Multiple viruses including Antivirus Pro 2010

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Multiple viruses including Antivirus Pro 2010 Malware

#1 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 13 October 2009 - 12:15 AM

Earlier today, I thought that if it came down to posting on one of these sites, I was just going to stop using a computer. Here I am. Here's my HijackThis log. Any help would be REALLY appreciated. Fire away, please.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:55 AM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Documents and Settings\Garrick Behelfer\Application Data\seres.exe
C:\Documents and Settings\Garrick Behelfer\Application Data\svcst.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\asgui.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\csrss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\services.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\install.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\login.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\g.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe sfsp.cfo beforegttav
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Garrick Behelfer\Application Data\seres.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\g.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Garrick Behelfer\Application Data\svcst.exe
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\asgui.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\csrss.exe
O4 - S-1-5-18 Startup: is-6E0HA.lnk = C:\Documents and Settings\Garrick Behelfer\Desktop\Virus Removal Tool\is-6E0HA\startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: is-G5H4M.lnk = E:\Virus Removal Tool1\is-G5H4M\startup.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: is-6E0HA.lnk = C:\Documents and Settings\Garrick Behelfer\Desktop\Virus Removal Tool\is-6E0HA\startup.exe (User 'Default user')
O4 - .DEFAULT Startup: is-G5H4M.lnk = E:\Virus Removal Tool1\is-G5H4M\startup.exe (User 'Default user')
O4 - Startup: is-6E0HA.lnk = C:\Documents and Settings\Garrick Behelfer\Desktop\Virus Removal Tool\is-6E0HA\startup.exe
O4 - Startup: is-G5H4M.lnk = E:\Virus Removal Tool1\is-G5H4M\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.yobabyyogurt.com/YBCoupons/ScriptX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader57.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Filter hijack: text/html - {67a9593d-894c-4acf-8b0a-3f6072935c49} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9be8efd675b54) (gupdate1c9be8efd675b54) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 11854 bytes

EDIT: I am attaching my DDS log as well - Du to my computer illiteracy, I am not sure if this is an different from the HJT log attached above. Thanks!

