Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My computer had an infection, but think it's now clean. Could someone please check my various logs?


  • This topic is locked This topic is locked
12 replies to this topic

#1 CPO'd

CPO'd

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 19 December 2008 - 08:17 PM

Hey there,

My OS is Windows XP SP3 and I was running McAfee Total Protection, when one day my Security Center was messed up. I went to McAfee's website, where they told me to uninstall/reinstall. When I uninstalled, I could no longer access McAfee's website nor reinstall. Knowing of Bleeping Computer, I came to your forums and read other users' problems, which led me to download the following:

Ad-Aware 2008
SuperAntiSpyware
Avira AntiVirus
Sygate Personal Firewall
MalwareBytes AntiMalware
Kaspersky Online Scan

Upon installing and running the programs they each found various infections which they cleaned up. I believe I'm now clean, but would really appreciate someone double checking my logs to confirm.

Thanks for your time and assistance


My various logs as follows:

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 19, 2008 07:38:45
Records in database: 1480857


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Wayne\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 32048
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:29:20

No malware has been detected. The scan area is clean.
The selected area was scanned.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 19, 2008 07:38:45
Records in database: 1480857


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
G:\

Scan statistics
Files scanned 563617
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 07:56:19

No malware has been detected. The scan area is clean.
The selected area was scanned.


Logfile of random's system information tool 1.05 (written by random/random)
Run by Wayne at 2008-12-19 17:15:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (59%) free of 79 GB
Total RAM: 3191 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:34 PM, on 19/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Wayne\Desktop\RSIT.exe
C:\Program Files\trend micro\Wayne.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217637574906
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - AppInit_DLLs: riikpd.dll orucsm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7788 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-19 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-19 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-19 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-07-01 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-07-01 118784]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2004-09-25 2559488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2004-09-24 57344]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"EPSON Stylus CX6600 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE [2004-02-29 98304]
"MsgCenterExe"=C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe [2008-08-01 69632]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-01 185896]
"basicsmssmenu"=C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe [2007-10-09 169328]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"SmcService"=C:\PROGRA~1\Sygate\SPF\smc.exe [2004-10-15 2577632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-19 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe [2008-11-17 1805552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="riikpd.dll orucsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-12-12 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-07-01 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\hgGwXRki

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\MWL\MwlSvc.exe"="C:\Program Files\McAfee\MWL\MwlSvc.exe:*:Enabled:McAfee Wireless Network Security"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-19 17:15:52 ----D---- C:\Program Files\trend micro
2008-12-19 17:15:51 ----D---- C:\rsit
2008-12-19 05:44:41 ----D---- C:\WINDOWS\Sun
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\java.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-19 05:30:17 ----D---- C:\Program Files\Java
2008-12-19 05:29:10 ----D---- C:\Documents and Settings\Wayne\Application Data\Sun
2008-12-12 16:13:04 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-12-11 16:52:47 ----D---- C:\Documents and Settings\Wayne\Application Data\Malwarebytes
2008-12-11 03:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-11 03:01:47 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-11 03:00:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-11 03:00:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-08 15:50:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-08 15:50:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-08 15:32:01 ----A---- C:\WINDOWS\system32\SSSensor.dll
2008-12-08 15:31:58 ----D---- C:\Program Files\Sygate
2008-12-05 23:50:02 ----D---- C:\Program Files\Avira
2008-12-05 23:50:02 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-12-05 19:55:54 ----D---- C:\WINDOWS\system32\NtmsData
2008-12-05 04:56:51 ----D---- C:\Documents and Settings\Wayne\Application Data\Uniblue
2008-12-05 04:56:33 ----D---- C:\Program Files\Uniblue
2008-12-05 04:53:31 ----HDC---- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-03 15:41:21 ----D---- C:\Program Files\MSXML 4.0
2008-12-02 21:04:12 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 21:03:13 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-02 21:03:13 ----D---- C:\Documents and Settings\Wayne\Application Data\SUPERAntiSpyware.com
2008-12-02 20:48:13 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-02 20:47:43 ----D---- C:\Program Files\SpywareBlaster
2008-11-30 02:56:16 ----SHD---- C:\WINDOWS\QW5kcmV3IFlhcmphdQ
2008-11-30 02:45:54 ----D---- C:\Documents and Settings\Wayne\Application Data\Twain
2008-11-26 18:04:05 ----SHD---- C:\WINDOWS\CSC
2008-11-26 18:01:30 ----D---- C:\WINDOWS\pss
2008-11-26 16:35:15 ----D---- C:\VundoFix Backups
2008-11-26 16:35:15 ----A---- C:\VundoFix.txt
2008-11-26 08:24:13 ----D---- C:\Program Files\Lavasoft
2008-11-26 08:24:13 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-26 08:22:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-26 05:38:16 ----D---- C:\Program Files\Webroot
2008-11-26 05:38:16 ----D---- C:\Documents and Settings\Wayne\Application Data\Webroot
2008-11-26 05:38:16 ----D---- C:\Documents and Settings\All Users\Application Data\Webroot
2008-11-26 05:38:16 ----A---- C:\WINDOWS\WRSetup.dll
2008-11-26 01:31:15 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-11-26 00:43:07 ----A---- C:\WINDOWS\system32\735a4d9c-.txt
2008-11-26 00:42:28 ----ASH---- C:\WINDOWS\system32\ikRXwGgh.ini2
2008-11-26 00:42:28 ----ASH---- C:\WINDOWS\system32\ikRXwGgh.ini
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\uPC
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\LA
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\kb1
2008-11-26 00:20:18 ----D---- C:\WINDOWS\system32\eva
2008-11-26 00:20:16 ----D---- C:\WINDOWS\system32\os

