Hidden Virus hijacking browser and other issues.

Ok, so...

I finally was able to run rKill (my web browser was purposely not letting me access a download) and there was nothing found. I was still unable to delete 'rikoofph'. I also tried to run ComboFix again - after updating itself the first time, I received an error message saying it had been compromised and I needed to download it again. I did so, re-ran it and got another, different message, and whilst trying to scan a third time to copy down the error message it finally worked (which I kind of find worrying tbh, if I kept getting such error messages...). My browser is still being hijacked though...

Here's my ComboFix log:



ComboFix 11-04-21.02 - user 21/04/2011 23:50:36.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2705 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-20 15:30 . 2011-04-20 15:30 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-20 15:30 . 2011-04-20 15:30 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-20 15:30 . 2011-04-20 15:30 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-20 15:30 . 2011-04-20 15:30 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-20 15:30 . 2011-04-20 15:30 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-20 14:01 . 2011-04-21 22:28 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{9100749F-A31F-45BA-8670-14EB46DBDE69}
2011-04-20 13:59 . 2011-04-20 13:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2011-04-20 13:48 . 2011-04-20 13:48 -------- d-----w- c:\program files\Lavasoft
2011-04-20 13:47 . 2011-04-20 13:47 -------- d-----w- C:\dfc03690a81b4c87b0a421b7001c2f5e
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\GIMP-2.0
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Safari
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\AdventureSoft
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- C:\AeriaGames
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Veoh Networks
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 13:20 . 2011-04-20 13:20 -------- d-----w- c:\documents and settings\user\IETldCache
2011-04-20 13:12 . 2011-04-20 13:27 -------- dc----w- c:\windows\ie8
2011-04-20 12:46 . 2011-04-20 13:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}(2)
2011-04-12 21:44 . 2011-04-17 01:15 -------- d-----w- C:\MGTools
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\program files\IObit
2011-04-12 19:52 . 2011-04-20 15:30 -------- d-----w- c:\program files\rikoofph
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-12 19:43 . 2011-04-20 13:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 19:28 . 2011-04-12 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-12 19:28 . 2011-04-12 19:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-12 19:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 12:18 . 2011-04-05 12:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-05 12:18 . 2005-10-14 21:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2011-04-05 12:18 . 2005-10-14 21:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll
2011-04-05 12:07 . 2008-04-13 16:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-05 12:07 . 2008-04-13 16:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-02 23:46 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\Administrator
2011-04-02 23:40 . 2011-04-02 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-01 20:59 . 2011-04-01 20:59 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-01 17:13 . 2011-04-01 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-01 15:50 . 2011-04-12 09:30 0 ----a-w- c:\windows\Fbimoyowoh.bin
2011-03-31 10:15 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
2011-03-31 10:15 . 2011-03-31 10:15 -------- d-----w- c:\documents and settings\user\.thumbnails
2011-03-31 10:11 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\.gimp-2.6
2011-03-31 09:04 . 2011-04-20 23:13 -------- d-----w- c:\documents and settings\user\Application Data\mIRC
2011-03-31 09:04 . 2011-04-20 19:01 -------- d-----w- c:\program files\mIRC
2011-03-30 19:40 . 2011-04-20 13:29 -------- d-----w- c:\program files\Pixia
2011-03-30 19:09 . 2011-03-30 19:40 -------- d-----w- c:\program files\Photobie
2011-03-29 20:12 . 2011-03-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2011-03-29 20:12 . 2011-04-20 14:42 -------- d-----w- c:\program files\PowerArchiver
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\program files\iTunes
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 23:25 . 2011-03-13 23:25 256 ----a-w- c:\documents and settings\user\pool.bin
2011-02-18 15:36 . 2009-11-04 18:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2009-11-04 18:53 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-04-20 15:30 . 2011-04-20 14:07 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_15.28.49 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1831407]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598430]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 254439]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 03:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-04 18:25 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 01:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 01:30 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 01:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 598430 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-05 17:35 17879552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"nlsX86cc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/11/2009 19:01 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [01/04/2011 08:22 1181328]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/04/2011 21:18 312152]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [20/10/2010 18:41 67904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 00:01]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\t48c9v8k.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-21 23:54
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-04-21 23:55:42
ComboFix-quarantined-files.txt 2011-04-21 22:55
ComboFix2.txt 2011-04-20 15:29
ComboFix3.txt 2011-04-17 01:29
ComboFix4.txt 2011-04-12 22:01
.
Pre-Run: 562,354,872,320 bytes free
Post-Run: 562,345,807,872 bytes free
.
- - End Of File - - 2FE09F7D6CBDA0AD7FD280602B265FBB


thanks for all your help :)
 
Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe
c:\windows\Fbimoyowoh.bin
c:\program files\mozilla firefox\components\browsercomps.dll
c:\documents and settings\user\pool.bin

Folder::
c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
c:\program files\rikoofph
Save this file to your desktop; save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Try this and let me see the updated log and how things are after this.
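An added example, not posted by anyone in this thread and not part of ComboFix: a small Python triage script that applies the same three checks a helper makes when reading logs like the ones above (several differently named executables sharing one byte size, the Winlogon Userinit value carrying more than userinit.exe, and executables the catchme pass had to unhide in a Startup folder). The sample lines are copied in shape from this thread's logs; the regexes, the expected Userinit path and the output layout are assumptions of this example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
import re
from collections import defaultdict
from pprint import pprint

# Constructed sample: a handful of lines copied in shape from the two ComboFix
# logs in this thread (file-listing lines, the Userinit value, catchme output).
SAMPLE_LOG = r"""
2011-04-20 14:01 . 2011-04-21 22:28 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-23 11:11 . 2011-04-23 11:11 173419 ----a-w- c:\windows\system32\rundll32mgr.exe
2011-04-20 15:30 . 2011-04-20 15:30 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:52 . 2011-04-23 11:11 -------- d-----w- c:\program files\rikoofph
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\rikoofph\apndaole.exe"
.
scanning hidden files ...
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
.
scan completed successfully
hidden files: 2
"""

# "created . modified size attrs path" lines from the Files Created / Find3M sections
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+) \S+ (.+)$")
# catchme "hidden files" lines: "<path> <size> bytes[ executable]"
HIDDEN_LINE = re.compile(r"^(\S.+?) (\d+) bytes( executable)?$")
USERINIT_LINE = re.compile(r'^"Userinit"="(.*)"$', re.IGNORECASE)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumption: on a clean XP box Userinit holds exactly this one entry.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse(log_text):
    """Return (sizes, hidden, userinit): sizes maps byte size -> set of executable
    paths (lower-cased); hidden lists executables catchme reported as hidden;
    userinit is the list of non-empty comma-separated entries of the Userinit value."""
    sizes = defaultdict(set)
    hidden = []
    userinit = []
    in_hidden = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        m = FILE_LINE.match(line)
        if m and m.group(2).lower().endswith(EXEC_EXT):
            sizes[int(m.group(1))].add(m.group(2).lower())
            continue
        m = USERINIT_LINE.match(line)
        if m:
            userinit = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
            continue
        m = HIDDEN_LINE.match(line)
        if in_hidden and m and m.group(1).lower().endswith(EXEC_EXT):
            path = m.group(1).lower()
            sizes[int(m.group(2))].add(path)  # hidden files join the size clustering
            if m.group(3):
                hidden.append(path)
    return sizes, hidden, userinit


def triage(log_text):
    """Apply the three checks and return the findings as a dict."""
    sizes, hidden, userinit = parse(log_text)
    # 1. one byte size shared by differently named executables in different
    #    directories is the fingerprint of a single dropped binary copied around
    #    under random names (173419 bytes in this thread's logs)
    clusters = {size: sorted(paths) for size, paths in sizes.items() if len(paths) > 1}
    # 2. anything appended to Userinit runs at every logon, before the shell
    extra = [p for p in userinit if p != EXPECTED_USERINIT]
    # 3. executables the rootkit scanner had to unhide, especially in Startup
    startup_hidden = [p for p in hidden if "\\startup\\" in p]
    return {"size_clusters": clusters, "userinit_extra": extra,
            "hidden_executables": hidden, "hidden_in_startup": startup_hidden}


if __name__ == "__main__":
    pprint(triage(SAMPLE_LOG))
```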
 
Ok, here is my new ComboFix log - I think it said it failed to delete 'rikoofph', and 'apndaole.exe' is still there, even though I manually deleted it...

thanks for the continuing help :)


ComboFix 11-04-21.02 - user 23/04/2011 12:05:59.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2721 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\user\pool.bin"
"c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe"
"c:\program files\mozilla firefox\components\browsercomps.dll"
"c:\windows\Fbimoyowoh.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxAPI.dll
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxInstallLog.txt
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\GEARAspiWDM.inf
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\gearaspiwdmx86.cat
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspi.dll
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspiWDM.sys
c:\documents and settings\user\pool.bin
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe
c:\program files\mozilla firefox\components\browsercomps.dll
c:\windows\Fbimoyowoh.bin
c:\program files\rikoofph . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-23 11:11 . 2011-04-23 11:11 173419 ----a-w- c:\windows\system32\rundll32mgr.exe
2011-04-20 15:30 . 2011-04-20 15:30 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-20 15:30 . 2011-04-20 15:30 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-20 15:30 . 2011-04-20 15:30 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-20 15:30 . 2011-04-20 15:30 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-20 15:30 . 2011-04-20 15:30 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-20 14:01 . 2011-04-22 14:06 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{9100749F-A31F-45BA-8670-14EB46DBDE69}
2011-04-20 13:59 . 2011-04-20 13:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2011-04-20 13:48 . 2011-04-20 13:48 -------- d-----w- c:\program files\Lavasoft
2011-04-20 13:47 . 2011-04-20 13:47 -------- d-----w- C:\dfc03690a81b4c87b0a421b7001c2f5e
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\GIMP-2.0
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Safari
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\AdventureSoft
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- C:\AeriaGames
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Veoh Networks
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 13:20 . 2011-04-20 13:20 -------- d-----w- c:\documents and settings\user\IETldCache
2011-04-20 13:12 . 2011-04-20 13:27 -------- dc----w- c:\windows\ie8
2011-04-20 12:46 . 2011-04-20 13:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}(2)
2011-04-12 21:44 . 2011-04-17 01:15 -------- d-----w- C:\MGTools
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\program files\IObit
2011-04-12 19:52 . 2011-04-23 11:11 -------- d-----w- c:\program files\rikoofph
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-12 19:43 . 2011-04-20 13:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 19:28 . 2011-04-12 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-12 19:28 . 2011-04-12 19:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-12 19:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 12:18 . 2011-04-05 12:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-05 12:18 . 2005-10-14 21:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2011-04-05 12:18 . 2005-10-14 21:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll
2011-04-05 12:07 . 2008-04-13 16:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-05 12:07 . 2008-04-13 16:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-02 23:46 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\Administrator
2011-04-02 23:40 . 2011-04-02 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-01 20:59 . 2011-04-01 20:59 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-01 17:13 . 2011-04-01 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-31 10:15 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
2011-03-31 10:15 . 2011-03-31 10:15 -------- d-----w- c:\documents and settings\user\.thumbnails
2011-03-31 10:11 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\.gimp-2.6
2011-03-31 09:04 . 2011-04-20 23:13 -------- d-----w- c:\documents and settings\user\Application Data\mIRC
2011-03-31 09:04 . 2011-04-20 19:01 -------- d-----w- c:\program files\mIRC
2011-03-30 19:40 . 2011-04-20 13:29 -------- d-----w- c:\program files\Pixia
2011-03-30 19:09 . 2011-03-30 19:40 -------- d-----w- c:\program files\Photobie
2011-03-29 20:12 . 2011-03-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2011-03-29 20:12 . 2011-04-20 14:42 -------- d-----w- c:\program files\PowerArchiver
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 15:36 . 2009-11-04 18:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2009-11-04 18:53 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_15.28.49 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1831407]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598430]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 254439]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\rikoofph\apndaole.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 03:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-04 18:25 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 01:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 01:30 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 01:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 598430 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-05 17:35 17879552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"nlsX86cc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/11/2009 19:01 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [01/04/2011 08:22 1181328]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/04/2011 21:18 312152]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [20/10/2010 18:41 67904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 00:01]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\t48c9v8k.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-23 12:11
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-23 12:13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-23 11:13
ComboFix2.txt 2011-04-21 22:55
ComboFix3.txt 2011-04-20 15:29
ComboFix4.txt 2011-04-17 01:29
ComboFix5.txt 2011-04-23 11:05
.
Pre-Run: 554,521,579,520 bytes free
Post-Run: 554,484,232,192 bytes free
.
- - End Of File - - 36F2E7ADF1432E6571B8567AF8B7324E
 
c:\program files\rikoofph . . . . Failed to delete

Yeah, it still failed to delete this folder. Don't know why. How is the system operating now? Still getting redirects and everything, or what's going on?
 
Yeah, I'm still getting redirects. Google is pretty much unusable; it either redirects me to an ad or back to the Google homepage every time. It is trying to run in the background via Explorer: if I boot with no net connection plugged in, it constantly prompts me to connect or work offline, and now that I've upped my security I'm constantly being asked if I want to give internet access to IE, which I never ever use, so I assume the virus is trying to run it.

Things are also running slower and sometimes programs won't open at all. I don't download or anything, so I have lots of free space on my hard drive and it has always run pretty fast, but now things are slowing down...
 
Alright, do you have another system available? Basically what it comes down to is that there is nothing that can be done while your OS is running. You need to put it in another system and run scans on it from that OS and see if the infection can be picked up that way. That is all I can think of.

You can go to a site like Bleeping Computer and see if they can assist you.
 
No, unfortunately I don't have another system available. I just tried to check out Bleeping Computers, and the page refuses to open. I'm assuming the virus is blocking me from accessing it...
 
You could try using a live distro of a flavor of Linux. Download one, burn the image to disk, then boot from it. That way Windows is not engaged and the files are completely inactive and vulnerable.

I am not up on most Linux, but Knoppix is well known and often used for these kinds of things. Plus Knoppix will not let you accidentally install it over your Windows installation. Here's a short link to a version of Knoppix just for this kind of situation:
S-T-D
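One concrete check to run from that live Linux boot, as an added example that is not part of the thread or of Knoppix: with the Windows volume mounted read-only, list every file whose byte size matches the one catchme reported for the hidden Startup entry apndaole.exe (173419 bytes) and hash them, so copies of the same dropper scattered across the disk show up as identical hashes. The mount point (/mnt/win) is an assumption; the size argument comes from the log above.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a live Linux CD after
# mounting the Windows volume read-only, e.g.:
#   mount -o ro /dev/sda1 /mnt/win      (device and mount point assumed)
# then: sh size_twins.sh /mnt/win 173419
# 173419 is the size catchme reported for the hidden apndaole.exe above.

# find_size_twins <mounted_root> <size_in_bytes>
# Prints "sha256  path" for every regular file of exactly that size.
# Hashing from the live system avoids the hooked ZwQueryDirectoryFile
# listing that hid the file while Windows was running.
find_size_twins() {
    root="$1"
    size="$2"
    find "$root" -type f -size "${size}c" -exec sha256sum {} + 2>/dev/null
}

# count_distinct_hashes <mounted_root> <size_in_bytes>
# Returns how many distinct contents share that size; several files with
# one hash means one binary dropped in several places (Startup, c:\windows ...).
count_distinct_hashes() {
    find_size_twins "$1" "$2" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Stand-alone usage: <mounted_root> <size_in_bytes>
if [ "$#" -eq 2 ]; then
    echo "Files of exactly $2 bytes under $1:"
    find_size_twins "$1" "$2"
    echo "distinct contents among them: $(count_distinct_hashes "$1" "$2")"
fi
```

Any hash that appears more than once is a copy worth quarantining together with its twins; hashes can then be checked against the vendor's detections once the system is back online.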
 