Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit/Backdoor (TDS)


  • This topic is locked This topic is locked
10 replies to this topic

#1 zeero3

zeero3

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 01 January 2009 - 07:12 PM

Computer was freezing before. With the assistance of rigel in another section of this forum, I was able to get the computer to be seemingly stable. With rigel's advice, SUPERantispyware Free was run in safe mode and TDSS**** was found to be a Rootkit/Backdoor Trojan. Was explained that this could be a very dangerous virus and referred to this forum.

Here is a link of the assistance I was given by a memeber of bleepingcomputer.com: Previous Assistance Thread

The only signs of a virus are when running Spybot. While scanning with Spybot, AVG's background program finds an instance of a virus in the c:\system volume information\

As instructed, I have pasted and attached the DDS.txt and Attach.txt files, respectively.

Thank you SO SO much in advance! I appreciate any help I can get....



DDS (Version 1.1.0) - NTFSx86
Run by Owner at 15:57:19.48 on Thu 01/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.882 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\vVX1000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SmartDefrag] "c:\program files\iobit\iobit smartdefrag\IObit SmartDefrag.exe" /StartUp
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: SpSubLSP.dll
Trusted Zone: musicmatch.com\online
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-20 26824]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-6-23 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-6-20 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-20 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-20 76040]
R2 Maxtor Sync Service;Maxtor Service;"c:\program files\maxtor\sync\SyncServices.exe" [2008-7-21 193888]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\postgresql\8.3\bin\pg_ctl.exe" runservice -w -n "pgsql-8.3" -d "c:\program files\postgresql\8.3\data\" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-10-30 24652]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-23 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-23 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-23 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-6-23 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-6-23 1072008]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-5-6 1245064]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2008-12-31 15:55 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-31 15:55 --d----- c:\program files\SUPERAntiSpyware
2008-12-31 15:55 --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2008-12-16 00:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-07 21:46 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-12 19:35 256 a------- c:\documents and settings\owner\pool.bin
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-07-06 04:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070620080707\index.dat

============= FINISH: 15:58:09.48 ===============

Attached Files


Edited by zeero3, 01 January 2009 - 07:19 PM.


BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 08 January 2009 - 11:47 AM

Hello zeero.

I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this Posted Image sign.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take affect.


Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 08 January 2009 - 03:41 PM

ComboFix 09-01-08.01 - Owner 2009-01-08 12:21:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1045 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\m3.dll
K:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2008-12-31 15:55 . 2008-12-31 15:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-31 15:55 . 2008-12-31 15:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-12-31 15:55 . 2008-12-31 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-30 15:54 . 2008-12-30 15:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-30 15:52 . 2008-12-30 15:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-16 00:48 . 2008-12-16 00:48 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 08:17 --------- d-----w c:\program files\Full Tilt Poker
2009-01-04 17:32 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-01 08:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 08:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 08:29 --------- d-----w c:\documents and settings\Owner\Application Data\WeatherBug
2008-12-31 23:53 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-30 23:22 --------- d-----w c:\program files\DivX
2008-12-30 23:21 --------- d-----w c:\program files\Viewpoint
2008-12-24 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-22 21:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-19 22:31 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-16 08:48 --------- d-----w c:\program files\Java
2008-12-08 05:46 --------- d-----w c:\program files\iTunes
2008-12-08 05:46 --------- d-----w c:\program files\iPod
2008-12-08 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-08 05:44 --------- d-----w c:\program files\QuickTime
2008-12-08 05:43 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 03:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 08:37 --------- d-----w c:\program files\PokerStars
2008-12-01 01:42 --------- d-----w c:\program files\Documents To Go
2008-12-01 01:41 --------- d-----w c:\program files\palmOne
2008-11-25 07:45 --------- d-----w c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2008-11-25 07:29 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-11-15 22:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 03:35 256 ----a-w c:\documents and settings\Owner\pool.bin
2008-11-13 02:36 --------- d-----w c:\program files\Common Files\Research In Motion
2008-11-12 11:00 --------- d-----w c:\program files\MSXML 4.0
2008-07-06 12:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070620080707\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2005-06-07 1339392]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 139264]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-11-21 2386960]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\postgres\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-11-02 19:01 50792 c:\program files\Common Files\AOL\1134098829\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-05-10 16:04 11776 c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-06-17 17:13 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 07:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-16 00:48 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 11:22 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-20 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-06-20 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-20 76040]