======List of files/folders modified in the last 1 months======

2008-12-19 17:18:07 ----D---- C:\Documents and Settings\Wayne\Application Data\Free Download Manager
2008-12-19 17:15:52 ----RD---- C:\Program Files
2008-12-19 17:07:32 ----D---- C:\WINDOWS\Temp
2008-12-19 06:10:52 ----D---- C:\WINDOWS\Prefetch
2008-12-19 05:44:41 ----D---- C:\WINDOWS
2008-12-19 05:30:33 ----SHD---- C:\WINDOWS\Installer
2008-12-19 05:30:30 ----D---- C:\WINDOWS\system32
2008-12-17 16:31:08 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-17 16:27:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-17 16:11:00 ----HD---- C:\WINDOWS\inf
2008-12-17 16:10:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-17 16:10:52 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-16 17:12:31 ----D---- C:\WINDOWS\system32\wbem
2008-12-16 17:12:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-12 23:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 17:32:44 ----D---- C:\WINDOWS\system32\drivers
2008-12-11 03:12:38 ----D---- C:\Program Files\Internet Explorer
2008-12-11 03:04:39 ----A---- C:\WINDOWS\imsins.BAK
2008-12-11 03:04:23 ----A---- C:\WINDOWS\win.ini
2008-12-10 19:20:12 ----D---- C:\Downloads
2008-12-09 16:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-05 19:55:54 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-05 19:52:06 ----SH---- C:\boot.ini
2008-12-05 19:52:06 ----A---- C:\WINDOWS\system.ini
2008-12-03 15:49:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-03 15:41:21 ----D---- C:\WINDOWS\WinSxS
2008-11-26 19:09:30 ----SHD---- C:\System Volume Information
2008-11-26 19:09:30 ----D---- C:\WINDOWS\system32\Restore
2008-11-26 08:22:08 ----D---- C:\Program Files\Common Files
2008-11-26 01:23:25 ----SD---- C:\WINDOWS\Tasks
2008-11-26 00:20:22 ----D---- C:\Temp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2002-12-11 11044]
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-10-15 14568]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-10-15 14568]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-10-15 14568]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-10-15 14568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 E1000;Intel® PRO/1000 Adapter Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2004-03-12 131584]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\USR_MDM.sys [2003-02-20 1068032]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys [2003-02-20 167296]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-07-01 724221]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-09-25 2276672]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2008-08-01 6912]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_USR.sys [2003-02-20 630016]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Basics Service;Basics Service; C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-19 152984]
R2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
R2 SmcService;Sygate Personal Firewall; C:\Program Files\Sygate\SPF\smc.exe [2004-10-15 2577632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2008-12-19 17:18:37

