Trojan virus


  • This topic is locked
17 replies to this topic

#1 muddog

muddog

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 14 July 2009 - 08:25 AM

I already posted this problem in Am I Infected and he said I should come here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/239068/trojan-tdss/ ~ OB Here's the log.


DDS (Ver_09-06-26.01) - NTFSx86
Run by NAME REMOVED at 9:20:15.17 on 07/14/2009 Tue
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.510.153 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\NAME REMOVED\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [imekrmig] c:\ime\imkr\imekrmig.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0365D95C-5061-42AB-B118-EAA3CB956E8E} - hxxp://www.bccard.com/plugin/markany/MaPrintModule_BCCard.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.conpia.com/cab/alwaysOn/AlwaysOn.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxp://mpi.dacom.net/XMPI/js/LGDacom_XMPI_20080924.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} - hxxp://img.shinhan.com/shttp/install/down/INIS70.cab
DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxp://img.shinhan.com/rib/common/keyStroke/SoftCamp/403125/SCSK4.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229091301062
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_78.cab
DPF: {8055C6FC-E2F3-4FFF-8385-9D71D57A3CF6} - hxxp://codebase.webcompass.co.kr/codebase/launcher/webcompass/WSchosun2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.conpia.com/cab/yozzi/MagicLockOCX(2310).cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8305.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4CA4B54-056A-4011-BC50-7C49AFF981A4} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtCxCtlCon.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://vbv.shinhancard.com/popup/npkcx.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxps://plugin.inicis.com/wallet60_inilite/INIwallet60.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5573/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\NAME REMOVED~1\applic~1\mozilla\firefox\profiles\wo75oh8o.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-11 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-11 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-7-13 2749736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-7-13 15656]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]

=============== Created Last 30 ================

2009-07-13 13:22 --d----- c:\docume~1\NAME REMOVED~1\applic~1\WTablet
2009-07-13 13:22 1,421,964 -------- c:\windows\system32\PenTablet.znc
2009-07-13 13:22 4,222,760 -------- c:\windows\system32\PenTablet.cpl
2009-07-13 13:22 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-13 13:22 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-07-13 13:21 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-13 13:21 14,848 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-07-13 13:21 11,440 a------- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-13 13:21 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-13 13:21 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-07-13 13:21 13,352 a------- c:\windows\system32\drivers\wacomvhid.sys
2009-07-13 13:21 11,312 a------- c:\windows\system32\drivers\wacommousefilter.sys
2009-07-13 13:21 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-13 13:21 9,600 a------- c:\windows\system32\dllcache\hidusb.sys
2009-07-13 13:21 15,656 a------- c:\windows\system32\drivers\wacmoumonitor.sys
2009-07-13 13:20 --d----- c:\windows\system32\WTablet
2009-07-13 13:20 186,152 -------- c:\windows\system32\Pen_Tablet.dll
2009-07-13 13:20 172,840 -------- c:\windows\system32\Wintab32.dll
2009-07-13 13:20 2,749,736 -------- c:\windows\system32\Pen_Tablet.exe
2009-07-13 13:20 --d----- c:\program files\Tablet
2009-07-13 09:02 --d----- c:\program files\Cobian Backup 8
2009-07-11 20:00 --d----- c:\program files\Cobian Backup 9
2009-07-10 12:52 --d----- c:\documents and settings\NAME REMOVED\DoctorWeb
2009-07-09 11:34 --d----- c:\windows\system32\wbem\Repository
2009-07-09 11:33 --d----- c:\program files\Rosetta Stone
2009-07-09 11:33 --d----- c:\program files\iPod
2009-07-09 11:33 --d----- c:\program files\iTunes
2009-07-09 11:33 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-08 09:33 --d----- c:\program files\BAM! Entertainment
2009-07-08 09:33 --d----- c:\program files\Microsoft Money
2009-07-07 10:07 --d----- c:\program files\Spybot - Search & Destroy
2009-07-07 10:07 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 08:57 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-06 08:56 --d----- c:\program files\SUPERAntiSpyware
2009-07-06 08:56 --d----- c:\docume~1\NAME REMOVED~1\applic~1\SUPERAntiSpyware.com
2009-07-05 18:15 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-05 14:04 --d----- c:\program files\Enigma Software Group
2009-07-03 16:56 --d-h--- c:\windows\PIF
2009-07-03 14:56 1 a------- c:\windows\934fdfg34fgjf23
2009-06-25 16:52 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-25 16:52 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-22 02:48 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-06-22 02:48 77,824 a------- c:\windows\system32\kdfapi.dll
2009-06-22 02:48 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-06-22 02:48 640,352 a------- c:\windows\system32\kdfmgr.exe
2009-06-22 02:48 172,129 a------- c:\windows\system32\kdfmod.dll
2009-06-22 02:46 708,096 a------- c:\windows\system32\INIcrypto20.dll
2009-06-22 02:46 154,752 a------- c:\windows\system32\INIWebCrypto.dll
2009-06-22 02:46 233,472 a------- c:\windows\system32\PubCertDlg.dll
2009-06-22 02:46 655,360 a------- c:\windows\system32\ISPPopUpDlg.exe
2009-06-22 02:45 969,376 a------- c:\windows\system32\SCSKAppLink.dll
2009-06-22 02:45 93,312 a------- c:\windows\system32\INICertStore.dll
2009-06-22 02:45 251,008 a------- c:\windows\system32\INICertManUI.dll
2009-06-22 02:45 28,672 a------- c:\windows\system32\ISP_crgen.dll
2009-06-22 02:45 73,728 a------- c:\windows\system32\ISP_INISafeNet.dll
2009-06-22 02:45 3,952,640 a------- c:\windows\system32\KvpVcmd.dll
2009-06-17 16:21 --d----- c:\windows\BBSTORE

==================== Find3M ====================

2009-07-06 08:59 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 02:48 760,832 a------- c:\windows\system32\kdfinj.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-31 20:24 206,184 a------- c:\windows\system32\skcbgm.exe
2009-05-31 20:24 144,744 a------- c:\windows\system32\skcbgmf1.dll
2009-05-14 09:50 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 13:36 50,708 a---h--- c:\windows\system32\mlfcache.dat
2009-05-11 11:02 78,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 05:17 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll

============= FINISH: 9:21:12.35 ===============

Edited by Orange Blossom, 14 July 2009 - 04:27 PM.



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,981 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:23 AM

Posted 25 July 2009 - 02:13 AM

Hello muddog and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 muddog

muddog
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 25 July 2009 - 01:34 PM

My computer is running slower than usual, but I don't see Antivirus Pro anymore. ( http://www.bleepingcomputer.com/forums/t/239068/trojan-tdss/ )
When I try to go into gmail, when I try to log in, the page keeps refreshing, but iGoogle says I'm logged in. So when I go to gmail from there it starts being really weird, there's a blank screen that keeps refreshing. After a minute or so the page says:
Request-URI Too Large
The requested URL /accounts/ServiceLogin... is too large to process.
This doesn't happen when I use internet explorer. (I use Firefox) I scanned the computer with avast, AVG Free, SUPERantiSpyware Free Edition, Dr. Web, and MBAM but they detected nothing except for a few tracking cookies.


Here is the log.

DDS (Ver_09-06-26.01) - NTFSx86
Run by NAME REMOVED at 14:12:15.78 on 07/25/2009 Sat
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.510.73 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090724-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\GIMP-2.0\bin\gimp-2.6.exe
C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NAME REMOVED\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [imekrmig] c:\ime\imkr\imekrmig.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0365D95C-5061-42AB-B118-EAA3CB956E8E} - hxxp://www.bccard.com/plugin/markany/MaPrintModule_BCCard.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.conpia.com/cab/alwaysOn/AlwaysOn.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxp://mpi.dacom.net/XMPI/js/LGDacom_XMPI_20080924.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} - hxxp://img.shinhan.com/shttp/install/down/INIS70.cab
DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxp://img.shinhan.com/rib/common/keyStroke/SoftCamp/403125/SCSK4.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229091301062
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_78.cab
DPF: {8055C6FC-E2F3-4FFF-8385-9D71D57A3CF6} - hxxp://codebase.webcompass.co.kr/codebase/launcher/webcompass/WSchosun2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.conpia.com/cab/yozzi/MagicLockOCX(2310).cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8305.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4CA4B54-056A-4011-BC50-7C49AFF981A4} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtCxCtlCon.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://vbv.shinhancard.com/popup/npkcx.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxps://plugin.inicis.com/wallet60_inilite/INIwallet60.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5687/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\NAME REMOVED~1\applic~1\mozilla\firefox\profiles\wo75oh8o.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-23 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-11 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-23 20560]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-7-13 15656]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]

=============== Created Last 30 ================

2009-07-24 14:19 --dsh--- c:\documents and settings\NAME REMOVED\IECompatCache
2009-07-24 14:15 --dsh--- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-24 14:08 --dsh--- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 13:48 --d----- c:\windows\ie8updates
2009-07-24 13:43 -cd-h--- c:\windows\ie8
2009-07-24 13:08 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-24 13:08 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 13:08 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-24 13:08 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-24 13:07 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-13 13:22 --d----- c:\docume~1\NAME REMOVED~1\applic~1\WTablet
2009-07-13 13:22 1,421,964 -------- c:\windows\system32\PenTablet.znc
2009-07-13 13:22 4,222,760 -------- c:\windows\system32\PenTablet.cpl
2009-07-13 13:22 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-13 13:22 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-07-13 13:21 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-13 13:21 14,848 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-07-13 13:21 11,440 a------- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-13 13:21 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-13 13:21 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-07-13 13:21 13,352 a------- c:\windows\system32\drivers\wacomvhid.sys
2009-07-13 13:21 11,312 a------- c:\windows\system32\drivers\wacommousefilter.sys
2009-07-13 13:21 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-13 13:21 9,600 a------- c:\windows\system32\dllcache\hidusb.sys
2009-07-13 13:21 15,656 a------- c:\windows\system32\drivers\wacmoumonitor.sys
2009-07-13 13:20 --d----- c:\windows\system32\WTablet
2009-07-13 13:20 186,152 -------- c:\windows\system32\Pen_Tablet.dll
2009-07-13 13:20 172,840 -------- c:\windows\system32\Wintab32.dll
2009-07-13 13:20 2,749,736 -------- c:\windows\system32\Pen_Tablet.exe
2009-07-13 13:20 --d----- c:\program files\Tablet
2009-07-13 09:02 --d----- c:\program files\Cobian Backup 8
2009-07-11 20:00 --d----- c:\program files\Cobian Backup 9
2009-07-10 12:52 --d----- c:\documents and settings\NAME REMOVED\DoctorWeb
2009-07-09 11:34 --d----- c:\windows\system32\wbem\Repository
2009-07-09 11:33 --d----- c:\program files\Rosetta Stone
2009-07-09 11:33 --d----- c:\program files\iPod
2009-07-09 11:33 --d----- c:\program files\iTunes
2009-07-09 11:33 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-08 09:33 --d----- c:\program files\BAM! Entertainment
2009-07-08 09:33 --d----- c:\program files\Microsoft Money
2009-07-07 10:07 --d----- c:\program files\Spybot - Search & Destroy
2009-07-07 10:07 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 08:57 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-06 08:56 --d----- c:\program files\SUPERAntiSpyware
2009-07-06 08:56 --d----- c:\docume~1\NAME REMOVED~1\applic~1\SUPERAntiSpyware.com
2009-07-05 18:15 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-05 14:04 --d----- c:\program files\Enigma Software Group
2009-07-03 16:56 --d-h--- c:\windows\PIF
2009-07-03 14:56 1 a------- c:\windows\934fdfg34fgjf23
2009-06-25 16:52 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-25 16:52 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 08:59 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 02:48 640,352 a------- c:\windows\system32\kdfmgr.exe
2009-06-22 02:48 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-06-22 02:48 77,824 a------- c:\windows\system32\kdfapi.dll
2009-06-22 02:48 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-06-22 02:48 172,129 a------- c:\windows\system32\kdfmod.dll
2009-06-22 02:48 760,832 a------- c:\windows\system32\kdfinj.dll
2009-06-22 02:46 708,096 a------- c:\windows\system32\INIcrypto20.dll
2009-06-22 02:46 154,752 a------- c:\windows\system32\INIWebCrypto.dll
2009-06-22 02:46 233,472 a------- c:\windows\system32\PubCertDlg.dll
2009-06-22 02:46 655,360 a------- c:\windows\system32\ISPPopUpDlg.exe
2009-06-22 02:45 93,312 a------- c:\windows\system32\INICertStore.dll
2009-06-22 02:45 251,008 a------- c:\windows\system32\INICertManUI.dll
2009-06-22 02:45 28,672 a------- c:\windows\system32\ISP_crgen.dll
2009-06-22 02:45 73,728 a------- c:\windows\system32\ISP_INISafeNet.dll
2009-06-22 02:45 3,952,640 a------- c:\windows\system32\KvpVcmd.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 15:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-31 20:24 206,184 a------- c:\windows\system32\skcbgm.exe
2009-05-31 20:24 144,744 a------- c:\windows\system32\skcbgmf1.dll
2009-05-14 09:50 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-12 13:36 50,708 a---h--- c:\windows\system32\mlfcache.dat
2009-05-11 11:02 78,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 00:52 1,023,488 -------- c:\windows\system32\dllcache\browseui.dll
2009-04-29 00:52 474,112 -------- c:\windows\system32\dllcache\shlwapi.dll
2009-04-29 00:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-29 00:52 55,808 -------- c:\windows\system32\dllcache\extmgr.dll
2009-04-29 00:52 1,054,208 -------- c:\windows\system32\dllcache\danim.dll
2009-04-29 00:52 151,040 -------- c:\windows\system32\dllcache\cdfview.dll
2009-04-27 05:17 18,432 -------- c:\windows\system32\dllcache\iedw.exe

============= FINISH: 14:14:21.70 ===============


#4 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 684 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 26 July 2009 - 11:58 AM

Hi muddog,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

You are running two anti-virus programs, AVG and AVAST. That is not good; they can conflict with each other. Please go to Add or Remove Programs in your Control Panel and uninstall one of them.

JavaRa ...by: Paul McLain and Fred de Vries

Please download JavaRa (Copyright 2008 RaProducts.org) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Print these instructions...you won't have Internet access during this particular phase!
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
  • Copy and paste the contents of the JavaRa log, in your next reply.
Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
    (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8055C6FC-E2F3-4FFF-8385-9D71D57A3CF6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D6FCA8ED-4715-43DE-9BD2-2789778A5B09}]
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
Note: Do not run any programs while Gmer is running.

#5 muddog

muddog
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 26 July 2009 - 03:31 PM

The GMER didn't work. It said it encountered a problem and needs to close, both times I did it.

Here is the JavaRa log

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jul 26 15:01:08 2009

Found and removed: C:\Program Files\Java\j2re1.4.2_03

Found and removed: C:\Documents and Settings\NAME REMOVED\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\NAME REMOVED\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\NAME REMOVED\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\JavaPlugin.142_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB9B14518A96D117A58000B0D410203

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jul 26 15:01:39 2009

------------------------------------

Finished reporting.


And here is the OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8055C6FC-E2F3-4FFF-8385-9D71D57A3CF6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8055C6FC-E2F3-4FFF-8385-9D71D57A3CF6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D6FCA8ED-4715-43DE-9BD2-2789778A5B09}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6FCA8ED-4715-43DE-9BD2-2789778A5B09}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 18219258 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 3068227 bytes

User: All Users

User: NAME REMOVED
->Temp folder emptied: 1203 bytes
->Temporary Internet Files folder emptied: 12907725 bytes
->Java cache emptied: 7625715 bytes
->FireFox cache emptied: 61875277 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NAME REMOVED
->Temp folder emptied: 153777289 bytes
File delete failed. C:\Documents and Settings\NAME REMOVED\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 82333520 bytes
->Java cache emptied: 28682327 bytes
->FireFox cache emptied: 46707315 bytes
->Apple Safari cache emptied: 55351211 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NAME REMOVED
->Temp folder emptied: 3076624 bytes
->Temporary Internet Files folder emptied: 116026087 bytes
->Java cache emptied: 7627866 bytes
->FireFox cache emptied: 79458325 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NAME REMOVED
->Temp folder emptied: 983364 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 7829635 bytes
->FireFox cache emptied: 104846263 bytes

User: NAME REMOVED
->Temp folder emptied: 274865 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 7617538 bytes
->FireFox cache emptied: 54445749 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39056 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 40327573 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 851.92 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07262009_150415

#6 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 684 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 26 July 2009 - 04:39 PM

muddog,

Let's try a different rootkit scanner.

Please download RootRepeal to your desktop
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder, close all other programs (especially your security programs: anti-spyware, anti-virus, and firewall) and run RootRepeal.exe
  • Click the Report tab at the bottom and then the Scan button.
  • A box will pop up, check the boxes beside Drivers, Files, Processes SSDT and click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button, call it RepealScan and save the log to your desktop.
  • Reconnect to the internet.
  • Post the log here in your reply.


#7 muddog

muddog
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 27 July 2009 - 12:17 PM

I forgot to say, thank you for helping me =D

When I try to run RootRepeal, an error message pops up. On the top it says Virtual Memory Minimum Too Low, but there is no message and the button is blank.

#8 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 684 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 27 July 2009 - 01:17 PM

muddog,

Well then let's try this:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#9 muddog

muddog
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 27 July 2009 - 06:24 PM

Here is the ComboFix log

ComboFix 09-07-27.02 - NAME REMOVED 7/2009 Mon 18:08.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.510.196 [GMT -4:00]
Running from: c:\documents and settings\NAME REMOVED\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\934fdfg34fgjf23
c:\windows\Installer\5a10f.msi
c:\windows\system32\kdfinj.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-26 19:04 . 2009-07-26 19:04 -------- d-----w- C:\_OTM
2009-07-25 14:36 . 2009-07-25 14:36 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-25 00:41 . 2009-07-25 00:41 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-25 00:35 . 2009-07-25 00:35 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 22:38 . 2009-07-24 22:38 -------- d-----w- c:\program files\7-Zip
2009-07-24 18:19 . 2009-07-24 18:19 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IECompatCache
2009-07-24 18:15 . 2009-07-24 18:15 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-24 18:08 . 2009-07-24 18:08 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 17:48 . 2009-07-24 17:49 -------- d-----w- c:\windows\ie8updates
2009-07-24 17:43 . 2009-07-24 17:46 -------- dc-h--w- c:\windows\ie8
2009-07-24 17:08 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-24 17:08 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-24 17:08 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 17:08 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-24 17:07 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-23 23:07 . 2009-07-23 23:07 -------- d-----w- c:\program files\Alwil Software
2009-07-21 02:19 . 2009-07-21 02:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 22:37 . 2009-07-27 00:45 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 19:47 . 2009-07-27 18:35 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 14:56 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\.gimp-2.6
2009-07-14 14:56 . 2009-07-14 14:56 -------- d-----w- c:\documents and settings\NAME REMOVED\.gegl-0.0
2009-07-14 14:55 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 21:28 . 2009-07-27 22:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-07-13 21:24 . 2009-07-13 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-13 17:22 . 2009-07-27 22:20 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-07-13 17:21 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-07-13 17:21 . 2008-08-18 21:45 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-13 17:21 . 2007-02-16 18:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-07-13 17:21 . 2008-10-06 17:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-07-13 17:20 . 2009-07-13 17:20 -------- d-----w- c:\windows\system32\WTablet
2009-07-13 17:20 . 2008-12-11 17:59 186152 ------w- c:\windows\system32\Pen_Tablet.dll
2009-07-13 17:20 . 2008-12-11 17:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-13 17:20 . 2008-12-11 18:11 2749736 ------w- c:\windows\system32\Pen_Tablet.exe
2009-07-13 17:20 . 2009-07-13 17:22 -------- d-----w- c:\program files\Tablet
2009-07-13 13:02 . 2009-07-13 13:02 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-12 00:00 . 2009-07-13 12:57 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-11 12:07 . 2009-07-06 12:59 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-10 16:52 . 2009-07-11 01:38 -------- d-----w- c:\documents and settings\NAME REMOVED\DoctorWeb
2009-07-09 15:34 . 2009-07-09 15:34 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Rosetta Stone
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Common Files\Apple
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iPod
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iTunes
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\BAM! Entertainment
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\Microsoft Money
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 01:40 . 2009-07-07 01:40 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-06 20:34 . 2009-07-06 20:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-07-06 20:31 . 2009-07-06 20:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 20:29 . 2009-07-06 20:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 18:51 . 2009-07-06 18:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 18:50 . 2009-07-06 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-06 13:00 . 2009-07-06 12:59 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 12:58 . 2009-07-27 22:22 117760 ----a-w- c:\documents and settings\NAME REMOVED\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 12:57 . 2009-07-06 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 12:56 . 2009-07-06 12:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 12:56 . 2009-07-06 12:56 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\SUPERAntiSpyware.com
2009-07-05 22:15 . 2009-07-05 22:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-05 18:48 . 2009-07-06 13:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-05 18:04 . 2009-07-05 18:04 -------- d-----w- c:\program files\Enigma Software Group
2009-07-03 20:56 . 2009-07-03 20:56 -------- d--h--w- c:\windows\PIF
2009-07-03 14:46 . 2009-07-03 14:46 -------- d-s---w- c:\documents and settings\NAME REMOVED\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 22:07 . 2008-12-24 21:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\gtk-2.0
2009-07-26 19:01 . 2004-09-26 21:21 -------- d-----w- c:\program files\Java
2009-07-24 18:15 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-24 17:27 . 2008-12-12 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 16:32 . 2009-04-04 16:36 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 17:36 . 2008-12-12 22:02 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2008-12-12 22:02 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 12:08 . 2009-05-12 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 13:10 . 2004-09-26 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 12:59 . 2009-05-12 02:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 20:19 . 2009-05-12 02:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-27 20:19 . 2009-06-27 20:19 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-27 20:19 . 2009-06-27 20:19 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-27 20:18 . 2009-06-27 20:18 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-25 20:53 . 2009-05-12 15:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\Apple Computer
2009-06-25 20:51 . 2009-05-12 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-22 07:06 . 2009-04-02 03:45 -------- d-----w- c:\program files\INITECH
2009-06-22 06:48 . 2009-06-22 06:48 77824 ----a-w- c:\windows\system32\kdfapi.dll
2009-06-22 06:48 . 2009-06-22 06:48 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2009-06-22 06:48 . 2009-06-22 06:48 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 640352 ----a-w- c:\windows\system32\kdfmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 172129 ----a-w- c:\windows\system32\kdfmod.dll
2009-06-22 06:46 . 2009-06-22 06:46 708096 ----a-w- c:\windows\system32\INIcrypto20.dll
2009-06-22 06:46 . 2009-06-22 06:46 154752 ----a-w- c:\windows\system32\INIWebCrypto.dll
2009-06-22 06:46 . 2009-06-22 06:46 233472 ----a-w- c:\windows\system32\PubCertDlg.dll
2009-06-22 06:46 . 2009-06-22 06:46 655360 ----a-w- c:\windows\system32\ISPPopUpDlg.exe
2009-06-22 06:45 . 2009-06-22 06:45 93312 ----a-w- c:\windows\system32\INICertStore.dll
2009-06-22 06:45 . 2009-06-22 06:45 251008 ----a-w- c:\windows\system32\INICertManUI.dll
2009-06-22 06:45 . 2009-06-22 06:45 28672 ----a-w- c:\windows\system32\ISP_crgen.dll
2009-06-22 06:45 . 2009-06-22 06:45 73728 ----a-w- c:\windows\system32\ISP_INISafeNet.dll
2009-06-22 06:45 . 2009-06-22 06:45 3952640 ----a-w- c:\windows\system32\KvpVcmd.dll
2009-06-17 20:21 . 2008-12-29 20:26 -------- d-----w- c:\program files\The Learning Company
2009-06-16 14:55 . 2002-08-29 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 14:52 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-05 17:52 . 2009-06-05 17:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\AVGTOOLBAR
2009-06-03 19:27 . 2009-05-10 23:58 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:37 . 2009-06-12 15:21 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-01 00:24 . 2008-11-27 17:56 206184 ----a-w- c:\windows\system32\skcbgm.exe
2009-06-01 00:24 . 2008-11-27 17:56 144744 ----a-w- c:\windows\system32\skcbgmf1.dll
2009-05-31 22:49 . 2009-05-31 22:49 -------- d-----w- c:\program files\Macromedia
2009-05-31 00:35 . 2009-05-31 00:35 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\AVGTOOLBAR
2009-05-31 00:34 . 2008-11-27 05:19 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 23:06 . 2009-05-28 23:06 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\Apple Computer
2009-05-22 20:48 . 2008-12-06 17:15 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 13:50 . 2009-05-12 02:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-14 13:49 . 2009-05-12 02:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 05:15 . 2009-05-10 23:57 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:34 . 2008-11-29 19:27 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 17:36 . 2009-05-12 17:36 50708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-12 02:07 . 2008-11-28 13:26 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 01:21 . 2008-11-27 05:59 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 15:02 . 2004-05-11 15:02 78699 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-07 15:44 . 2009-05-10 23:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 19:00 . 2008-11-28 13:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-26 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"imekrmig"="c:\ime\IMKR\imekrmig.exe" [2001-01-09 44544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-9-26 36953]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-14 13:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\skcbgm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/11/2009 10:17 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/11/2009 10:17 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/11/2009 10:15 PM 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\SYSTEM32\Pen_Tablet.exe [7/13/2009 1:20 PM 2749736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\SYSTEM32\DRIVERS\wacmoumonitor.sys [7/13/2009 1:21 PM 15656]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-27 c:\windows\Tasks\User_Feed_Synchronization-{4650BAE3-C36C-4B52-8D36-DB04D29DCF46}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
DPF: {0365D95C-5061-42AB-B118-EAA3CB956E8E} - hxxp://www.bccard.com/plugin/markany/MaPrintModule_BCCard.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.conpia.com/cab/alwaysOn/AlwaysOn.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxp://mpi.dacom.net/XMPI/js/LGDacom_XMPI_20080924.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_78.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.conpia.com/cab/yozzi/MagicLockOCX(2310).cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8305.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D4CA4B54-056A-4011-BC50-7C49AFF981A4} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtCxCtlCon.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxps://plugin.inicis.com/wallet60_inilite/INIwallet60.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
FF - ProfilePath - c:\documents and settings\NAME REMOVED\Application Data\Mozilla\Firefox\Profiles\wo75oh8o.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-27 18:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\conime.exe
c:\windows\SYSTEM32\WTablet\Pen_TabletUser.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-27 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-27 22:27

Pre-Run: 3,351,478,272 bytes free
Post-Run: 3,396,595,712 bytes free

312 --- E O F --- 2009-07-16 01:39
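Working through a log of this length by eye is where things get missed, so here is an added example (not a ComboFix or BleepingComputer tool) that parses the three line shapes seen in the log above: the "Files Created" / Find3M entries, the R/S service and driver lines, and the DPF ActiveX entries. The sample lines are constructed copies of entries from this log, and the three heuristics (a registered service whose image is absent from disk, an ActiveX cab served over plain HTTP, a system32 executable whose creation and modification times coincide) are my triage assumptions, not ComboFix behaviour. Hits are review items, not verdicts: the Korean payment and certificate plugins in this log (INITECH, inicis, kcp) will trip the DPF rule and may well be expected on this machine.

```python
"""Triage ComboFix-style log lines.

Added example, not ComboFix's or BleepingComputer's code. The heuristics are the
author's assumptions for a first pass; every hit still needs a human verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Line shapes as they appear in the log above:
#   <created> . <modified> <size|--------> <attrs> <path>   (Files Created / Find3M)
#   R1 name;description;path [date size]                    (running service or driver)
#   S3 name;description;path --> path [?]                   (registered, binary missing)
#   DPF: {CLSID} - hxxp://host/file.cab                     (IE ActiveX download entry)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>.*)\]$"
)
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")

EXEC_EXT = (".exe", ".dll", ".sys")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: the same line shapes as the log above, trimmed to a handful.
SAMPLE_LOG = r"""2009-07-13 17:20 . 2008-12-11 18:11 2749736 ------w- c:\windows\system32\Pen_Tablet.exe
2009-06-22 06:48 . 2009-06-22 06:48 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-07-13 21:24 . 2009-07-13 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/11/2009 10:17 PM 335752]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
"""


@dataclass
class Finding:
    kind: str
    subject: str
    why: str


def triage(log_text: str) -> List[Finding]:
    """Return review items found in ComboFix log text, in the order they appear."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            # ComboFix prints "--> path [?]" when the registered image is not on disk:
            # a half-removed component, or a driver whose file was already cleaned up.
            if m["info"].strip() == "?":
                findings.append(Finding("missing_service_binary", m["name"],
                                        f"service entry still registered but {m['path']} is absent"))
            continue

        m = DPF_RE.match(line)
        if m:
            # ComboFix defangs URLs (http -> hxxp). A control delivered over plain HTTP
            # has no transport authentication; flag it for review, not as a verdict.
            if m["url"].lower().startswith("hxxp://"):
                findings.append(Finding("plaintext_activex_download", m["url"],
                                        "ActiveX cab fetched over unauthenticated HTTP"))
            continue

        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            low = path.lower()
            # Installers usually copy files that carry an older modification time (the
            # Pen_Tablet.exe line). A system32 executable whose creation and modification
            # times coincide was written fresh on this machine and deserves a look.
            if low.startswith(SYSTEM32) and low.endswith(EXEC_EXT) and m["created"] == m["modified"]:
                findings.append(Finding("fresh_system32_executable", path,
                                        "created and last modified at the same minute"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.why}")
```

Run it against a saved ComboFix.txt by passing the file contents to `triage()`; on the constructed sample it reports the `scsk5` service with its missing driver, `kdfvmgr.exe`, and the one cab served over plain HTTP, while leaving the Wacom driver, the AVG driver and the HTTPS-delivered cab alone.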

#10 Tomk_
  • Malware Eradicator
  • Malware Response Team

Posted 27 July 2009 - 07:05 PM

muddog,

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. I am not comfortable continuing without it as we are potentially dealing with a rootkit.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

#11 muddog
  • Topic Starter
  • Members

Posted 28 July 2009 - 07:06 PM

Thank you for caring for my computer's safety.
Log:

ComboFix 09-07-28.01 - NAME REMOVED 8/2009 Tue 19:12.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.510.254 [GMT -4:00]
Running from: c:\documents and settings\NAME REMOVED\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NAME REMOVED\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))
.

2009-07-26 19:04 . 2009-07-26 19:04 -------- d-----w- C:\_OTM
2009-07-25 14:36 . 2009-07-25 14:36 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-25 00:41 . 2009-07-25 00:41 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-25 00:35 . 2009-07-25 00:35 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 22:38 . 2009-07-24 22:38 -------- d-----w- c:\program files\7-Zip
2009-07-24 18:19 . 2009-07-24 18:19 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IECompatCache
2009-07-24 18:15 . 2009-07-24 18:15 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-24 18:08 . 2009-07-24 18:08 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 17:48 . 2009-07-24 17:49 -------- d-----w- c:\windows\ie8updates
2009-07-24 17:43 . 2009-07-24 17:46 -------- dc-h--w- c:\windows\ie8
2009-07-24 17:08 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-24 17:08 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-24 17:08 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 17:08 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-24 17:07 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-23 23:07 . 2009-07-23 23:07 -------- d-----w- c:\program files\Alwil Software
2009-07-21 02:19 . 2009-07-21 02:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 22:37 . 2009-07-28 00:57 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 19:47 . 2009-07-28 14:47 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 14:56 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\.gimp-2.6
2009-07-14 14:56 . 2009-07-14 14:56 -------- d-----w- c:\documents and settings\NAME REMOVED\.gegl-0.0
2009-07-14 14:55 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 21:28 . 2009-07-28 22:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-07-13 21:24 . 2009-07-13 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-13 17:22 . 2009-07-28 22:54 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-07-13 17:21 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-07-13 17:21 . 2008-08-18 21:45 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-13 17:21 . 2007-02-16 18:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-07-13 17:21 . 2008-10-06 17:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-07-13 17:20 . 2009-07-13 17:20 -------- d-----w- c:\windows\system32\WTablet
2009-07-13 17:20 . 2008-12-11 17:59 186152 ------w- c:\windows\system32\Pen_Tablet.dll
2009-07-13 17:20 . 2008-12-11 17:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-13 17:20 . 2008-12-11 18:11 2749736 ------w- c:\windows\system32\Pen_Tablet.exe
2009-07-13 17:20 . 2009-07-13 17:22 -------- d-----w- c:\program files\Tablet
2009-07-13 13:02 . 2009-07-13 13:02 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-12 00:00 . 2009-07-13 12:57 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-11 12:07 . 2009-07-06 12:59 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-10 16:52 . 2009-07-11 01:38 -------- d-----w- c:\documents and settings\NAME REMOVED\DoctorWeb
2009-07-09 15:34 . 2009-07-09 15:34 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Rosetta Stone
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Common Files\Apple
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iPod
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iTunes
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\BAM! Entertainment
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\Microsoft Money
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 01:40 . 2009-07-07 01:40 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-06 20:34 . 2009-07-06 20:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-07-06 20:31 . 2009-07-06 20:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 20:29 . 2009-07-06 20:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 18:51 . 2009-07-06 18:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 18:50 . 2009-07-06 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-06 13:00 . 2009-07-06 12:59 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 12:58 . 2009-07-28 22:55 117760 ----a-w- c:\documents and settings\NAME REMOVED\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 12:57 . 2009-07-06 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 12:56 . 2009-07-06 12:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 12:56 . 2009-07-06 12:56 -------- d-----w- c:\documents and settings\NAME REMOVEDApplication Data\SUPERAntiSpyware.com
2009-07-05 22:15 . 2009-07-05 22:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-05 18:48 . 2009-07-06 13:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-05 18:04 . 2009-07-05 18:04 -------- d-----w- c:\program files\Enigma Software Group
2009-07-03 20:56 . 2009-07-03 20:56 -------- d--h--w- c:\windows\PIF
2009-07-03 14:46 . 2009-07-03 14:46 -------- d-s---w- c:\documents and settings\NAME REMOVED\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 23:17 . 2008-12-24 21:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\gtk-2.0
2009-07-26 19:01 . 2004-09-26 21:21 -------- d-----w- c:\program files\Java
2009-07-24 18:15 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-24 17:27 . 2008-12-12 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 16:32 . 2009-04-04 16:36 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 17:36 . 2008-12-12 22:02 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2008-12-12 22:02 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 12:08 . 2009-05-12 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 13:10 . 2004-09-26 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 12:59 . 2009-05-12 02:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 20:19 . 2009-05-12 02:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 20:53 . 2009-05-12 15:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\Apple Computer
2009-06-25 20:51 . 2009-05-12 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-22 07:06 . 2009-04-02 03:45 -------- d-----w- c:\program files\INITECH
2009-06-22 06:48 . 2009-06-22 06:48 77824 ----a-w- c:\windows\system32\kdfapi.dll
2009-06-22 06:48 . 2009-06-22 06:48 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2009-06-22 06:48 . 2009-06-22 06:48 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 640352 ----a-w- c:\windows\system32\kdfmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 172129 ----a-w- c:\windows\system32\kdfmod.dll
2009-06-22 06:46 . 2009-06-22 06:46 708096 ----a-w- c:\windows\system32\INIcrypto20.dll
2009-06-22 06:46 . 2009-06-22 06:46 154752 ----a-w- c:\windows\system32\INIWebCrypto.dll
2009-06-22 06:46 . 2009-06-22 06:46 233472 ----a-w- c:\windows\system32\PubCertDlg.dll
2009-06-22 06:46 . 2009-06-22 06:46 655360 ----a-w- c:\windows\system32\ISPPopUpDlg.exe
2009-06-22 06:45 . 2009-06-22 06:45 93312 ----a-w- c:\windows\system32\INICertStore.dll
2009-06-22 06:45 . 2009-06-22 06:45 251008 ----a-w- c:\windows\system32\INICertManUI.dll
2009-06-22 06:45 . 2009-06-22 06:45 28672 ----a-w- c:\windows\system32\ISP_crgen.dll
2009-06-22 06:45 . 2009-06-22 06:45 73728 ----a-w- c:\windows\system32\ISP_INISafeNet.dll
2009-06-22 06:45 . 2009-06-22 06:45 3952640 ----a-w- c:\windows\system32\KvpVcmd.dll
2009-06-17 20:21 . 2008-12-29 20:26 -------- d-----w- c:\program files\The Learning Company
2009-06-16 14:55 . 2002-08-29 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 14:52 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-05 17:52 . 2009-06-05 17:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\AVGTOOLBAR
2009-06-03 19:27 . 2009-05-10 23:58 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:37 . 2009-06-12 15:21 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-01 00:24 . 2008-11-27 17:56 206184 ----a-w- c:\windows\system32\skcbgm.exe
2009-06-01 00:24 . 2008-11-27 17:56 144744 ----a-w- c:\windows\system32\skcbgmf1.dll
2009-05-31 22:49 . 2009-05-31 22:49 -------- d-----w- c:\program files\Macromedia
2009-05-31 00:35 . 2009-05-31 00:35 -------- d-----w- c:\documents and settings\Dad\Application Data\AVGTOOLBAR
2009-05-31 00:34 . 2008-11-27 05:19 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 20:48 . 2008-12-06 17:15 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 13:50 . 2009-05-12 02:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-14 13:49 . 2009-05-12 02:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 05:15 . 2009-05-10 23:57 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:34 . 2008-11-29 19:27 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 17:36 . 2009-05-12 17:36 50708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-12 02:07 . 2008-11-28 13:26 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 01:21 . 2008-11-27 05:59 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 15:02 . 2004-05-11 15:02 78699 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-07 15:44 . 2009-05-10 23:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 19:00 . 2008-11-28 13:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-27_22.21.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-28 22:54 . 2009-07-28 22:54 16384 c:\windows\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-26 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"imekrmig"="c:\ime\IMKR\imekrmig.exe" [2001-01-09 44544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-9-26 36953]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-14 13:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\skcbgm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/11/2009 10:17 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/11/2009 10:17 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/11/2009 10:15 PM 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\SYSTEM32\Pen_Tablet.exe [7/13/2009 1:20 PM 2749736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\SYSTEM32\DRIVERS\wacmoumonitor.sys [7/13/2009 1:21 PM 15656]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-28 c:\windows\Tasks\User_Feed_Synchronization-{4650BAE3-C36C-4B52-8D36-DB04D29DCF46}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
DPF: {0365D95C-5061-42AB-B118-EAA3CB956E8E} - hxxp://www.bccard.com/plugin/markany/MaPrintModule_BCCard.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.conpia.com/cab/alwaysOn/AlwaysOn.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxp://mpi.dacom.net/XMPI/js/LGDacom_XMPI_20080924.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_78.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.conpia.com/cab/yozzi/MagicLockOCX(2310).cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8305.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D4CA4B54-056A-4011-BC50-7C49AFF981A4} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtCxCtlCon.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxps://plugin.inicis.com/wallet60_inilite/INIwallet60.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
FF - ProfilePath - c:\documents and settings\Eunhae Gloria\Application Data\Mozilla\Firefox\Profiles\wo75oh8o.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-28 19:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-07-28 19:26
ComboFix-quarantined-files.txt 2009-07-28 23:26
ComboFix2.txt 2009-07-27 22:27

Pre-Run: 3,408,257,024 bytes free
Post-Run: 3,382,509,568 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

296 --- E O F --- 2009-07-16 01:39

#12 Tomk_

    Malware Eradicator

  • Malware Response Team
  • 684 posts

Posted 28 July 2009 - 08:04 PM

muddog,

Thank you. I just want some options if something goes wrong. Rootkits are very tricky. The good news is, I think it's now dead. We'll check though.

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\drivers\scsk5.sys
    
    Driver::
    scsk5
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then I'd like you to try Gmer again. If, and only if, it doesn't work still, please try RootRepeal (I don't need both).

Then
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


#13 muddog
  • Topic Starter

  • Members
  • 17 posts

Posted 30 July 2009 - 06:27 PM

GMER and RootRepeal didn't work.

This is the ComboFix log:

ComboFix 09-07-29.01 - NAME REMOVED 9/2009 Wed 13:36.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.510.209 [GMT -4:00]
Running from: c:\documents and settings\NAME REMOVED\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NAME REMOVED\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\scsk5.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SCSK5
-------\Service_scsk5


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 13:35 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 13:35 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-28 23:05 . 2009-07-28 23:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-26 19:04 . 2009-07-26 19:04 -------- d-----w- C:\_OTM
2009-07-25 14:36 . 2009-07-25 14:36 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-25 00:41 . 2009-07-25 00:41 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-25 00:35 . 2009-07-25 00:35 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 22:38 . 2009-07-24 22:38 -------- d-----w- c:\program files\7-Zip
2009-07-24 18:19 . 2009-07-24 18:19 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IECompatCache
2009-07-24 18:15 . 2009-07-24 18:15 -------- d-sh--w- c:\documents and settings\NAME REMOVED\PrivacIE
2009-07-24 18:08 . 2009-07-24 18:08 -------- d-sh--w- c:\documents and settings\NAME REMOVED\IETldCache
2009-07-24 17:48 . 2009-07-24 17:49 -------- d-----w- c:\windows\ie8updates
2009-07-24 17:43 . 2009-07-24 17:46 -------- dc-h--w- c:\windows\ie8
2009-07-24 17:08 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-24 17:08 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-24 17:08 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 17:08 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-24 17:07 . 2009-07-19 22:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-23 23:07 . 2009-07-23 23:07 -------- d-----w- c:\program files\Alwil Software
2009-07-21 02:19 . 2009-07-21 02:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 22:37 . 2009-07-28 00:57 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 19:47 . 2009-07-29 14:08 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-14 14:56 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\.gimp-2.6
2009-07-14 14:56 . 2009-07-14 14:56 -------- d-----w- c:\documents and settings\NAME REMOVED\.gegl-0.0
2009-07-14 14:55 . 2009-07-14 15:03 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 21:28 . 2009-07-29 17:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-07-13 21:24 . 2009-07-13 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-13 17:22 . 2009-07-29 20:14 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\WTablet
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-07-13 17:22 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-13 17:21 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-07-13 17:21 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-13 17:21 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-07-13 17:21 . 2008-08-18 21:45 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-13 17:21 . 2007-02-16 18:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-13 17:21 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-07-13 17:21 . 2008-10-06 17:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-07-13 17:20 . 2009-07-13 17:20 -------- d-----w- c:\windows\system32\WTablet
2009-07-13 17:20 . 2008-12-11 17:59 186152 ------w- c:\windows\system32\Pen_Tablet.dll
2009-07-13 17:20 . 2008-12-11 17:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-13 17:20 . 2008-12-11 18:11 2749736 ------w- c:\windows\system32\Pen_Tablet.exe
2009-07-13 17:20 . 2009-07-13 17:22 -------- d-----w- c:\program files\Tablet
2009-07-13 13:02 . 2009-07-13 13:02 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-12 00:00 . 2009-07-13 12:57 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-11 12:07 . 2009-07-06 12:59 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-10 16:52 . 2009-07-11 01:38 -------- d-----w- c:\documents and settings\NAME REMOVED\DoctorWeb
2009-07-09 15:34 . 2009-07-09 15:34 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Rosetta Stone
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\program files\Common Files\Apple
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iPod
2009-07-09 15:33 . 2009-07-25 22:01 -------- d-----w- c:\program files\iTunes
2009-07-09 15:33 . 2009-07-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\BAM! Entertainment
2009-07-08 13:33 . 2009-07-08 13:33 -------- d-----w- c:\program files\Microsoft Money
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 14:07 . 2009-07-08 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 01:40 . 2009-07-07 01:40 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-06 20:34 . 2009-07-06 20:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-07-06 20:31 . 2009-07-06 20:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 20:29 . 2009-07-06 20:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 18:51 . 2009-07-06 18:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 18:50 . 2009-07-06 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-06 13:00 . 2009-07-06 12:59 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 12:58 . 2009-07-29 20:15 117760 ----a-w- c:\documents and settings\NAME REMOVED\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 12:57 . 2009-07-06 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 12:56 . 2009-07-29 17:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 12:56 . 2009-07-06 12:56 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\SUPERAntiSpyware.com
2009-07-05 22:15 . 2009-07-05 22:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-05 18:48 . 2009-07-06 13:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-05 18:04 . 2009-07-05 18:04 -------- d-----w- c:\program files\Enigma Software Group
2009-07-03 20:56 . 2009-07-03 20:56 -------- d--h--w- c:\windows\PIF
2009-07-03 14:46 . 2009-07-03 14:46 -------- d-s---w- c:\documents and settings\NAME REMOVED\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 23:17 . 2008-12-24 21:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\gtk-2.0
2009-07-26 19:01 . 2004-09-26 21:21 -------- d-----w- c:\program files\Java
2009-07-24 18:15 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-24 17:27 . 2008-12-12 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 16:32 . 2009-04-04 16:36 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 17:36 . 2008-12-12 22:02 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2008-12-12 22:02 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 12:08 . 2009-05-12 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 13:10 . 2004-09-26 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 12:59 . 2009-05-12 02:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2009-05-10 23:57 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-27 20:19 . 2009-05-12 02:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 20:53 . 2009-05-12 15:30 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\Apple Computer
2009-06-25 20:51 . 2009-05-12 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-22 07:06 . 2009-04-02 03:45 -------- d-----w- c:\program files\INITECH
2009-06-22 06:48 . 2009-06-22 06:48 77824 ----a-w- c:\windows\system32\kdfapi.dll
2009-06-22 06:48 . 2009-06-22 06:48 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2009-06-22 06:48 . 2009-06-22 06:48 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 640352 ----a-w- c:\windows\system32\kdfmgr.exe
2009-06-22 06:48 . 2009-06-22 06:48 172129 ----a-w- c:\windows\system32\kdfmod.dll
2009-06-22 06:46 . 2009-06-22 06:46 708096 ----a-w- c:\windows\system32\INIcrypto20.dll
2009-06-22 06:46 . 2009-06-22 06:46 154752 ----a-w- c:\windows\system32\INIWebCrypto.dll
2009-06-22 06:46 . 2009-06-22 06:46 233472 ----a-w- c:\windows\system32\PubCertDlg.dll
2009-06-22 06:46 . 2009-06-22 06:46 655360 ----a-w- c:\windows\system32\ISPPopUpDlg.exe
2009-06-22 06:45 . 2009-06-22 06:45 93312 ----a-w- c:\windows\system32\INICertStore.dll
2009-06-22 06:45 . 2009-06-22 06:45 251008 ----a-w- c:\windows\system32\INICertManUI.dll
2009-06-22 06:45 . 2009-06-22 06:45 28672 ----a-w- c:\windows\system32\ISP_crgen.dll
2009-06-22 06:45 . 2009-06-22 06:45 73728 ----a-w- c:\windows\system32\ISP_INISafeNet.dll
2009-06-22 06:45 . 2009-06-22 06:45 3952640 ----a-w- c:\windows\system32\KvpVcmd.dll
2009-06-17 20:21 . 2008-12-29 20:26 -------- d-----w- c:\program files\The Learning Company
2009-06-16 14:55 . 2002-08-29 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 14:52 . 2009-06-12 14:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-05 17:52 . 2009-06-05 17:51 -------- d-----w- c:\documents and settings\NAME REMOVED\Application Data\AVGTOOLBAR
2009-06-03 19:27 . 2009-05-10 23:58 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 17:37 . 2009-06-12 15:21 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-01 00:24 . 2008-11-27 17:56 206184 ----a-w- c:\windows\system32\skcbgm.exe
2009-06-01 00:24 . 2008-11-27 17:56 144744 ----a-w- c:\windows\system32\skcbgmf1.dll
2009-05-31 22:49 . 2009-05-31 22:49 -------- d-----w- c:\program files\Macromedia
2009-05-31 00:35 . 2009-05-31 00:35 -------- d-----w- c:\documents and settings\Dad\Application Data\AVGTOOLBAR
2009-05-31 00:34 . 2008-11-27 05:19 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 20:48 . 2008-12-06 17:15 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 13:50 . 2009-05-12 02:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-14 13:49 . 2009-05-12 02:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-12 20:34 . 2008-11-29 19:27 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 17:36 . 2009-05-12 17:36 50708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-12 02:07 . 2008-11-28 13:26 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 01:21 . 2008-11-27 05:59 50744 ----a-w- c:\documents and settings\NAME REMOVED\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 15:02 . 2004-05-11 15:02 78699 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-07 15:44 . 2009-05-10 23:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 19:00 . 2008-11-28 13:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-27_22.21.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-29 17:47 . 2009-07-29 17:47 16384 c:\windows\Temp\Perflib_Perfdata_754.dat
- 2009-03-08 08:31 . 2009-03-08 08:31 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2009-07-03 17:09 55296 c:\windows\SYSTEM32\msfeedsbs.dll
- 2009-05-10 23:59 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2009-05-10 23:59 . 2009-07-03 17:09 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2009-02-20 08:30 . 2009-07-03 17:09 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2009-02-20 08:30 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 12800 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-07-29 14:09 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
+ 2009-05-10 23:58 . 2009-07-03 17:09 206848 c:\windows\SYSTEM32\occache.dll
- 2009-03-08 08:32 . 2009-03-08 08:32 594432 c:\windows\SYSTEM32\msfeeds.dll
+ 2009-03-08 08:32 . 2009-07-03 17:09 594432 c:\windows\SYSTEM32\msfeeds.dll
+ 2009-05-10 23:59 . 2009-07-03 17:09 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2009-05-10 23:59 . 2009-07-03 17:09 386048 c:\windows\SYSTEM32\iedkcs32.dll
+ 2009-05-10 23:59 . 2009-07-03 11:01 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2009-05-10 23:59 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2009-02-20 08:30 . 2009-05-13 05:15 915456 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2009-02-20 08:30 . 2009-07-03 17:09 915456 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2009-03-08 08:34 . 2009-07-03 17:09 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2009-02-20 08:30 . 2009-07-03 17:09 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2009-03-08 18:09 . 2009-07-03 17:09 386048 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2009-03-08 08:32 . 2009-07-03 11:01 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2009-03-08 08:32 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2009-07-29 14:09 . 2009-05-13 05:15 915456 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-07-29 14:09 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-07-29 14:09 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-07-29 14:09 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-07-29 14:09 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 246272 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-07-29 14:09 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 385536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-07-29 14:09 . 2009-04-30 11:21 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2009-05-10 23:57 . 2009-07-03 17:09 1208832 c:\windows\SYSTEM32\urlmon.dll
+ 2009-05-10 23:59 . 2009-07-19 13:18 5937152 c:\windows\SYSTEM32\mshtml.dll
+ 2009-03-08 08:32 . 2009-07-03 17:09 1985536 c:\windows\SYSTEM32\iertutil.dll
+ 2009-02-20 08:30 . 2009-07-03 17:09 1208832 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2009-02-20 08:30 . 2009-07-19 13:18 5937152 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 1207808 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-07-29 14:09 . 2009-05-13 05:15 5936128 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2009-03-08 08:39 . 2009-07-19 22:48 11067392 c:\windows\SYSTEM32\ieframe.dll
+ 2009-07-29 14:09 . 2009-04-30 21:22 11064832 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-29 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-26 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"imekrmig"="c:\ime\IMKR\imekrmig.exe" [2001-01-09 44544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-9-26 36953]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-14 13:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\skcbgm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/11/2009 10:17 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/11/2009 10:17 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/11/2009 10:15 PM 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\SYSTEM32\Pen_Tablet.exe [7/13/2009 1:20 PM 2749736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\SYSTEM32\DRIVERS\wacmoumonitor.sys [7/13/2009 1:21 PM 15656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-29 c:\windows\Tasks\User_Feed_Synchronization-{4650BAE3-C36C-4B52-8D36-DB04D29DCF46}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
DPF: {0365D95C-5061-42AB-B118-EAA3CB956E8E} - hxxp://www.bccard.com/plugin/markany/MaPrintModule_BCCard.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.conpia.com/cab/alwaysOn/AlwaysOn.CAB
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxp://mpi.dacom.net/XMPI/js/LGDacom_XMPI_20080924.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxps://plugin.inicis.com/banktown/initech/plugin/down/INIS60.cab
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_78.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.conpia.com/cab/yozzi/MagicLockOCX(2310).cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8305.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {D4CA4B54-056A-4011-BC50-7C49AFF981A4} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtCxCtlCon.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxps://plugin.inicis.com/wallet60_inilite/INIwallet60.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} - hxxps://plugin.inicis.com/banktown/wallet/plugin/BtPmntClient.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
FF - ProfilePath - c:\documents and settings\Eunhae Gloria\Application Data\Mozilla\Firefox\Profiles\wo75oh8o.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\conime.exe
c:\windows\SYSTEM32\WTablet\Pen_TabletUser.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-29 16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 20:20
ComboFix2.txt 2009-07-28 23:26
ComboFix3.txt 2009-07-27 22:27

Pre-Run: 3,202,465,792 bytes free
Post-Run: 3,187,179,520 bytes free

363 --- E O F --- 2009-07-29 14:09

And here is the Kaspersky log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 30, 2009 18:27:46
Records in database: 2564123
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 70219
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:49:23

No malware has been detected. The scan area is clean.

The selected area was scanned.

#14 Tomk_

    Malware Eradicator

  • Malware Response Team
  • 684 posts

Posted 30 July 2009 - 07:22 PM

muddog,

Hmm. This is a less powerful Ark scan. Let's try it anyway.

Then please also let me know how your computer is acting.

Download Rooter.exe to your desktop
  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here
And don't forget to tell me how your computer is running.

#15 muddog

  • Topic Starter
  • Members
  • 17 posts

Posted 31 July 2009 - 07:01 PM

The computer is slow, but not as much as it was before. But my computer is old anyway. Gmail still doesn't work on Firefox, but that's about it.

Here is the Rooter log, I think

Windows XP Home Edition (5.1.2600) Service Pack 2
[32_bits] - x86 Family 15 Model 3 Stepping 4, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.12 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:33 Go - Free:2 Go )
D:\ [CD_Rom]
.
Scan : 19:56.17
Path : C:\Documents and Settings\Eunhae Gloria\Desktop\Rooter.exe
User : Eunhae Gloria ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (760)
______ \??\C:\WINDOWS\system32\csrss.exe (816)
______ \??\C:\WINDOWS\system32\winlogon.exe (840)
______ C:\WINDOWS\system32\services.exe (884)
______ C:\WINDOWS\system32\lsass.exe (896)
______ C:\WINDOWS\system32\svchost.exe (1056)
______ C:\WINDOWS\system32\svchost.exe (1104)
______ C:\WINDOWS\System32\svchost.exe (1144)
______ C:\WINDOWS\System32\svchost.exe (1264)
______ C:\WINDOWS\system32\svchost.exe (1292)
______ C:\WINDOWS\system32\spoolsv.exe (1568)
______ C:\WINDOWS\System32\svchost.exe (1700)
______ C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (1736)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1756)
______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1836)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1884)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1928)
______ C:\WINDOWS\System32\svchost.exe (204)
______ C:\WINDOWS\system32\Pen_Tablet.exe (292)
______ C:\WINDOWS\System32\wdfmgr.exe (364)
______ C:\WINDOWS\wanmpsvc.exe (252)
______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (948)
______ C:\PROGRA~1\AVG\AVG8\avgnsx.exe (900)
______ C:\WINDOWS\Explorer.EXE (632)
______ C:\WINDOWS\System32\hkcmd.exe (2428)
______ C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe (2436)
______ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (2444)
______ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (2500)
______ C:\Program Files\Dell\Media Experience\PCMService.exe (2516)
______ C:\Program Files\Real\RealPlayer\RealPlay.exe (2584)
______ C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (2628)
______ C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (2636)
______ C:\Program Files\Common Files\Dell\EUSW\Support.exe (2644)
______ C:\PROGRA~1\AVG\AVG8\avgtray.exe (2660)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2676)
______ C:\Program Files\iTunes\iTunesHelper.exe (2684)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (2712)
______ C:\WINDOWS\system32\ctfmon.exe (2724)
______ C:\WINDOWS\system32\Pen_Tablet.exe (2732)
______ c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe (3092)
______ C:\Program Files\America Online 9.0\aoltray.exe (3112)
______ C:\WINDOWS\System32\alg.exe (3184)
______ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (3292)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3352)
______ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (3416)
______ C:\Program Files\iPod\bin\iPodService.exe (3724)
______ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe (580)
______ C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe (1252)
______ C:\Program Files\AVG\AVG8\avgui.exe (3900)
______ C:\WINDOWS\system32\wuauclt.exe (248)
______ C:\Documents and Settings\Eunhae Gloria\Desktop\Rooter.exe (3364)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:49319424)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:49351680 | Length:36183006720)
\Device\Harddisk0\Partition3 (Start_Offset:36232358400 | Length:3758952960)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\DESKTOP.INI
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{4650BAE3-C36C-4B52-8D36-DB04D29DCF46}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 19:56.37
.
C:\Rooter$\Rooter_1.txt - (31/07/2009 | 19:56.37)