DDS (Ver_09-10-13.01) - NTFSx86
Run by Garrick Behelfer at 17:36:52.62 on Tue 10/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.123 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Documents and Settings\Garrick Behelfer\Application Data\seres.exe
C:\Documents and Settings\Garrick Behelfer\Application Data\svcst.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\asgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\install.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\login.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\system.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\mdm.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\DOCUME~1\GARRIC~1\LOCALS~1\Temp\g.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Garrick Behelfer\Local Settings\Temporary Internet Files\Content.IE5\76KR4O3P\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe rundll32.exe sfsp.cfo beforegttav
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [mserv] c:\documents and settings\garrick behelfer\application data\seres.exe
uRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0
uRun: [PopRock] c:\docume~1\garric~1\locals~1\temp\g.exe
uRun: [svchost] c:\documents and settings\garrick behelfer\application data\svcst.exe
uRun: [Login Software 2009] c:\docume~1\garric~1\locals~1\temp\asgui.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\garric~1\locals~1\temp\services.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPWQTOOLBOX] c:\program files\hewlett-packard\hp deskjet 9800 series\toolbox\HPWQTBX.exe "-i"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [McPvTray] c:\program files\mcafee\anti-theft\McPvTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
StartupFolder: c:\docume~1\garric~1\startm~1\programs\startup\is-6e0ha.lnk - c:\documents and settings\garrick behelfer\desktop\virus removal tool\is-6e0ha\startup.exe
StartupFolder: c:\docume~1\garric~1\startm~1\programs\startup\is-g5h4m.lnk - e:\virus removal tool1\is-g5h4m\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.yobabyyogurt.com/YBCoupons/ScriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: text/html - {67a9593d-894c-4acf-8b0a-3f6072935c49} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-31 64160]
R0 McPvDrv;McPvDrv;c:\windows\system32\drivers\McPvDrv.sys [2008-5-28 61688]
R1 is-6E0HAdrv;is-6E0HAdrv;c:\windows\system32\drivers\09447866.sys [2009-10-12 148496]
R1 is-G5H4Mdrv;is-G5H4Mdrv;c:\windows\system32\drivers\95766709.sys [2009-10-12 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S2 gupdate1c9be8efd675b54;Google Update Service (gupdate1c9be8efd675b54);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [2004-8-4 2304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-10-13 15:35 12,424 a------- c:\windows\nifamy.exe
2009-10-13 00:00 <DIR> --d----- c:\program files\Trend Micro
2009-10-12 23:57 <DIR> --ds---- C:\ComboFix
2009-10-12 22:59 48,164,896 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-12 22:59 14,564 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-12 22:51 <DIR> a-dshr-- C:\cmdcons
2009-10-12 22:48 236,544 a------- c:\windows\PEV.exe
2009-10-12 22:48 161,792 a------- c:\windows\SWREG.exe
2009-10-12 22:48 98,816 a------- c:\windows\sed.exe
2009-10-12 22:46 389,120 a------- c:\windows\system32\CF26021.exe
2009-10-12 20:21 148,496 a------- c:\windows\system32\drivers\95766709.sys
2009-10-12 20:01 148,496 a------- c:\windows\system32\drivers\09447866.sys
2009-10-12 19:45 17,523 a------- c:\program files\common files\sowo.com
2009-10-12 19:45 13,903 a------- c:\windows\fibeky.db
2009-10-12 19:45 13,744 a------- c:\windows\tifuryt._sy
2009-10-12 19:45 11,253 a------- c:\windows\ysan.dl
2009-10-12 19:45 14,592 a------- c:\windows\system32\ufodiduno.exe
2009-10-12 19:45 16,873 a------- c:\windows\ozegonij.com
2009-10-12 19:45 12,661 a------- c:\windows\obylupezyh.bin
2009-10-12 19:45 11,869 a------- c:\windows\xigumibon.ban
2009-10-12 07:45 47,104 a------- c:\windows\system32\drivers\smss.exe
2009-10-12 07:27 1,995,264 a------- c:\windows\system32\AVR09.exe
2009-10-12 07:27 22,528 a------- c:\windows\system32\winhelper.dll
2009-10-12 07:25 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-12 07:24 831 a------- c:\windows\system32\critical_warning.html
2009-10-12 07:24 0 a----r-- c:\windows\win32k.sys
2009-10-12 07:24 18,432 a------- C:\riyxlqe.exe
2009-10-12 07:24 24,576 a------- c:\windows\system32\winupdate.exe
2009-10-12 07:24 192,520 -------- C:\lyqr.exe
2009-10-12 07:24 15,000 a------- c:\windows\system32\v77d0hjarg.dll
2009-10-12 07:24 189,440 a------- C:\tfdp.exe
2009-10-12 07:24 31,232 a------- C:\iytcqy.exe
2009-10-12 07:24 24,576 a------- C:\nmihj.exe
2009-10-12 07:24 19,456 a------- C:\cwxa.exe
2009-10-12 07:24 9,216 a------- C:\svhkapw.exe
2009-10-12 07:23 315,904 a------- c:\windows\system32\~.exe
2009-10-12 07:21 221,184 a------- c:\windows\system32\_scui.cpl
2009-10-12 07:20 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-10-12 07:18 22,016 a------- c:\docume~1\garric~1\applic~1\svcst.exe
2009-10-12 07:18 22,016 a------- c:\docume~1\garric~1\applic~1\seres.exe
2009-10-12 07:18 22,016 a------- c:\windows\system32\a.exe
2009-10-11 23:27 163,840 a------- c:\windows\msa.exe
2009-10-11 23:27 226,308 a------- c:\windows\system32\msxml71.dll
2009-10-08 20:23 19,091 a------- c:\windows\system32\qeduno.com
2009-10-08 20:23 17,087 a------- c:\windows\ekygyryqik.dl
2009-10-08 20:23 16,348 a------- c:\windows\ziqysikof.reg
2009-10-08 20:23 15,710 a------- c:\docume~1\garric~1\applic~1\azezexa.reg
2009-10-08 20:23 12,096 a------- c:\windows\dudaf.bin
2009-10-08 20:23 11,152 a------- c:\program files\common files\fadozyluwe.dat
2009-10-08 20:23 10,614 a------- c:\docume~1\alluse~1\applic~1\azufilatet.reg
2009-10-08 07:51 <DIR> --d----- c:\windows\system32\schtml
2009-10-08 07:48 36 a------- c:\windows\system32\skynet.dat
2009-10-08 07:48 58 a------- c:\windows\wf4.dat
2009-10-08 07:48 3 a------- c:\windows\wf3.dat
2009-10-08 07:47 548,352 a------- c:\windows\system32\pump.exe
2009-10-08 07:47 99 a------- c:\windows\system32\wwp.htm
2009-10-08 07:41 233,584 a------- c:\docume~1\garric~1\applic~1\lizkavd.exe
2009-10-08 07:35 133 a------- C:\divqh.dat
2009-10-08 07:35 46 a------- C:\p2hhr.bat
2009-10-08 07:35 25,600 a------- c:\windows\system32\sfsp.cfo
2009-10-08 07:34 193,032 a------- C:\houkh.exe
2009-10-08 07:34 208,384 a------- C:\dvglbk.exe
2009-10-08 07:34 48,640 a------- C:\hgxs.exe
2009-10-08 07:34 18,432 a------- C:\tixqapi.exe
2009-10-08 07:34 9,216 a------- C:\wridiint.exe
2009-10-08 06:14 <DIR> --d----- c:\program files\WinPcap
2009-10-08 06:10 26,112 a------- c:\windows\system32\stu2.exe

==================== Find3M ====================

2009-10-12 23:19 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-11 08:07 49,152 a------- c:\windows\system32\userinit.exe
2009-10-08 20:23 11,695 a------- c:\program files\common files\imyryl._dl
2009-10-08 07:45 1,050,659 a--sh--- c:\windows\system32\loboseta.exe
2009-10-08 07:45 1,050,659 a--sh--- c:\windows\system32\fayivani.exe
2009-10-08 07:45 194,056 a--sh--- c:\windows\system32\jegugose.exe
2009-09-21 17:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-06-08 14:25 94,696 a------- c:\docume~1\garric~1\applic~1\GDIPFONTCACHEV1.DAT
2005-05-03 12:55 28,896 a------- c:\program files\Mc

============= FINISH: 17:37:24.62 ===============

This post has been edited by trucha del mar: 13 October 2009 - 05:47 PM

#2 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 27 October 2009 - 12:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#3 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 28 October 2009 - 07:10 AM

Hi _temp_ - My MS Security software pops up a dialog box that says that OTL has been reported to be linked to known viruses and recommends that I not download it. Thoughts?

#4 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 29 October 2009 - 12:04 PM

Hi,

we are working on the issue, I don't know why the site is being flagged. The file is clean and is used frequently all over this board. If you feel uneasy about using this file, please provide an DDS log instead:

Please run a scan with DDS:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#5 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 29 October 2009 - 01:44 PM

OK _temp_, I will put up the latest log when I get home tonight. Thanks!

#6 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 29 October 2009 - 10:09 PM

OK, full disclosure: I read another post and used ComboFix according to the instructions a week after I posted my initial log. My computer seems to be OK since then, but I've been keeping up with the thread just to make sure. Here is tonight's DDS log. Thanks for your continuing help.