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Standard-->MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft Software Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66C8BE35-8BBB-472B-96C7-C7C9A499F988}\Setup.exe" -l0x9
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Business Contact Manager for Outlook 2003-->MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
Drive Manager-->"C:\Program Files\InstallShield Installation Information\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\setup.exe" -runfromtemp -l0x0409 -removeonly
Drive Manager-->MsiExec.exe /I{48B0F38D-1913-44F3-99AA-D4C55A2B038E}
EPSON CardMonitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON CX6600 Reference Guide-->C:\Program Files\epson\guide\cx6600_e\uninstall.exe
EPSON PhotoStarter3.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE704636-ECD0-426C-952E-05B8DABD1949}\Setup.exe" -l0x9 uninst
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
Free Download Manager 2.5-->"C:\Program Files\Free Download Manager\unins000.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
K-Lite Codec Pack 4.1.7 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Text-to-Speech Engine 4.0 (English)-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}
Movie Magic Screenwriter 6-->MsiExec.exe /I{9DBAF799-E58E-4F60-94FD-E1B9B5D56E38}
Movie Magic Screenwriter 6-->MsiExec.exe /I{DC10C616-22E5-40AD-A3EA-3E7A957ECDC7}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 and SOAP Toolkit 3.0-->MsiExec.exe /I{32343DB6-9A52-40C9-87E4-5E7C79791C87}
Nero - Burning Rom-->MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NTI Backup NOW! 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} /l1033 BUNText
NTI DriveBackup! 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8FDD2A92-9F75-4706-B8C2-08499A9863E6} /l1033 DIBText
NTI DVD Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D31612BB-C6D7-4142-96AE-16DB062354CF}\Setup.exe" -l0x9
NTI DVD-Maker Gold-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spy Sweeper Core-->MsiExec.exe /I{3F5B6210-0903-4DC6-8034-8F488AA3A782}
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Professional-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall-->MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
U.S. Robotics V.92 PCI Faxmodem-->C:\Program Files\USR\USR_MODEM_PCI_VEN_16EC&DEV_2F00&SUBSYS_010A16EC\HXFSETUP.EXE -U -IVEN_16EC&DEV_2F00&SUBSYS_010A16EC
Uniblue RegistryBooster 2009-->"C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe" REMOVE=TRUE MODIFY=FALSE
Uniblue RegistryBooster 2009-->C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: Avira AntiVir PersonalEdition
FW: Sygate Personal Firewall

System event log

Computer Name: DOWNSTAIRS
Event Code: 7036
Message: The Windows Image Acquisition (WIA) service entered the running state.

Record Number: 4914
Source Name: Service Control Manager
Time Written: 20081120204931.000000-420
Event Type: information
User:

Computer Name: DOWNSTAIRS
Event Code: 7036
Message: The McAfee Real-time Scanner service entered the running state.

Record Number: 4913
Source Name: Service Control Manager
Time Written: 20081120204927.000000-420
Event Type: information
User:

Computer Name: DOWNSTAIRS
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00112F5AFBA7. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 4912
Source Name: Dhcp
Time Written: 20081120204927.000000-420
Event Type: warning
User:

Computer Name: DOWNSTAIRS
Event Code: 7036
Message: The McAfee Real-time Scanner service entered the paused state.

Record Number: 4911
Source Name: Service Control Manager
Time Written: 20081120091649.000000-420
Event Type: information
User:

Computer Name: DOWNSTAIRS
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 4910
Source Name: Disk
Time Written: 20081120091610.000000-420
Event Type: warning
User:

Application event log

Computer Name: DOWNSTAIRS
Event Code: 5000
Message:
Record Number: 373
Source Name: McLogEvent
Time Written: 20080803150016.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DOWNSTAIRS
Event Code: 19011
Message:
Record Number: 372
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20080803150007.000000-360
Event Type: warning
User:

Computer Name: DOWNSTAIRS
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 371
Source Name: SecurityCenter
Time Written: 20080803150007.000000-360
Event Type: information
User:

Computer Name: DOWNSTAIRS
Event Code: 1
Message:
Record Number: 370
Source Name: Bonjour Service
Time Written: 20080803145956.000000-360
Event Type: information
User:

Computer Name: DOWNSTAIRS
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16674, faulting module ieframe.dll, version 7.0.6000.16674, fault address 0x0018885b.

