Firefox fails to connect after clipboard use / Can't boot into safe mode


  • This topic is locked
21 replies to this topic

#1 djbanging

  • Members
  • 20 posts

Posted 04 January 2009 - 05:51 PM

Hi,

Referred here from Am I Infected. ~ OB

This is a follow on from this topic: http://www.bleepingcomputer.com/forums/t/191741/firefox-fails-to-connect-after-copying/

When I copy from Firefox the browser won't connect until I restart the program. My other browsers seem to be unaffected.

Also I can't boot into safe mode as described in the previous topic. My DDS log is below:


DDS (Version 1.1.0) - NTFSx86
Run by at 22:42:35.45 on 04/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1127 [GMT 0:00]

AV: avast! antivirus 4.8.1296 [VPS 090104-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\abit\abit uGuru\AirPaceWifi.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\WinFlip\WinFlip.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: IEBookmark Class: {ef341f91-4715-46e2-b0af-724e3225e52e} - c:\program files\webmetalogic\bookmark synchronizer\Bookmark.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWEReboot]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [AirPaceWifi] "c:\program files\abit\abit uguru\AirPaceWifi.exe" -nogui
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\docume~1\\startm~1\programs\startup\SHORTC~1.LNK -
StartupFolder: c:\docume~1\\startm~1\programs\startup\shortc~2.lnk - c:\program files\winflip\WinFlip.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {47685814-18BB-4659-8245-14A9C9EBDD76} - {EF341F91-4715-46E2-B0AF-724E3225E52E} - c:\program files\webmetalogic\bookmark synchronizer\Bookmark.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
TCP: {22093057-9BAB-47ED-91A2-F5A45676DDD2} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\\applic~1\mozilla\firefox\profiles\79p7ph7g.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\\application data\mozilla\firefox\profiles\79p7ph7g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\documents and settings\\application data\mozilla\firefox\profiles\79p7ph7g.default\extensions\ubiquity@labs.mozilla.com\platform\winnt_x86-msvc\components\ubiquity.dll
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\google\lively\nplively.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-29 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [2008-12-1 556832]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-10-9 38656]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-10-22 56960]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2007-10-19 1694592]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-29 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-29 155160]
R4 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2008-4-23 361040]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-10-22 46336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-29 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-29 352920]
S3 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-31 29744]
S3 ProtoWall;ProtoWall Defender;c:\windows\system32\drivers\ProtoWall.sys [2004-1-28 21376]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]
S4 gupdate1c8e2b184ebb42c;Google Update Service (gupdate1c8e2b184ebb42c);c:\program files\google\update\GoogleUpdate.exe [2008-7-10 133104]

=============== Created Last 30 ================

2009-01-04 14:48 --d----- c:\program files\Trend Micro
2009-01-04 00:59 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-04 00:59 --d----- c:\program files\SUPERAntiSpyware
2009-01-04 00:59 --d----- c:\docume~1\\applic~1\SUPERAntiSpyware.com
2009-01-03 19:22 --d----- C:\fsaua.data
2009-01-03 18:11 --d----- C:\SDFix
2009-01-03 15:58 --d----- c:\docume~1\\applic~1\Canneverbe_Limited
2009-01-03 14:55 --d----- C:\temp
2009-01-03 14:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 14:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 20:11 --d----- c:\program files\Evernote
2008-12-22 23:18 --d----- c:\program files\HandBrake
2008-12-14 17:25 --d----- c:\windows\Logs
2008-12-14 17:17 --d----- c:\windows\system32\XPSViewer
2008-12-14 17:16 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-14 17:15 --d----- c:\windows\system32\xlive
2008-12-14 15:02 --d----- c:\docume~1\\applic~1\DMCache
2008-12-14 13:51 --d----- c:\documents and settings\\.flickrEditAuth-WRITE
2008-12-14 13:51 --d----- c:\documents and settings\\.flickrEditAuth-READ
2008-12-14 13:51 --d----- c:\documents and settings\\.flickrEditAuth-DELETE
2008-12-08 21:07 --d----- c:\program files\Intel Corporation

==================== Find3M ====================

2008-12-09 21:31 2,560 a------- c:\windows\_MSRSTRT.EXE
2008-11-17 20:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-11-07 14:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-08-27 20:02 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-06-23 06:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-05-07 18:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 22:42:44.18 ===============


Thanks!

Edited by Orange Blossom, 04 January 2009 - 06:10 PM.
Fix link ~ OB


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 12 January 2009 - 05:21 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda
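Once a GMER log like the one requested above comes back, the first triage pass is usually to see which kernel drivers own the SSDT hooks, whether GMER attributed each of them to a vendor, and whether it reported any driver file it could not find on disk. The script below is an added example for readers of this thread; it is not part of the thread, not GMER's own tooling, and not something the helpers here asked for. The regular expressions are an assumption about the GMER 1.0.14 text layout inferred from the lines quoted in this thread, and the sample log is a constructed excerpt in that layout, not the poster's full log.

```python
"""Triage helper for GMER text logs: group SSDT hooks by the driver that
installed them and flag hooks GMER could not attribute to a vendor.

Added example, not part of the forum thread or of GMER itself. The regexes
are an assumption about the GMER 1.0.14 text format inferred from the lines
quoted in this thread; adjust them if your log differs.
"""
import re
from collections import OrderedDict

# Constructed sample in the GMER 1.0.14 text-log layout (modelled on lines
# posted in this thread, not the thread's full log).
SAMPLE_GMER_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-12 22:48:56
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xABEC5576]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwConnectPort [0xAC0C40D2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xABEC5432]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE2 8050457E 2 Bytes [ EC, B9 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? System32\Drivers\ao2avbs2.SYS The system cannot find the file specified. !
"""

# "SSDT <driver> [(description/vendor)] <ZwFunction> [0xADDR]"
# Assumption: the driver path contains no spaces (true for the lines in this thread).
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"          # hooking driver: full path or bare file name
    r"(?:\s+\((?P<desc>[^)]*)\))?"      # optional "(description/vendor)" annotation
    r"\s+(?P<func>Zw\w+)"               # hooked native system service
    r"\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# "? <path> <error message>" with an optional trailing "!" marker
FILE_ERR_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<msg>.*?)\s*!?\s*$")


def basename(path):
    """Lower-cased file name of a Windows path (or bare name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return {'ssdt': [...], 'file_errors': [...]} parsed from a GMER text log."""
    hooks, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            desc = m.group("desc")
            # GMER's annotation reads "description/vendor"; keep the vendor part
            vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
            hooks.append({
                "module": m.group("module"),
                "file": basename(m.group("module")),
                "vendor": vendor,
                "function": m.group("func"),
                "address": int(m.group("addr"), 16),
            })
            continue
        m = FILE_ERR_RE.match(line)
        if m:
            msg = m.group("msg")
            errors.append({
                "path": m.group("path"),
                "file": basename(m.group("path")),
                "message": msg,
                # a driver the kernel references but GMER cannot find on disk is
                # the case worth following up; a locked file is a different thing
                "missing": "cannot find the file" in msg.lower(),
            })
    return {"ssdt": hooks, "file_errors": errors}


def triage(text):
    """Group SSDT hooks per driver and list drivers with no vendor attribution."""
    parsed = parse_gmer(text)
    modules = OrderedDict()
    for h in parsed["ssdt"]:
        entry = modules.setdefault(h["file"], {"vendor": h["vendor"], "functions": []})
        entry["functions"].append(h["function"])
    unattributed = [name for name, e in modules.items() if e["vendor"] is None]
    missing = [e for e in parsed["file_errors"] if e["missing"]]
    return {"modules": modules, "unattributed": unattributed, "missing_files": missing}


if __name__ == "__main__":
    result = triage(SAMPLE_GMER_LOG)
    for name, entry in result["modules"].items():
        who = entry["vendor"] or "NO VENDOR ATTRIBUTION"
        print(f"{name:12} {who:28} hooks: {', '.join(entry['functions'])}")
    print("unattributed SSDT hookers:", result["unattributed"])
    for e in result["missing_files"]:
        print("referenced but not found on disk:", e["path"])
```

Run it against a saved GMER log by reading the file into `triage()` instead of the constructed sample. An unattributed hooker is only a pointer for where to look next: the vendor field comes from the file's own version information, so a legitimate driver without it (or a renamed one) lands in the same list as something hostile, and the "cannot find the file" entries still have to be checked by hand.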

#3 djbanging
  • Topic Starter

  • Members
  • 20 posts

Posted 12 January 2009 - 05:56 PM

Hi PP - thanks for coming back to me! The only change I've made in the last week was that I installed Office 2007. The problems remain the same as before i.e. when I copy/paste from Firefox it fails to connect until I restart the browser and I can't boot into safe mode.

Logs - DDS first:


DDS (Version 1.1.0) - NTFSx86
Run by <djbanging. at 22:31:11.29 on 12/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1056 [GMT 0:00]

AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\abit\abit uGuru\AirPaceWifi.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\WinFlip\WinFlip.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\<djbanging.\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\<djbanging.\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: IEBookmark Class: {ef341f91-4715-46e2-b0af-724e3225e52e} - c:\program files\webmetalogic\bookmark synchronizer\Bookmark.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWEReboot]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [AirPaceWifi] "c:\program files\abit\abit uguru\AirPaceWifi.exe" -nogui
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\<djbanging.\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\<djbanging.\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\<djbanging.\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\docume~1\<djbanging.\startm~1\programs\startup\SHORTC~1.LNK -
StartupFolder: c:\docume~1\<djbanging.\startm~1\programs\startup\shortc~2.lnk - c:\program files\winflip\WinFlip.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {47685814-18BB-4659-8245-14A9C9EBDD76} - {EF341F91-4715-46E2-B0AF-724E3225E52E} - c:\program files\webmetalogic\bookmark synchronizer\Bookmark.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
TCP: {22093057-9BAB-47ED-91A2-F5A45676DDD2} = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\<djbanging.\applic~1\mozilla\firefox\profiles\79p7ph7g.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\<djbanging.\application data\mozilla\firefox\profiles\79p7ph7g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\documents and settings\<djbanging.\application data\mozilla\firefox\profiles\79p7ph7g.default\extensions\ubiquity@labs.mozilla.com\platform\winnt_x86-msvc\components\ubiquity.dll
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\<djbanging.\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\<djbanging.\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\google\lively\nplively.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-29 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [2008-12-1 556832]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-10-9 38656]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-29 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-29 352920]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-10-22 56960]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-29 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-29 155160]
R4 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2008-4-23 361040]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-10-22 46336]
S3 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-31 29744]
S3 ProtoWall;ProtoWall Defender;c:\windows\system32\drivers\ProtoWall.sys [2004-1-28 21376]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2007-10-19 1694592]
S4 gupdate1c8e2b184ebb42c;Google Update Service (gupdate1c8e2b184ebb42c);c:\program files\google\update\GoogleUpdate.exe [2008-7-10 133104]

=============== Created Last 30 ================

2009-01-12 21:49 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-12 21:47 <DIR> --d----- c:\program files\common files\ODBC
2009-01-12 21:45 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-01-12 21:44 <DIR> --d----- c:\windows\SHELLNEW
2009-01-10 19:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MediaMonkey
2009-01-04 14:48 <DIR> --d----- c:\program files\Trend Micro
2009-01-04 00:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-04 00:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-04 00:59 <DIR> --d----- c:\docume~1\<djbanging.\applic~1\SUPERAntiSpyware.com
2009-01-03 19:22 <DIR> --d----- C:\fsaua.data
2009-01-03 18:11 <DIR> --d----- C:\SDFix
2009-01-03 15:58 <DIR> --d----- c:\docume~1\<djbanging.\applic~1\Canneverbe_Limited
2009-01-03 14:55 <DIR> --d----- C:\temp
2009-01-03 14:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 14:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 20:11 <DIR> --d----- c:\program files\Evernote
2008-12-22 23:18 <DIR> --d----- c:\program files\HandBrake
2008-12-14 17:25 <DIR> --d----- c:\windows\Logs
2008-12-14 17:17 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-14 17:16 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-14 17:15 <DIR> --d----- c:\windows\system32\xlive
2008-12-14 15:02 <DIR> --d----- c:\docume~1\<djbanging.\applic~1\DMCache
2008-12-14 13:51 <DIR> --d----- c:\documents and settings\<djbanging.\.flickrEditAuth-WRITE
2008-12-14 13:51 <DIR> --d----- c:\documents and settings\<djbanging.\.flickrEditAuth-READ
2008-12-14 13:51 <DIR> --d----- c:\documents and settings\<djbanging.\.flickrEditAuth-DELETE

==================== Find3M ====================

2008-12-09 21:31 2,560 a------- c:\windows\_MSRSTRT.EXE
2008-11-17 20:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-08-27 20:02 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-06-23 06:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-05-07 18:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 22:31:38.95 ===============

And the gmer scan log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-12 22:48:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xABEC5576]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwConnectPort [0xAC0C40D2]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateFile [0xAC0C6302]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xABEC5432]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreatePort [0xAC0C402C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateSection [0xAC0C4AAE]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateThread [0xAC0C3D12]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteFile [0xAC0C5CB0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteKey [0xAC0C4EC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xABEC5910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xABEC500A]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xABEC550C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xABEC4F4A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenSection [0xAC0C49E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xABEC4FAE]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xABEC562C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xABEC55EC]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetContextThread [0xAC0C3BB4]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetInformationFile [0xAC0C5DE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xABEC576C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwShutdownSystem [0xAC0C4FA0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwTerminateProcess [0xAC0C3F66]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFile [0xAC0C614A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFileGather [0xAC0C5FB4]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE2 8050457E 2 Bytes [ EC, B9 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8AD58AC 5 Bytes JMP 8AC1D1C8
? System32\Drivers\ao2avbs2.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\bridge.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\bridge.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\bridge.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\bridge.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA18B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA18B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA18B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[1020] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[1020] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AFF71E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 88AA61E8

AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBPDO-0 8AC1C1E8
Device \Driver\usbuhci \Device\USBPDO-1 8AC1C1E8
Device \Driver\usbuhci \Device\USBPDO-2 8AC1C1E8
Device \Driver\usbehci \Device\USBPDO-3 8AC061E8
Device \Driver\usbuhci \Device\USBPDO-4 8AC1C1E8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 8AC1C1E8
Device \Driver\usbuhci \Device\USBPDO-6 8AC1C1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2FF2C10A-6C47-48AB-99D8-FEE080385A2E} 8AAAE5F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B01B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B01B1E8
Device \Driver\Cdrom \Device\CdRom0 8AC961E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9E9EB170-2615-4EEB-A819-2F07B8F59D03} 8AAAE5F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B01B1E8
Device \Driver\Cdrom \Device\CdRom1 8AC961E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8B01B1E8
Device \Driver\Cdrom \Device\CdRom2 8AC961E8
Device \Driver\PCI_NTPNP4322 \Device\00000080 sptd.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AAAE5F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{82376932-EDF8-470A-8CF5-F4DDB958693D} 8AAAE5F8
Device \Driver\NetBT \Device\NetbiosSmb 8AAAE5F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 8AC1C1E8
Device \Driver\usbuhci \Device\USBFDO-1 8AC1C1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A8F5790
Device \Driver\usbuhci \Device\USBFDO-2 8AC1C1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A8F5790
Device \Driver\usbehci \Device\USBFDO-3 8AC061E8
Device \Driver\usbuhci \Device\USBFDO-4 8AC1C1E8
Device \Driver\Ftdisk \Device\FtControl 8B01B1E8
Device \Driver\usbuhci \Device\USBFDO-5 8AC1C1E8
Device \Driver\usbuhci \Device\USBFDO-6 8AC1C1E8
Device \Driver\USBSTOR \Device\000000be 8A22E1E8
Device \Driver\USBSTOR \Device\000000bf 8A22E1E8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8AFF91E8
Device \Driver\ao2avbs2 \Device\Scsi\ao2avbs21Port7Path0Target0Lun0 8ABEA1E8
Device \Driver\imagedrv \Device\Scsi\imagedrv1Port6Path0Target0Lun0 8AFF91E8
Device \Driver\ao2avbs2 \Device\Scsi\ao2avbs21 8ABEA1E8
Device \FileSystem\Fastfat \Fat 88AA61E8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 88FAA1E8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6E 0x42 0xF4 0x63 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x25 0x8D 0x13 0xA8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x39 0x6D 0x63 0x41 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6F 0x6E 0x4E 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6E 0x42 0xF4 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x25 0x8D 0x13 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0xA8 0x20 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6F 0x6E 0x4E 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0x77 0x9A 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x25 0x8D 0x13 0xA8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xED 0xF3 0xC3 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6F 0x6E 0x4E 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6E 0x42 0xF4 0x63 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x25 0x8D 0x13 0xA8 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCC 0xC1 0x99 0xCE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6F 0x6E 0x4E 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2D 0xA3 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2D 0xA3 0x37 0x0E ...

---- EOF - GMER 1.0.14 ----


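The GMER log above is mostly hooks that GMER itself attributes to avast! (aswSP, aswMon2, aswTdi) and COMODO (cmdmon, inspect), plus entries it cannot attribute. As an added example, not code from the thread, from BleepingComputer or from GMER, the script below parses the SSDT, kernel code section, IAT, Device and AttachedDevice lines and separates vendor-attributed hooks from the items a reviewer has to look at by hand: hooks owned by a module with no "(description/vendor)" tag (sptd.sys), inline patches of kernel code, driver images GMER could not open (ao2avbs2.SYS, reported as not found on disk), and Device lines where a module name stands in place of the usual address. The sample log is a constructed excerpt of the lines posted above, and the regular expressions are my reading of the 1.0.14 text format, an assumption rather than a published grammar.

```python
"""Triage helper for GMER 1.0.14 text logs.  Added example: not GMER's code and
not posted in the thread.  Hooks GMER attributes to a vendor are counted; hooks
owned by an untagged module, inline code patches, unreadable driver images and
devices dispatched into a foreign module are queued for manual review."""
import re
from collections import Counter

# Constructed sample: representative lines copied from the GMER log above.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xABEC4F4A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenSection [0xAC0C49E0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2CE2 8050457E 2 Bytes [ EC, B9 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8AD58AC 5 Bytes JMP 8AC1D1C8
? System32\Drivers\ao2avbs2.SYS The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA18B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[1020] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000
---- Devices - GMER 1.0.14 ----
Device \Driver\usbuhci \Device\USBPDO-0 8AC1C1E8
Device \Driver\PCI_NTPNP4322 \Device\00000080 sptd.sys
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
---- EOF - GMER 1.0.14 ----
"""

# Line grammar: my reading of the 1.0.14 output (assumption; GMER publishes no
# spec).  VENDOR is the optional "(description/vendor)" tag on identified modules.
VENDOR = r"(?:\s+\((?P<desc>[^)]*)\))?"
ADDR = re.compile(r"[0-9A-F]{8}")
PATTERNS = {
    "ssdt": re.compile(r"^SSDT\s+(?P<owner>\S+)" + VENDOR
                       + r"\s+(?P<target>Zw\w+)\s+\[(?P<addr>0x[0-9A-F]+)\]$"),
    "patch": re.compile(r"^\.text\s+(?P<module>[^!\s]+)!(?P<target>\S+)"
                        r"(?:\s+\+\s+(?P<off>[0-9A-F]+))?\s+(?P<addr>[0-9A-F]{8})"
                        r"\s+(?P<n>\d+)\s+Bytes\s+(?P<bytes>.*)$"),
    "unreadable": re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<msg>.*?)\s*!?$"),
    "iat": re.compile(r"^IAT\s+(?P<module>[^\[\s]+)\[(?P<target>[^\]]+)\]\s+"
                      r"\[(?P<addr>[0-9A-F]+)\]\s+(?P<owner>\S+)" + VENDOR + r"$"),
    "device": re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)$"),
    "attached": re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
                           r"(?P<owner>\S+)" + VENDOR + r"$"),
}

def vendor_of(desc):
    # The tag reads "description/vendor"; the vendor is the part after the last slash.
    return desc.rsplit("/", 1)[-1] if desc else None

def parse(log):
    """Return (records, unparsed).  Blank lines and '---- ... ----' headers are skipped."""
    records, unparsed = [], []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                rec = {"kind": kind, "raw": line, **m.groupdict()}
                rec["vendor"] = vendor_of(rec.pop("desc", None))
                records.append(rec)
                break
        else:
            unparsed.append(line)
    return records, unparsed

def triage(log):
    """Count vendor-attributed hooks and list (owner, reason) pairs to review by hand."""
    records, unparsed = parse(log)
    by_vendor = Counter(r["vendor"] for r in records if r["vendor"])
    review = []
    for r in records:
        kind = r["kind"]
        if kind in ("ssdt", "iat", "attached") and not r["vendor"]:
            what = r["device"] if kind == "attached" else r["target"]
            review.append((r["owner"], f"unattributed {kind} hook on {what}"))
        elif kind == "patch":
            review.append((r["module"], f"inline patch of {r['target']}: {r['n']} bytes at {r['addr']}"))
        elif kind == "unreadable":
            review.append((r["module"], f"image not readable: {r['msg']}"))
        elif kind == "device" and not ADDR.fullmatch(r["owner"]):
            # A module name where GMER normally prints an address: that module,
            # not the named driver, is handling the device's I/O.
            review.append((r["owner"], f"dispatch for {r['device']} ({r['driver']}) resolves to this module"))
    return {"by_vendor": dict(by_vendor), "review": review, "unparsed": unparsed}

def modules_to_review(result):
    # Distinct lower-cased basenames of everything in the review list.
    return sorted({owner.rsplit("\\", 1)[-1].lower() for owner, _ in result["review"]})

if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print("attributed hooks per vendor:", res["by_vendor"])
    for owner, why in res["review"]:
        print(f"REVIEW {owner}: {why}")
    print("modules to review:", modules_to_review(res), "| unparsed:", len(res["unparsed"]))
```

Run on the full log the review list is dominated by sptd.sys, which the registry section ties to C:\Program Files\DAEMON Tools\ through the sptd\Cfg keys; the two-byte patch `EC B9` in ntkrnlpa.exe is the high half of a little-endian pointer into the 0xB9ECxxxx range where GMER places the sptd.sys hooks, so it is consistent with that same driver rather than with a second unknown one. ao2avbs2.SYS is the one entry for which the log gives neither a vendor nor an on-disk image, which makes it the item to resolve first; user-mode IAT lines use a different layout and are left in `unparsed` rather than guessed at.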
#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 January 2009 - 06:28 PM

Hello.

There doesn't appear to be an infection causing that.

Have you tried reinstalling Firefox?

I'm trying to find a registry export for repairing the safe boot. I don't have one for Home edition at the moment.

With Regards,
The Panda

Edited by PropagandaPanda, 12 January 2009 - 06:30 PM.


#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 January 2009 - 06:31 PM

Never mind. Got one.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Repair Safe Boot
We will use a registry script to try to repair your Safe Boot.

Please download SafeBoot.zip to your desktop.

Double click SafeBoot.zip. Extract the .reg file appropriate for your operating system to your desktop.

Double click the registry script and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete the files after use.
----
Can you boot into Safe Mode now?

With Regards,
The Panda

#6 djbanging
  • Topic Starter
  • Members
  • 20 posts

Posted 12 January 2009 - 06:35 PM

Hi,

I reinstalled about two weeks ago - this was before I ran the scans recommended in the other thread. I followed the advice from http://forums.mozillazine.org/viewtopic.ph...5&p=4885215 but it didn't work either.

Should I try reinstalling again?

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 January 2009 - 07:07 PM

Hello.

No, let's try repairing the Safe Boot first.

Refer to my above post.

With Regards,
The Panda

#8 djbanging
  • Topic Starter
  • Members
  • 20 posts

Posted 12 January 2009 - 07:20 PM

Hi,

No, I still can't boot into safe mode.

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 January 2009 - 07:47 PM

Hello.

Let's see if ComboFix can repair your Safe Boot.

Please make sure Avast! is disabled. Disable Avast!'s realtime protection by right-clicking on the avast! tray icon beside your clock and selecting Stop On-Access Protection.

In the settings: (screenshot not preserved)

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    (screenshots not preserved)

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    (screenshot not preserved)
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
With Regards,
The Panda

#10 djbanging
  • Topic Starter
  • Members
  • 20 posts

Posted 12 January 2009 - 08:04 PM

Hi,

ComboFix 09-01-11.04 - <djbanging> 2009-01-13 0:58:40.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1420 [GMT 0:00]
Running from: c:\documents and settings\<djbanging>\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 00:10 . 2009-01-13 00:10 <DIR> d-------- c:\program files\ERUNT
2009-01-12 22:35 . 2009-01-12 22:35 250 --a------ c:\windows\gmer.ini
2009-01-12 21:49 . 2009-01-12 21:49 <DIR> d-------- c:\program files\Microsoft Works
2009-01-12 21:49 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-12 21:47 . 2009-01-12 21:47 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-12 21:45 . 2009-01-12 21:45 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-12 21:44 . 2009-01-12 22:14 <DIR> d-------- c:\windows\SHELLNEW
2009-01-12 21:44 . 2009-01-12 22:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-12 21:43 . 2009-01-12 21:43 <DIR> dr-h----- C:\MSOCache
2009-01-10 19:24 . 2009-01-10 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\MediaMonkey
2009-01-04 14:48 . 2009-01-04 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-04 00:59 . 2009-01-04 22:13 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-04 00:59 . 2009-01-04 00:59 <DIR> d-------- c:\documents and settings\<djbanging>\Application Data\SUPERAntiSpyware.com
2009-01-04 00:59 . 2009-01-04 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-03 19:22 . 2009-01-03 19:22 <DIR> d-------- C:\fsaua.data
2009-01-03 18:11 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-03 15:58 . 2009-01-03 15:58 <DIR> d-------- c:\program files\CDBurnerXP
2009-01-03 15:58 . 2009-01-03 15:58 <DIR> d-------- c:\documents and settings\<djbanging>\Application Data\Canneverbe_Limited
2009-01-03 14:55 . 2009-01-03 14:55 <DIR> d-------- C:\temp
2009-01-03 14:08 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 14:08 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-31 20:11 . 2008-12-31 20:11 <DIR> d-------- c:\program files\Evernote
2008-12-22 23:18 . 2008-12-22 23:18 <DIR> d-------- c:\program files\HandBrake
2008-12-14 17:26 . 2008-12-14 17:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-12-14 17:25 . 2008-12-14 17:25 <DIR> d-------- c:\windows\Logs
2008-12-14 17:21 . 2009-01-12 21:48 <DIR> d-------- c:\program files\MSBuild
2008-12-14 17:17 . 2008-12-14 17:17 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-14 17:17 . 2008-12-14 17:17 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-14 17:16 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-14 17:15 . 2008-12-14 17:15 <DIR> d-------- c:\windows\system32\xlive
2008-12-14 15:02 . 2008-12-14 15:13 <DIR> d-------- c:\documents and settings\<djbanging>\Application Data\DMCache
2008-12-14 13:51 . 2008-12-14 13:51 <DIR> d-------- c:\documents and settings\<djbanging>\.flickrEditAuth-WRITE
2008-12-14 13:51 . 2008-12-14 13:52 <DIR> d-------- c:\documents and settings\<djbanging>\.flickrEditAuth-READ
2008-12-14 13:51 . 2008-12-14 13:51 <DIR> d-------- c:\documents and settings\<djbanging>\.flickrEditAuth-DELETE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 00:18 --------- d-----w c:\program files\WinFlip
2009-01-12 23:51 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-12 21:23 --------- d-----w c:\documents and settings\<djbanging>\Application Data\OpenOffice.org2
2009-01-10 19:46 --------- d-----w c:\documents and settings\<djbanging>\Application Data\Skype
2009-01-10 16:04 --------- d-----w c:\documents and settings\<djbanging>\Application Data\skypePM
2009-01-05 17:38 --------- d-----w c:\program files\MediaMonkey
2009-01-04 00:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 19:16 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-03 19:13 --------- d-----w c:\documents and settings\<djbanging>\Application Data\.purple
2009-01-03 18:43 --------- d-----w c:\documents and settings\<djbanging>\Application Data\Hamachi
2009-01-03 14:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-31 20:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 22:00 --------- d-----w c:\documents and settings\<djbanging>\Application Data\SiteAdvisor
2008-12-17 17:39 --------- d-----w c:\program files\Digsby
2008-12-14 17:26 --------- d-----w c:\program files\Bethesda Softworks
2008-12-12 17:53 --------- d-----w c:\program files\Google
2008-12-12 01:02 --------- d-----w c:\documents and settings\<djbanging>\Application Data\BookmarkPlugin
2008-12-09 21:32 --------- d-----w c:\program files\Common Files\Stardock
2008-12-09 21:31 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-12-08 21:07 --------- d-----w c:\program files\Intel Corporation
2008-12-06 16:09 --------- d-----w c:\documents and settings\<djbanging>\Application Data\vlc
2008-12-04 23:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 20:20 --------- d-----w c:\program files\Stardock
2008-12-04 18:22 --------- d-----w c:\program files\Kontiki
2008-12-03 22:54 --------- d-----w c:\program files\Steam
2008-12-03 21:13 --------- d-----w c:\program files\Rainmeter
2008-12-03 18:37 --------- d-----w c:\documents and settings\<djbanging>\Application Data\Digsby
2008-12-03 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2008-12-01 23:34 --------- d-----w c:\program files\Hotspot Shield
2008-12-01 22:19 --------- d-----w c:\program files\iTunes
2008-12-01 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-01 22:18 --------- d-----w c:\program files\iPod
2008-12-01 22:18 --------- d-----w c:\program files\Common Files\Apple
2008-12-01 22:18 --------- d-----w c:\program files\Bonjour
2008-12-01 22:17 --------- d-----w c:\program files\QuickTime
2008-12-01 21:15 --------- d-----w c:\program files\Apple Software Update
2008-12-01 18:57 --------- d-----w c:\program files\abit
2008-12-01 18:54 --------- d-----w c:\documents and settings\All Users\Application Data\Universal abit
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-08-27 20:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-01-31 20:08 117,760 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-07 18:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-01 23:34 204248 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"AirPaceWifi"="c:\program files\abit\abit uGuru\AirPaceWifi.exe" [2007-02-08 2240512]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 c:\windows\system32\sbusbdll.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\<djbanging>\Start Menu\Programs\Startup\
digsby.lnk - c:\program files\Digsby\digsby.exe [2008-10-10 137728]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2007-12-17 274432]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-01-21 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tm2x"= TM2X.dll TrueMotion® 2X VFW Codec
"vidc.tm2a"= TM2A.dll TrueMotion® 2X Archiver

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-08-30 02:52 133104 c:\documents and settings\<djbanging>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Touchpad Pro\\Touchpad Media Server Trial\\TouchpadMediaServer.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\<djbanging>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\<djbanging>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\<djbanging>\\Desktop\\iMonkey.exe"=
"c:\\Program Files\\MediaMonkey\\MediaMonkey.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3689:TCP"= 3689:TCP:iPhone Remote 1
"5353:UDP"= 5353:UDP:iPhone Remote
"6001:TCP"= 6001:TCP:iMonkey
"6001:UDP"= 6001:UDP:iMonkey2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-29 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [2008-12-01 556832]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-10-09 38656]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-10-22 56960]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-29 20560]
R4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-10-22 46336]
S3 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-31 29744]
S3 ProtoWall;ProtoWall Defender;c:\windows\system32\drivers\ProtoWall.sys [2004-01-28 21376]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2007-10-19 1694592]
S4 gupdate1c8e2b184ebb42c;Google Update Service (gupdate1c8e2b184ebb42c);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-10 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80f3ec53-985b-11dc-afc3-000000000000}]
\Shell\Auto\command - adp.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-07-08 c:\windows\Tasks\Command Prompt.job
- c:\windows\system32\cmd.exe [2008-04-14 00:12]

2009-01-11 c:\windows\Tasks\End MM.job
- c:\program files\MediaMonkey\Tasks\endMM.bat [2008-07-05 11:53]

2009-01-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 02:52]

2009-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973027035-3559160337-4037048367-1007.job
- c:\documents and settings\<djbanging>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-30 02:52]

2009-01-10 c:\windows\Tasks\MM.job
- c:\program files\MediaMonkey\Tasks\Play Playlists Randomized.vbs" "Favorits - 1 MP3 CD Worth (650 MB)" []

2008-09-02 c:\windows\Tasks\Scandisk.job
- c:\windows\system32\cmd.exe [2008-04-14 00:12]

2009-01-11 c:\windows\Tasks\{4C73281C-C79F-4EE1-B08E-A8A3CC5DA6B8}_<djbanging>_<djbanging>.job
- c:\windows\system32\mobsync.exe [2008-04-14 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {22093057-9BAB-47ED-91A2-F5A45676DDD2} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\<djbanging>\Application Data\Mozilla\Firefox\Profiles\79p7ph7g.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\<djbanging>\Application Data\Mozilla\Firefox\Profiles\79p7ph7g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\documents and settings\<djbanging>\Application Data\Mozilla\Firefox\Profiles\79p7ph7g.default\extensions\ubiquity@labs.mozilla.com\platform\WINNT_x86-msvc\components\ubiquity.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\<djbanging>\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\<djbanging>\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Google\Lively\nplively.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 00:59:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3973027035-3559160337-4037048367-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"

[HKEY_USERS\S-1-5-21-3973027035-3559160337-4037048367-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:22,f2,31,62,a4,99,6b,ab,81,5c,d3,96,2c,73,ee,6f,28,b1,a1,39,aa,0c,94,
f7,6d,f9,6f,ee,7c,20,f4,ab,cb,59,c1,e4,6d,2d,e5,57,4b,df,cc,66,a0,fd,32,13,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-13 1:01:44
ComboFix-quarantined-files.txt 2009-01-13 01:01:07
ComboFix2.txt 2008-04-29 18:11:39

Pre-Run: 64,857,583,616 bytes free
Post-Run: 65,863,307,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Normal"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Audio"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
307 --- E O F --- 2008-12-19 19:51:42


I'm off to bed now (I'm in London) so I won't be posting until tomorrow. Thanks for your help so far!
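
Three items in the ComboFix log above are worth pulling out mechanically rather than by eye: the mountpoints2 entry whose Shell\Auto\command and Shell\AutoRun\command point at adp.exe on a mounted volume (mountpoints2 records autorun.inf commands Explorer has seen on a volume, and an executable launched from a volume root is a pattern a responder checks), the boot.ini block with timeout=2, which is consistent with the OS selection screen vanishing before a choice can be made, and the firewall's globally open ports. The Python script below is an added example, not part of this thread and not ComboFix's own code; it parses those three blocks from a ComboFix-style log. The embedded sample reproduces the relevant lines from the log above, trimmed; the regexes and the min_timeout threshold are the example's own assumptions.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix code).
Extracts mountpoints2 autorun commands, the boot.ini block, and the
GloballyOpenPorts list, then turns them into plain findings."""
import re

# Constructed sample: the relevant lines from the log in the thread, trimmed.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"6001:TCP"= 6001:TCP:iMonkey
"6001:UDP"= 6001:UDP:iMonkey2

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80f3ec53-985b-11dc-afc3-000000000000}]
\Shell\Auto\command - adp.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe
.
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Normal"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Audio"
"""

# Regexes are this example's assumptions about ComboFix's line layout.
MOUNTPOINT_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.I)


def parse_autorun_commands(log):
    """Return (volume_guid, verb, command) for each mountpoints2 Shell\\<verb>\\command.
    These are autorun.inf commands Explorer recorded for a volume; a bare
    executable in the volume root (adp.exe here) is what a responder would check."""
    found, guid = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            guid = m.group(1).lower()
            continue
        m = AUTORUN_RE.match(line)
        if m and guid:
            found.append((guid, m.group(1), m.group(2).strip()))
        elif line.startswith("[") or line == ".":
            guid = None  # left the mountpoints2 key
    return found


def parse_boot_ini(log):
    """Parse the [boot loader]/[operating systems] block ComboFix appends.
    Returns timeout, default ARC path, and (arc_path, label, options) entries."""
    result = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low == "[boot loader]":
            section = "loader"
            continue
        if low == "[operating systems]":
            section = "os"
            continue
        if line.startswith("["):
            section = None  # some other registry key or header
            continue
        if section == "loader":
            key, _, val = line.partition("=")
            if key.strip().lower() == "timeout":
                result["timeout"] = int(val.strip())
            elif key.strip().lower() == "default":
                result["default"] = val.strip()
        elif section == "os":
            m = re.match(r'^(.+?)="([^"]*)"\s*(.*)$', line)
            if m:
                result["entries"].append((m.group(1), m.group(2), m.group(3).strip()))
    return result


def parse_open_ports(log):
    """Return (port, proto, name) for every GloballyOpenPorts entry."""
    matches = (PORT_RE.match(l.strip()) for l in log.splitlines())
    return [(int(m.group(1)), m.group(2).upper(), m.group(3).strip()) for m in matches if m]


def triage(log, min_timeout=5):
    """Findings a responder would act on, as plain strings. min_timeout is an
    arbitrary threshold for 'the OS menu is gone before you can read it'."""
    findings = []
    for guid, verb, cmd in parse_autorun_commands(log):
        findings.append(f"autorun on volume {guid}: Shell\\{verb}\\command runs '{cmd}'")
    boot = parse_boot_ini(log)
    if boot["timeout"] is not None and boot["timeout"] < min_timeout:
        findings.append(f"boot.ini timeout={boot['timeout']}s with {len(boot['entries'])} "
                        f"entries, default {boot['default']}: menu closes almost at once")
    for port, proto, name in parse_open_ports(log):
        findings.append(f"firewall exception {port}/{proto} open to any source ({name})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feeding the full log rather than the excerpt works the same way; the parsers reset on any other registry key header, so the mountpoints2 and boot.ini blocks are picked out wherever they sit in the file. The triage output is a list of things to look at, not a verdict: an autorun command is only confirmed as hostile once the referenced file is examined.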

#11 PropagandaPanda
  • Malware Response Team

Posted 12 January 2009 - 08:12 PM

That's fine with me.

Please try to boot into Safe Mode again.

With Regards,
The Panda

#12 djbanging
  • Topic Starter

Posted 13 January 2009 - 11:54 AM

I have a multi-boot system but when it gets to the OS selection screen it doesn't give me any time to make my choice - it just jumps straight into the other boot of XP. This also means I can't choose safe mode on that screen. I also notice an option for the Windows Recovery Console now?

#13 PropagandaPanda
  • Malware Response Team

Posted 13 January 2009 - 12:29 PM

Hello.

Restart your computer. After you hear the beep, hit F8 repeatedly until the boot selection menu appears. You should see Safe Mode there.

With Regards,
The Panda

#14 djbanging
  • Topic Starter

Posted 13 January 2009 - 01:00 PM

That worked - I'm in safe mode now.

#15 djbanging
  • Topic Starter

Posted 13 January 2009 - 01:01 PM

Posting from my phone by the way.