DDS (Ver_09-10-26.01) - NTFSx86
Run by XXXXXXXXXXXXX at 22:03:39.70 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.188 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Garrick Behelfer\Local Settings\Temporary Internet Files\Content.IE5\3EFQZN7M\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPWQTOOLBOX] c:\program files\hewlett-packard\hp deskjet 9800 series\toolbox\HPWQTBX.exe "-i"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\garric~1\startm~1\programs\startup\is-6e0ha.lnk - c:\documents and settings\garrick behelfer\desktop\virus removal tool\is-6e0ha\startup.exe
StartupFolder: c:\docume~1\garric~1\startm~1\programs\startup\is-g5h4m.lnk - e:\virus removal tool1\is-g5h4m\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.yobabyyogurt.com/YBCoupons/ScriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-31 64160]
R0 McPvDrv;McPvDrv;c:\windows\system32\drivers\McPvDrv.sys [2008-5-28 61688]
R1 is-6E0HAdrv;is-6E0HAdrv;c:\windows\system32\drivers\09447866.sys [2009-10-12 148496]
R1 is-G5H4Mdrv;is-G5H4Mdrv;c:\windows\system32\drivers\95766709.sys [2009-10-12 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
S2 gupdate1c9be8efd675b54;Google Update Service (gupdate1c9be8efd675b54);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [2004-8-4 2304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-10-29 00:00:43 0 d-----w- C:\3137247f4f1563378797
2009-10-28 00:00:22 0 d-----w- C:\682ccf9f8774ea9182
2009-10-26 23:58:08 0 d-----w- C:\e4b026686dfe560cc5eed5cdea
2009-10-17 16:59:10 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 16:54:56 0 d-----w- c:\program files\Microsoft Security Essentials
2009-10-14 12:33:30 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-14 12:33:28 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-13 05:00:42 0 d-----w- c:\program files\Trend Micro
2009-10-13 03:59:39 270325792 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-13 03:59:39 2468396 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-13 03:51:03 0 d-sha-r- C:\cmdcons
2009-10-13 03:48:58 98816 ----a-w- c:\windows\sed.exe
2009-10-13 03:48:58 236544 ----a-w- c:\windows\PEV.exe
2009-10-13 03:48:58 161792 ----a-w- c:\windows\SWREG.exe
2009-10-13 01:21:14 148496 ----a-w- c:\windows\system32\drivers\95766709.sys
2009-10-13 01:01:43 148496 ----a-w- c:\windows\system32\drivers\09447866.sys
2009-10-13 00:45:26 13903 ----a-w- c:\windows\fibeky.db
2009-10-13 00:45:24 16873 ----a-w- c:\windows\ozegonij.com
2009-10-09 01:23:09 19091 ----a-w- c:\windows\system32\qeduno.com
2009-10-09 01:23:09 11152 ----a-w- c:\program files\common files\fadozyluwe.dat
2009-10-08 12:47:20 99 ----a-w- c:\windows\system32\wwp.htm
2009-10-08 12:35:37 133 ----a-w- C:\divqh.dat
2009-10-08 11:10:58 26112 ----a-w- c:\windows\system32\stu2.exe

==================== Find3M ====================

2009-10-23 23:51:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-19 13:14:15 103520 ----a-w- c:\docume~1\garric~1\applic~1\GDIPFONTCACHEV1.DAT
2009-09-28 14:45:30 82072 ----a-w- c:\windows\fonts\SCRIPTIN.ttf
2009-09-28 14:45:30 11652 ----a-w- c:\windows\fonts\SCRIPALT.ttf
2009-09-28 14:45:08 40920 ----a-w- c:\windows\fonts\SCHOON.TTF
2009-09-28 14:44:49 42652 ----a-w- c:\windows\fonts\Old Script.ttf
2009-09-28 14:44:30 75228 ----a-w- c:\windows\fonts\HenryMorganHand.ttf
2009-09-28 14:43:47 27660 ----a-w- c:\windows\fonts\Champignon.ttf
2009-09-28 14:43:47 27468 ----a-w- c:\windows\fonts\champignonaltswash.ttf
2009-09-25 21:30:21 83244 ----a-w- c:\windows\fonts\yesterday-regulardb.ttf
2009-09-25 21:29:11 70832 ----a-w- c:\windows\fonts\kremlinscriptone-regulardb.ttf
2009-09-25 21:27:18 35892 ----a-w- c:\windows\fonts\fortunaschwein.ttf
2009-09-25 21:26:38 30424 ----a-w- c:\windows\fonts\be______.ttf
2009-09-25 21:21:25 37000 ----a-w- c:\windows\fonts\eyechartbold.ttf
2009-09-25 21:14:24 61676 ----a-w- c:\windows\fonts\Achafita.ttf
2009-09-25 21:14:24 61548 ----a-w- c:\windows\fonts\Achafsex.ttf
2009-09-25 21:14:24 61016 ----a-w- c:\windows\fonts\Achaflft.ttf
2009-09-25 21:14:24 60544 ----a-w- c:\windows\fonts\Achafexp.ttf
2009-09-25 21:14:24 59760 ----a-w- c:\windows\fonts\Achafont.ttf
2009-09-25 21:14:24 118260 ----a-w- c:\windows\fonts\Achafout.ttf
2009-09-21 22:13:53 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 19:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-07 00:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-07 00:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-07 00:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-07 00:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-07 00:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-07 00:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-07 00:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 01:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2005-05-03 17:55:01 28896 ----a-w- c:\program files\Mc
2009-03-31 16:03:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

============= FINISH: 22:04:39.96 ===============

#7 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 30 October 2009 - 07:06 AM

Hi,
as you probably already know:
ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

As you have already run Combofix, you should have a file C:\combofix.txt containing the log of ComboFix. Please post it in your next reply.