Record Number: 369
Source Name: Application Error
Time Written: 20080802195357.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 20 December 2008 - 05:20 PM

Hello CPO'd,

Posted Image

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 CPO'd

CPO'd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 21 December 2008 - 01:51 AM

Hey tea,

Thanks for picking up my post. :thumbsup:

Here are the logs:

ComboFix 08-12-20.03 - Wayne 2008-12-20 23:20:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3191.2429 [GMT -7:00]
Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\system32\ikRXwGgh.ini
c:\windows\system32\ikRXwGgh.ini2
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-19 17:15 . 2008-12-19 17:18 <DIR> d-------- C:\rsit
2008-12-19 17:15 . 2008-12-19 17:18 <DIR> d-------- c:\program files\trend micro
2008-12-19 05:44 . 2008-12-19 05:44 <DIR> d-------- c:\windows\Sun
2008-12-19 05:30 . 2008-12-19 05:30 <DIR> d-------- c:\program files\Java
2008-12-19 05:30 . 2008-12-19 05:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 05:30 . 2008-12-19 05:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 16:13 . 2008-12-12 16:13 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-11 16:52 . 2008-12-11 16:52 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Malwarebytes
2008-12-10 14:20 . 2008-12-10 16:22 <DIR> d-------- c:\documents and settings\Wayne\DoctorWeb
2008-12-08 15:50 . 2008-12-12 17:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 15:50 . 2008-12-08 15:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 15:50 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 15:50 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 15:32 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-12-08 15:32 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-12-08 15:32 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\program files\Sygate
2008-12-05 23:50 . 2008-12-05 23:50 <DIR> d-------- c:\program files\Avira
2008-12-05 23:50 . 2008-12-05 23:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-05 19:55 . 2008-12-05 19:57 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-05 19:36 . 2008-12-05 19:36 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-05 04:56 . 2008-12-05 04:56 <DIR> d-------- c:\program files\Uniblue
2008-12-05 04:56 . 2008-12-05 04:56 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Uniblue
2008-12-05 04:53 . 2008-12-05 04:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-03 15:41 . 2008-12-03 15:41 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-02 21:04 . 2008-12-02 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 21:03 . 2008-12-12 04:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-02 21:03 . 2008-12-02 21:03 <DIR> d-------- c:\documents and settings\Wayne\Application Data\SUPERAntiSpyware.com
2008-12-02 20:48 . 2008-12-07 12:28 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 20:47 . 2008-12-02 20:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-30 02:56 . 2008-11-30 04:37 <DIR> d--hs---- c:\windows\QW5kcmV3IFlhcmphdQ
2008-11-30 02:45 . 2008-12-07 17:25 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Twain
2008-11-26 16:35 . 2008-11-26 16:35 <DIR> d-------- C:\VundoFix Backups
2008-11-26 08:24 . 2008-11-26 08:24 <DIR> d-------- c:\program files\Lavasoft
2008-11-26 08:24 . 2008-11-26 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 08:22 . 2008-12-02 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 05:38 . 2008-11-26 05:38 <DIR> d-------- c:\program files\Webroot
2008-11-26 05:38 . 2008-11-26 05:38 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Webroot
2008-11-26 05:38 . 2008-11-26 07:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-26 05:38 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-26 01:31 . 2008-11-26 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-26 00:20 . 2008-11-26 00:23 <DIR> d-------- c:\windows\system32\uPC
2008-11-26 00:20 . 2008-11-26 08:48 <DIR> d-------- c:\windows\system32\os
2008-11-26 00:20 . 2008-11-26 00:23 <DIR> d-------- c:\windows\system32\LA
2008-11-26 00:20 . 2008-12-10 21:42 <DIR> d-------- c:\windows\system32\kb1
2008-11-26 00:20 . 2008-11-26 00:20 <DIR> d-------- c:\windows\system32\eva
2008-11-26 00:20 . 2008-11-26 00:20 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-26 00:20 . 2008-11-26 00:20 29,184 --a------ c:\windows\system32\MSINET.oca

