WiredWX Christian Hobby Weather Tools

Desot, Rootkit, Porntube...HELPPPPP

I probably have 25 different viruses on my machine. I can still get online, but this desot.exe is preventing me from accessing HijackThis or any other executable. They will download but I can't open them. I am accessing the internet through safe mode with networking.

Please is there anything that I can do?

I would appreciate any help you may provide!

Re: Desot, Rootkit, Porntube...HELPPPPP

Welcome to GeekPolice. We are here to save you money. Our expertise here can help you get rid of threats.

From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a Tech Staff member, administrator, or moderator. Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.

As this topic is for you only, I just need to issue a warning to outside readers:
Warning: Instructions issued in this topic are for this user only. We are not responsible for damages, so if you need help; please register for this site, and start a new topic requesting help.




Please download ComboFix by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first:

(screenshots of the rename step: ComboFix.exe is saved under the name svchost.exe)

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

(screenshots of the Recovery Console installation prompts)

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Desot, Rootkit, Porntube...HELPPPPP

I could not get the Combo/svchost.exe file to open. I was able to download it and rename it, but once I opened it, I always got the awful desot error.

I tried to attach the screenshot but can't.

Re: Desot, Rootkit, Porntube...HELPPPPP

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Please navigate to c:\WINDOWS\System32 and delete the following file in that folder:
desot.exe

Then, while in Safe Mode with Networking, run ComboFix as noted above.

Re: Desot, Rootkit, Porntube...HELPPPPP

says that it is not accessible, access denied

Re: Desot, Rootkit, Porntube...HELPPPPP

Hi

Please follow this article to take ownership of the file. It must be deleted.

http://support.microsoft.com/kb/308421

Re: Desot, Rootkit, Porntube...HELPPPPP

You guys are the absolute BEST...I have been dealing with 402 infected files for almost 2 months with no money to take my laptop to the shop!

You all are Godsends!!! I am so thankful!!! Finally I was able to run HijackThis...here is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:59 AM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF11957.exe" /c "C:\svchost.exe\C.bat"
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunOnce: [SafetyCenter] C:\Program Files\SafetyCenter\start.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKCU\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\user\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan
O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [NordBull] C:\WINDOWS\msa.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [autochk] rundll32.exe C:\DOCUME~1\user\protect.dll,_IWMPEvents@16 (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe" (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [NordBull] C:\WINDOWS\TEMP\fhtyxhtsnn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [NordBull] C:\WINDOWS\TEMP\fhtyxhtsnn.exe (User 'Default user')
O4 - S-1-5-21-790525478-688789844-1343024091-1004 Startup: ChkDisk.dll (User '?')
O4 - S-1-5-21-790525478-688789844-1343024091-1004 Startup: ChkDisk.lnk = ? (User '?')
O4 - S-1-5-18 Startup: ChkDisk.dll (User '?')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User '?')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ciscosales.webex.com/client/T26LSP49EP12/webex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)

--
End of file - 7391 bytes
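
As an added example (not part of this thread, and not a GeekPolice or Trend Micro tool), here is a defender-side triage script that reads HijackThis-style lines such as the log above and flags the entries that mark this machine as compromised: extra binaries chained into UserInit, a modified Shell line, Run entries launched from Temp or a user profile, regedit disabled by policy, and services with an unknown owner, a missing binary, or a system-binary lookalike outside system32. The rule names are my own; the sample lines are a subset copied from the log above, with legitimate entries (Java, Google Update, McAfee, the printer service) left in to show they are not flagged.

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Real Windows system binaries whose names malware imitates or reuses outside
# \system32 (the log above has C:\WINDOWS\svchost.exe, svohost.exe and svchast.exe).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe")
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\")
# A bare .exe directly in the Windows root (C:\WINDOWS\msa.exe above) is not
# where legitimate autostarts live.
WINDOWS_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\\s]+\.exe\b')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-letter system-name lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_hjt(text: str) -> List[Finding]:
    """Return one Finding per suspicious HJT line, in log order."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        lower = line.lower()
        if lower.startswith("f2 - reg:system.ini: userinit="):
            # Only userinit.exe belongs here; extra comma-separated binaries run
            # at every logon (twext.exe / sdra64.exe in the log above).
            parts = [p.strip() for p in line.split("=", 1)[1].split(",") if p.strip()]
            extras = [p for p in parts if not p.lower().endswith("\\system32\\userinit.exe")]
            if extras:
                findings.append(Finding(n, "userinit-chain", ", ".join(extras)))
        elif lower.startswith("f2 - reg:system.ini: shell="):
            shell = line.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(n, "shell-hijack", shell))
        elif lower.startswith("o4 - ") and ("run: [" in lower or "runonce: [" in lower):
            cmd = line.split("] ", 1)[1] if "] " in line else ""
            cmd_lower = cmd.lower()
            rule = None
            if "\\temp\\" in cmd_lower:
                rule = "run-from-temp"
            elif "rundll32" in cmd_lower and any(d in cmd_lower for d in PROFILE_DIRS):
                rule = "rundll32-dll-from-user-profile"
            elif WINDOWS_ROOT_EXE.search(cmd_lower):
                rule = "exe-in-windows-root"
            if rule:
                findings.append(Finding(n, rule, cmd))
        elif lower.startswith("o7 - ") and "disableregedit=1" in lower:
            findings.append(Finding(n, "regedit-disabled", line))
        elif lower.startswith("o23 - service:"):
            # HJT prints "Name (Short) - Owner - Path"; the path is the last field.
            path = line.rsplit(" - ", 1)[1]
            reasons = []
            if "unknown owner" in lower and path.lower().endswith("(file missing)"):
                reasons.append("unknown owner and binary missing")
            exe = path.lower().replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
            if "\\system32\\" not in path.lower() and \
                    any(edit_distance(exe, s) <= 1 for s in SYSTEM_BINARIES):
                reasons.append(f"{exe} mimics a system binary outside system32")
            if reasons:
                findings.append(Finding(n, "suspicious-service", "; ".join(reasons)))
    return findings


# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\user\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe
O4 - HKUS\S-1-5-18\..\Run: [NordBull] C:\WINDOWS\TEMP\fhtyxhtsnn.exe (User '?')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)
""".strip()


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"line {f.line_no:2d}  {f.rule:32s} {f.detail}")
```

The O23 parser assumes the binary path itself contains no " - ", which holds for every service line in the log above.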

Re: Desot, Rootkit, Porntube...HELPPPPP

Hi

Please run ComboFix as noted above.

Re: Desot, Rootkit, Porntube...HELPPPPP

ComboFix 09-10-13.01 - user 10/14/2009 4:43.1.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\afonyte.vbs
c:\documents and settings\All Users\Application Data\kaporu.reg
c:\documents and settings\user\Application Data\avajimum.reg
c:\documents and settings\user\Application Data\ejeh.inf
c:\documents and settings\user\Application Data\gehyjicyzu.reg
c:\documents and settings\user\Application Data\twain_32
c:\documents and settings\user\Application Data\twain_32\user.ds
c:\documents and settings\user\Application Data\xybu.bat
c:\documents and settings\user\Cookies\amocypi.lib
c:\documents and settings\user\Cookies\dawadotyz.com
c:\documents and settings\user\Cookies\fohuguguga._sy
c:\documents and settings\user\Cookies\hilekeq.dat
c:\documents and settings\user\Cookies\tojil.vbs
c:\documents and settings\user\Local Settings\Application Data\kefohuw.reg
c:\documents and settings\user\Local Settings\Application Data\vozajub.inf
c:\documents and settings\user\Local Settings\Temporary Internet Files\adeloh.scr
c:\documents and settings\user\Local Settings\Temporary Internet Files\cojozytaqa.sys
c:\documents and settings\user\Local Settings\Temporary Internet Files\efefidet.bin
c:\documents and settings\user\Local Settings\Temporary Internet Files\otyvi.ban
c:\documents and settings\user\Local Settings\Temporary Internet Files\utohoju.pif
c:\documents and settings\user\Local Settings\Temporary Internet Files\utomon.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\webex.ini
c:\documents and settings\user\protect.dll
c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\Common Files\ipit.vbs
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\Uninstall.exe
c:\program files\PC_Antispyware2010\wscui.cpl
c:\program files\Protection System
c:\program files\Protection System\blacklist.cga
c:\program files\Protection System\core.cga
c:\program files\Protection System\firewall.dll
c:\program files\Protection System\help.ico
c:\program files\Protection System\protection system extension
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\autochk.dll
c:\windows\system32\camikojyf.bat
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\dddesot.dll
c:\windows\system32\drivers\kbiwkmsnruakvs.sys
c:\windows\system32\drivers\UACewfvdiuxyv.sys
c:\windows\system32\emehigav.bat
c:\windows\system32\FInstall.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\kbiwkmaeoufoew.dll
c:\windows\system32\kbiwkmcmqshixw.dll
c:\windows\system32\kbiwkmjbpjhlgr.dat
c:\windows\system32\kbiwkmlexgbrqh.dll
c:\windows\system32\kbiwkmlheaibmq.dll
c:\windows\system32\kbiwkmpdmyfxep.dat
c:\windows\system32\kbiwkmrttkbmwn.dll
c:\windows\system32\kbiwkmswwkedie.dll
c:\windows\system32\kbiwkmxgufasww.dll
c:\windows\system32\kbiwkmxnbmnepy.dll
c:\windows\system32\kbiwkmxuwbardk.dll
c:\windows\system32\lowsec
c:\windows\system32\mndisk.sys
c:\windows\system32\nuar.old
c:\windows\system32\onhelp.htm
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\skynet.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\twain_32
c:\windows\system32\UACbrxrjkwmyx.dll
c:\windows\system32\UACiloafqxhpl.dll
c:\windows\system32\UACkfjpibmuwy.dll
c:\windows\system32\UACkmodmplsbb.dll
c:\windows\system32\UACvngmtsgldn.dat
c:\windows\system32\wiawow32.sys
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\wiwow64.exe
c:\windows\system32\wscsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_IAS
-------\Legacy_kbiwkmbltprqxf
-------\Legacy_MNDISK
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_AntipPro2009_100
-------\Service_kbiwkmbltprqxf
-------\Service_mndisk
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst
2009-10-13 15:38 . 2009-10-14 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\97062428
2009-10-09 17:43 . 2009-10-09 17:43 654336 ----a-w- c:\windows\system32\plugie.dll
2009-09-14 13:30 . 2009-09-14 13:31 -------- d-----w- c:\windows\sv3999

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-25 02:19 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 16:00 . 2009-08-25 16:00 10213 ----a-w- c:\documents and settings\user\Application Data\exyl.com
2009-08-25 16:00 . 2009-08-25 16:00 19725 ----a-w- c:\documents and settings\user\Application Data\nybiqom.dat
2009-08-25 16:00 . 2009-08-25 16:00 15871 ----a-w- c:\documents and settings\All Users\Application Data\orolozu.com
2009-08-25 16:00 . 2009-08-25 16:00 19218 ----a-w- c:\program files\Common Files\acivyvove._dl
2009-08-25 16:00 . 2009-08-25 16:00 13919 ----a-w- c:\program files\Common Files\ihemotyxuc.dat
2009-08-25 15:57 . 2009-08-25 15:57 164864 ----a-w- c:\windows\system32\unz2.exe
2009-08-25 15:57 . 2009-08-25 15:57 164864 ----a-w- c:\windows\system32\unz1.exe
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-24 05:11 . 2009-08-24 05:11 19114 ----a-w- c:\documents and settings\user\Application Data\kanikurucu.sys
2009-08-23 22:27 . 2009-08-23 22:27 19382 ----a-w- c:\documents and settings\All Users\Application Data\lularipiz.bin
2009-08-23 22:27 . 2009-08-23 22:27 19353 ----a-w- c:\windows\cyxa.pif
2009-08-23 22:27 . 2009-08-23 22:27 19223 ----a-w- c:\documents and settings\user\Application Data\ixymahese.com
2009-08-23 22:27 . 2009-08-23 22:27 18265 ----a-w- c:\documents and settings\All Users\Application Data\ycefatu.exe
2009-08-23 22:27 . 2009-08-23 22:27 17765 ----a-w- c:\documents and settings\user\Local Settings\Application Data\micir.exe
2009-08-23 22:27 . 2009-08-23 22:27 13340 ----a-w- c:\documents and settings\user\Application Data\jyty.dll
2009-08-23 22:27 . 2009-08-23 22:27 11097 ----a-w- c:\documents and settings\user\Local Settings\Application Data\bicecy.exe
2009-08-23 22:27 . 2009-08-23 22:27 10698 ----a-w- c:\windows\system32\tira.sys
2009-08-23 22:27 . 2009-08-23 22:27 10135 ----a-w- c:\documents and settings\All Users\Application Data\xijerasip.pif
2009-08-23 21:38 . 2009-08-23 21:38 16229 ----a-w- c:\documents and settings\user\Local Settings\Application Data\ijuha.scr
2009-08-23 21:38 . 2009-08-23 21:38 18106 ----a-w- c:\program files\Common Files\igalywygak._dl
2009-08-23 21:38 . 2009-08-23 21:38 10129 ----a-w- c:\documents and settings\All Users\Application Data\avydoryxap.bin
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 17:32 . 2009-08-30 00:51 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"AdobeUpdater6"="c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe" [2009-03-16 2521464]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 NetLogin;Net Login;c:\windows\svchost.exe [x]
R2 WDefend;WDefend;c:\windows\svohost.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-08-04 94720]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-08-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-25 02:26]

2009-08-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-25 02:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Active Security - c:\program files\Active Security\asecurity.exe
HKLM-Run-INPROCOMMWireless - c:\program files\Atheros\Wireless\Utility\WlanUtil.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SafeBoot-mfehidk
SafeBoot-mfehidk.sys
SafeBoot-mferkdk
SafeBoot-mferkdk.sys
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-HijackThis - c:\documents and settings\user\My Documents\Downloads\HijackThis.exe
AddRemove-PC_Antispyware2010 - c:\program files\PC_Antispyware2010\Uninstall.exe
AddRemove-TPS Electronic Financial Worksheets_is1 - g:\tps financial worksheets\unins000.exe
AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 04:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1892)
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\dlbucoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\windows\system32\opeia.exe
c:\progra~1\McAfee\MSC\mcupdui.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-10-14 5:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 10:22

Pre-Run: 9,851,875,328 bytes free
Post-Run: 10,654,420,992 bytes free

385 --- E O F --- 2009-04-16 01:50

Re: Desot, Rootkit, Porntube...HELPPPPP
Hi

Open Notepad and copy/paste the text in the quotebox below into it:

http://www.geekpolice.net/virus-spyware-malware-removal-f11/desot-rootkit-porntubehelppppp-t15177.htm

DirLook::
c:\windows\sv3999
c:\documents and settings\All Users\Application Data\97062428

File::
c:\documents and settings\user\Application Data\nybiqom.dat
c:\documents and settings\user\Application Data\exyl.com
c:\documents and settings\All Users\Application Data\orolozu.com
c:\program files\Common Files\acivyvove._dl
c:\program files\Common Files\ihemotyxuc.dat
c:\windows\system32\unz2.exe
c:\windows\system32\unz1.exe
c:\documents and settings\user\Application Data\kanikurucu.sys
c:\documents and settings\All Users\Application Data\lularipiz.bin
c:\windows\cyxa.pif
c:\documents and settings\user\Application Data\ixymahese.com
c:\documents and settings\All Users\Application Data\ycefatu.exe
c:\documents and settings\user\Local Settings\Application Data\micir.exe
c:\documents and settings\user\Application Data\jyty.dll
c:\documents and settings\user\Local Settings\Application Data\bicecy.exe
c:\windows\system32\tira.sys
c:\documents and settings\All Users\Application Data\xijerasip.pif
c:\documents and settings\user\Local Settings\Application Data\ijuha.scr
c:\program files\Common Files\igalywygak._dl
c:\documents and settings\All Users\Application Data\avydoryxap.bin
c:\windows\svohost.exe
c:\windows\svchost.exe
c:\windows\system32\opeia.exe

Rootkit::
c:\windows\system32\lsm32.sys

Driver::
BtwSrv

DDS::
Trusted Zone: microsoft.com\office

Suspect::
c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
c:\windows\system32\CF17216.exe


Save this as CFScript.txt


[image: Cfscriptb4, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Re: Desot, Rootkit, Porntube...HELPPPPP
ComboFix 09-10-13.04 - user 10/14/2009 10:02.3.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\avydoryxap.bin"
"c:\documents and settings\All Users\Application Data\lularipiz.bin"
"c:\documents and settings\All Users\Application Data\orolozu.com"
"c:\documents and settings\All Users\Application Data\xijerasip.pif"
"c:\documents and settings\All Users\Application Data\ycefatu.exe"
"c:\documents and settings\user\Application Data\exyl.com"
"c:\documents and settings\user\Application Data\ixymahese.com"
"c:\documents and settings\user\Application Data\jyty.dll"
"c:\documents and settings\user\Application Data\kanikurucu.sys"
"c:\documents and settings\user\Application Data\nybiqom.dat"
"c:\documents and settings\user\Local Settings\Application Data\bicecy.exe"
"c:\documents and settings\user\Local Settings\Application Data\ijuha.scr"
"c:\documents and settings\user\Local Settings\Application Data\micir.exe"
"c:\program files\Common Files\acivyvove._dl"
"c:\program files\Common Files\igalywygak._dl"
"c:\program files\Common Files\ihemotyxuc.dat"
"c:\windows\cyxa.pif"
"c:\windows\svchost.exe"
"c:\windows\svohost.exe"
"c:\windows\system32\opeia.exe"
"c:\windows\system32\tira.sys"
"c:\windows\system32\unz1.exe"
"c:\windows\system32\unz2.exe"

file zipped: c:\windows\system32\CF17216.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avydoryxap.bin
c:\documents and settings\All Users\Application Data\lularipiz.bin
c:\documents and settings\All Users\Application Data\orolozu.com
c:\documents and settings\All Users\Application Data\xijerasip.pif
c:\documents and settings\All Users\Application Data\ycefatu.exe
c:\documents and settings\user\Application Data\exyl.com
c:\documents and settings\user\Application Data\ixymahese.com
c:\documents and settings\user\Application Data\jyty.dll
c:\documents and settings\user\Application Data\kanikurucu.sys
c:\documents and settings\user\Application Data\nybiqom.dat
c:\documents and settings\user\Local Settings\Application Data\bicecy.exe
c:\documents and settings\user\Local Settings\Application Data\ijuha.scr
c:\documents and settings\user\Local Settings\Application Data\micir.exe
c:\program files\Common Files\acivyvove._dl
c:\program files\Common Files\igalywygak._dl
c:\program files\Common Files\ihemotyxuc.dat
c:\windows\cyxa.pif
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\opeia.exe
c:\windows\system32\tira.sys
c:\windows\system32\unz1.exe
c:\windows\system32\unz2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Service_BtwSrv


((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst
2009-10-13 15:38 . 2009-10-14 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\97062428
2009-10-09 17:43 . 2009-10-09 17:43 654336 ----a-w- c:\windows\system32\plugie.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-25 02:19 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 17:32 . 2009-08-30 00:51 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\97062428 ----


---- Directory of c:\windows\sv3999 ----

2009-09-14 13:31 . 2009-10-09 11:54 57344 ----a-w- c:\windows\sv3999\isvchost.exe


((((((((((((((((((((((((((((( SnapShot@2009-10-14_09.59.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-14 15:13 . 2009-10-14 15:13 16384 c:\windows\Temp\Perflib_Perfdata_1d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 NetLogin;Net Login;c:\windows\svchost.exe [x]
R2 WDefend;WDefend;c:\windows\svohost.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-08-04 94720]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]
S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe [2008-04-14 14336]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-08-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-25 02:26]

2009-08-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-25 02:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

Re: Desot, Rootkit, Porntube...HELPPPPP
Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\windows\sv3999
    c:\windows\srchasst
    c:\documents and settings\All Users\Application Data\97062428

    File::
    c:\windows\system32\plugie.dll

    FileLook::
    svchost.exe
    svohost.exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cf010, showing CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP
ComboFix 09-10-14.01 - user 10/14/2009 17:09.4.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\plugie.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\97062428
c:\windows\Install.txt
c:\windows\sv3999
c:\windows\sv3999\isvchost.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\plugie.dll
c:\windows\TEMP\mta13187.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-14 20:29 . 2009-10-14 20:29 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_09.59.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00 . 2004-08-04 10:00 94208 c:\windows\system32\FastNetSrv.exe
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-17 15:43 . 2009-10-14 15:43 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-17 15:43 . 2009-10-14 07:31 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 10:00 . 2004-08-04 10:00 131072 c:\windows\system32\wmdtc.exe
+ 2004-08-04 10:00 . 2004-08-04 10:00 131072 c:\windows\system32\opeia.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R2 NetLogin;Net Login;c:\windows\svchost.exe [x]
R2 WDefend;WDefend;c:\windows\svohost.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-08-04 94208]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]
S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe [2008-04-14 14336]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0092171255552200MCINSTCLEANUP
*NewlyCreated* - BTWSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\dlbucoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-10-14 17:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 22:27
ComboFix2.txt 2009-10-14 15:38
ComboFix3.txt 2009-10-14 10:23

Pre-Run: 10,639,077,376 bytes free
Post-Run: 10,633,576,448 bytes free

173 --- E O F --- 2009-04-16 01:50

Re: Desot, Rootkit, Porntube...HELPPPPP

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Desot, Rootkit, Porntube...HELPPPPP
Malwarebytes' Anti-Malware 1.41
Database version: 2963
Windows 5.1.2600 Service Pack 3

10/14/2009 6:47:36 PM
mbam-log-2009-10-14 (18-47-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129366
Time elapsed: 52 minute(s), 5 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\BtwSrv.dllx (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\BtwSrv.dllx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\user\protect.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\user\Start Menu\Programs\Startup\ChkDisk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\htmlayout.dll.vir (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\Uninstall.exe.vir (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\wscui.cpl.vir (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Protection System\protection system extension.vir (ProtectionSystem) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\new.exe.vir (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\protector.exe.vir (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\start.exe.vir (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\uninstall.exe.vir (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir (Antivirus2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmswwkedie.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmaeoufoew.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmcmqshixw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmlexgbrqh.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmlheaibmq.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmrttkbmwn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxgufasww.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxnbmnepy.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxuwbardk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mndisk.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opeia.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\plugie.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiloafqxhpl.dll.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkfjpibmuwy.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkmodmplsbb.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmsnruakvs.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000002.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000003.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000004.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000006.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000009.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000318.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000348.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0000362.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0001335.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0001336.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0001337.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0001915.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0002007.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1E30FE5B-B713-4154-AC7E-8D5EDFD9D3B1}\RP1\A0002008.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dllx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\t4m0_151216525912.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Cookies\yguryby.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: Desot, Rootkit, Porntube...HELPPPPP

Unfortunately, your log shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.

Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143

Re: Desot, Rootkit, Porntube...HELPPPPP

Is it safe to use, just not for performing banking transactions on here? I JUST viewed my bank account information about 2 minutes ago.
Did you say that if I changed my passwords on another computer, then this computer would be safe to use?

Re: Desot, Rootkit, Porntube...HELPPPPP

I would like to continue to clean this system.

Re: Desot, Rootkit, Porntube...HELPPPPP

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

Re: Desot, Rootkit, Porntube...HELPPPPP

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:31 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\user\Desktop\HijackThis1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ciscosales.webex.com/client/T26LSP49EP12/webex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0092171255552200) (0092171255552200mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\009217~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)

--
End of file - 4574 bytes

Re: Desot, Rootkit, Porntube...HELPPPPP

Sorry, here is the SDFix log...

SDFix: Version 1.240
Run by user on Wed 10/14/2009 at 09:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\188065~1 - Deleted
C:\DOCUME~1\USER\COOKIES\ZOZERY~1.SYS - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 21:13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dlbucoms.exe"="C:\\WINDOWS\\system32\\dlbucoms.exe:*:Enabled:Photo AIO Printer 942 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with hidden Attributes :

Sat 29 Aug 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 29 Aug 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 10 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 14 Sep 2009 88,576 ...H. --- "C:\Documents and Settings\user\Desktop\CRIM\~WRL0440.tmp"
Tue 30 Jun 2009 59,392 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\~WRL2578.tmp"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\user\Application Data\U3\temp\Launchpad Removal.exe"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL0153.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL0326.tmp"
Thu 3 Sep 2009 172,032 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL1665.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2031.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2257.tmp"
Thu 3 Sep 2009 172,032 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2344.tmp"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2669.tmp"
Thu 3 Sep 2009 180,736 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3064.tmp"
Thu 3 Sep 2009 171,520 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3122.tmp"
Thu 3 Sep 2009 171,520 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3392.tmp"
Thu 3 Sep 2009 171,008 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3905.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3915.tmp"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3925.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3938.tmp"

Finished!

Re: Desot, Rootkit, Porntube...HELPPPPP

Please re-run ComboFix as noted above and post a log.

Re: Desot, Rootkit, Porntube...HELPPPPP

ComboFix 09-10-15.04 - user 10/15/2009 21:36.5.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_09.59.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-17 15:43 . 2009-10-14 15:43 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-17 15:43 . 2009-10-14 07:31 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-15 02:05 . 2009-10-15 02:05 233472 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-10-15 02:05 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-10-15 02:05 . 2009-10-15 02:05 233472 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-10-15 02:05 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-10-15 02:05 . 2009-10-15 02:05 3850240 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-10-15 02:05 . 2009-10-15 02:05 3850240 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R2 WDefend;WDefend;c:\windows\svohost.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-16 21:49
ComboFix-quarantined-files.txt 2009-10-16 02:48
ComboFix2.txt 2009-10-14 22:27
ComboFix3.txt 2009-10-14 15:38
ComboFix4.txt 2009-10-14 10:23

Pre-Run: 10,428,555,264 bytes free
Post-Run: 10,465,759,232 bytes free

146 --- E O F --- 2009-04-16 01:50

Re: Desot, Rootkit, Porntube...HELPPPPP

Run the Malicious Software Removal tool

The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove malware.

Note: The MSRT does not prevent reinfection because it is not a real-time antivirus program.

You can download the MSRT from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Then, please run the tool.

NEXT

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3

10/16/2009 9:33:56 AM
mbam-log-2009-10-16 (09-33-56).txt

Scan type: Quick Scan
Objects scanned: 98812
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Desot, Rootkit, Porntube...HELPPPPP

One more scan for malware to make sure...

Please run Trend Micro Housecall online scan.

  • Click Scan now.
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Re: Desot, Rootkit, Porntube...HELPPPPP
It found 2 Trojans. 1 was ignored and the other was fixed.
What should I do now?

Re: Desot, Rootkit, Porntube...HELPPPPP
Sorry clicked Beta; I am performing the correct scan now!

Re: Desot, Rootkit, Porntube...HELPPPPP
Post when ready.

Re: Desot, Rootkit, Porntube...HELPPPPP
I am getting an error; it says that it is happening while transferring from the internet. Also, it says that Java 1.4 or higher is not installed, but it is.

Re: Desot, Rootkit, Porntube...HELPPPPP
OK. No big deal.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP
Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3

10/19/2009 8:21:16 PM
mbam-log-2009-10-19 (20-21-16).txt

Scan type: Quick Scan
Objects scanned: 122772
Time elapsed: 17 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Desot, Rootkit, Porntube...HELPPPPP
Please download CKScanner by askey127 from here

Save it to your desktop.

  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


NEXT

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Please post the Security Check and CKScanner logs in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----


Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 16
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: Desot, Rootkit, Porntube...HELPPPPP
Hopefully this will be the last scan.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP
Malwarebytes' Anti-Malware 1.41
Database version: 2996
Windows 5.1.2600 Service Pack 3

10/20/2009 2:18:23 AM
mbam-log-2009-10-20 (02-18-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139729
Time elapsed: 53 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Desot, Rootkit, Porntube...HELPPPPP
Please re-run ComboFix and post a new log.

Re: Desot, Rootkit, Porntube...HELPPPPP
ComboFix 09-10-20.03 - user 10/21/2009 12:29.7.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 12:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 12:41
ComboFix-quarantined-files.txt 2009-10-21 17:41
ComboFix2.txt 2009-10-20 18:23
ComboFix3.txt 2009-10-16 02:49
ComboFix4.txt 2009-10-14 22:27
ComboFix5.txt 2009-10-21 17:26

Pre-Run: 9,579,098,112 bytes free
Post-Run: 9,565,155,328 bytes free

- - End Of File - - 33F99F809658DFC868438A06A47899B4

Re: Desot, Rootkit, Porntube...HELPPPPP
Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "BtwSrv"=-

    Netsvc::
    BtwSrv
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Desot, Rootkit, Porntube...HELPPPPP Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
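The CFScript above removes "BtwSrv" from the Svchost netsvcs group. The earlier ComboFix log lists BtwSrv under "Svchost - NetSvcs" but shows no BtwSrv service anywhere in the service list, which is the pattern to look for: svchost loads whatever DLL the named service's Parameters\ServiceDll value points at, so a stray name in the group plus a service key is all malware needs to run inside a trusted host process. The following PowerShell is an added example, not code from the thread or from ComboFix; the function name is mine, and it assumes Windows with PowerShell 2.0 or later, run from an elevated prompt so every service key is readable.

```powershell
# Added example (not part of the original thread): audit the svchost service groups
# under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (one REG_MULTI_SZ
# per group) for member names with no backing service key, or whose ServiceDll
# does not live under %SystemRoot%. The function name is an assumption of this
# example. Run elevated; PowerShell 2.0 or later.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostGroupFindings {
    param([string[]]$Groups = @('netsvcs'))   # netsvcs is the group most often abused

    $systemRoot = $env:SystemRoot.ToLower()
    $svchost    = Get-ItemProperty -Path $SvchostKey

    foreach ($group in $Groups) {
        $members = $svchost.$group
        if (-not $members) { continue }

        foreach ($name in $members) {
            $svcPath = Join-Path $ServicesKey $name
            $finding = New-Object PSObject -Property @{
                Group = $group; Service = $name; Status = 'OK'; ServiceDll = $null
            }

            if (-not (Test-Path $svcPath)) {
                # Name is in the group but no service key exists. Several stock XP
                # names (6to4, Ias, Iprip, ...) are like this by default, which is
                # exactly why malware reuses them: creating the service is all it
                # takes to get loaded. A name that is not in the stock list, such as
                # BtwSrv in the log above, deserves a closer look.
                $finding.Status = 'NO_SERVICE_KEY'
            }
            else {
                $paramPath = Join-Path $svcPath 'Parameters'
                if (Test-Path $paramPath) {
                    $finding.ServiceDll = (Get-ItemProperty -Path $paramPath).ServiceDll
                }
                if (-not $finding.ServiceDll) {
                    $finding.Status = 'NO_SERVICEDLL'
                }
                else {
                    $dll = [Environment]::ExpandEnvironmentVariables($finding.ServiceDll).ToLower()
                    if (-not $dll.StartsWith($systemRoot)) { $finding.Status = 'DLL_OUTSIDE_SYSTEMROOT' }
                    elseif (-not (Test-Path $dll))         { $finding.Status = 'DLL_MISSING' }
                }
            }
            $finding
        }
    }
}

# Show only the entries that need attention
Get-SvchostGroupFindings |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Group, Service, Status, ServiceDll -AutoSize
```

A NO_SERVICE_KEY result on its own is not proof of infection, since a default XP netsvcs list already contains names without a service; compare the flagged names against a clean machine of the same build. DLL_OUTSIDE_SYSTEMROOT and DLL_MISSING are the results worth acting on first, and in either case the fix is the same shape as the CFScript above: remove the name from the group and delete the service key, rather than only deleting the DLL.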

Re: Desot, Rootkit, Porntube...HELPPPPP
ComboFix 09-10-20.03 - user 10/21/2009 18:09.8.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript..txt
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]

.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 18:22
ComboFix-quarantined-files.txt 2009-10-21 23:21
ComboFix2.txt 2009-10-21 17:41
ComboFix3.txt 2009-10-20 18:23
ComboFix4.txt 2009-10-16 02:49
ComboFix5.txt 2009-10-21 23:06

Pre-Run: 9,590,427,648 bytes free
Post-Run: 9,557,635,072 bytes free

- - End Of File - - 9D4DFEA755E0B1369E62BEE540F99B4C

Re: Desot, Rootkit, Porntube...HELPPPPP
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

  • Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • AVG Free: this is one of the most powerful and easiest-to-use security programs. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.


Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • The hpHosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?
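The HOSTS mechanism described in the recommendations above works because Windows consults the HOSTS file before asking DNS, so a line that maps a bad host name to 127.0.0.1 makes every connection to that name land on the machine itself. The PowerShell below is an added example, not code from the thread or from the hpHosts project: it merges a HOSTS-style blocklist into the system file the way that paragraph describes, keeping a dated backup, skipping names the file already contains, and normalising every entry to the loopback address. The function names and the sample blocklist text are constructed for this example; it assumes PowerShell 2.0 or later, and writing to the real file needs an elevated prompt.

```powershell
# Added example (not part of the original thread): merge a HOSTS-style blocklist
# into the Windows HOSTS file, with a backup and duplicate suppression.
# Function names and the sample blocklist are assumptions of this example.

# Constructed sample of the blocklist format (address, then one or more host names,
# optional "#" comments). Real lists such as hpHosts follow the same layout.
$SampleBlocklist = @"
# sample blocklist (constructed for this example)
127.0.0.1  ads.example-bad.test
127.0.0.1  tracker.example-bad.test   # trailing comment
0.0.0.0    malware.example-bad.test
"@

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $clean = ($line -split '#')[0].Trim()          # drop comments and blank lines
        if ($clean -eq '') { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }           # malformed line, ignore it
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            New-Object PSObject -Property @{ Address = $parts[0]; Host = $name.ToLower() }
        }
    }
}

function Merge-HostsBlocklist {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [Parameter(Mandatory = $true)][string]$BlocklistText
    )
    $existing = Get-Content $HostsPath

    # Names already in the file (localhost, anything the user added) are left alone,
    # so a blocklist can never override a local override.
    $known = @{}
    foreach ($e in (Get-HostsEntries $existing)) { $known[$e.Host] = $true }

    $added = @()
    foreach ($e in (Get-HostsEntries ($BlocklistText -split "`r?`n"))) {
        if ($known.ContainsKey($e.Host)) { continue }
        $known[$e.Host] = $true
        $added += "127.0.0.1`t$($e.Host)"             # normalise to loopback, as the text above describes
    }

    if ($added.Count -gt 0) {
        Copy-Item $HostsPath "$HostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        Add-Content -Path $HostsPath -Value (@('', '# --- blocklist merged by Merge-HostsBlocklist ---') + $added)
    }
    return $added.Count
}

# Dry run against a scratch copy, so nothing system-wide changes until you point the
# function at the real file from an elevated prompt.
$scratch = Join-Path $env:TEMP 'hosts-merge-test'
Set-Content -Path $scratch -Value "127.0.0.1`tlocalhost"
$count = Merge-HostsBlocklist -HostsPath $scratch -BlocklistText $SampleBlocklist
"$count entries added; resulting file:"
Get-Content $scratch
# After changing the real HOSTS file, run: ipconfig /flushdns
```

Two caveats a practitioner would want. First, malware that wants to keep its own HOSTS entries (or to block security sites) edits the same file, so after a cleanup it is worth opening the file and checking that nothing maps antivirus vendors' names to 127.0.0.1 before merging a blocklist on top. Second, a very large HOSTS file can make name lookups sluggish on XP, because the DNS Client service loads the whole file into its cache; if that happens, hpHosts' own instructions cover stopping that service.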

Re: Desot, Rootkit, Porntube...HELPPPPP

Is it safe for me to install Microsoft 07 now? It says that I don't have Microsoft on here; the Start menu shows that Microsoft is empty.
Also I can download McAfee free from Comcast, should I do that as well?

Re: Desot, Rootkit, Porntube...HELPPPPP

Would that be Microsoft Office 2007? Or Microsoft Security Essentials (MSE)?

If you would rather use McAfee, go ahead. I recommend AVG or MSE!

Re: Desot, Rootkit, Porntube...HELPPPPP

That would be Microsoft Office 2007 and I will download AVG now!

Re: Desot, Rootkit, Porntube...HELPPPPP

I downloaded AVG and TallEMU Online Armor. I was a bit confused as to what I was to do once I opened the hpHosts file.

I can't say it enough how much I appreciate your help. Because of your kindness I have been able to stay in school, and send out resumes. I NOW have a job, and I promise that I am going to make a sizable contribution to your site once I receive a paycheck.
I am most grateful to you and those that serve with you! Your assistance and patience will never be forgotten or unappreciated!

THANK YOU!!! I will await your instructions pertaining to Window 07 and should I add the free McAfee from Comcast atop the AVG, Tallemu, that I downloaded.

Re: Desot, Rootkit, Porntube...HELPPPPP

Microsoft Security Center is saying that I have a firewall and automatic updates on, but is not detecting an antivirus. I downloaded the free AVG. Did I do something wrong?

Re: Desot, Rootkit, Porntube...HELPPPPP

Click on the Security Center, and click Recommendations under Antivirus. Then click You have an Antivirus you will monitor yourself.