There still are a couple of leftovers on your system.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Please also run a scan with rootrepeal:

Download RootRepeal from the following location and save it to your desktop.
Extract the contents of RootRepeal.zip, to your desktop.
Double click on your desktop.
Click on the report tab, then click scan
Check all seven boxes:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT
Click Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

Please post the log from ComboFix, Malwarebytes and RootRepeal in your next reply.

regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#8 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 30 October 2009 - 11:19 PM

OK, here is the initial CF Log from a couple of weeks ago. I thought it was a normal log, but all it was was this:
c:windows\system32\drivers\gasfkypxyxumob
c:windows\system32\gasfkywutfqptb.dll
c:windows\system32\gasfkyaijwqbad.dat
c:windows\system32\gasfkyoqyclxus.dll
c:windows\system32\gasfkyjolillot.dat
c:windows\system32\gasfkyoiqaknbo.dll
c:windows\system32\gasfkycpaijufy.dll
c:windows\system32\gasfkyovxthina.dll

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 3

10/30/2009 10:28:59 PM
mbam-log-2009-10-30 (22-28-40).txt

Scan type: Quick Scan
Objects scanned: 118003
Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\isapeep (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\isapeep.sys (Backdoor.Bot) -> No action taken.

Here are the RR logs (separated, for some reason)

RR_Drivers_Log_10_30_09.txt (48.79K)
Number of downloads: 12

RR_Files_Log_10_30_09.txt (11.39K)
Number of downloads: 8

RR_Processes_Log_10_30_09.txt (7.9K)
Number of downloads: 9

RR_Shadow_SSDT_Log_10_30_09.txt (87.29K)
Number of downloads: 11

RR_SSDT_Log_10_30_09.txt (36.44K)
Number of downloads: 5

Please let me know if you need anything else. Thanks.

#9 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 31 October 2009 - 09:37 AM

Hi,

ok, please run Combofix again:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#10 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 31 October 2009 - 11:31 PM

Latest CF Log:

ComboFix 09-10-30.01 - Garrick Behelfer 10/31/2009 22:46.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.164 [GMT -5:00]
Running from: c:\documents and settings\Garrick Behelfer\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 03:43 . 2009-11-01 03:44 -------- d-----w- C:\827bba109eafbbb7430434
2009-10-31 16:46 . 2009-10-31 16:46 -------- d-----w- c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\Temp
2009-10-31 03:13 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 03:13 . 2009-10-31 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 03:13 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 23:59 . 2009-10-30 23:59 -------- d-----w- C:\71172fb4629239747b66
2009-10-29 00:00 . 2009-10-29 00:01 -------- d-----w- C:\3137247f4f1563378797
2009-10-28 00:00 . 2009-10-28 00:00 -------- d-----w- C:\682ccf9f8774ea9182
2009-10-26 23:58 . 2009-10-26 23:59 -------- d-----w- C:\e4b026686dfe560cc5eed5cdea
2009-10-17 16:59 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 16:54 . 2009-10-17 16:55 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-14 12:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-14 12:33 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-13 05:00 . 2009-10-13 05:00 -------- d-----w- c:\program files\Trend Micro
2009-10-13 03:59 . 2009-11-01 04:01 301926432 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-13 01:21 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\95766709.sys
2009-10-13 01:01 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\09447866.sys
2009-10-13 00:45 . 2009-10-13 00:45 12603 ----a-w- c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\ikixeke.dat
2009-10-13 00:45 . 2009-10-13 00:45 16873 ----a-w- c:\windows\ozegonij.com
2009-10-12 13:35 . 2009-10-12 13:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-12 13:33 . 2009-10-12 13:35 -------- d-----w- c:\documents and settings\Administrator
2009-10-09 01:23 . 2009-10-09 01:23 19091 ----a-w- c:\windows\system32\qeduno.com
2009-10-09 01:23 . 2009-10-09 01:23 11152 ----a-w- c:\program files\Common Files\fadozyluwe.dat
2009-10-08 12:35 . 2009-10-10 13:26 133 ----a-w- C:\divqh.dat
2009-10-08 12:35 . 2009-10-08 12:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-08 12:34 . 2009-10-08 12:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-08 11:10 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 03:44 . 2009-04-01 02:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-31 03:35 . 2008-02-17 23:47 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-31 03:31 . 2009-10-13 03:59 3271940 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-28 11:47 . 2005-05-02 03:01 -------- d-----w- c:\documents and settings\Garrick Behelfer\Application Data\AdobeUM
2009-10-28 11:47 . 2005-04-29 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-20 20:06 . 2005-04-27 00:51 103520 ----a-w- c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:45 . 2008-10-02 00:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-21 22:13 . 2009-03-31 22:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 15:03 . 2009-09-06 15:03 -------- d-----w- c:\program files\Netopia
2009-09-06 14:52 . 2005-04-27 01:00 -------- d-----w- c:\program files\Microsoft Money
2009-09-05 23:58 . 2005-04-23 12:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-05 23:58 . 2009-09-05 23:58 -------- d-----w- c:\documents and settings\Garrick Behelfer\Application Data\InstallShield
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-04 10:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-04 10:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-04-27 05:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-04 10:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-04 10:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-02-18 09:43 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2008-02-18 09:43 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2004-08-04 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 1980-01-01 05:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 05:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2005-05-03 17:55 . 2005-05-03 17:55 28896 ----a-w- c:\program files\Mc
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_12.58.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-23 12:36 . 2009-10-13 22:42 53436 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-04-23 12:36 . 2009-10-20 23:06 53436 c:\windows\SYSTEM32\PERFC009.DAT
- 2006-11-08 02:03 . 2009-07-03 17:09 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-11-08 02:03 . 2009-08-29 08:08 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2004-08-04 10:00 . 2009-07-03 17:09 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2009-09-06 16:10 . 2009-07-03 17:09 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
+ 2009-09-06 16:10 . 2009-08-29 08:08 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
- 2007-06-02 00:42 . 2009-07-03 17:09 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2007-06-02 00:42 . 2009-08-29 08:08 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\SYSTEM32\DLLCACHE\msasn1.dll
- 2006-05-10 05:22 . 2009-07-03 17:09 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-05-10 05:22 . 2009-08-29 08:08 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2005-04-27 00:37 . 2009-10-17 13:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-27 00:37 . 2009-10-13 03:48 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-27 00:37 . 2009-10-13 03:48 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-27 00:37 . 2009-10-17 13:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-27 00:37 . 2009-10-13 03:48 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-10-16 18:17 . 2009-10-17 13:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2009-10-31 16:46 . 2009-10-31 16:46 22528 c:\windows\Installer\2d5128b.msi
- 2005-06-29 22:20 . 2009-08-17 08:01 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-10-22 08:04 . 2009-07-03 17:09 12800 c:\windows\ie8updates\KB974455-IE8\xpshims.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 55296 c:\windows\ie8updates\KB974455-IE8\msfeedsbs.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 25600 c:\windows\ie8updates\KB974455-IE8\jsproxy.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 90112 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_3f5f271e\System.Drawing.Design.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 61440 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_76561815\CustomMarshalers.dll
+ 2009-10-16 13:36 . 2009-10-16 13:36 20480 c:\windows\ASSEMBLY\GAC\ArbusApplicationController\1.0.3093.38280__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2009-09-04 08:29 . 2009-09-04 08:29 20480 c:\windows\ASSEMBLY\GAC\ArbusApplicationController\1.0.3093.38280__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2009-09-04 08:29 . 2009-09-04 08:29 20480 c:\windows\ASSEMBLY\GAC\Arbus.Interfacing.Library\1.0.4.0__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2009-10-16 13:36 . 2009-10-16 13:36 20480 c:\windows\ASSEMBLY\GAC\Arbus.Interfacing.Library\1.0.4.0__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2005-06-29 22:20 . 2009-10-16 08:02 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-08-04 10:00 . 2009-04-02 04:02 604160 c:\windows\SYSTEM32\wmspdmod.dll
- 2005-04-23 12:36 . 2009-10-13 22:42 381692 c:\windows\SYSTEM32\PERFH009.DAT
+ 2005-04-23 12:36 . 2009-10-20 23:06 381692 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-08-04 10:00 . 2009-07-03 17:09 206848 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 206848 c:\windows\SYSTEM32\occache.dll
+ 2006-11-08 02:03 . 2009-08-29 08:08 594432 c:\windows\SYSTEM32\msfeeds.dll
- 2006-11-08 02:03 . 2009-07-03 17:09 594432 c:\windows\SYSTEM32\msfeeds.dll
- 2004-08-04 10:00 . 2009-07-03 17:09 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 387584 c:\windows\SYSTEM32\iedkcs32.dll