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 06:25 --------- d-----w c:\documents and settings\Wayne\Application Data\Free Download Manager
2008-11-25 06:42 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-12 23:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 23:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 23:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-08-01 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-01 185896]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-25 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-12 04:42 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=riikpd.dll orucsm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 23:27:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-20 23:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 06:29:02

Pre-Run: 48,073,129,984 bytes free
Post-Run: 48,735,354,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

201 --- E O F --- 2008-12-11 10:04:39



Logfile of random's system information tool 1.05 (written by random/random)
Run by Wayne at 2008-12-20 23:35:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 46 GB (59%) free of 79 GB
Total RAM: 3191 MB (87% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:04 PM, on 20/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Wayne\Desktop\RSIT.exe
C:\Program Files\trend micro\Wayne.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217637574906
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - AppInit_DLLs: riikpd.dll orucsm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7447 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-19 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-19 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-19 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-07-01 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-07-01 118784]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2004-09-25 2559488]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"EPSON Stylus CX6600 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE [2004-02-29 98304]
"MsgCenterExe"=C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe [2008-08-01 69632]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-01 185896]
"basicsmssmenu"=C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe [2007-10-09 169328]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"SmcService"=C:\PROGRA~1\Sygate\SPF\smc.exe [2004-10-15 2577632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-19 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe [2008-11-17 1805552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="riikpd.dll orucsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-12-12 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-07-01 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-20 23:29:06 ----A---- C:\ComboFix.txt
2008-12-20 23:19:31 ----A---- C:\Boot.bak
2008-12-20 23:19:28 ----RASHD---- C:\cmdcons
2008-12-20 23:13:08 ----A---- C:\WINDOWS\zip.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\VFIND.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\SWSC.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\SWREG.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\sed.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\grep.exe
2008-12-20 23:13:08 ----A---- C:\WINDOWS\fdsv.exe
2008-12-20 23:13:03 ----D---- C:\WINDOWS\ERDNT
2008-12-20 23:13:03 ----D---- C:\Qoobox
2008-12-19 17:15:52 ----D---- C:\Program Files\trend micro
2008-12-19 17:15:51 ----D---- C:\rsit
2008-12-19 05:44:41 ----D---- C:\WINDOWS\Sun
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\java.exe
2008-12-19 05:30:30 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-19 05:30:17 ----D---- C:\Program Files\Java
2008-12-19 05:29:10 ----D---- C:\Documents and Settings\Wayne\Application Data\Sun
2008-12-12 16:13:04 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-12-11 16:52:47 ----D---- C:\Documents and Settings\Wayne\Application Data\Malwarebytes
2008-12-11 03:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-11 03:01:47 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-11 03:00:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-11 03:00:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-08 15:50:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-08 15:50:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-08 15:32:01 ----A---- C:\WINDOWS\system32\SSSensor.dll
2008-12-08 15:31:58 ----D---- C:\Program Files\Sygate
2008-12-05 23:50:02 ----D---- C:\Program Files\Avira
2008-12-05 23:50:02 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-12-05 19:55:54 ----D---- C:\WINDOWS\system32\NtmsData
2008-12-05 04:56:51 ----D---- C:\Documents and Settings\Wayne\Application Data\Uniblue
2008-12-05 04:56:33 ----D---- C:\Program Files\Uniblue
2008-12-05 04:53:31 ----HDC---- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-03 15:41:21 ----D---- C:\Program Files\MSXML 4.0
2008-12-02 21:04:12 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 21:03:13 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-02 21:03:13 ----D---- C:\Documents and Settings\Wayne\Application Data\SUPERAntiSpyware.com
2008-12-02 20:48:13 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-02 20:47:43 ----D---- C:\Program Files\SpywareBlaster
2008-11-30 02:56:16 ----SHD---- C:\WINDOWS\QW5kcmV3IFlhcmphdQ
2008-11-30 02:45:54 ----D---- C:\Documents and Settings\Wayne\Application Data\Twain
2008-11-26 18:04:05 ----SHD---- C:\WINDOWS\CSC
2008-11-26 18:01:30 ----D---- C:\WINDOWS\pss
2008-11-26 16:35:15 ----D---- C:\VundoFix Backups
2008-11-26 16:35:15 ----A---- C:\VundoFix.txt
2008-11-26 08:24:13 ----D---- C:\Program Files\Lavasoft
2008-11-26 08:24:13 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-26 08:22:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-26 05:38:16 ----D---- C:\Program Files\Webroot
2008-11-26 05:38:16 ----D---- C:\Documents and Settings\Wayne\Application Data\Webroot
2008-11-26 05:38:16 ----D---- C:\Documents and Settings\All Users\Application Data\Webroot
2008-11-26 05:38:16 ----A---- C:\WINDOWS\WRSetup.dll
2008-11-26 01:31:15 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-11-26 00:43:07 ----A---- C:\WINDOWS\system32\735a4d9c-.txt
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\uPC
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\LA
2008-11-26 00:20:19 ----D---- C:\WINDOWS\system32\kb1
2008-11-26 00:20:18 ----D---- C:\WINDOWS\system32\eva
2008-11-26 00:20:16 ----D---- C:\WINDOWS\system32\os

