:55 pm

Oops! I posted a reply with all of the requested info, but, for some reason, it didn't go through. (Maybe I just did a preview and didn't actually submit it.) I will recollect all that info and resubmit it.
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm

Re: trojan vundo virus?

Unread postby maggiesandytika » October 6th, 2009, 8:59 pm

(Luckily, I had saved all this info in a file, so I didn't have to rerun it. I bet that I just previewed the posting and didn't realize I hadn't actually submitted it.) Here is the info:

1. Combofix:

ComboFix 09-10-01.05 - Rebecca 10/02/2009 22:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.233 [GMT -5:00]
Running from: d:\documents and settings\Rebecca\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rebecca\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-01 04:04 . 2009-10-01 20:42 -------- d-----w- d:\documents and settings\Rebecca\Application Data\.purple
2009-09-20 21:25 . 2009-09-20 21:25 -------- d-----w- d:\program files\Trend Micro
2009-09-08 20:36 . 2009-06-21 21:44 153088 -c----w- d:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 12:01 . 2009-06-30 03:01 -------- d-----w- d:\documents and settings\Leah\Application Data\WTablet
2009-10-02 03:11 . 2008-01-31 00:31 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-09-28 23:41 . 2008-01-27 07:20 -------- d-----w- d:\documents and settings\Leah\Application Data\.purple
2009-09-28 22:05 . 2008-02-06 22:48 -------- d-----w- d:\documents and settings\Leah\Application Data\gtk-2.0
2009-09-25 03:39 . 2008-09-13 19:02 -------- d-----w- d:\program files\Common Files\SMART Technologies
2009-09-21 01:21 . 2008-10-29 02:54 -------- d-----w- d:\documents and settings\Rebecca\Application Data\U3
2009-09-18 02:16 . 2009-06-07 22:58 -------- d-----w- d:\program files\Microsoft Silverlight
2009-09-09 02:39 . 2008-07-03 14:07 81984 ----a-w- d:\windows\system32\bdod.bin
2009-08-29 20:04 . 2009-08-29 20:04 -------- d-----w- d:\documents and settings\Leah\Application Data\Malwarebytes
2009-08-22 20:36 . 2009-02-03 22:03 104456 ----a-w- d:\windows\system32\drivers\bdfndisf.sys
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-18 01:11 . 2009-08-18 01:11 -------- d-----w- d:\program files\SpywareBlaster
2009-08-18 00:54 . 2009-08-18 00:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\SMART Technologies
2009-08-14 18:44 . 2009-08-14 04:54 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\.purple
2009-08-14 04:58 . 2009-08-14 04:58 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\gtk-2.0
2009-08-12 03:01 . 2009-08-12 03:01 -------- d-----w- d:\documents and settings\Rebecca\Application Data\WTablet
2009-08-08 21:52 . 2009-05-06 02:26 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-08 21:44 . 2009-08-08 21:44 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\Malwarebytes
2009-08-08 21:23 . 2009-08-08 21:23 -------- d-----w- d:\documents and settings\Maggie Tika\Application Data\WTablet
2009-08-05 09:01 . 2002-06-25 21:42 204800 ----a-w- d:\windows\system32\mswebdvd.dll
2009-08-04 17:38 . 2008-03-08 20:44 -------- d-----w- d:\program files\Common Files\AOL
2009-08-03 18:36 . 2009-05-06 02:26 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-05-06 02:26 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2002-06-25 21:36 58880 ----a-w- d:\windows\system32\atl.dll
2009-07-16 03:14 . 2009-07-15 18:46 291 ----a-w- d:\windows\PowerReg.dat
2009-07-12 17:21 . 2004-08-04 07:56 233472 ------w- d:\windows\system32\wmpdxm.dll
1996-09-06 22:32 . 2009-07-21 06:41 114195 ----a-w- d:\program files\MONKEY2.EXE
1996-08-09 16:15 . 2009-07-21 06:41 24904 ----a-w- d:\program files\SOUNBLAS.IMS
1996-08-09 16:15 . 2009-07-21 06:41 20736 ----a-w- d:\program files\ADLIB.IMS
1992-05-15 18:32 . 2009-07-21 06:41 20062 ----a-w- d:\program files\SPEAKER.IMS
1992-05-15 18:32 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROLAND.IMS
1992-05-14 20:55 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_336.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_334.IMS
1992-05-14 20:54 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_332.IMS
1992-05-14 20:49 . 2009-07-21 06:41 18976 ----a-w- d:\program files\ROL_330.IMS
1992-03-02 00:39 . 2009-07-21 06:41 9080329 ----a-w- d:\program files\MONKEY2.001
1992-03-02 00:39 . 2009-07-21 06:41 11135 ----a-w- d:\program files\MONKEY2.000
2009-04-05 23:06 . 2008-10-30 22:34 49664 ----a-w- d:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_03.42.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-26 23:16 . 2009-10-02 12:03 25214 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\PeaceShieldIcon.exe
- 2008-01-26 23:16 . 2008-01-26 23:16 25214 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\PeaceShieldIcon.exe
+ 2008-01-26 23:16 . 2009-10-02 12:03 34304 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\Icon3829960D.exe
- 2008-01-26 23:16 . 2008-01-26 23:16 34304 d:\windows\Installer\{E58956AD-FB7D-470B-9B1D-BCE7803BCB65}\Icon3829960D.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mediafour Mac Volume Notifications"="d:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"MediafourGettingStartedWithMacDrive6"="d:\program files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 86016]
"MDDiskProtect.exe"="d:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 106496]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"BDAgent"="d:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-22 782336]
"BitDefender Antiphishing Helper"="d:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-05 69632]

d:\documents and settings\Leah\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-7-15 256000]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
SMART Board Tools.lnk - d:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2008-8-12 9618728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2003-11-07 15:24 61440 ----a-r- d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 MDPMGRNT;MDPMGRNT;d:\windows\system32\drivers\MDPMGRNT.SYS [4/30/2006 9:57 AM 16640]
R1 MDFSYSNT;MDFSYSNT;d:\windows\system32\drivers\MDFSYSNT.SYS [6/16/2006 11:53 AM 212864]
R2 BDVEDISK;BDVEDISK;d:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
R2 TabletServicePen;TabletServicePen;d:\windows\system32\Pen_Tablet.exe [6/29/2009 10:00 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2008 3:46 PM 24652]
R3 bdfm;BDFM;d:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2/3/2009 5:03 PM 104456]
S3 Arrakis3;BitDefender Arrakis Server;d:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 ati2mpaa;ati2mpaa;d:\windows\system32\drivers\ati2mpaa.sys [1/26/2008 11:39 AM 281856]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;d:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [7/31/2008 2:51 AM 1037608]
S3 SMART Web Server;SMART Web Server;d:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [7/31/2008 2:50 AM 1205544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 032EA6C7
*NewlyCreated* - B20438B4
*Deregistered* - 032ea6c7
*Deregistered* - b20438b4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Search
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\0wky5sab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: d:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: d:\documents and settings\Leah\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: d:\progra~1\SONYON~1\npsoe.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 22:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'winlogon.exe'(3688)
d:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'explorer.exe'(3568)
d:\windows\system32\WININET.dll
d:\program files\Common Files\Mediafour\MACVICON.DLL
d:\windows\system32\ieframe.dll

- - - - - - - > 'explorer.exe'(4980)
d:\windows\system32\WININET.dll
d:\program files\Common Files\Mediafour\MACVICON.DLL
d:\windows\system32\ieframe.dll
.
Completion time: 2009-10-03 22:24
ComboFix-quarantined-files.txt 2009-10-03 03:24
ComboFix2.txt 2009-10-01 03:47

Pre-Run: 52,252,327,936 bytes free
Post-Run: 52,219,445,248 bytes free

161 --- E O F --- 2009-09-09 08:06





2. Find File:

D:\Documents and Settings\Leah\Start Menu\Programs\Startup\PowerReg Scheduler.exe - 256000 Bytes



3. MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 3

10/2/2009 11:25:54 PM
mbam-log-2009-10-02 (23-25-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198323
Time elapsed: 48 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)


4. Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:00 PM, on 10/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Rebecca\Local Settings\temp\_AZTMP0_\FileFind.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - D:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "D:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] D:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [PicoZip] D:\Program Files\PicoZip\PicoZipTray.exe (User 'Leah')
O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [AdobeUpdater] "D:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'Leah')
O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')
O4 - Global Startup: SMART Board Tools.lnk = D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1405060188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1405448451
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - D:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: SMART Board Service - SMART Technologies - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - D:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - D:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8632 bytes


5. How is computer running now?

The computer seems to be running fine now. On the Malware Bytes scan, it said it found 4 worm agents in the System Volume Information -- restore files. Are these files safe? Should they be deleted?


Thank you so much for your help!
maggiesandytika
Regular Member
 
Posts: 16
Joined: May 1st, 2009, 10:52 pm

Re: trojan vundo virus?

Unread postby melboy » October 7th, 2009, 11:13 am

Hi maggiesandytika

Oops! I posted a reply with all of the requested info, but, for some reason, it didn't go through. (Maybe I just did a preview and didn't actually submit it.) I will recollect all that info and resubmit it.

Sorry, but what you have posted in your last reply is a copy of a reply to a previous set of instructions I had given you.

The logs I am looking for are:

D:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2009-10-02 (23-25-54).txt
Or mbam-log-2009-10-02 (23-25-54).txt via the Logs tab when the application is started.

D:\ComboFix.txt

A fresh HijackThis Uninstall list.
A fresh HijackThis log (Do a system scan and save a logfile)


If you have not done so already, please can you carry out the instructions below.

If you have already done the following instructions previously, please post the correct results for this set of instructions if you have them. Thank you. :)


Previously given instructions:


The logs show that new programs are possibly being installed. Can I ask that users of the PC refrain from installing and uninstalling programs unless requested by myself until after I give you the all clean? Thank you. :)

On the Malware Bytes scan, it said it found 4 worm agents in the System Volume Information -- restore files. Are these files safe? Should they be deleted?
I need to see the full log from the Malwarebytes' scan; the "Files infected:" part was missing from what you posted. Please can you post the full log, thank you.
The log can be found here:
  1. D:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2009-10-02 (23-25-54).txt
  2. Or via the Logs tab when the application is started.

So long as System Restore isn't used until after I've given you the All Clean! they should not re-infect your PC, but as I said previously, I would need to see the entire log to determine this.

We will deal with the infected System restore points later, flushing the old, infected restore points and creating a new clean one.



Update Adobe Acrobat Reader
Your Adobe Acrobat Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.1 to your PC's desktop.
  • Uninstall
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Reader 8.1.2
    via Start > Control Panel > Add/Remove Programs
  • Install the new downloaded updated software.


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java
    Java(TM) 6 Update 3
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.



    Fix HijackThis entries
    • Run HijackThis
    • Click on the do a system scan only button
    • Put a check beside all of the items listed below (if present):

        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

        O4 - HKUS\S-1-5-21-1214440339-1454471165-682003330-1005\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (User 'Leah')

        O4 - S-1-5-21-1214440339-1454471165-682003330-1005 Startup: PowerReg Scheduler.exe (User 'Leah')

    • Close all open windows and browsers/email etc...
    • Click on the Fix Checked button
    • When completed close the application.



    COMBOFIX-Script
    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      File::
       
      D:\Documents and Settings\Leah\Start Menu\Programs\Startup\PowerReg Scheduler.exe 
      d:\windows\PowerReg.dat
      

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      Image
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • If you need help to disable your protection programs see here.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



    Uninstall list

    1. Open HijackThis.
    2. Click on the Open the Misc Tools section button.
    3. Look under System tools.
    4. Click on the Open Uninstall Manager... button.
    5. Click on the Save list... button.
    6. It will prompt you to save. Save this log in a convenient location, such as your Desktop. By default it's named uninstall_list.txt.
    7. Notepad will open. Please post this log in your next reply.

    In your next reply:
    1. Full MBAM log.
    2. Combofix.txt
    3. HijackThis Uninstall list
    4. A fresh HijackThis log (Do a system scan and save a logfile)
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
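As an added example (not code from this thread, from melboy, or from Malwarebytes), here is a small Python checker for the problem raised above: an MBAM 1.x log whose summary counts items that the pasted detail blocks never list. The sample log is abridged from the one posted earlier in the thread; the four "Files Infected" lines in the constructed complete version are placeholders, not the actual detections.

```python
"""Completeness check for a Malwarebytes' Anti-Malware 1.x log (added
example, not code from this thread or from Malwarebytes): a non-zero
summary count whose detail block never appears means the pasted log
was cut off before the part the helper needs."""
import re

# Abridged from the MBAM log posted earlier in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2897

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198323

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)
"""

# Constructed continuation with the block that is absent above; the paths
# are placeholders, not the actual detections from this thread.
COMPLETE_LOG = SAMPLE_LOG + "\n".join(
    ["", "Files Infected:"]
    + [r"D:\System Volume Information\_restore{PLACEHOLDER}\RP%d\A000%d.exe "
       r"(Worm.Agent) -> Quarantined and deleted successfully." % (n, n)
       for n in range(1, 5)]
) + "\n"

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)\s*$")
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")

def parse_mbam_log(text):
    """Return (summary, details): summary maps category -> count from the
    'Category Infected: N' lines; details maps category -> item lines from
    the 'Category Infected:' blocks ('(No malicious items detected)' -> [])."""
    summary, details, current = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            details[current] = []
            continue
        if not line:
            current = None  # a blank line ends the current detail block
        elif current is not None and not line.startswith("(No malicious"):
            details[current].append(line)
    return summary, details

def find_missing_sections(text):
    """Categories whose count is non-zero but whose detail block is absent or
    lists fewer items than the count: {category: (count, listed)}."""
    summary, details = parse_mbam_log(text)
    missing = {}
    for category, count in summary.items():
        listed = len(details.get(category, []))
        if count and (category not in details or listed < count):
            missing[category] = (count, listed)
    return missing

if __name__ == "__main__":
    for name, log in (("as posted", SAMPLE_LOG), ("complete", COMPLETE_LOG)):
        gaps = find_missing_sections(log)
        print(name, "->", gaps or "log is complete")
```

Run against the log as it was posted, the checker reports that "Files Infected" claims 4 items but lists none; the same check passes on the constructed complete log.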

Re: trojan vundo virus?

Unread postby NonSuch » October 11th, 2009, 4:04 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California