+ 2004-08-04 10:00 . 2009-08-28 10:35 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2004-08-04 10:00 . 2009-07-03 11:01 173056 c:\windows\SYSTEM32\ie4uinit.exe
+ 2009-06-18 23:48 . 2009-06-18 23:48 142832 c:\windows\SYSTEM32\DRIVERS\MpFilter.sys
+ 2004-08-04 10:00 . 2009-04-02 04:02 604160 c:\windows\SYSTEM32\DLLCACHE\wmspdmod.dll
+ 2006-05-10 05:23 . 2009-08-29 08:08 916480 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2006-08-21 15:52 . 2009-08-26 08:00 247326 c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
- 2006-08-21 15:52 . 2008-10-03 10:02 247326 c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
- 2006-10-17 17:04 . 2009-07-03 17:09 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2006-10-17 17:04 . 2009-08-29 08:08 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\SYSTEM32\DLLCACHE\msv1_0.dll
+ 2009-06-25 08:25 . 2009-09-11 14:18 136192 c:\windows\SYSTEM32\DLLCACHE\msv1_0.dll
+ 2007-06-02 00:42 . 2009-08-29 08:08 594432 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
- 2007-06-02 00:42 . 2009-07-03 17:09 594432 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2009-09-06 16:10 . 2009-08-29 08:08 246272 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
- 2009-09-06 16:10 . 2009-07-03 17:09 246272 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
- 2006-05-10 05:22 . 2009-07-03 17:09 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2006-05-10 05:22 . 2009-08-29 08:08 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2006-11-07 08:27 . 2009-08-29 08:08 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2006-11-07 08:26 . 2009-08-28 10:35 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2006-11-07 08:26 . 2009-07-03 11:01 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2009-10-17 16:55 . 2009-10-17 16:55 259072 c:\windows\Installer\688346b.msi
+ 2009-10-17 16:55 . 2009-10-17 16:55 211968 c:\windows\Installer\6883466.msi
+ 2009-10-17 16:54 . 2009-10-17 16:54 301056 c:\windows\Installer\6883461.msi
+ 2005-06-29 22:20 . 2009-10-16 08:02 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-06-29 22:20 . 2009-08-17 08:01 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2005-06-29 22:20 . 2009-10-16 08:02 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-10-22 08:04 . 2009-07-03 17:09 915456 c:\windows\ie8updates\KB974455-IE8\wininet.dll
+ 2009-10-22 08:04 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB974455-IE8\spuninst\updspapi.dll
+ 2009-10-22 08:04 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB974455-IE8\spuninst\spuninst.exe
+ 2009-10-22 08:04 . 2009-07-03 17:09 206848 c:\windows\ie8updates\KB974455-IE8\occache.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 594432 c:\windows\ie8updates\KB974455-IE8\msfeeds.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 246272 c:\windows\ie8updates\KB974455-IE8\ieproxy.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 184320 c:\windows\ie8updates\KB974455-IE8\iepeers.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 386048 c:\windows\ie8updates\KB974455-IE8\iedkcs32.dll
+ 2009-10-22 08:04 . 2009-07-03 11:01 173056 c:\windows\ie8updates\KB974455-IE8\ie4uinit.exe
+ 2009-10-16 08:04 . 2009-10-16 08:04 835584 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_e8841ec0\System.Drawing.dll
- 2009-09-04 08:29 . 2009-09-04 08:29 126976 c:\windows\ASSEMBLY\GAC\Arbus.Common\2.2.4.3__14cac4d33a885ed2\Arbus.Common.dll
+ 2009-10-16 13:36 . 2009-10-16 13:36 126976 c:\windows\ASSEMBLY\GAC\Arbus.Common\2.2.4.3__14cac4d33a885ed2\Arbus.Common.dll
+ 2009-10-15 21:34 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 1208832 c:\windows\SYSTEM32\urlmon.dll
- 2004-08-04 10:00 . 2009-07-03 17:09 1208832 c:\windows\SYSTEM32\urlmon.dll
+ 2004-08-04 10:00 . 2009-07-17 16:22 1435648 c:\windows\SYSTEM32\query.dll
- 2004-08-04 10:00 . 2008-04-14 00:12 1435648 c:\windows\SYSTEM32\query.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 5940224 c:\windows\SYSTEM32\mshtml.dll
+ 2006-10-17 16:57 . 2009-08-29 08:08 1985536 c:\windows\SYSTEM32\iertutil.dll
- 2006-10-17 16:57 . 2009-07-03 17:09 1985536 c:\windows\SYSTEM32\iertutil.dll
+ 2004-08-10 18:08 . 2009-10-20 20:02 2220328 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2006-05-10 05:23 . 2009-07-03 17:09 1208832 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2006-05-10 05:23 . 2009-08-29 08:08 1208832 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2009-07-17 16:22 . 2009-07-17 16:22 1435648 c:\windows\SYSTEM32\DLLCACHE\query.dll
+ 2008-10-14 19:01 . 2009-08-05 01:44 2189184 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
+ 2008-10-14 19:01 . 2009-08-04 14:20 2023936 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2008-10-14 19:01 . 2009-02-06 10:32 2023936 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2008-10-14 19:01 . 2009-02-08 00:02 2066048 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2008-10-14 19:01 . 2009-08-04 14:20 2066048 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
- 2008-10-14 19:01 . 2009-02-06 11:06 2145280 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2008-10-14 19:01 . 2009-08-04 15:13 2145280 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2006-05-19 15:08 . 2009-08-29 08:08 5940224 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
- 2007-06-02 00:42 . 2009-07-03 17:09 1985536 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2007-06-02 00:42 . 2009-08-29 08:08 1985536 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2009-09-11 03:44 . 2009-09-11 03:44 6704640 c:\windows\Installer\93f9316.msp
+ 2009-10-22 08:04 . 2009-07-03 17:09 1208832 c:\windows\ie8updates\KB974455-IE8\urlmon.dll
+ 2009-10-22 08:04 . 2009-07-19 13:18 5937152 c:\windows\ie8updates\KB974455-IE8\mshtml.dll
+ 2009-10-22 08:04 . 2009-07-03 17:09 1985536 c:\windows\ie8updates\KB974455-IE8\iertutil.dll
+ 2008-10-14 19:01 . 2009-08-05 01:44 2189184 c:\windows\Driver Cache\I386\ntoskrnl.exe
- 2008-10-14 19:01 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\I386\ntkrpamp.exe
+ 2008-10-14 19:01 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\I386\ntkrpamp.exe
+ 2008-10-14 19:01 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\I386\ntkrnlpa.exe
- 2008-10-14 19:01 . 2009-02-08 00:02 2066048 c:\windows\Driver Cache\I386\ntkrnlpa.exe
- 2008-10-14 19:01 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2008-10-14 19:01 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2009-10-16 08:03 . 2009-10-16 08:03 1966080 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_c1960c6e\System.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 2088960 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_028aef06\System.Xml.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 3018752 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_43246132\System.Windows.Forms.dll
+ 2009-10-16 08:04 . 2009-10-16 08:04 1470464 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_86fe84b1\System.Design.dll
+ 2009-10-16 08:04 . 2009-10-16 08:04 3391488 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\MSCORLIB\1.0.5000.0__b77a5c561934e089_ddfeed00\mscorlib.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-07-11 08:01 . 2007-07-11 08:01 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-07-11 08:01 . 2007-07-11 08:01 1265664 c:\windows\ASSEMBLY\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-16 08:03 . 2009-10-16 08:03 1265664 c:\windows\ASSEMBLY\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-16 08:04 . 2009-10-02 16:01 25198016 c:\windows\SYSTEM32\MRT.exe
+ 2006-11-08 02:03 . 2009-08-29 08:08 11069440 c:\windows\SYSTEM32\ieframe.dll
+ 2007-06-02 00:42 . 2009-08-29 08:08 11069440 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\93f9332.msp
+ 2009-10-22 08:04 . 2009-07-19 23:48 11067392 c:\windows\ie8updates\KB974455-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"HPWQTOOLBOX"="c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-01 335872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