======List of files/folders modified in the last 1 months======

2008-12-20 23:29:10 ----D---- C:\WINDOWS\Prefetch
2008-12-20 23:29:09 ----D---- C:\WINDOWS\system32\drivers
2008-12-20 23:29:09 ----D---- C:\WINDOWS\system32
2008-12-20 23:29:07 ----D---- C:\WINDOWS\Temp
2008-12-20 23:29:07 ----D---- C:\WINDOWS
2008-12-20 23:27:40 ----A---- C:\WINDOWS\system.ini
2008-12-20 23:27:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-20 23:25:23 ----D---- C:\Documents and Settings\Wayne\Application Data\Free Download Manager
2008-12-20 23:25:19 ----D---- C:\WINDOWS\system32\config
2008-12-20 23:24:05 ----D---- C:\WINDOWS\AppPatch
2008-12-20 23:24:05 ----D---- C:\Program Files\Common Files
2008-12-20 23:23:29 ----D---- C:\Temp
2008-12-20 23:19:31 ----RASH---- C:\boot.ini
2008-12-20 23:16:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-20 23:13:06 ----SHD---- C:\System Volume Information
2008-12-20 23:13:06 ----D---- C:\WINDOWS\system32\Restore
2008-12-19 17:15:52 ----RD---- C:\Program Files
2008-12-19 05:30:33 ----SHD---- C:\WINDOWS\Installer
2008-12-17 16:11:00 ----HD---- C:\WINDOWS\inf
2008-12-17 16:10:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-17 16:10:52 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-16 17:12:31 ----D---- C:\WINDOWS\system32\wbem
2008-12-16 17:12:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-12 23:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 03:12:38 ----D---- C:\Program Files\Internet Explorer
2008-12-11 03:04:39 ----A---- C:\WINDOWS\imsins.BAK
2008-12-11 03:04:23 ----A---- C:\WINDOWS\win.ini
2008-12-10 19:20:12 ----D---- C:\Downloads
2008-12-09 16:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-05 19:55:54 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-03 15:49:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-03 15:41:21 ----D---- C:\WINDOWS\WinSxS
2008-11-26 01:23:25 ----SD---- C:\WINDOWS\Tasks

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2002-12-11 11044]
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-10-15 14568]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-10-15 14568]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-10-15 14568]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-10-15 14568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 E1000;Intel® PRO/1000 Adapter Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2004-03-12 131584]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\USR_MDM.sys [2003-02-20 1068032]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys [2003-02-20 167296]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-07-01 724221]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-09-25 2276672]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2008-08-01 6912]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_USR.sys [2003-02-20 630016]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Basics Service;Basics Service; C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-19 152984]
R2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
R2 SmcService;Sygate Personal Firewall; C:\Program Files\Sygate\SPF\smc.exe [2004-10-15 2577632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 21 December 2008 - 11:44 AM

Hello,

You're welcome. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - AppInit_DLLs: riikpd.dll orucsm.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Do a Wndows Search for the following files and delete them. They *should* be in System32 :

riikpd.dll
orucsm.dll


Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\windows\system32\uPC
c:\windows\system32\os
c:\windows\system32\LA
c:\windows\system32\kb1
c:\windows\system32\eva
c:\windows\QW5kcmV3IFlhcmphdQ


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Now also have a scan with MBAM and post the report if it finds anything. :) How is it running now?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 CPO'd

CPO'd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 21 December 2008 - 04:42 PM

Hi tea,

I ran a quick scan of MBAM, which found NO infected or malicious files.