R4 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-06-09 65536]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-30 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-23 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea40caaf-082d-11dc-a803-0016b651a731}]
\Shell\AutoRun\command - K:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-08 c:\windows\Tasks\User_Feed_Synchronization-{9182487D-96ED-4FF0-A453-A641807F735E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CamMonitor - c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
MSConfigStartUp-NeroCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: SpSubLSP.dll
Trusted Zone: online.musicmatch.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 12:29:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*NULL*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,\
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
cb,8e,67,a2,a4,bc,37,ad,9b,ef,51,64,cf,f2,ef,b7,de,53,fd,b2,dd,81,d0,0a,6f,\
1a,cd,e3,17,7f,88,1b,28,fd,fe,49,90,19,da,92,09,b9,30,b9,37,b7,0c,cc,32,29,\
f2,1c,2e,bd,a3,54,9d,bc,08,35,4a,8e,86,15,33,59,06,d0,2d,3d,29,97,23,71,6b,\
14,f2,6e,f9,dd,a7,cd,e3,fc,8c,59,04,69,a7,59,e9,4a,a6,10,65,b1,d3,29,60,01,\
f0,ff,c3,70,86,a3,7b,a6,1a,4b,4e,80,af,52,a4,b4,43,20,e6,34,99,bb,ac,64,92,\
32,f5,90,53,97,46,66,10,74,22,83,33,bb,a5,ed,43,c4,e1,06,36,22,6b,e8,9e,49,\
9e,78,cc,39,70,fb,c1,94,eb,70,64,29,08,36,8d,eb,8d,27,73,68,78,a1,54,01,40,\
d1,a0,fa,b4,1f,73,d3,0a,14,82,82,95,8d,91,73,b1,19,b1,92,34,b0,3d,4b,ec,d0,\
32,2e,7c,6c,9c,fa,60,b3,6c,a4,75,23,f9,e7,db,91,16,35,3b,48,84,f7,7c,b7,26,\
6f,0a,0b,c8,ec,2b,ba,8c,3a,98,bb,0f,ef,1d,32,43,13,2d,e4,e3,62,61,5e,f5,f8,\
de,66,de,f1,be,87,17,f0,44,39,26,c7,ba,56,37,c0,ed,6a,66,a7,d4,d5,f7,4a,8a,\
e1,08,98,5c,93,32,26,d3,60,7f,fe,a9,3f,21,a9,a3,59,5c,1a,9b,a3,fb,56,d8,20,\
88,e9,b9,58,09,a2,7c,9c,d7,c8,e8,bf,94,ed,fb,7f,b2,0d,83,50,47
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,\
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
cb,8e,67,a2,a4,bc,37,ad,9b,ef,51,64,cf,f2,ef,b7,de,53,fd,b2,dd,81,d0,0a,6f,\
1a,cd,e3,17,7f,88,1b,28,fd,fe,49,90,19,da,92,09,b9,30,b9,37,b7,0c,cc,32,29,\
f2,1c,2e,bd,a3,54,9d,bc,08,35,4a,8e,86,15,33,59,06,d0,2d,3d,29,97,23,71,6b,\
14,f2,6e,f9,dd,a7,cd,e3,fc,8c,59,04,69,a7,59,e9,4a,a6,10,65,b1,d3,29,60,01,\
f0,ff,c3,70,86,a3,7b,a6,1a,4b,4e,80,af,52,a4,b4,43,20,e6,34,99,bb,ac,64,92,\
32,f5,90,53,97,46,66,10,74,22,83,33,bb,a5,ed,43,c4,e1,06,36,17,4a,fc,d5,fc,\
7a,7c,ed,ea,ef,3f,9c,c8,20,0b,e9,22,12,6f,5f,bf,07,c6,37,f5,23,61,ac,10,b0,\
d7,d4,f0,3a,04,f8,35,12,88,ab,40,b3,53,a9,b5,ba,3d,e4,a8,3e,0c,b4,88,e8,e3,\
95,d4,6c,62,a9,b2,75,24,9d,20,2e,a4,1d,ed,c0,68,5d,41,61,3f,e0,5e,fd,47,ae,\
c6,1d,0f,43,15,05,81,c7,3d,53,df,d0,ee,00,9f,74,bb,6f,c4,37,b1,b7,d9,ab,8d,\
cc,05,98,cd,9e,71,15,36,dd,48,50,3a,91,9d,36,de,d2,1a,b8,87,dd,09,0a,8a,ad,\
7a,a8,f9,fe,e9,e0,cb,18,c1,e3,8f,19,ca,10,1a,67,26,a0,39,ac,3f,b7,84,7c,72,\
19,dc,6d,b7,30,13,0c,fc,d1,12,22,e2,48,c6,90,c2,d4,8b,97,02,9a,57,f2,75,34,\
