Ok, so...
I finally was able to run RKill (my web browser was purposely not letting me access a download) and there was nothing found. I was still unable to delete 'rikoofph'. I also tried to run ComboFix again - after updating itself the first time, I received an error message saying it had been compromised and I needed to download it again. I did so, re-ran it and got another, different message, and whilst trying to scan a third time to copy down the error message it finally worked (which I kind of find worrying, tbh, if I kept getting such error messages...). My browser is still being hijacked though...
Here's my ComboFix log:
ComboFix 11-04-21.02 - user 21/04/2011 23:50:36.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2705 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-20 15:30 . 2011-04-20 15:30 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-20 15:30 . 2011-04-20 15:30 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-20 15:30 . 2011-04-20 15:30 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-20 15:30 . 2011-04-20 15:30 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-20 15:30 . 2011-04-20 15:30 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-20 14:01 . 2011-04-21 22:28 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{9100749F-A31F-45BA-8670-14EB46DBDE69}
2011-04-20 13:59 . 2011-04-20 13:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2011-04-20 13:48 . 2011-04-20 13:48 -------- d-----w- c:\program files\Lavasoft
2011-04-20 13:47 . 2011-04-20 13:47 -------- d-----w- C:\dfc03690a81b4c87b0a421b7001c2f5e
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\GIMP-2.0
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Safari
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\AdventureSoft
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- C:\AeriaGames
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Veoh Networks
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 13:20 . 2011-04-20 13:20 -------- d-----w- c:\documents and settings\user\IETldCache
2011-04-20 13:12 . 2011-04-20 13:27 -------- dc----w- c:\windows\ie8
2011-04-20 12:46 . 2011-04-20 13:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}(2)
2011-04-12 21:44 . 2011-04-17 01:15 -------- d-----w- C:\MGTools
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\program files\IObit
2011-04-12 19:52 . 2011-04-20 15:30 -------- d-----w- c:\program files\rikoofph
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-12 19:43 . 2011-04-20 13:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 19:28 . 2011-04-12 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-12 19:28 . 2011-04-12 19:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-12 19:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 12:18 . 2011-04-05 12:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-05 12:18 . 2005-10-14 21:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2011-04-05 12:18 . 2005-10-14 21:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll
2011-04-05 12:07 . 2008-04-13 16:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-05 12:07 . 2008-04-13 16:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-02 23:46 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\Administrator
2011-04-02 23:40 . 2011-04-02 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-01 20:59 . 2011-04-01 20:59 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-01 17:13 . 2011-04-01 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-01 15:50 . 2011-04-12 09:30 0 ----a-w- c:\windows\Fbimoyowoh.bin
2011-03-31 10:15 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
2011-03-31 10:15 . 2011-03-31 10:15 -------- d-----w- c:\documents and settings\user\.thumbnails
2011-03-31 10:11 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\.gimp-2.6
2011-03-31 09:04 . 2011-04-20 23:13 -------- d-----w- c:\documents and settings\user\Application Data\mIRC
2011-03-31 09:04 . 2011-04-20 19:01 -------- d-----w- c:\program files\mIRC
2011-03-30 19:40 . 2011-04-20 13:29 -------- d-----w- c:\program files\Pixia
2011-03-30 19:09 . 2011-03-30 19:40 -------- d-----w- c:\program files\Photobie
2011-03-29 20:12 . 2011-03-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2011-03-29 20:12 . 2011-04-20 14:42 -------- d-----w- c:\program files\PowerArchiver
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\program files\iTunes
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 23:25 . 2011-03-13 23:25 256 ----a-w- c:\documents and settings\user\pool.bin
2011-02-18 15:36 . 2009-11-04 18:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2009-11-04 18:53 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-04-20 15:30 . 2011-04-20 14:07 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_15.28.49 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1831407]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598430]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 254439]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 03:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-04 18:25 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 01:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 01:30 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 01:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 598430 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-05 17:35 17879552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"nlsX86cc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/11/2009 19:01 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [01/04/2011 08:22 1181328]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/04/2011 21:18 312152]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [20/10/2010 18:41 67904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 00:01]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\t48c9v8k.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-21 23:54
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-04-21 23:55:42
ComboFix-quarantined-files.txt 2011-04-21 22:55
ComboFix2.txt 2011-04-20 15:29
ComboFix3.txt 2011-04-17 01:29
ComboFix4.txt 2011-04-12 22:01
.
Pre-Run: 562,354,872,320 bytes free
Post-Run: 562,345,807,872 bytes free
.
- - End Of File - - 2FE09F7D6CBDA0AD7FD280602B265FBB
Thanks for all your help.
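The log above carries the indicators a helper would normally cross-reference by hand: catchme reports a user-mode hook on ntdll's ZwQueryDirectoryFile (the API used to list directories, which is how a file can be hidden from Explorer and from scanners that use the normal file APIs), two hidden files in the user's Startup folder, a hidden executable whose size (173419 bytes) is identical to c:\windows\Explorermgr.exe, a disabled-but-registered msconfig startup entry that loads a DLL straight out of the Windows root, and a Firefox user.js that switches off the mixed-content and insecure-submit warnings. The script below is an added example, not part of the post or of ComboFix; it parses those sections of the log and correlates them into findings. The sample input is an excerpt of the lines from the posted log (the selection is mine), and the "file in the Windows root" check is a review heuristic of my own that also flags legitimate files such as RTHDCPL.EXE in this same log, so treat its output as a to-review list, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix log in the post above.
SAMPLE_LOG = r"""
2011-04-20 14:01 . 2011-04-21 22:28 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-12 19:52 . 2011-04-20 15:30 -------- d-----w- c:\program files\rikoofph
2011-04-01 15:50 . 2011-04-12 09:30 0 ----a-w- c:\windows\Fbimoyowoh.bin
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden files ...
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
hidden files: 2
"""

# "Files Created" rows: created . modified size attrs path (size is dashes for directories)
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+|-+) ([-a-z]{8}) (.+)$")
HIDDEN_RE = re.compile(r"^(.+?) (\d+) bytes( executable)?$")
FF_PREF_RE = re.compile(r"^FF - user\.js: (\S+) - (\S+)$")
STARTUPREG_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\startupreg\\(.+)\]$", re.I)
# value line under a startupreg key: optional "date time size attrs " prefix, path, optional " [BU]"
STARTUP_PATH_RE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d \d+ [-a-z]{8} )?(.+?)(?: \[BU\])?$")
# Firefox prefs that silence security prompts when set to false (assumption: this short list)
SUPPRESSED_WARNING_PREFS = ("security.warn_viewing_mixed", "security.warn_submit_insecure")


def parse_created_files(log):
    """'Files Created' entries as dicts; size is None for directories."""
    out = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            size, attrs, path = m.groups()
            out.append({"path": path, "size": None if size.startswith("-") else int(size), "attrs": attrs})
    return out


def parse_hidden_files(log):
    """catchme's hidden-file list: (path, size, is_executable)."""
    found, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if line.startswith("hidden files:"):
            break
        if in_section:
            m = HIDDEN_RE.match(line)
            if m:
                found.append((m.group(1), int(m.group(2)), m.group(3) is not None))
    return found


def parse_ntdll_hooks(log):
    """Function names listed under 'detected NTDLL code modification:'."""
    hooks, grab = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("detected NTDLL code modification"):
            grab = True
            continue
        if grab:
            if re.fullmatch(r"[A-Za-z_]\w*", line):
                hooks.append(line)
            else:
                grab = False  # first non-identifier line ends the list
    return hooks


def parse_startupreg(log):
    """msconfig 'startupreg' entries (registered autostarts, possibly disabled): (name, path)."""
    entries, pending = [], None
    for line in log.splitlines():
        line = line.strip()
        m = STARTUPREG_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        if pending and line and line != ".":
            entries.append((pending, STARTUP_PATH_RE.match(line).group(1)))
            pending = None
    return entries


def parse_firefox_prefs(log):
    """user.js overrides reported in the supplementary scan, as {pref: value}."""
    return dict(m.groups() for m in map(FF_PREF_RE.match, map(str.strip, log.splitlines())) if m)


def triage(log):
    """Cross-reference the parsed sections and return human-readable findings."""
    findings = []
    by_size = defaultdict(set)
    for f in parse_created_files(log):
        if f["size"]:  # skip directories and zero-byte files: no meaningful size match
            by_size[f["size"]].add(f["path"])
    for path, size, is_exe in parse_hidden_files(log):
        if is_exe:
            findings.append(f"hidden executable in autostart location: {path}")
            for twin in sorted(by_size.get(size, ()) - {path}):
                findings.append(f"size match ({size} bytes) suggests the same binary as {twin}")
    for func in parse_ntdll_hooks(log):
        findings.append(f"user-mode hook on ntdll!{func} (directory listings may be filtered)")
    for name, path in parse_startupreg(log):
        if re.fullmatch(r"c:\\windows\\[^\\]+", path, re.I):  # heuristic: loads from Windows root
            findings.append(f"startup entry {name!r} loads {path} from the Windows root")
    prefs = parse_firefox_prefs(log)
    for pref in SUPPRESSED_WARNING_PREFS:
        if prefs.get(pref) == "false":
            findings.append(f"Firefox user.js disables {pref}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; the size-match step is the useful part, since a dropper that writes the same binary under two random names (here in c:\windows and in the Startup folder) gives itself away by byte count even when the names tell you nothing.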