Thanks :thumbsup:

Here is the Combofix log:


ComboFix 08-12-20.03 - Wayne 2008-12-21 14:22:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3191.2760 [GMT -7:00]
Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wayne\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\QW5kcmV3IFlhcmphdQ
c:\windows\system32\eva
c:\windows\system32\kb1
c:\windows\system32\LA
c:\windows\system32\os
c:\windows\system32\uPC

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-19 17:15 . 2008-12-19 17:18 <DIR> d-------- C:\rsit
2008-12-19 17:15 . 2008-12-21 13:40 <DIR> d-------- c:\program files\trend micro
2008-12-19 05:44 . 2008-12-19 05:44 <DIR> d-------- c:\windows\Sun
2008-12-19 05:30 . 2008-12-19 05:30 <DIR> d-------- c:\program files\Java
2008-12-19 05:30 . 2008-12-19 05:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 05:30 . 2008-12-19 05:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 16:13 . 2008-12-12 16:13 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-11 16:52 . 2008-12-11 16:52 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Malwarebytes
2008-12-10 14:20 . 2008-12-10 16:22 <DIR> d-------- c:\documents and settings\Wayne\DoctorWeb
2008-12-08 15:50 . 2008-12-12 17:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 15:50 . 2008-12-08 15:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 15:50 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 15:50 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 15:32 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-12-08 15:32 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-12-08 15:32 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-12-08 15:32 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-12-08 15:31 . 2008-12-08 15:31 <DIR> d-------- c:\program files\Sygate
2008-12-05 23:50 . 2008-12-05 23:50 <DIR> d-------- c:\program files\Avira
2008-12-05 23:50 . 2008-12-05 23:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-05 19:55 . 2008-12-05 19:57 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-05 19:36 . 2008-12-05 19:36 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-05 04:56 . 2008-12-05 04:56 <DIR> d-------- c:\program files\Uniblue
2008-12-05 04:56 . 2008-12-05 04:56 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Uniblue
2008-12-05 04:53 . 2008-12-05 04:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-03 15:41 . 2008-12-03 15:41 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-02 21:04 . 2008-12-02 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 21:03 . 2008-12-12 04:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-02 21:03 . 2008-12-02 21:03 <DIR> d-------- c:\documents and settings\Wayne\Application Data\SUPERAntiSpyware.com
2008-12-02 20:48 . 2008-12-07 12:28 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 20:47 . 2008-12-02 20:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-30 02:45 . 2008-12-07 17:25 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Twain
2008-11-26 16:35 . 2008-11-26 16:35 <DIR> d-------- C:\VundoFix Backups
2008-11-26 08:24 . 2008-11-26 08:24 <DIR> d-------- c:\program files\Lavasoft
2008-11-26 08:24 . 2008-11-26 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 08:22 . 2008-12-02 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 05:38 . 2008-11-26 05:38 <DIR> d-------- c:\program files\Webroot
2008-11-26 05:38 . 2008-11-26 05:38 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Webroot
2008-11-26 05:38 . 2008-11-26 07:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-26 05:38 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-26 01:31 . 2008-11-26 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-26 00:20 . 2008-11-26 00:20 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-26 00:20 . 2008-11-26 00:20 29,184 --a------ c:\windows\system32\MSINET.oca

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 21:10 --------- d-----w c:\documents and settings\Wayne\Application Data\Free Download Manager
2008-11-25 06:42 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-12 23:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 23:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 23:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_23.28.39.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-21 06:27:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_150.dat
+ 2008-12-21 21:14:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_150.dat
+ 2008-12-21 21:14:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\f3a0f76c-4953-455f-ab43-b3e8896c7ac1.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-08-01 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-01 185896]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-25 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-12 04:42 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:24:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-12-21 14:25:31
ComboFix-quarantined-files.txt 2008-12-21 21:25:29
ComboFix2.txt 2008-12-21 06:29:06