aa,96,79,9a,32,ce,ea,d0,6b,9e,e3,84,ae,3d,f1,09,39,54,08,86,69,a1,c7,8c,06,\
e2,73,6c,30,23,af,75,5c,d8,31,9d,b7,cf,5b,01,0c,48,60,c6,06,15,28,00,bb,7a,\
f5,f0,d5,71,92,55,c7,65,63,8d,76,fc,32,b2,d2,69,07,a5,86,07,17,86,44,1a,76,\
e5,db,e7,49,1a,b1,32,83,9f,cf,7d,1d,09,b5,bf,d2,36,8f,40,ed,13,d9,1b,39,0a,\
81,0f,d0,68,45,d4,93,bc,a6,54,08,e3,dc,d2,4e,6a,72,95,fc,88,6c,8e,d9,21,90,\
63,ae,86,dc,e5,81,a3,6b,1d,56,92,78,78,b5,fd,8b,0f,68,03,ca,37,99,cc,3d,fd,\
7c,b3,7e,01,3d,06,61,3f,b8,59,72,dd,de,0a,21,f9,f0,03,8f,ec,0a,96,1f,a6,56,\
22,c0,34,80,fe,78,de,be,b0,29,62,95,1a,11,7d,a0,12,20,ae,b9,47,7c,2c,f9,59,\
07,71,68,ab,d7,71,a4,66,dc,a3,21,57,2d,9d,4f,5d,5f,f9,64,2c,10,97,11,4c,32,\
b4,58,fc,f9,a7,64,1b,17,d9,bf,91,01,a6,14,3a,00,15,89,95,2b,30,c9,dc,b4,63,\
8e,5a,44,30,0e,2b,54,1e,e7,57,b7,4b,5f,e6,19,9e,f9,b2
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,\
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
cb,8e,67,a2,a4,bc,37,ad,9b,ef,51,64,cf,f2,ef,b7,de,53,fd,b2,dd,81,d0,0a,6f,\
1a,cd,e3,17,7f,88,1b,28,fd,fe,49,90,19,da,92,09,b9,30,b9,37,b7,0c,cc,32,29,\
f2,1c,2e,bd,a3,54,9d,bc,08,35,4a,8e,86,15,33,59,06,d0,2d,3d,29,97,23,71,6b,\
14,f2,6e,f9,dd,a7,cd,e3,fc,8c,59,04,69,a7,59,e9,4a,a6,10,65,b1,d3,29,60,01,\
f0,ff,c3,70,86,a3,7b,a6,1a,4b,4e,80,af,52,a4,b4,43,20,e6,34,99,bb,ac,64,92,\
32,f5,90,53,97,46,66,10,74,22,83,33,bb,a5,ed,43,c4,e1,06,36,2d,af,34,00,95,\
41,1a,ea,d0,23,08,0e,d3,a0,34,21,7a,2b,13,29,42,6e,28,d6,fe,21,2d,18,06,08,\
c0,db,21,6c,f3,af,49,a2,54,91,ba,0b,cc,08,6d,a2,7d,e0,82,99,91,1e,ab,b3,b7,\
46,8d,91,ab,a5,14,d2,ab,b5,b7,6a,97,0b,73,2d,cc,51,51,82,6b,e4,ad,41,a3,73,\
be,0f,64,6e,11,4d,40,c2,6e,03,c6,9b,71,51,5e,e1,f5,d1,89,05,8b,e4,6f,90,5b,\
dc,52,04,6e,ef,ef,11,3c,20,7f,22,a9,83,40,7a,01,a2,9e,4c,0b,ba,06,2c,c1,09,\
0a,04,a4,4f,75,9d,05,50,96,62,0a,fe,76,eb,45,19,4f,de,1e,3d,09,f6,0b,de,10,\
05,da,14,39,1a,15,f7,37,f0,e0,bc,39,eb,74,ce,28,6c,ff,04,57,e0,f8,4a,a2,32,\
10,d9,be,86,38,5f,b0,6b,9d,d9,06,17,00,db,19,63,92,86,b9,a7,76,f0,cf,76,cb,\
b7,d3,a7,7b,25,85,9c,02,58,5a,2c,27,0d,60,3d,36,61,cd,97,11,6d,81,ec,01,70,\
be,89,c7,66,f6,bf,f4,87,da,92,25,30,4e,c6,d5,15,70,f6,6e,a9,cb,c7,fe,a9,88,\
2e,9b,4e,36,60,ea,55,17,f1,f9,d0,ff,14,8f,9c,41,c1,1a,12,13,6a,d5,7e,8e,d8,\
07,8b,28,9d,4e,72,29,85,84,0d,c0,70,3a,61,6e,6d,13,d2,c2,ea,13,b5,3e,59,8d,\
89,5f,48,b3,ea,66,a7,87,e1,65,e5,ba,10,0f,c2,ae,80,e4,f4,96,c4,ac,ef,83,a7,\
29,72,95,f5,14,8b,9b,9f,73,3a,3b,34,ac,b9,d6,bb,93,0c,29,df,05,49,c8,82,83,\
93,ab,14,c0,87,aa,43,0b,ef,7e,6f,89,7b,b8,cd,4a,93,16,0c,37,a6,a8,d1,d8,e0,\
a0,c2,c6,5d,49,16,56,be,a0,c5,f2,c1,d7,86,01,08,aa,21,fd,51,5d,46,7c,58,49,\
91,0c,95,7c,33,2b,3b,a1,12,91,f4,d4,d1,53,de,03,13,66,44,c3,05,ff,41,79,f2,\
05,f8,8c,9e,88,d7,b6,f0,89,16,5c,62,8e,d2,48,31,e9,1e,f2,34,e2,75,e6,4d,66,\
68,d5,1a,97,c4,da,0a,b5,fe,e2,c1,c0,ad,e4,29,a1,51,25,cc,d4,52,2f,40,71,42,\
31,b8,0c,ec,aa,bb,36,e4,32,02,9b,1f,46,56,c6,2a,0d,b3,07,3f,1b,0f,13,3f,22,\
20,02,56,6d,02,30,ea
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\SpSubLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-08 12:37:25 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-08 20:37:22
ComboFix2.txt 2008-06-27 22:26:35

