WiredWX Christian Hobby Weather Tools

Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather Tools Log in

Desot, Rootkit, Porntube...HELPPPPP

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Re: Desot, Rootkit, Porntube...HELPPPPP19th October 2009, 11:10 pm

ok. No big deal..

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 1:37 am

Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3

10/19/2009 8:21:16 PM
mbam-log-2009-10-19 (20-21-16).txt

Scan type: Quick Scan
Objects scanned: 122772
Time elapsed: 17 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 1:46 am

Please download CKScanner by askey127 from here

Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

NEXT

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post the Security Check and CKScanner logs in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 3:16 am

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 16
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 5:19 am

Hopefully this will be the last scan.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 7:25 am

Malwarebytes' Anti-Malware 1.41
Database version: 2996
Windows 5.1.2600 Service Pack 3

10/20/2009 2:18:23 AM
mbam-log-2009-10-20 (02-18-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139729
Time elapsed: 53 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Desot, Rootkit, Porntube...HELPPPPP20th October 2009, 2:43 pm

Please re-run ComboFix and post a new log.

Re: Desot, Rootkit, Porntube...HELPPPPP21st October 2009, 5:43 pm

ComboFix 09-10-20.03 - user 10/21/2009 12:29.7.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 12:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 12:41
ComboFix-quarantined-files.txt 2009-10-21 17:41
ComboFix2.txt 2009-10-20 18:23
ComboFix3.txt 2009-10-16 02:49
ComboFix4.txt 2009-10-14 22:27
ComboFix5.txt 2009-10-21 17:26

Pre-Run: 9,579,098,112 bytes free
Post-Run: 9,565,155,328 bytes free

- - End Of File - - 33F99F809658DFC868438A06A47899B4

Re: Desot, Rootkit, Porntube...HELPPPPP21st October 2009, 9:50 pm

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"BtwSrv"=-

Netsvc::
BtwSrv
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Re: Desot, Rootkit, Porntube...HELPPPPP21st October 2009, 11:30 pm

ComboFix 09-10-20.03 - user 10/21/2009 18:09.8.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript..txt
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]

.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 18:22
ComboFix-quarantined-files.txt 2009-10-21 23:21
ComboFix2.txt 2009-10-21 17:41
ComboFix3.txt 2009-10-20 18:23
ComboFix4.txt 2009-10-16 02:49
ComboFix5.txt 2009-10-21 23:06

Pre-Run: 9,590,427,648 bytes free
Post-Run: 9,557,635,072 bytes free

- - End Of File - - 9D4DFEA755E0B1369E62BEE540F99B4C

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 12:17 am

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 12:45 am

Is it safe for me to install Microsoft 07 now? It says that I don't have Microsoft on here; from the start menu shows that Microsoft is empty.
Also I can download McAfee free from Comcast, should I do that as well?

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 12:59 am

Would that be Microsoft Office 2007? Or Microsoft Security Essentials (MSE)?

If you would like to use McAfee, rather, go ahead. I recommend AVG or MSE!

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 1:37 am

That would be Microsoft Office 2007 and I will download AVG now!

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 3:19 am

I downloaded AVG and TallEMU Online Armor. I was a bit confused as to what I was to do once I opened the HPhost file.

I can't say it enough how much I appreciate your help. Because of your kindness I have been able to stay in school, and send out resumes. I NOW have a job, and I promise that I am going to make a sizable contribution to your site once I receive a paycheck.
I am most grateful to you and those that serve with you! Your assistance and patience will never be forgotten or unappreciated!

THANK YOU!!! I will await your instructions pertaining to Window 07 and should I add the free McAfee from Comcast atop the AVG, Tallemu, that I downloaded.

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 4:36 am

Microsoft Security Center is saying that I have a firewall and automatic updates on, but is not detecting an antivirus. I download the free AVG. Did I do something wrong?

Re: Desot, Rootkit, Porntube...HELPPPPP22nd October 2009, 4:46 am

Click on the Security Center, and click Recommendations under Antivirus. Then click You have an Antivirus you will monitor yourself.

desot.exe
desot.exe
desot.exe
Desot.exe?
desot.exe problems HELP!

Permissions in this forum:

You cannot reply to topics in this forum