Pre-Run: 48,642,781,184 bytes free
Post-Run: 48,683,229,184 bytes free

174 --- E O F --- 2008-12-11 10:04:39

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 21 December 2008 - 05:11 PM

Hello,

You're welcome. Excellent....so it's running all right too? :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I believe that does it then. :thumbsup: If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 CPO'd

CPO'd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 22 December 2008 - 03:20 AM

Hi tea,

Thanks for all your help, everything seems to be running great! I really appreciate it. :thumbsup:

Just some follow up questions, if you don't mind:

1. I'm going to reinstall McAfee Total Protection. Are all three programs you suggested compatible?
2. Can I run all three programs (SpywareBlaster, SpywareGuard & Spybot-Search & Destroy) together? Or do I have to pick one?
3. Should I uninstall SuperAntiSpyware Professional and Malwarebytes' Anti-Malware?
4. Do I keep RSIT and HijackThis on my computer?

Thanks again tea, I hope you and yours have a very Merry Christmas and a joyous New Year!

P.S. Thanks for the early Christmas gift. :)

Edited by CPO'd, 22 December 2008 - 03:23 AM.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 22 December 2008 - 03:06 PM

Hi there,

You're most welcome, and I'm glad all is well. :thumbsup:

3. Should I uninstall SuperAntiSpyware Professional and Malwarebytes' Anti-Malware?

Nope. Those two should be sufficient. You don't have to install any of the others, especially with what you already have. But it's nice to have choices, and free ones at that. :) Keep HijackThis, but don't go playing with it! Personally I think it's a good thing to have, just in case. If you find yourself infected and can't download anything, well, you already have a good start on what a Helper would need to see. :) When you reinstall McAfee, please be sure to use the firewall. It's as important as AntiVirus.

You have a Merry Christmas as well!

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 CPO'd

CPO'd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 27 December 2008 - 07:43 AM

Hi again tea,

I just got finished uninstalling all the software I no longer wanted and replaced it with McAfee Total Protection. Upon running a scan, it found the following items:

Detection Type: Potentially Unwanted Program
Detection Name: RemAdm-ProcLaunch! 171
Status: Detected
Items:
File Name: C:\System Volume Information\_restore
{0D8B1BE3-C452-4253-B8B0-12A8FDEC8F1A}\RP3
\A0000164.exe

Detection Type: Potentially Unwanted Program
Detection Name: Tool-NirCmd
Status: Detected
Items:
File Name: C:\System Volume Information\_restore
{0D8B1BE3-C452-4253-B8B0-12A8FDEC8F1A}\RP3
\A0000138.com, C:\System Volume Information\_restore
{0D8B1BE3-C452-4253-B8B0-12A8FDEC8F1A}\RP2
\A0000107.exe, C:\System Volume Information\_restore
{0D8B1BE3-C452-4253-B8B0-12A8FDEC8F1A}\RP2
\A0000060.com

I checked at McAfee.com and it stated they were PUPs and NOT viruses. I searched around, but couldn't find anything. McAfee gives me the option to either Remove or Trust, do you know what I should do? I don't know whether or not they have anything to do with my previous problem, but wanted to ask before Removing them just in case.

Thanks for your time. :thumbsup:

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 27 December 2008 - 02:32 PM

Hi there,

Those are not problems at all. :) The first one is in System Restore and not a threat at all, whatever it is. The second one is related to ComboFix, so perfectly legit. :thumbsup:

We can clear the restore points to prevent that from happening again :

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Let me know if that does the trick. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 CPO'd

CPO'd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 29 December 2008 - 12:54 PM

Hey tea,

Yep that did it! :) Everything is running great and McAfee didn't find anything this time.

Sorry for the delay in my response and I hope you enjoy the final days of '08. All the best in 2009!

Thanks again tea for all the help you've given me, :thumbsup:

CPO'd

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 29 December 2008 - 01:04 PM

Well hi there. :)

You're welcome. :)

No need to be sorry at all, and I'm so glad all is still well. :)

Time flies......it seems like the last year has raced by, and I'm looking forward to the next one. :thumbsup: You have a great 2009 as well!

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 AM

Posted 31 December 2008 - 03:03 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users