c:\documents and settings\Garrick Behelfer\Start Menu\Programs\Startup\
is-6E0HA.lnk - c:\documents and settings\Garrick Behelfer\Desktop\Virus Removal Tool\is-6E0HA\startup.exe [2009-10-12 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 5:13 PM 64160]
R0 McPvDrv;McPvDrv;c:\windows\SYSTEM32\DRIVERS\McPvDrv.sys [5/28/2008 9:32 AM 61688]
R1 is-6E0HAdrv;is-6E0HAdrv;c:\windows\SYSTEM32\DRIVERS\09447866.sys [10/12/2009 8:01 PM 148496]
R1 is-G5H4Mdrv;is-G5H4Mdrv;c:\windows\SYSTEM32\DRIVERS\95766709.sys [10/12/2009 8:21 PM 148496]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/2/2007 3:46 PM 124832]
S2 gupdate1c9be8efd675b54;Google Update Service (gupdate1c9be8efd675b54);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 7:29 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:13]

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 12:28]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 12:28]

2009-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-11-01 23:04
ComboFix-quarantined-files.txt 2009-11-01 04:03
ComboFix2.txt 2009-10-14 13:03

Pre-Run: 1,050,533,888 bytes free
Post-Run: 1,259,950,080 bytes free

- - End Of File - - 52D5B4770666A32BF774FF37120F3F6B

#11 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 01 November 2009 - 06:11 AM

Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\drivers\95766709.sys
c:\windows\system32\drivers\09447866.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#12 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 01 November 2009 - 02:21 PM

Virustotal results:

File 59803524.sys received on 2009.10.30 23:56:34 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.30 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.30 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.30 -
BitDefender 7.2 2009.10.30 -
CAT-QuickHeal 10.00 2009.10.30 -
ClamAV 0.94.1 2009.10.30 -
Comodo 2780 2009.10.30 -
DrWeb 5.0.0.12182 2009.10.30 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.30 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.30 -
GData 19 2009.10.30 -
Ikarus T3.1.1.72.0 2009.10.30 -
Jiangmin 11.0.800 2009.10.30 -
K7AntiVirus 7.10.884 2009.10.30 -
Kaspersky 7.0.0.125 2009.10.31 -
McAfee 5787 2009.10.30 -
McAfee+Artemis 5787 2009.10.30 -
McAfee-GW-Edition 6.8.5 2009.10.30 -
Microsoft 1.5202 2009.10.30 -
NOD32 4559 2009.10.30 -
Norman 6.03.02 2009.10.30 -
nProtect 2009.1.8.0 2009.10.30 -
Panda 10.0.2.2 2009.10.30 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.43.00 2009.10.30 -
Sophos 4.47.0 2009.10.30 -
Sunbelt 3.2.1858.2 2009.10.30 -
Symantec 1.4.4.12 2009.10.31 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.30 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.30.2013 2009.10.30 -
VirusBuster 4.6.5.0 2009.10.30 -
Additional information
File size: 148496 bytes
MD5 : 0aa3ad071827118fcc8f37f7a6ab7aa1
SHA1 : 59784c49ffe530931010070c8843366f9d7fa6f0
SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x33010
timedatestamp.....: 0x4873470A (Tue Jul 8 12:52:58 2008)
machinetype.......: 0x14C (Intel I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1A848 0x1AA00 6.38 ca8bbffb8c1aac75560de3ffede16f38
NONPAGED 0x1C000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b
.rdata 0x1D000 0x850 0xA00 4.25 6ffc26ac817e2ae1a1cf5ce42adc9f0b
.data 0x1E000 0x1B00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c
PAGE 0x20000 0x2CDC 0x2E00 6.28 7516763c152ec5b6c5df87c555fadbb5
INIT 0x23000 0x1B88 0x1C00 5.96 4459dca4b85a564cb98f26cfbff36fbe
.rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921
.reloc 0x26000 0x1B6E 0x1C00 6.47 5d73a4e2a3be56c2448dbd9511deefa3

( 0 imports )

( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 3072:xoZsjyhxlNCet3MATPO1jUFLVFnRkPjcow9gT7wNwSk7Fa/4NJ:xnjyhx8Ad6jcpgTsW/KqJ
PEiD : -
RDS : NSRL Reference Data Set

Second one:

File 59803524.sys received on 2009.10.30 23:56:34 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.30 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.30 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.30 -
BitDefender 7.2 2009.10.30 -
CAT-QuickHeal 10.00 2009.10.30 -
ClamAV 0.94.1 2009.10.30 -
Comodo 2780 2009.10.30 -
DrWeb 5.0.0.12182 2009.10.30 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.30 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.30 -
GData 19 2009.10.30 -
Ikarus T3.1.1.72.0 2009.10.30 -
Jiangmin 11.0.800 2009.10.30 -
K7AntiVirus 7.10.884 2009.10.30 -
Kaspersky 7.0.0.125 2009.10.31 -
McAfee 5787 2009.10.30 -
McAfee+Artemis 5787 2009.10.30 -
McAfee-GW-Edition 6.8.5 2009.10.30 -
Microsoft 1.5202 2009.10.30 -
NOD32 4559 2009.10.30 -
Norman 6.03.02 2009.10.30 -
nProtect 2009.1.8.0 2009.10.30 -
Panda 10.0.2.2 2009.10.30 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.43.00 2009.10.30 -
Sophos 4.47.0 2009.10.30 -
Sunbelt 3.2.1858.2 2009.10.30 -
Symantec 1.4.4.12 2009.10.31 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.30 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.30.2013 2009.10.30 -
VirusBuster 4.6.5.0 2009.10.30 -
Additional information
File size: 148496 bytes
MD5 : 0aa3ad071827118fcc8f37f7a6ab7aa1
SHA1 : 59784c49ffe530931010070c8843366f9d7fa6f0
SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x33010
timedatestamp.....: 0x4873470A (Tue Jul 8 12:52:58 2008)
machinetype.......: 0x14C (Intel I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1A848 0x1AA00 6.38 ca8bbffb8c1aac75560de3ffede16f38
NONPAGED 0x1C000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b
.rdata 0x1D000 0x850 0xA00 4.25 6ffc26ac817e2ae1a1cf5ce42adc9f0b
.data 0x1E000 0x1B00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c
PAGE 0x20000 0x2CDC 0x2E00 6.28 7516763c152ec5b6c5df87c555fadbb5
INIT 0x23000 0x1B88 0x1C00 5.96 4459dca4b85a564cb98f26cfbff36fbe
.rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921
.reloc 0x26000 0x1B6E 0x1C00 6.47 5d73a4e2a3be56c2448dbd9511deefa3

( 0 imports )

( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 3072:xoZsjyhxlNCet3MATPO1jUFLVFnRkPjcow9gT7wNwSk7Fa/4NJ:xnjyhx8Ad6jcpgTsW/KqJ
PEiD : -
RDS : NSRL Reference Data Set

#13 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 01 November 2009 - 03:09 PM

Hi,

we need to remove a couple of remaining files_

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\ikixeke.dat
c:\windows\ozegonij.com
c:\windows\system32\qeduno.com
c:\program files\Common Files\fadozyluwe.dat
C:\divqh.dat

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is your PC behaving now?
regards _temp_

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#14 trucha del mar

New Member

Group: Members
Posts: 9
Joined: 12-October 09

Posted 02 November 2009 - 08:12 AM

Hi _Temp_,

Computer seems to be acting much better lately. Here is CF log from last run.

