Problem removing rootkit

Discussion in 'Windows - Virus and spyware problems' started by raebie, May 28, 2009.

  1. raebie

    raebie Guest

    I recently installed BitDefender Antivirus 2009 on my PC and ran a scan. It has picked up two things: one which it failed to disinfect, and a hidden rootkit which it looks like it has not been able to remove: C:\WINDOWS\system32\lowsec Rootkit-Hidden Items Hidden
    I have copied my report below and if anyone can help please let me know, thanks.

    BitDefender Log File


    Product : BitDefender Antivirus 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Deep System Scan
    Log date : 27/05/2009 15:45:20
    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1243435520_1_02.xml

    Scan Paths:
    Path 0000: C:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : No
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : Log as not scanned

    Scan engines summary
    Number of virus signatures : 3171380
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 61617
    Infected items : 1
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 2
    Password-protected items : 0
    Overcompressed items : 0
    Individual viruses found : 1
    Scanned directories : 3613
    Scanned boot sectors : 2
    Scanned archives : 356
    Input-output errors : 1
    Scan time : 00:31:51
    Files per second : 31

    Scanned processes summary
    Scanned : 36
    Infected : 0

    Scanned registry keys summary
    Scanned : 710
    Infected : 0

    Scanned cookies summary
    Scanned : 2
    Infected : 0

    Remaining issues:
    Object Name Threat Name Final Status
    C:\WINDOWS\system32\sdra64.exe Gen:Trojan.Heur.Dropper.E1B24D4D4D Disinfect Failed
    C:\WINDOWS\system32\lowsec Rootkit-Hidden Items Hidden
     
  2. 2oldGeek

    2oldGeek Active member

    Hi raebie,

    If you haven’t been able to resolve your problems, try this:

    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    MBAM is good at removing malware and Trojans, but if MBAM cannot remove the rootkit, it can be removed with ComboFix; that will have to be done manually. So please run ComboFix and post the logs, and I will give you instructions to remove it.


    1. Download Combo fix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.






    3. ComboFix will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from comboFix for me located in
    c:\comboFix.txt
    Also, please post the MBAM Log and a fresh HJT log in your next reply.


    2oG
     
  3. raebie

    raebie Guest

    I ran MBAM (I have had it installed on my PC for ages). It picked up 23 infections; here is the log.

    Malwarebytes' Anti-Malware 1.37
    Database version: 2192
    Windows 5.1.2600 Service Pack 3

    29/05/2009 17:20:06
    mbam-log-2009-05-29 (17-20-06).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 106262
    Time elapsed: 32 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 27
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.

    I am not going to run ComboFix. The file you gave me a link to is infected. I use this online virus/malware scanner, http://virusscan.jotti.org/en, and it picked up this inside the file:

    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 Pua.Hideexec 2009-05-29 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing
    2009-05-29 BATCH.Virus 2009-05-27 Found nothing
    2009-05-29 Found nothing 2009-05-29 Found nothing


    Here is my hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:55:36, on 29/05/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
    C:\Program Files\Vtune\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
    C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

    --
    End of file - 6043 bytes
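The MBAM log in the post above shows two things worth recognising on sight: a Winlogon\Userinit value with a second program appended after userinit.exe (Winlogon runs every comma-separated entry at logon, so this is a persistence point), and files under system32\lowsec flagged as Stolen.Data. The following is an added example, not code from the thread or from any of the tools it discusses: a small triage helper that splits a Userinit value into its entries, reports anything that is not the stock userinit.exe, and pulls the Bad:/Good: hijack lines and flagged paths out of an MBAM log. The log excerpt and registry values it runs on are constructed from the lines posted above; the function and constant names are my own.

```python
"""
Added example (not from the original thread): triage a Winlogon Userinit
value and an MBAM log for the Userinit hijack / lowsec findings shown above.
The sample log and registry values are constructed from the posted lines.
"""
import re

# Constructed from the MBAM log above: the Bad: and Good: values it printed.
HIJACKED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed excerpt of the MBAM log posted above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
"""


def parse_userinit(value: str) -> list:
    """Split a Winlogon\\Userinit REG_SZ into its program entries.

    Winlogon launches every comma-separated entry at logon. The trailing
    comma is normal on XP and yields no entry; quotes around a path are stripped.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def userinit_extras(value: str, system_root: str = r"C:\WINDOWS") -> list:
    """Return every Userinit entry that is not the stock userinit.exe.

    Comparison is case-insensitive (registry and NTFS are). Both the full
    path and the bare name, which MBAM prints as the Good: value, count as
    the legitimate entry; a clean value therefore returns an empty list.
    """
    legit = {(system_root + r"\system32\userinit.exe").lower(), "userinit.exe"}
    return [e for e in parse_userinit(value) if e.lower() not in legit]


# MBAM 'Registry Data Items' line: key (threat) -> Bad: (x) Good: (y) -> action
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\\S.*?) \((?P<threat>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)
# MBAM file/folder line: drive-letter path (threat) -> action
MBAM_PATH_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$"
)


def triage_mbam_log(log_text: str) -> dict:
    """Extract Userinit hijacks and flagged paths from an MBAM log.

    Returns {'hijacks': [(key, extra_entries, action), ...],
             'paths':   [(path, threat, action), ...]}.
    The extra entries come from the Bad: value, so the report names the
    program that was appended rather than just the key that changed.
    """
    hijacks, paths = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MBAM_DATA_RE.match(line)
        if m and m.group("key").lower().endswith(r"winlogon\userinit"):
            hijacks.append((m.group("key"), userinit_extras(m.group("bad")), m.group("action")))
            continue
        m = MBAM_PATH_RE.match(line)
        if m:
            paths.append((m.group("path"), m.group("threat"), m.group("action")))
    return {"hijacks": hijacks, "paths": paths}


if __name__ == "__main__":
    result = triage_mbam_log(SAMPLE_MBAM_LOG)
    for key, extras, action in result["hijacks"]:
        print(f"Userinit hijack in {key}: appended {extras} ({action})")
    for path, threat, action in result["paths"]:
        print(f"{threat}: {path} ({action})")
```

On a live machine the value to feed `userinit_extras` is the Userinit data under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; anything the function returns is a program that runs at every logon and should be accounted for before the box is trusted again.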
     
  4. mauro125

    mauro125 Member

    To remove nasty viruses and spyware I use a combination of SUPERAntiSpyware, MBAM, Spybot S&D, and Spyware Doctor, and it gets every single one. Just Google them, install them and let them do a complete scan. For Spyware Doctor you might have to get it from a torrent or pay for it, but it's a very good program.
     
  5. 2oldGeek

    2oldGeek Active member

    raebie,

    The file I gave you is NOT infected!!! Some antiviruses pick it up as an infected file. Just disable your BitDefender while you run it. It happens to be the best program around for cleaning up rootkits and Trojans that other programs miss.

    2oG
     
  6. garmoon

    garmoon Regular member

    As the old geek said, I downloaded the ComboFix file and Norton found it just fine!
     
  7. 2oldGeek

    2oldGeek Active member

    If you run ComboFix from the command line, as I directed you, it will disable the AV and do its thing as it should.

    To keep from having messages that bother you, Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.


    Hi garmoon, good to see you…

    For the newbies out there, you may have noticed that Spy Sweeper, Spyware Doctor, Spybot, and Ad-Aware are not mentioned in any of my threads. At one time all of them were considered premier tools. A lot has changed over the years, as malware has become much more complex, and all of the aforementioned programs have inferior detection/removal capabilities compared to the tools I use. Please do not waste your time using them.


    2oG
     
  8. garmoon

    garmoon Regular member

    Good to see you, oldgeek. What say you about CCleaner?
     
  9. 2oldGeek

    2oldGeek Active member

    Hey garmoon,

    CCleaner is a great, safe, efficient way to clean up and keep down the trash build-up.

    It has some very good extra features, like including special folders for it to clean, and it has a command-line parameter "/AUTO" so you can schedule it to run whenever you please.

    See here ->
    http://www.techsupportalert.com/how_to_schedule_programs_to_run_automatically.htm

    I have mine scheduled for a couple of times a day and just prior to a scheduled de-frag..

    2oG
     
  10. garmoon

    garmoon Regular member

    I run mine before defrag and always after going off line.
     
  11. 2oldGeek

    2oldGeek Active member

    garmoon,
    it's a good idea to run it in SAFE mode so it can kill the temp files that are in use and can't be deleted while running....

    2oG
     
  12. raebie

    raebie Guest

    Here is my ComboFix log. Did you even bother to check my HijackThis
    and Malwarebytes logs above to see if everything was OK? It's just that you never mentioned them to me.

    ComboFix 09-05-30.01 - Raebie 30/05/2009 18:16.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.667 [GMT 1:00]
    Running from: c:\documents and settings\Raebie\desktop\combofix.exe
    Command switches used :: /killall
    AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
    .

    2009-05-29 16:55 . 2009-05-29 16:55 -------- d-----w c:\program files\Trend Micro
    2009-05-27 13:51 . 2009-05-30 17:20 81984 ----a-w c:\windows\system32\bdod.bin
    2009-05-27 13:44 . 2009-05-27 13:44 -------- d-----w c:\documents and settings\Raebie\Application Data\BitDefender
    2009-05-27 13:43 . 2009-05-27 13:46 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
    2009-05-27 13:43 . 2009-05-27 13:43 -------- d-----w c:\program files\BitDefender
    2009-05-27 13:41 . 2009-05-27 13:44 -------- d-----w c:\program files\Common Files\BitDefender
    2009-05-27 13:34 . 2009-05-27 13:35 -------- d-----w c:\program files\SpywareBlaster
    2009-05-27 13:31 . 2009-05-27 13:31 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-05-27 13:09 . 2009-05-27 13:09 -------- dc----w c:\windows\system32\DRVSTORE
    2009-05-27 13:09 . 2009-05-27 13:08 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-05-27 13:09 . 2009-05-27 13:09 314200 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
    2009-05-27 13:09 . 2009-05-27 13:09 348496 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
    2009-05-27 13:09 . 2009-05-27 13:09 25440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
    2009-05-27 13:09 . 2009-05-27 13:09 169312 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
    2009-05-27 13:09 . 2009-05-27 13:09 15688 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
    2009-05-27 13:09 . 2009-05-27 13:09 294240 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
    2009-05-27 13:09 . 2009-05-27 13:09 83808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
    2009-05-27 13:09 . 2009-05-27 13:09 1630048 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
    2009-05-27 13:08 . 2009-05-27 13:08 40288 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
    2009-05-27 13:08 . 2009-05-27 13:08 212848 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
    2009-05-27 13:08 . 2009-05-27 13:08 73064 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
    2009-05-27 13:08 . 2009-05-27 13:08 64160 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
    2009-05-27 13:08 . 2009-05-27 13:08 640360 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
    2009-05-27 13:08 . 2009-05-27 13:08 559464 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
    2009-05-27 13:08 . 2009-05-27 13:08 540536 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
    2009-05-27 13:08 . 2009-05-27 13:08 2352456 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
    2009-05-27 13:08 . 2009-05-27 13:08 627536 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
    2009-05-27 13:08 . 2009-05-27 13:08 518488 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
    2009-05-27 13:08 . 2009-05-27 13:08 1005904 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
    2009-05-27 13:07 . 2009-05-27 13:07 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
    2009-05-27 13:07 . 2009-01-18 21:43 2892112 -c--a-w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
    2009-05-27 13:06 . 2009-05-27 13:06 -------- d-----w c:\program files\Lavasoft
    2009-05-14 14:55 . 2009-05-14 14:55 -------- d-----w c:\program files\Realtek
    2009-05-08 12:51 . 2009-05-08 12:51 -------- d-----w c:\documents and settings\Raebie\Application Data\AdobeUM
    2009-05-08 12:50 . 2009-05-08 12:50 -------- d-----w c:\documents and settings\Raebie\Local Settings\Application Data\Adobe
    2009-05-08 12:47 . 2006-06-02 14:59 81408 ----a-r c:\windows\system32\drivers\Rtnicxp.sys
    2009-05-08 12:47 . 2009-05-08 12:47 -------- d-----w c:\windows\OPTIONS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-27 13:35 . 2008-03-09 17:20 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-05-27 13:34 . 2007-05-26 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-27 13:22 . 2008-03-09 17:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-27 13:21 . 2008-03-09 17:22 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-05-27 12:57 . 2008-07-12 13:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-26 12:20 . 2008-07-30 13:09 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 12:19 . 2008-05-13 15:32 19096 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-22 15:45 . 2007-10-15 07:04 -------- d-----w c:\documents and settings\Raebie\Application Data\Azureus
    2009-05-14 14:55 . 2007-05-26 21:54 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-27 08:26 . 2007-05-26 22:10 -------- d-----w c:\documents and settings\Raebie\Application Data\Vso
    2009-03-06 14:22 . 2004-08-03 22:56 284160 ----a-w c:\windows\system32\pdh.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-12-20 557056]
    "System Mechanic Popup Blocker"="c:\program files\iolo\System Mechanic 6\PopupBlocker.exe" [2006-12-20 752128]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2004-10-11 589824]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-07-07 675935]
    "Gainward"="c:\program files\Vtune\TBPanel.exe" [2007-04-23 2158592]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-22 98304]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-27 518488]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-08 778240]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-22 90112]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 14:09 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/05/2008 10:33 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 55024]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1005904]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 111112]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 19:16 172032]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:08]
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-procexp90.Sys
    SafeBoot-AVG Anti-Spyware Guard


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.co.uk/
    IE: &AOL Toolbar search
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
    Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-30 18:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(724)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    c:\program files\BitDefender\BitDefender 2009\vsserv.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\rundll32.exe
    c:\program files\BitDefender\BitDefender 2009\seccenter.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-30 18:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-30 17:32

    Pre-Run: 112,637,882,368 bytes free
    Post-Run: 112,624,807,936 bytes free

    165 --- E O F --- 2009-05-13 16:30
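    The service and driver lines in the ComboFix log above have a fixed shape: a state/start-type code (R0..R3 running, S3 stopped), the service name, the display name, the image path, and in brackets the file timestamp and size, or `[?]` where ComboFix recorded no file metadata. The Python script below is an added example, not part of the original thread and not ComboFix's own code: it parses those lines and lists the entries a reviewer would look at first (boot-start R0 drivers, images outside Windows and Program Files, images registered as NT object paths `\??\`, and entries with no file metadata). The sample lines are copied from the log posted above; the flagging rules and the `EXPECTED_ROOTS` directory list are this example's own heuristics, so a flagged entry is a prompt to check the file, not a verdict about it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample service/driver lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 14:09 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/05/2008 10:33 8944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1005904]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 111112]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 19:16 172032]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
"""

# <state> <name>;<display name>;<image path> [<dd/mm/yyyy hh:mm> <size>]   or   [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"      # R = running, S = stopped; digit = start type (0 = boot)
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+"
    r"\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    timestamp: Optional[str]  # None when the log shows [?] (no file metadata recorded)
    size: Optional[int]


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract the R*/S* service and driver lines from a ComboFix log."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue  # registry keys, headers and other non-service lines
        meta = m["meta"].strip()
        timestamp, size = None, None
        if meta != "?":
            stamp, _, size_text = meta.rpartition(" ")
            if size_text.isdigit():
                timestamp, size = stamp, int(size_text)
        entries.append(ServiceEntry(m["state"], m["name"].strip(),
                                    m["display"].strip(), m["path"].strip(),
                                    timestamp, size))
    return entries


# Directories a reviewer expects installed drivers and services to live under.
# This is an assumption made for the example; real triage uses the machine's own layout.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def review(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries worth a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        # ComboFix writes "\??\x:\... --> x:\..." for NT object paths; the location
        # check uses the resolved target after the arrow (or the whole path if none).
        target = e.path.rpartition("-->")[2].strip().lower()
        if e.timestamp is None:
            reasons.append("no file metadata ([?]): image missing or unreadable at scan time")
        if e.path.startswith("\\??\\"):
            reasons.append("image registered as an NT object path (\\??\\), unusual for an installed driver")
        if not target.startswith(EXPECTED_ROOTS):
            reasons.append(f"image outside Windows/Program Files: {target}")
        if e.state == "R0":
            reasons.append("boot-start driver: loads before most security software can inspect it")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review(parse_services(SAMPLE_LOG)).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

    Run against the sample, the script lists `Lbd` (only because it is a boot-start driver) and `SetupNTGLM7X` (no file metadata, an NT object path, and an image on the d: drive). The second is the kind of entry that is often a stale leftover from a removable disk, but it is exactly the one to verify by hand rather than assume.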
     
  13. 2oldGeek

    2oldGeek Active member

    raebie,

    If I wasn't going to check the logs, I wouldn't have asked for them.

    Why should I have mentioned them? You can't read them anyway and probably wouldn't know what I was talking about.

    I really don't have to bother myself with semi-illiterate malware collectors. I only do it because I care that your generation doesn't have a clue on how to keep from being infected with malware, and then cries for someone to help them without taking the time to research and learn how to do it for themselves.

    Your ComboFix log is clean with no sign of a rootkit. I didn't see it in MBAM, so it was probably a false alarm.

    You will need to uninstall ComboFix so it can reset some things in your computer, and it is not to be used if you haven't been trained on it. You can bork your computer to the point of no return if you don't know what you're doing.

    This may or may not work if you did not follow the instructions and download it to your desktop as instructed. If it doesn't work, then go to where you have ComboFix and drag it to the trash.

    • Click START, then RUN.
    • Now type Combofix /u in the Run box and click OK. Note the space between the X and the /U; it needs to be there.


    • When shown the disclaimer, Select "2"

    The above procedure will:
    • Delete ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Have a Happy!
    2oG
     
  14. raebie

    raebie Guest

    I was not being ungrateful; I was just wondering why you did not mention them to me. And by the way, this is not my PC. I am just doing a favour for my mother, who is 70 and does not have a clue. I don't get any infections on my PC. I do know a bit about stuff like this, but I thought I had better ask someone who knew more than I did. Thanks for all the help, and the things that got picked up were not false; on the machine I could see the files before MBAM removed them. I am not an idiot, just so you know, so there is no need to say cheeky things like that, like I am malware illiterate.
    What do you mean, "my generation"? I am 37 years old, not 10, and I do know how to keep my PC clean, but it is not mine. What a cheek you have.
    I only came here to ask for advice, not to have you taking the mickey.
    Look, thanks for the help; I am very grateful, minus the taking the mickey.
    Next time, think before you blab off to people. I was only asking you a question about the logs, not saying you asked for them for nothing, OK?
     
    Last edited by a moderator: May 31, 2009
  15. 2oldGeek

    2oldGeek Active member

    raebie,

    Statements like "did you even bother 2 check" appear ungrateful and turn most people off. The art of getting someone to do something you want done, because they WANT to do it, requires a little stroking, lol.
    When I refer to "your generation", I mean anyone that I have kids or grandkids older than, or maybe even socks older than... : )

    In your BitDefender log there was:
    MBAM cleared these, but they were not classified as a rootkit, and that is why I requested ComboFix, to see if a rootkit remained... it didn't.

    In most of the tests I have seen, BitDefender failed the VB100 tests and has a lot of missed viruses and heaps of false positives; you would be wise to choose another AV. Googling reviews and tests run by independent testers can help you decide on a better AV. Three (free) AVs that are better than BitDefender are: Avira AntiVir, Avast and AVG.

    In three words I can sum up everything I’ve learned about life: “it goes on.”

    Strive to be Happy, and work on your PR..: )
    2oG
     
  16. raebie

    raebie Guest

    I used to have AVG, then later I had Avast. The only reason I got BitDefender is because the reviews told me it was the top one and others had it in the top 5, and also I got it for £11. That was the first time I ever bought an antivirus program; I have always used free ones. It can't be that bad, because it picked up the sdra64.exe file and the lowsec files that are rootkits, and both files are connected to each other; even I know that. And by the way, you said I am malware illiterate and you are not; AVG never picked them up, and I know this is a rootkit that disables your firewall amongst other dodgy things. Why not do some research on this sdra64.exe file yourself, and you will see it is a rootkit; just because BitDefender did not state it is a rootkit does not mean it is not. My firewall was getting disabled all the time until MBAM removed it all. Thanks a lot for your help. And I think you also need to work on your PR. Talking like that to people, calling them illiterate and all that, is not on; if someone said that to my face I probably would have decked them. Peace, and thanks for all the help you gave me, and I hope my mother's PC does not get infected again.
     
    Last edited by a moderator: Jun 1, 2009
  17. garmoon

    garmoon Regular member

    @raebie

    Did you take another wrong PMS pill this morning?

    It can't be that good either, since the PC got all screwed up on its watch!

    Why couldn't you let all the $hit just drop? You had to get the last word in. I would not have helped after your first outburst.

    Geek was right about your rudeness, just in the tone of your question, which might have been better put as: "Did you find anything of help in my log file?" Make nice; you just got excellent professional FREE f**king help, and you're still bitching! Geek didn't need any defensive help from me; he handled it gentlemanly, me not so much.
     
    Last edited: Jun 1, 2009
  18. varnull

    varnull Guest

    I saw mention of CCleaner earlier.

    Just wanted to mention that it will uninstall and screw up BT Home Hub (pimping your wifi to the neighbourhood) drivers and settings for some unfathomable reason... perhaps because the BT setup/install disk comes with a trial of some BitDefender trash? The version I saw on a callout did, anyway.
     
  19. raebie

    raebie Guest

    Duh, mate, I had only just put BitDefender in that day, when I sent the log in to AfterDawn. If only you took the time to read the thread properly instead of just jumping into people's threads and talking crap. I had AVG on this PC for years and it did not pick it up.
    I had just installed BitDefender the day I sent the logs in to this site, and straight away it picked these infections up. Duh, listen to what people say. You thought I had BitDefender on this PC all along; no, I had AVG, the free antivirus, and it did not pick this infection up, so there you go, AVG Free is not that good either. And by the way, I know I got pro help and it is well appreciated. But it is not appreciated when idiots like you jump on other people's threads talking crap without even reading the posts properly. Idiot. BitDefender was not keeping watch on my PC when it got infected; it was AVG, duh. And I get called illiterate; what does that say for you? I rest my case. And for your info, I have used this site for ages and I have never been called illiterate or anything else, or even ended up arguing with anyone for that matter, so of course I was going to come back and say something. What a cheek. I only came on this site for some help, not to have idiots talk crap and others try to back it up when they don't even know what they are talking about.
     
    Last edited by a moderator: Jun 2, 2009
  20. garmoon

    garmoon Regular member

    Not worth my time.
     