Pre-Run: 51,286,716,416 bytes free
Post-Run: 51,218,157,568 bytes free

322 --- E O F --- 2008-12-18 20:54:29















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:45 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-21-182555412-327989232-1648109500-1009\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'postgres')
O4 - S-1-5-21-182555412-327989232-1648109500-1009 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'postgres')
O4 - S-1-5-21-182555412-327989232-1648109500-1009 User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'postgres')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8466 bytes









I have not made any changes since I started the topic other than what was linked above from my older topic.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 09 January 2009 - 08:16 AM

Hello.

That looks clean. Do you have any problems right now?

Weather Bug Warning
You appear to have Weather Bug installed. The free version of Weather Bug is generally considered to be adware. As such, it is up to you whether you wish to remove it or leave it installed. The information here and here may help you decide. If you wish to uninstall this: First, right click the WeatherBug icon in the systray and disable it, then go to Add/Remove Programs and uninstall from there.

You may also want to remove Viewpoint programs.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
The Panda

#5 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 09 January 2009 - 08:27 AM

My main concern is if I should cease using and remove uTorrent.

Also, should I be using a Firewall othe than the Windows XP one?

Will now remove Viewpoint programs, do F-Secure Scan, and post report...

#6 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 09 January 2009 - 02:43 PM

Scanning Report
Friday, January 09, 2009 05:36:42 - 11:42:28
Computer name: PITTBOSS
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ K:\


--------------------------------------------------------------------------------

Result: 2 malware found
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Revsci (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 44981
System: 4437
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-09
F-Secure AVP: 7.0.171, 2009-01-09
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 09 January 2009 - 04:32 PM

Hello.

That all looks good.

I would definately suggest agaisnt using P2P programs like uTorrent.

Install Firewall
Installing a 3rd party firewall is a good decision.The main reason you would prefer a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop programs (possibly ones that could intrude your privacy) from sending outgoing signals to the Internet or to other networks. You can read this article for more.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.

If you do decide to install a firewall, please post back a new DDS log after.

With Regards,
The Panda

#8 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 January 2009 - 11:31 PM

Installed COMODO and restarted computer. Just finished DDS/Attach and here are the logs.
One thing to note, I see "Norton Antivirus" at the top of the DDS log and that program was uninstalled long ago. Orphan? No action needed?






DDS (Version 1.1.0) - NTFSx86
Run by Owner at 20:21:36.75 on Sun 01/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.980 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\vVX1000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SmartDefrag] "c:\program files\iobit\iobit smartdefrag\IObit SmartDefrag.exe" /StartUp
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: SpSubLSP.dll
Trusted Zone: musicmatch.com\online
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-20 26824]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-1-9 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-1-9 31504]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-6-23 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-6-20 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-20 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-20 76040]
R2 cmdAgent;COMODO Internet Security Helper Service;"c:\program files\comodo\comodo internet security\cmdagent.exe" [2009-1-9 618232]
R2 Maxtor Sync Service;Maxtor Service;"c:\program files\maxtor\sync\SyncServices.exe" [2008-7-21 193888]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\postgresql\8.3\bin\pg_ctl.exe" runservice -w -n "pgsql-8.3" -d "c:\program files\postgresql\8.3\data\" []
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-23 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-23 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-23 81288]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-6-23 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-6-23 1072008]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-5-6 1245064]

=============== Created Last 30 ================

2009-01-09 13:39 147,192 a------- c:\windows\system32\guard32.dll
2009-01-09 13:39 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2009-01-09 13:39 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-01-09 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2009-01-09 13:38 <DIR> --d----- c:\program files\COMODO
2009-01-09 05:34 <DIR> --d----- C:\fsaua.data
2009-01-08 18:36 <DIR> --d----- c:\documents and settings\owner\tmp
2009-01-08 12:20 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:20 98,816 a------- c:\windows\sed.exe
2008-12-31 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-31 15:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-31 15:55 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2008-12-16 00:48 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-12 19:35 256 a------- c:\documents and settings\owner\pool.bin
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-07-06 04:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070620080707\index.dat

============= FINISH: 20:22:50.53 ===============

Attached Files



#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 12 January 2009 - 08:19 AM

Hello.

That looks good.

I see "Norton Antivirus" at the top of the DDS log and that program was uninstalled long ago. Orphan? No action needed?

It appears to be. DDS reads the registry values that Norton Antivirus left behind.

Unless you have any other problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author. Posted Image
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#10 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 12 January 2009 - 03:55 PM

Everything seems to be fine. Thank you again. I have nothing else to add. If you do please go ahead.

If you want to close this thread, I have no objections.

Again, thanks to you and the whole BC forum.

---Nick

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 12 January 2009 - 05:30 PM

You are welcome Nick.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users