ComboFix 09-10-30.01 - Garrick Behelfer 11/01/2009 22:19.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.271 [GMT -6:00]
Running from: c:\documents and settings\Garrick Behelfer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Garrick Behelfer\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"C:\divqh.dat"
"c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\ikixeke.dat"
"c:\program files\Common Files\fadozyluwe.dat"
"c:\windows\ozegonij.com"
"c:\windows\system32\qeduno.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\divqh.dat
c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\ikixeke.dat
c:\program files\Common Files\fadozyluwe.dat
c:\windows\ozegonij.com
c:\windows\system32\qeduno.com

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-01 03:43 . 2009-11-01 03:44 -------- d-----w- C:\827bba109eafbbb7430434
2009-10-31 16:46 . 2009-10-31 16:46 -------- d-----w- c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\Temp
2009-10-31 03:13 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 03:13 . 2009-10-31 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 03:13 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 23:59 . 2009-10-30 23:59 -------- d-----w- C:\71172fb4629239747b66
2009-10-29 00:00 . 2009-10-29 00:01 -------- d-----w- C:\3137247f4f1563378797
2009-10-28 00:00 . 2009-10-28 00:00 -------- d-----w- C:\682ccf9f8774ea9182
2009-10-26 23:58 . 2009-10-26 23:59 -------- d-----w- C:\e4b026686dfe560cc5eed5cdea
2009-10-17 16:59 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 16:54 . 2009-10-17 16:55 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-14 12:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-14 12:33 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-13 05:00 . 2009-10-13 05:00 -------- d-----w- c:\program files\Trend Micro
2009-10-13 03:59 . 2009-11-02 04:30 310005792 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-13 01:21 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\95766709.sys
2009-10-13 01:01 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\09447866.sys
2009-10-12 13:35 . 2009-10-12 13:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-12 13:33 . 2009-10-12 13:35 -------- d-----w- c:\documents and settings\Administrator
2009-10-08 12:35 . 2009-10-08 12:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-08 12:34 . 2009-10-08 12:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-08 11:10 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 19:03 . 2008-02-17 23:47 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-01 19:03 . 2009-10-13 03:59 3611684 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-31 03:44 . 2009-04-01 02:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-28 11:47 . 2005-05-02 03:01 -------- d-----w- c:\documents and settings\Garrick Behelfer\Application Data\AdobeUM
2009-10-28 11:47 . 2005-04-29 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-20 20:06 . 2005-04-27 00:51 103520 ----a-w- c:\documents and settings\Garrick Behelfer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:45 . 2008-10-02 00:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-21 22:13 . 2009-03-31 22:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 15:03 . 2009-09-06 15:03 -------- d-----w- c:\program files\Netopia
2009-09-06 14:52 . 2005-04-27 01:00 -------- d-----w- c:\program files\Microsoft Money
2009-09-05 23:58 . 2005-04-23 12:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-05 23:58 . 2009-09-05 23:58 -------- d-----w- c:\documents and settings\Garrick Behelfer\Application Data\InstallShield
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-04 10:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-04 10:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-04-27 05:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-04 10:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-04 10:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-02-18 09:43 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2008-02-18 09:43 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2004-08-04 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 1980-01-01 05:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 05:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2005-05-03 17:55 . 2005-05-03 17:55 28896 ----a-w- c:\program files\Mc
.

((((((((((((((((((((((((((((( SnapShot_2009-11-01_04.01.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-23 12:36 . 2009-10-20 23:06 53436 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-04-23 12:36 . 2009-11-01 19:06 53436 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-04-23 12:36 . 2009-11-01 19:06 381692 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-04-23 12:36 . 2009-10-20 23:06 381692 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"HPWQTOOLBOX"="c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-01 335872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

c:\documents and settings\Garrick Behelfer\Start Menu\Programs\Startup\
is-6E0HA.lnk - c:\documents and settings\Garrick Behelfer\Desktop\Virus Removal Tool\is-6E0HA\startup.exe [2009-10-12 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 4:13 PM 64160]
R0 McPvDrv;McPvDrv;c:\windows\SYSTEM32\DRIVERS\McPvDrv.sys [5/28/2008 8:32 AM 61688]
R1 is-6E0HAdrv;is-6E0HAdrv;c:\windows\SYSTEM32\DRIVERS\09447866.sys [10/12/2009 7:01 PM 148496]
R1 is-G5H4Mdrv;is-G5H4Mdrv;c:\windows\SYSTEM32\DRIVERS\95766709.sys [10/12/2009 7:21 PM 148496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1028432]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/2/2007 2:46 PM 124832]
S2 gupdate1c9be8efd675b54;Google Update Service (gupdate1c9be8efd675b54);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 6:29 AM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:13]

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 12:28]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 12:28]

2009-11-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-11-02 22:33
ComboFix-quarantined-files.txt 2009-11-02 04:33
ComboFix2.txt 2009-11-01 04:04
ComboFix3.txt 2009-10-14 13:03

Pre-Run: 1,217,585,152 bytes free
Post-Run: 1,254,453,248 bytes free

- - End Of File - - 2480389A1582ED4D70B8341EAE23E49C

#15 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 03 November 2009 - 02:25 PM

Hi

it is looking better as well.

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push