
Vundo, Conhook, Superjuan?


9 replies to this topic

#1 cinderblock

cinderblock

  • Members
  • 12 posts
  • Gender:Not Telling

Posted 03 September 2008 - 08:44 AM

Hi,
I did all the cleaning & scanning (and some re-scanning) and here's my HiJackThis log. I still think "something" is still lurking because my keyboard isn't working consistently (when pressed the key won't type, space bar won't space, etc.), the favicons on the IE tabs don't match up or show up, and after being on the internet for a while my computer starts to really slow down. I haven't been able to find any info on the infection SuperJuan that Kaspersky found. Hope to hear results soon.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:14 AM, on 9/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mspaint.exe
C:\Users\Cynthia\Desktop\Computer Issues\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D14A7B52-4CA1-4862-8470-701BDEA1071C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8263 bytes
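As an added example (not part of cinderblock's post and not code from HijackThis itself): a small Python script that parses lines in the HijackThis v2 format shown above and groups the entries a malware-response helper looks at first: autostart keys whose file is gone ("(no file)" / "(file missing)"), services with an unknown owner, system-wide hooks such as AppInit_DLLs, and the Winsock LSP chain collapsed to unique DLLs. The section codes and line layout are HijackThis's; the regular expressions, the categories and the short constructed sample are the script's own.

```python
"""Triage helper for a HijackThis v2 log. Added example: the Rxx/Oxx section
codes and line layout are HijackThis's; the regexes, categories and the
sample lines are this script's own."""
import re
from collections import Counter

# Constructed sample in the HijackThis v2.0.2 line format (modelled on the
# log in the post above, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D14A7B52-4CA1-4862-8470-701BDEA1071C} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Every entry line is "<code> - <body>"; HijackThis uses R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23 body: "Service: <display name> - <owner> - <path>"; the path starts with a drive letter,
# so a " - " inside the display name (e.g. "Spybot - Search & Destroy") still splits correctly.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+) - (?P<owner>[^-]+?) - (?P<path>[A-Za-z]:\\.*)$")


def parse_entries(text):
    """Return (code, body) tuples; header and 'Running processes' lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def parse_run_entry(body):
    """Split an O4 body into (hive, value name, command) or None if malformed."""
    m = RUN_RE.match(body)
    return (m.group("hive"), m.group("name"), m.group("command")) if m else None


def parse_service_entry(body):
    """Split an O23 body into (display name, owner, path) or None if malformed."""
    m = SERVICE_RE.match(body)
    return (m.group("name"), m.group("owner"), m.group("path")) if m else None


def triage(text):
    """Group the review-worthy entries of a HijackThis log by category."""
    findings = {k: [] for k in ("orphan", "system_wide_hook", "unknown_owner_service", "winsock_lsp")}
    lsp = Counter()
    for code, body in parse_entries(text):
        # Registry entries whose target file no longer exists (leftovers after a removal).
        if "(no file)" in body or "(file missing)" in body:
            findings["orphan"].append(body)
        # AppInit_DLLs / Winlogon Notify DLLs are loaded into many processes; always review them.
        if code == "O20":
            findings["system_wide_hook"].append(body)
        if code == "O23":
            svc = parse_service_entry(body)
            if svc and svc[1] == "Unknown owner":
                findings["unknown_owner_service"].append(body)
        # HijackThis lists an LSP once per protocol chain entry, so collapse repeats.
        if code == "O10":
            lsp[body.lower()] += 1
    findings["winsock_lsp"] = [f"{b} (x{n})" for b, n in lsp.items()]
    return findings


def run_entries(text):
    """All parsed O4 autostart entries as (hive, name, command)."""
    return [parse_run_entry(b) for c, b in parse_entries(text) if c == "O4"]


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ({len(items)})")
        for item in items:
            print("  ", item)
```

The categories are review queues, not verdicts: an orphaned BHO or an "Unknown owner" service is often just an uninstaller leftover or an OEM utility without version information, and a Winsock LSP repeated nine times is one provider registered in several protocol chains. The point of parsing the log is to get those items in front of a human in seconds instead of scrolling a 150-line paste.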


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 15 September 2008 - 11:37 PM

Hello cinderblock and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, please download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 90 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop; post the OTViewIt.txt and Extras.txt logs in your next post.
Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 cinderblock

cinderblock
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Not Telling

Posted 21 September 2008 - 10:22 AM

Hi Johannes,
I generated the two files you specified and they are attached. I hope you will get back to me soon. I have system slow-down and my keyboard gets quirky (for instance I'll have to press the "e" button three or four times for the "e" to type) but both are inconsistent.
Thanks for your help.




#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 22 September 2008 - 12:48 PM

hi cinderblock,

please do not attach logs, but rather post them in the replies. It makes my life much easier in terms of analysing the logs and helps others with similar problems.

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Java™ SE Runtime Environment 6, Java™ 6 Update 2, Java™ 6 Update 3, Java™ 6 Update 4, Java™ 6 Update 5, Adobe Acrobat - Reader 6.0.2 Update, Adobe Acrobat and Reader 6.0.3 Update, Adobe Acrobat and Reader 6.0.4 Update, Adobe Acrobat and Reader 6.0.5 Update

Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Please post back with the required logs. Thanks!

YoHi

-edit- removed one step as you already got latest Java :thumbsup:

Edited by Yourhighness, 22 September 2008 - 12:49 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 cinderblock

cinderblock
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Not Telling

Posted 23 September 2008 - 01:16 PM

hi yohi,
sorry for the attachments; i will copy & paste from now on (hopefully there won't be too much more of this).
i ran the combofix and here are the results:

ComboFix 08-09-20.05 - Cynthia 2008-09-23 12:15:24.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.256 [GMT -5:00]
Running from: C:\Users\Cynthia\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{525D3~1
C:\Program Files\Common Files\{525D3~1\slscp.log
C:\Program Files\Common Files\{525D3~1\SLZOOM\autorun.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\Ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\readme.txt
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.exe
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.MSI
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipco.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipgx.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\TLRecAgent.sys
c:\users\cynthia\appdata\roaming\microsoft\windows\cookies\cynthia@a.vonage[3].txt
c:\users\cynthia\appdata\roaming\microsoft\windows\cookies\cynthia@ehg.allstate[1].txt
c:\users\cynthia\appdata\roaming\microsoft\windows\cookies\cynthia@hb.pcworld[2].txt
c:\users\cynthia\appdata\roaming\microsoft\windows\cookies\cynthia@www35.vzw[1].txt
c:\users\cynthia\appdata\roaming\microsoft\windows\cookies\cynthia@www35.vzw[3].txt
C:\Windows\system32\bmvgdayg.ini
C:\Windows\System32\devcuwhn.ini
C:\Windows\system32\fgpcdohs.ini
C:\Windows\system32\JSuCbcdd.ini
C:\Windows\System32\oWEKknnn.ini
C:\Windows\system32\pmcqqbyt.ini
C:\Windows\system32\rfhoqsyt.ini
C:\Windows\system32\ufshoqje.ini
C:\Windows\System32\vvcbgpyp.ini
C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-23 12:23 . 2008-09-23 12:24 200,312,390 --a------ C:\Windows\MEMORY.DMP
2008-09-19 20:09 . 2008-09-19 20:09 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\skypePM
2008-09-19 20:08 . 2008-09-19 20:10 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\Skype
2008-09-15 12:23 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Searches
2008-09-15 12:23 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Contacts
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Videos
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Saved Games
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Pictures
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Music
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Links
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Downloads
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Documents
2008-09-15 12:22 . 2006-11-02 07:37 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\Media Center Programs
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> d--h----- C:\Users\Guest Acct\AppData
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> d-------- C:\Users\Guest Acct
2008-09-10 08:36 . 2008-07-30 22:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-10 08:35 . 2008-07-30 20:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-10 08:35 . 2008-08-01 20:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-10 08:35 . 2008-06-25 22:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-10 08:35 . 2008-06-25 22:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-10 08:35 . 2008-05-08 14:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-10 08:35 . 2008-05-19 21:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-10 08:35 . 2008-06-25 22:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-10 08:35 . 2008-08-01 22:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-04 02:14 . 2008-07-19 00:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-04 02:14 . 2008-07-18 22:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-04 02:14 . 2008-07-19 00:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-04 02:14 . 2008-07-19 00:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-04 02:13 . 2008-07-19 00:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-04 02:13 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-04 02:13 . 2008-07-18 22:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-04 02:13 . 2008-07-19 00:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-04 02:13 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-09-03 15:22 . 2008-09-03 15:22 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-09-03 15:22 . 2005-11-14 04:23 1,228,800 --a------ C:\Windows\System32\FoxBurner.ocx
2008-09-03 15:22 . 2003-12-17 15:00 1,208,320 --a------ C:\Windows\System32\PTxSCP.ocx
2008-09-03 15:22 . 2007-07-31 11:57 1,164,728 --a------ C:\Windows\System32\NMSDVDXU.dll
2008-09-03 15:22 . 2004-02-08 15:53 856,064 --a------ C:\Windows\System32\mpgfiltr.ax
2008-09-03 15:22 . 2005-01-18 23:44 454,656 --a------ C:\Windows\System32\FoxDVDImager.ocx
2008-09-03 15:22 . 2002-03-25 02:03 380,928 --a------ C:\Windows\System32\CDRipperX.ocx
2008-09-03 15:22 . 2005-01-18 23:18 323,584 --a------ C:\Windows\System32\FoxImager.dll
2008-09-03 15:22 . 2007-04-06 00:08 196,608 --a------ C:\Windows\System32\VideoEdit.ocx
2008-09-03 15:22 . 1998-06-17 23:00 89,360 --a------ C:\Windows\System32\VB5DB.DLL
2008-09-03 15:22 . 2003-08-19 04:31 81,920 --a------ C:\Windows\System32\viscomwave.dll
2008-09-03 10:27 . 2008-09-15 07:47 <DIR> d-------- C:\Users\Guest\AppData\Roaming\skypePM
2008-09-03 10:25 . 2008-09-15 07:49 <DIR> d-------- C:\Users\Guest\AppData\Roaming\Skype
2008-09-03 10:22 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Searches
2008-09-03 10:21 . 2008-09-03 10:21 <DIR> dr------- C:\Users\Guest\Contacts
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Videos
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Saved Games
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Pictures
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Music
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Links
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Downloads
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Documents
2008-09-03 10:20 . 2006-11-02 07:37 <DIR> d-------- C:\Users\Guest\AppData\Roaming\Media Center Programs
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> d--h----- C:\Users\Guest\AppData
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> d-------- C:\Users\Guest
2008-09-02 18:22 . 2008-09-02 18:22 <DIR> d-------- C:\Program Files\Cisco Systems
2008-08-25 20:49 . 2008-08-25 20:49 <DIR> d-------- C:\Program Files\getservices
2008-08-25 19:20 . 2008-08-25 19:57 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-25 19:20 . 2008-08-25 19:57 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-25 19:20 . 2008-08-25 19:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-25 16:58 . 2008-08-25 18:52 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-25 14:23 . 2008-09-03 08:52 <DIR> d-------- C:\Program Files\Panda Security
2008-08-25 12:21 . 2008-08-25 14:23 <DIR> d-------- C:\Users\Cynthia\.housecall6.6
2008-08-24 20:17 . 2008-08-24 20:17 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-24 20:17 . 2008-08-24 20:17 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-08-24 20:16 . 2008-08-24 20:16 <DIR> d-------- C:\Users\Cynthia\AppData\Roaming\SUPERAntiSpyware.com
2008-08-24 20:16 . 2008-08-24 20:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-23 12:35 . 2008-08-23 12:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-23 12:35 . 2008-07-19 09:36 51,280 --a------ C:\Windows\System32\drivers\aswMonFlt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 17:22 12,470,560 ----a-w C:\Windows\system32\drivers\fidbox.dat
2008-09-23 16:59 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-09-23 16:57 --------- d-----w C:\Users\Cynthia\AppData\Roaming\Skype
2008-09-23 16:52 --------- d-----w C:\Users\Cynthia\AppData\Roaming\skypePM
2008-09-23 16:27 167,468 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-09-23 16:20 --------- d-----w C:\ProgramData\pdf995
2008-09-23 15:20 --------- d-----w C:\Program Files\Java
2008-09-23 14:23 --------- d-----w C:\Users\Cynthia\AppData\Roaming\OpenOffice.org2
2008-09-04 21:59 --------- d-----w C:\Program Files\Quicken
2008-09-03 20:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 17:57 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-25 01:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 22:32 5,775,648 ----a-w C:\Windows\system32\drivers\fidbox(18).dat
2008-08-24 22:09 78,284 --sha-w C:\Windows\system32\drivers\fidbox(19).idx
2008-08-22 16:45 5,436,960 ----a-w C:\Windows\system32\drivers\fidbox(80).dat
2008-08-21 16:03 73,412 --sha-w C:\Windows\system32\drivers\fidbox(81).idx
2008-08-20 11:32 4,539,168 --sha-w C:\Windows\system32\drivers\fidbox(19).dat
2008-08-20 11:32 31,220 --sha-w C:\Windows\system32\drivers\fidbox(20).idx
2008-08-13 23:25 112,144 ----a-w C:\Windows\system32\drivers\kl1.sys
2008-08-13 23:23 96,976 ----a-w C:\Windows\system32\drivers\klin.dat
2008-08-13 23:23 87,855 ----a-w C:\Windows\system32\drivers\klick.dat
2008-08-13 22:38 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-13 22:30 --------- d-----w C:\ProgramData\Trend Micro
2008-08-13 12:39 --------- d-----w C:\Program Files\Windows Mail
2008-08-12 18:12 718,008 --sha-w C:\Windows\System32\oWEKknnn.ini2
2008-08-11 14:12 716,529 --sha-w C:\Windows\System32\JSuCbcdd.ini2
2008-08-05 18:07 --------- d-----w C:\Program Files\COL11002
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-05-22 13:31 7,964 ----a-w C:\Users\Cynthia\AppData\Roaming\wklnhst.dat
2008-05-16 18:15 174 --sha-w C:\Program Files\desktop.ini
2007-02-28 20:39 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-05-28 17:37 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007052820070529\index.dat
2007-05-31 00:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007053020070531\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-19 448632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 133656]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-06 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-02-13 11:30 405504 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-02-28 15:10 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 19:49 55416 C:\Program Files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{28130F52-3192-4018-8632-71B8A84086BB}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{85C4F6F4-FBAD-4811-A2FC-0B886590C511}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{F1926EDE-ADD4-4898-8C28-4A6D81A6D4E6}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{D04E0653-AF35-45BE-8469-47B2A14DCF54}"= UDP:8097:EarthLink UHP Modem Support
"{C07C1985-44B2-4C84-96E3-9542377C0453}"= UDP:C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:EarthLink TotalAccess
"{02F9D5C7-763E-454B-AB30-189BC0120A71}"= TCP:C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:EarthLink TotalAccess
"{7B3FD94B-60BF-4EC6-836F-4FF0C5DA3969}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 TLRecAgent;TLRecAgent;C:\Windows\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R1 ATMhelpr;ATMhelpr;C:\Windows\system32\drivers\ATMhelpr.sys [1997-06-17 4064]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 20760]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
R3 NWADI;NWADI Bus Enumerator;C:\Windows\system32\DRIVERS\NWADIenum.sys [2007-02-01 158720]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-09 221696]
S3 scusbvip;VL1800 USB Driver;C:\Windows\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\Windows\system32\drivers\slvad.sys [2008-03-13 84912]
S3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2008-01-19 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{D14A7B52-4CA1-4862-8470-701BDEA1071C} - (no file)
MSConfigStartUp-BMad27170b - C:\Windows\system32\hdqaiinu.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
O8 -: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 12:43:32
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> G:\Windows\system32\iertutil.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\WerFault.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-09-23 12:52:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-23 17:52:35

Pre-Run: 103,547,666,432 bytes free
Post-Run: 103,234,285,568 bytes free

287 --- E O F --- 2008-09-13 14:57:24

thanks for the help
cinderblock

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:03:37 AM

Posted 24 September 2008 - 10:47 AM

hi cinderblock,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\Windows\System32\oWEKknnn.ini2
    C:\Windows\System32\JSuCbcdd.ini2
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
Step #2

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

Please run the F-Secure Onlinescan Beta Version
(You need to use InternetExplorer or enable IEView in Firefox)
  • Follow the Instruction here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

PROCESS: C:\Windows\Explorer.exe
-> G:\Windows\system32\iertutil.dll

Is there a specific reason why you have windows installed twice on your pc?

Step #5

Please answer my question(s) and reply with the ComboFix and F-Secure log. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -

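Two findings in the reply above are worth automating for a defender: the Registry:: section of the CFScript writes the LSA "Authentication Packages" value back to its default (the bytes 6d,73,76,31,5f,30,00,00 spell "msv1_0"; every DLL listed in that value is loaded by lsass.exe at boot), and Step #4 picks out a DLL that Explorer loaded from a G: drive the machine does not have. The Python below is an added example, not code from the post, from ComboFix or from the helper: it decodes a hex(7) REG_MULTI_SZ value and reports any entry beyond msv1_0, and it scans the "DLLs Loaded Under Running Processes" section of a ComboFix log for modules loaded from a drive other than the system drive. The sample values and log lines are constructed, except for the hex(7) value and the G: line taken from the thread; "extra.dll" is a hypothetical name.

```python
"""Two checks drawn from the ComboFix findings in this thread.

Added example; this is not code from the post, from ComboFix, or from the
helper. Sample registry values and log lines below are constructed for
illustration, apart from the hex(7) value and the G: drive DLL line that
appear in the post.
"""
import re

# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
# on Windows Vista: the single string "msv1_0". lsass.exe loads every DLL listed
# there at boot, which is why a cleanup script resets the value to this default
# and why a defender wants nothing else in it.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(value: str) -> list[str]:
    """Decode a .reg-style 'hex(7):aa,bb,...' REG_MULTI_SZ value into its strings.

    The CFScript in the post encodes one byte per character (ANSI); a regedit
    export of the same value uses UTF-16LE (two bytes per character). Both are
    handled: each string is NUL-terminated and an extra NUL ends the list.
    Continuation backslashes and whitespace from wrapped .reg lines are ignored.
    """
    body = value.strip()
    if not body.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value: %r" % value)
    hex_bytes = re.sub(r"[\\\s]", "", body[len("hex(7):"):])
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")   # every high byte is zero: UTF-16LE
    else:
        text = raw.decode("latin-1")     # one byte per character
    return [s for s in text.split("\x00") if s]


def unexpected_auth_packages(value: str, expected=EXPECTED_AUTH_PACKAGES) -> list[str]:
    """Return the decoded entries that are not in the expected list (case-insensitive).
    An empty result means the value is the known-good default."""
    wanted = {e.lower() for e in expected}
    return [p for p in decode_hex7(value) if p.lower() not in wanted]


def dlls_off_system_drive(log_text: str, system_drive: str = "C:") -> list[tuple[str, str]]:
    """Walk the 'DLLs Loaded Under Running Processes' section of a ComboFix log
    and return (process, dll) pairs whose DLL path is on a drive other than
    system_drive. The section lists 'PROCESS: <exe>' lines, each followed by
    '-> <dll>' lines, and ends at the next dashed banner."""
    hits = []
    process = None
    in_section = False
    for line in log_text.splitlines():
        s = line.strip()
        if "DLLs Loaded Under Running Processes" in s:
            in_section = True
            continue
        if not in_section:
            continue
        if s.startswith("-----"):      # banner of the next section
            break
        if s.startswith("PROCESS:"):
            process = s[len("PROCESS:"):].strip()
        elif s.startswith("->") and process:
            dll = s[2:].strip()
            if dll[:2].lower() != system_drive.lower():
                hits.append((process, dll))
    return hits


# From the post's CFScript: REG_MULTI_SZ "msv1_0" as ANSI bytes.
CFSCRIPT_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"
# Constructed: the same value as regedit would export it (UTF-16LE).
REGEDIT_VALUE = "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00"
# Constructed: "msv1_0" followed by a hypothetical second package "extra.dll".
SUSPICIOUS_VALUE = "hex(7):6d,73,76,31,5f,30,00,65,78,74,72,61,2e,64,6c,6c,00,00"

# Constructed log excerpt: the G: line is the one the helper asked about;
# the shell32.dll line is added to show a normal entry.
SAMPLE_LOG = """\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\\Windows\\Explorer.exe
-> G:\\Windows\\system32\\iertutil.dll
-> C:\\Windows\\system32\\shell32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\\Windows\\System32\\audiodg.exe
"""

if __name__ == "__main__":
    for name, val in [("CFScript", CFSCRIPT_VALUE), ("regedit", REGEDIT_VALUE),
                      ("suspicious", SUSPICIOUS_VALUE)]:
        print(name, decode_hex7(val), "unexpected:", unexpected_auth_packages(val))
    print("DLLs off C:", dlls_off_system_drive(SAMPLE_LOG))
```

Run as a script it prints both results. A regedit export of the same key carries the value in UTF-16LE form, which the decoder accepts as well, so the check works on a saved .reg file just as on the CFScript.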

#7 cinderblock

cinderblock
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:37 PM

Posted 24 September 2008 - 09:33 PM

yohi,
hello again. copied/pasted combofix and f-secure logs.
to answer your question (Step #4), I didn't realize Windows was installed twice BUT I do know I do not have a G: drive so that's got me baffled.
regards & thanks for your help and expertise.

*******************************************************************************
ComboFix 08-09-20.05 - Cynthia 2008-09-24 15:48:03.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.364 [GMT -5:00]
Running from: C:\Users\Cynthia\Desktop\ComboFix.exe
Command switches used :: C:\Users\Cynthia\Desktop\CFScript.txt

FILE ::
C:\Windows\System32\JSuCbcdd.ini2
C:\Windows\System32\oWEKknnn.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\JSuCbcdd.ini2
C:\Windows\System32\oWEKknnn.ini2

.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.

2008-09-23 12:23 . 2008-09-23 12:24 200,312,390 --a------ C:\Windows\MEMORY.DMP
2008-09-19 20:09 . 2008-09-23 19:04 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\skypePM
2008-09-19 20:08 . 2008-09-23 21:54 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\Skype
2008-09-15 12:23 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Searches
2008-09-15 12:23 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Contacts
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Videos
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Saved Games
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Pictures
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Music
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Links
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Downloads
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> dr------- C:\Users\Guest Acct\Documents
2008-09-15 12:22 . 2006-11-02 07:37 <DIR> d-------- C:\Users\Guest Acct\AppData\Roaming\Media Center Programs
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> d--h----- C:\Users\Guest Acct\AppData
2008-09-15 12:22 . 2008-09-15 12:23 <DIR> d-------- C:\Users\Guest Acct
2008-09-10 08:36 . 2008-07-30 22:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-10 08:35 . 2008-07-30 20:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-10 08:35 . 2008-08-01 20:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-10 08:35 . 2008-06-25 22:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-10 08:35 . 2008-06-25 22:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-10 08:35 . 2008-05-08 14:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-10 08:35 . 2008-05-19 21:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-10 08:35 . 2008-06-25 22:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-10 08:35 . 2008-08-01 22:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-04 02:14 . 2008-07-19 00:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-04 02:14 . 2008-07-18 22:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-04 02:14 . 2008-07-19 00:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-04 02:14 . 2008-07-19 00:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-04 02:13 . 2008-07-19 00:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-04 02:13 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-04 02:13 . 2008-07-18 22:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-04 02:13 . 2008-07-19 00:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-04 02:13 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-09-03 15:22 . 2008-09-03 15:22 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-09-03 15:22 . 2005-11-14 04:23 1,228,800 --a------ C:\Windows\System32\FoxBurner.ocx
2008-09-03 15:22 . 2003-12-17 15:00 1,208,320 --a------ C:\Windows\System32\PTxSCP.ocx
2008-09-03 15:22 . 2007-07-31 11:57 1,164,728 --a------ C:\Windows\System32\NMSDVDXU.dll
2008-09-03 15:22 . 2004-02-08 15:53 856,064 --a------ C:\Windows\System32\mpgfiltr.ax
2008-09-03 15:22 . 2005-01-18 23:44 454,656 --a------ C:\Windows\System32\FoxDVDImager.ocx
2008-09-03 15:22 . 2002-03-25 02:03 380,928 --a------ C:\Windows\System32\CDRipperX.ocx
2008-09-03 15:22 . 2005-01-18 23:18 323,584 --a------ C:\Windows\System32\FoxImager.dll
2008-09-03 15:22 . 2007-04-06 00:08 196,608 --a------ C:\Windows\System32\VideoEdit.ocx
2008-09-03 15:22 . 1998-06-17 23:00 89,360 --a------ C:\Windows\System32\VB5DB.DLL
2008-09-03 15:22 . 2003-08-19 04:31 81,920 --a------ C:\Windows\System32\viscomwave.dll
2008-09-03 10:27 . 2008-09-24 09:57 <DIR> d-------- C:\Users\Guest\AppData\Roaming\skypePM
2008-09-03 10:25 . 2008-09-24 09:57 <DIR> d-------- C:\Users\Guest\AppData\Roaming\Skype
2008-09-03 10:22 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Searches
2008-09-03 10:21 . 2008-09-03 10:21 <DIR> dr------- C:\Users\Guest\Contacts
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Videos
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Saved Games
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Pictures
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Music
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Links
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Downloads
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> dr------- C:\Users\Guest\Documents
2008-09-03 10:20 . 2006-11-02 07:37 <DIR> d-------- C:\Users\Guest\AppData\Roaming\Media Center Programs
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> d--h----- C:\Users\Guest\AppData
2008-09-03 10:20 . 2008-09-03 10:22 <DIR> d-------- C:\Users\Guest
2008-09-02 18:22 . 2008-09-02 18:22 <DIR> d-------- C:\Program Files\Cisco Systems
2008-08-25 20:49 . 2008-08-25 20:49 <DIR> d-------- C:\Program Files\getservices
2008-08-25 19:20 . 2008-08-25 19:57 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-25 19:20 . 2008-08-25 19:57 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-25 19:20 . 2008-08-25 19:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-25 16:58 . 2008-08-25 18:52 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-25 14:23 . 2008-09-03 08:52 <DIR> d-------- C:\Program Files\Panda Security
2008-08-25 12:21 . 2008-08-25 14:23 <DIR> d-------- C:\Users\Cynthia\.housecall6.6
2008-08-24 20:17 . 2008-08-24 20:17 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-24 20:17 . 2008-08-24 20:17 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-08-24 20:16 . 2008-08-24 20:16 <DIR> d-------- C:\Users\Cynthia\AppData\Roaming\SUPERAntiSpyware.com
2008-08-24 20:16 . 2008-08-24 20:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 20:36 12,914,976 ----a-w C:\Windows\system32\drivers\fidbox.dat
2008-09-24 20:27 --------- d-----w C:\Users\Cynthia\AppData\Roaming\Skype
2008-09-24 20:22 --------- d-----w C:\Program Files\Quicken
2008-09-24 20:13 --------- d-----w C:\ProgramData\pdf995
2008-09-24 17:18 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-09-24 16:54 173,348 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-09-24 15:36 --------- d-----w C:\Users\Cynthia\AppData\Roaming\skypePM
2008-09-23 15:20 --------- d-----w C:\Program Files\Java
2008-09-23 14:23 --------- d-----w C:\Users\Cynthia\AppData\Roaming\OpenOffice.org2
2008-09-03 20:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 17:57 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-25 01:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 22:32 5,775,648 ----a-w C:\Windows\system32\drivers\fidbox(18).dat
2008-08-24 22:09 78,284 --sha-w C:\Windows\system32\drivers\fidbox(19).idx
2008-08-23 17:35 --------- d-----w C:\Program Files\Alwil Software
2008-08-22 16:45 5,436,960 ----a-w C:\Windows\system32\drivers\fidbox(80).dat
2008-08-21 16:03 73,412 --sha-w C:\Windows\system32\drivers\fidbox(81).idx
2008-08-20 11:32 4,539,168 --sha-w C:\Windows\system32\drivers\fidbox(19).dat
2008-08-20 11:32 31,220 --sha-w C:\Windows\system32\drivers\fidbox(20).idx
2008-08-13 23:25 112,144 ----a-w C:\Windows\system32\drivers\kl1.sys
2008-08-13 23:23 96,976 ----a-w C:\Windows\system32\drivers\klin.dat
2008-08-13 23:23 87,855 ----a-w C:\Windows\system32\drivers\klick.dat
2008-08-13 22:38 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-13 22:30 --------- d-----w C:\ProgramData\Trend Micro
2008-08-13 12:39 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 18:07 --------- d-----w C:\Program Files\COL11002
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-05-22 13:31 7,964 ----a-w C:\Users\Cynthia\AppData\Roaming\wklnhst.dat
2008-05-16 18:15 174 --sha-w C:\Program Files\desktop.ini
2007-02-28 20:39 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-05-28 17:37 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007052820070529\index.dat
2007-05-31 00:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007053020070531\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-23_12.51.54.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-23 16:27:03 2,576,288 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-09-24 16:54:23 2,576,288 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-09-23 17:24:57 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-24 17:15:34 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-23 17:24:57 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-24 17:15:34 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-02 23:02:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-23 23:57:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-02 23:02:52 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-23 23:57:59 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-02 23:02:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-23 23:57:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 17:35:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-24 17:18:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-23 17:35:42 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-24 17:18:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-23 16:49:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 20:16:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-23 16:49:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-24 20:16:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-23 17:25:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-24 20:16:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 16:52:51 15,078 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-571816384-2711589552-159082532-1000_UserData.bin
+ 2008-09-24 17:19:35 15,102 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-571816384-2711589552-159082532-1000_UserData.bin
- 2008-09-23 16:52:50 66,174 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 17:19:34 66,356 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-23 16:26:38 6,420 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-09-24 03:03:03 6,420 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-09-23 16:52:50 75,486 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 15:28:16 75,534 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-09-23 14:20:19 240,248 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-09-24 03:01:27 240,554 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-19 448632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 133656]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-06 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-02-13 11:30 405504 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-02-28 15:10 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 19:49 55416 C:\Program Files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{28130F52-3192-4018-8632-71B8A84086BB}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{85C4F6F4-FBAD-4811-A2FC-0B886590C511}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{F1926EDE-ADD4-4898-8C28-4A6D81A6D4E6}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{D04E0653-AF35-45BE-8469-47B2A14DCF54}"= UDP:8097:EarthLink UHP Modem Support
"{C07C1985-44B2-4C84-96E3-9542377C0453}"= UDP:C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:EarthLink TotalAccess
"{02F9D5C7-763E-454B-AB30-189BC0120A71}"= TCP:C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:EarthLink TotalAccess
"{7B3FD94B-60BF-4EC6-836F-4FF0C5DA3969}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 TLRecAgent;TLRecAgent;C:\Windows\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R1 ATMhelpr;ATMhelpr;C:\Windows\system32\drivers\ATMhelpr.sys [1997-06-17 4064]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 20760]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
R3 NWADI;NWADI Bus Enumerator;C:\Windows\system32\DRIVERS\NWADIenum.sys [2007-02-01 158720]
R3 scusbvip;VL1800 USB Driver;C:\Windows\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
R3 SLVAD_simple;Zoom Virtual Audio Device;C:\Windows\system32\drivers\slvad.sys [2008-03-13 84912]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-09 221696]
S3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2008-01-19 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 15:52:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-24 15:55:23
ComboFix-quarantined-files.txt 2008-09-24 20:54:18
ComboFix2.txt 2008-09-23 17:52:46

Pre-Run: 102,004,699,136 bytes free
Post-Run: 102,112,309,248 bytes free

254 --- E O F --- 2008-09-24 15:09:43



*************************************************************************************
F-Secure Online Scanner 3.3.1 - Scanning Report - Wednesday, September 24, 2008 21:16:01
Scanning Report
Wednesday, September 24, 2008 19:08:13 - 21:15:59
Computer name: CYNTHIA-PC
Scanning type: Scan system for malware, rootkits
Target: C:\

Result: 15 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Clickbank (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Statcounter (spyware)
System
TrackingCookie.Webtrends (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System

Statistics
Scanned:
Files: 52535
System: 4482
Not scanned: 42
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\TMP00000049451A79FBF3773A92
C:\WINDOWS\TEMP\TMP0000004EF98D5E24F71233C2
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\CYNTHIA\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{CB9B2AE2-6B9D-4377-8378-9640D62DEDD2}
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
C:\SYSTEM VOLUME INFORMATION\{0D61C8B5-83EA-11DD-868F-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{0FEE5798-87EC-11DD-A50E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{1CF5B8DE-77A1-11DD-97D9-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{1E77FCA7-7BAD-11DD-BE3D-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{37CE8202-8109-11DD-8B25-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{5A7863BC-8A5C-11DD-8468-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{5DCA40C7-8063-11DD-8B25-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{76CBDDB1-8823-11DD-A50E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{814E2048-7943-11DD-B7FF-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{87867744-85B5-11DD-86A3-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{87868563-85B5-11DD-86A3-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{884038BC-7840-11DD-A3D6-0019D28A5B54}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{91CAA620-898F-11DD-93D1-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{91CAA759-898F-11DD-93D1-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{9ED5BDAB-79F7-11DD-A1B2-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{AE003492-793F-11DD-A40E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{AE0034B4-793F-11DD-A40E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{AE00362A-793F-11DD-A40E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{AFADAF1A-7B48-11DD-A1B2-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{C5B04BC9-8982-11DD-A50E-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\SYSTEM VOLUME INFORMATION\{D65F5FE9-8A3A-11DD-92A8-00A0D171D45B}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\BOOT\BCD

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-09-24
F-Secure Pegasus: 1.20.0, 2008-08-09
F-Secure AVP: 7.0.171, 2008-09-24
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB
BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

#8 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:03:37 AM

Posted 25 September 2008 - 11:30 AM

hi there,

your pc looks much better. can you tell me if you have any visible problems at this stage? I am currently checking something and once you let me know how the pc is doing, we shall continue.

thanks.

yohi

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#9 cinderblock

cinderblock
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:37 PM

Posted 25 September 2008 - 04:16 PM

Yourhighness,
My PC is behaving very nicely. I'm not experiencing any slowdowns or lock-ups and everything looks normal. I'm still curious about Windows being loaded twice; did you find out anything further about that?
Again, many thanks for all your help! :thumbsup:
cblock

#10 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:03:37 AM

Posted 26 September 2008 - 10:58 AM

hi,

Step #1

Please navigate to: Start >> Run... and type Combofix /u and hit Enter. Thanks.

Step #2
  • Please double-click on "OTViewIt.exe"
  • Navigate to the following icon and click it: Posted Image
  • OTViewIt might ask you to reboot. If it does so, please let it do so.
Note: after reboot, OTViewIt and your other helper tools downloaded while cleaning your Pc will be removed. So it's ok if it is not there anymore ;).

Step #3

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the downloaded installer and install the tool to a location of your choice.
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu.
    • Click "Manage Updates" in the submenu.
    • Out of the three, select at least one of them (I have MVPS Hosts as my main one).
    • Click "Add Update". After that you will only need to click on the following button to retrieve updates: [image]
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself. Should you experience any difficulties in updating your Hosts file, you may wish to visit this link: "Updating the HOSTS file in Windows Vista"
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
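The Hosts-file blocking that HostsMan automates, shown as an added example that is not part of this thread and not HostsMan's own code: a downloaded blocklist in the MVPS format (`0.0.0.0 name`) is merged into an existing hosts file. It keeps the user's own lines, drops duplicate and malformed entries, refuses to let a download redefine `localhost`, and, because a resolver takes the first matching line, reports any custom entry that would shadow a blocked name instead of silently rewriting it (the "replace those entries yourself" caveat above). The marker comments, the hosts file and the blocklist are all constructed for the example.

```python
"""Merge a hosts-format blocklist into a Windows hosts file (added example).

Not HostsMan's code. Managed entries live between two marker comments so a
later update replaces only that block; the user's own lines are preserved.
"""
import re
from typing import Dict, List, Optional, Tuple

BEGIN_MARK = "# BEGIN managed blocklist"   # hypothetical marker names
END_MARK = "# END managed blocklist"
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::1"}  # addresses blocklists use to sinkhole
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' starts a comment, names are lower-cased."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def split_managed(text: str) -> Tuple[List[str], List[str]]:
    """Separate the user's own lines from a previously inserted managed block."""
    own, managed, inside = [], [], False
    for line in text.splitlines():
        if line.strip() == BEGIN_MARK:
            inside = True
        elif line.strip() == END_MARK:
            inside = False
        else:
            (managed if inside else own).append(line)
    return own, managed


def merge_blocklist(current: str, blocklist: str) -> Tuple[str, List[str]]:
    """Return (new hosts text, names whose user-defined entry shadows the list).

    Resolvers use the first matching line, so a user line such as
    "192.0.2.20 ads.example" above the managed block would override the
    blocklist. Such names are reported, not rewritten.
    """
    own_lines, _ = split_managed(current)
    own: Dict[str, str] = {n: ip for ip, n in parse_hosts("\n".join(own_lines))}
    blocked, conflicts = set(), []
    for ip, name in parse_hosts(blocklist):
        # Accept only sinkhole entries with well-formed names; never let a
        # downloaded list redefine localhost.
        if ip not in SINK_IPS or name == "localhost" or not HOST_RE.match(name):
            continue
        if name in own:
            if own[name] not in SINK_IPS:
                conflicts.append(name)
            continue  # the user's line wins either way; do not add a duplicate
        blocked.add(name)
    managed = [BEGIN_MARK] + [f"0.0.0.0 {n}" for n in sorted(blocked)] + [END_MARK]
    return "\n".join(own_lines).rstrip("\n") + "\n" + "\n".join(managed) + "\n", conflicts


def resolve(hosts_text: str, hostname: str) -> Optional[str]:
    """First-match lookup the way a resolver reads the file; None if absent."""
    for ip, name in parse_hosts(hosts_text):
        if name == hostname.lower():
            return ip
    return None


# Constructed sample input (not a real hosts file or blocklist).
CURRENT_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example   # user's own entry, must survive
192.0.2.20      ads.example        # user pinned a name the blocklist also lists
# BEGIN managed blocklist
0.0.0.0 stale.example
# END managed blocklist
"""

BLOCKLIST = """# constructed sample in MVPS hosts format
0.0.0.0 ads.example
0.0.0.0 tracker.example
0.0.0.0 Tracker.EXAMPLE      # same name, different case
127.0.0.1 malware.example    # other sinkhole address, normalised to 0.0.0.0
0.0.0.0 localhost            # must never be taken from a download
10.0.0.5 evil.example        # not a sinkhole address: rejected
0.0.0.0 bad_host!            # not a valid hostname: rejected
"""

if __name__ == "__main__":
    merged, shadowed = merge_blocklist(CURRENT_HOSTS, BLOCKLIST)
    print(merged)
    print("user entries that shadow blocklist names:", shadowed)
```

On Windows the result would be written to `C:\Windows\System32\drivers\etc\hosts`, which on Vista and later needs an elevated (Run as administrator) editor or prompt; the stale `stale.example` entry disappears on update because only the managed block is regenerated, while `ads.example` stays pinned to the user's address and is listed for them to resolve by hand.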
