
Slowdown after Vundo.gen.i


5 replies to this topic

#1 JasonTD

Posted 16 January 2009 - 02:58 AM

I began experiencing lots of pop-ups and browser slow-downs the other day, so I scanned with my usual checker, McAfee, which found nothing at all. I then checked with AdAware, which found vundo.gen.i. It seemed to remove it, but then vundo reappeared after another scan. After doing some research about vundo, I eventually scanned with MBAM, as well as SuperAntiSpyware Free, and I used VundoFix. The programs claim to have found and removed the vundo, and all scans now are coming up clear. I'm not getting the popups anymore, but both Firefox 3.0.5 and the newest version of IE are running unbearably slowly still, even after I uninstalled and reinstalled Firefox. Stuck, I posted this thread:

http://www.bleepingcomputer.com/forums/t/194743/firefox-slow-after-removing-vundoi/

and garmanma gave me some advice that I tried. The browser slowdowns seemed to go away and get better, but now it's back and as bad as ever. It seems that Firefox now behaves normally when I first start the computer, but it becomes rapidly slow after I've been using it for a while. As I type this, pages barely will load at all. I've noticed no slowdowns or problems with anything other than the browsers now, and I've been able to use Photoshop and play games without incident. The browser situation is really threatening my work schedule, though, so I'd appreciate any help you can give me with this. As instructed, I ran HJT and saved the logs. In the logs I've edited my last name to be just "D" but otherwise have left everything as-is. I am attaching Attach.txt, and here's the pasted DDS.txt. Thanks in advance for any help!


DDS (Ver_09-01-07.01) - NTFSx86
Run by Jason D at 2:31:28.15 on Fri 01/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2446 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Updater.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Wacom\TabUserW.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Digg Alerter\diggalerter.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason D\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Digg Alerter]
uRun: [ABIT uGuruIII] c:\program files\u-abit\uguru\uGuru.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [cogad] "c:\documents and settings\jason d\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [iRiver Updater] \Updater.exe
mRun: [pdfSaver3]
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\jasond~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuserw.lnk - c:\program files\wacom\TabUserW.exe
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Semagic - c:\program files\semagic\link.htm
IE: {09E11E5C-8B60-46F2-9C72-50067FCB8E42} - c:\documents and settings\jason d\local settings\application data\difolders software\blogjet\blogthis.js
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: fllycq.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasond~1\applic~1\mozilla\firefox\profiles\7fta4u4b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: XUL Cache: {B67D3B12-FFEA-43A4-9913-ADAAA3319D21} - c:\windows\system32\config\systemprofile\local settings\application data\{b67d3b12-ffea-43a4-9913-adaaa3319d21}\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.10
============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-2-3 17792]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-3 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-5-28 14592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-3 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-3 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-3 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-3 40488]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-1 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-3 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-3 34152]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-12-15 194304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 Active Common Service;Active Common Service;c:\windows\system32\commserv.exe --> c:\windows\system32\commserv.exe [?]

=============== Created Last 30 ================

2009-01-13 22:56 --d----- c:\documents and settings\jason d\DoctorWeb
2009-01-13 03:31 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-13 03:31 --d----- c:\program files\SUPERAntiSpyware
2009-01-13 03:31 --d----- c:\docume~1\jasond~1\applic~1\SUPERAntiSpyware.com
2009-01-13 01:44 --d----- c:\program files\Capitalism 2
2009-01-10 22:57 --d----- c:\program files\common files\Symantec Shared
2009-01-09 11:27 --d----- c:\windows\pss
2009-01-09 01:42 --d----- c:\docume~1\jasond~1\applic~1\Malwarebytes
2009-01-09 01:42 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 01:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 01:42 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 01:42 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 23:19 --d----- C:\VundoFix Backups
2009-01-08 20:00 --d----- c:\docume~1\jasond~1\applic~1\cogad
2009-01-08 01:31 --d-h--- c:\docume~1\alluse~1\applic~1\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-01-08 01:29 --d----- c:\program files\Stardock Games
2009-01-02 23:39 --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-01-02 23:39 --d----- c:\docume~1\alluse~1\applic~1\NeoEdge Networks
2008-12-24 02:55 --d----- c:\docume~1\alluse~1\applic~1\Tages
2008-12-24 02:55 279,712 a------- c:\windows\system32\drivers\atksgt.sys
2008-12-24 02:55 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2008-12-21 23:24 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-21 23:24 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-12-21 23:24 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-12-21 23:24 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-21 23:24 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-12-21 23:24 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2008-12-21 23:24 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-21 23:24 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 23:24 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll

==================== Find3M ====================

2009-01-14 21:04 14,180 a------- c:\windows\system32\wacom.dat
2008-12-15 03:05 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-03-08 17:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 2:32:01.96 ===============
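As an added example (not part of this thread, and not code from DDS, ComboFix or any other tool named here), a small Python triage script that applies the checks a helper makes when reading a DDS report like the one above: autostarts launched from user-writable profile directories or carrying a long opaque argument, a populated AppInit_DLLs value, orphaned "No File" browser entries, a hidden Firefox extension registered under the SYSTEM profile, and services whose binary is missing. The sample lines are copied from the report; the regexes, severity labels and wording of the findings are my own assumptions.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections of the report above: the entries that the
# later ComboFix/GooredFix runs removed, mixed with known-good lines that
# the heuristics should leave alone.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Digg Alerter]
uRun: [cogad] "c:\documents and settings\jason d\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
AppInit_DLLs: fllycq.dll
FF - HiddenExtension: XUL Cache: {B67D3B12-FFEA-43A4-9913-ADAAA3319D21} - c:\windows\system32\config\systemprofile\local settings\application data\{b67d3b12-ffea-43a4-9913-adaaa3319d21}
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-3 207656]
S4 Active Common Service;Active Common Service;c:\windows\system32\commserv.exe --> c:\windows\system32\commserv.exe [?]
"""

# Line shapes used by DDS (assumed from the report above, not a documented grammar).
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
HEX_ARG_RE = re.compile(r"\s[0-9A-Fa-f]{32,}\s*$")

# Directory fragments a normal user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("application data", "local settings", "\\temp\\")


def triage_line(line):
    """Return a list of (severity, reason) tuples for one DDS report line."""
    hits = []
    low = line.lower()
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        if not cmd:
            hits.append(("info", "Run value has no command (orphaned entry)"))
        if any(tok in cmd.lower() for tok in USER_WRITABLE):
            hits.append(("high", "autostart launches from a user-writable profile directory"))
        if HEX_ARG_RE.search(cmd):
            hits.append(("medium", "autostart passes a long opaque hex argument"))
    elif low.startswith("appinit_dlls:"):
        value = line.split(":", 1)[1].strip()
        if value:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so any value here deserves a look.
            hits.append(("high", f"AppInit_DLLs loads {value!r} into every user32 process"))
    elif low.startswith(("bho:", "eb:", "tb:")) and low.endswith("- no file"):
        hits.append(("info", "browser helper entry whose DLL is missing (orphaned)"))
    elif low.startswith("ff - hiddenextension:") and "\\config\\systemprofile\\" in low:
        hits.append(("high", "hidden Firefox extension registered under the SYSTEM profile"))
    else:
        m = SVC_RE.match(line)
        if m and m.group("path").rstrip().endswith("[?]"):
            hits.append(("medium", "service whose binary could not be found on disk"))
    return hits


def triage(report_text):
    """Run triage_line over every non-empty line; return findings ordered by severity."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, reason in triage_line(line):
            findings.append({"severity": severity, "reason": reason, "line": line})
    findings.sort(key=lambda f: order[f["severity"]])  # stable: keeps report order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line'][:90]}")
```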


#2 Thunder

Posted 16 January 2009 - 07:18 AM

Hello JasonTD and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 JasonTD (Topic Starter)

Posted 16 January 2009 - 08:29 PM

Hi Thunder, and thanks for the reply. I've downloaded and run both programs as directed. Here are the logs from each...

GooredLog.txt:

GooredFix v1.83 by jpshortstuff
Log created at 11:17 on 16/01/2009 running Option #2 (Jason D)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B67D3B12-FFEA-43A4-9913-ADAAA3319D21}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B67D3B12-FFEA-43A4-9913-ADAAA3319D21}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B67D3B12-FFEA-43A4-9913-ADAAA3319D21}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"



ComboFix.txt:

ComboFix 09-01-16.02 - Jason D 2009-01-16 17:57:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2671 [GMT -5:00]
Running from: c:\documents and settings\Jason D\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACTIVE_COMMON_SERVICE
-------\Service_Active Common Service
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-13 22:56 . 2009-01-13 22:56 <DIR> d-------- c:\documents and settings\Jason D\DoctorWeb
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\documents and settings\Jason D\Application Data\SUPERAntiSpyware.com
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-13 01:44 . 2009-01-13 02:30 <DIR> d-------- c:\program files\Capitalism 2
2009-01-10 22:57 . 2009-01-13 04:14 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-09 01:42 . 2009-01-14 21:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 01:42 . 2009-01-09 01:42 <DIR> d-------- c:\documents and settings\Jason D\Application Data\Malwarebytes
2009-01-09 01:42 . 2009-01-09 01:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 01:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 01:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 23:19 . 2009-01-08 23:19 <DIR> d-------- C:\VundoFix Backups
2009-01-08 21:14 . 2009-01-08 21:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-08 20:00 . 2009-01-10 23:09 <DIR> d-------- c:\documents and settings\Jason D\Application Data\cogad
2009-01-08 01:31 . 2009-01-08 01:32 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-01-08 01:29 . 2009-01-08 01:29 <DIR> d-------- c:\program files\Stardock Games
2009-01-02 23:39 . 2009-01-02 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-02 23:39 . 2009-01-02 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-12-24 02:55 . 2008-12-24 02:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tages
2008-12-24 02:55 . 2008-12-24 02:55 279,712 --a------ c:\windows\system32\drivers\atksgt.sys
2008-12-24 02:55 . 2008-12-24 02:55 25,888 --a------ c:\windows\system32\drivers\lirsgt.sys
2008-12-21 23:24 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-21 23:24 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-21 23:24 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-21 23:24 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-21 23:24 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 23:24 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-21 23:24 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-21 23:24 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-21 23:24 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 22:48 --------- d-----w c:\program files\Trillian
2009-01-16 22:48 --------- d-----w c:\program files\Digg Alerter
2009-01-16 22:14 --------- d-----w c:\program files\Semagic
2009-01-15 23:00 --------- d-----w c:\program files\Microsoft Money
2009-01-13 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-13 06:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 22:14 --------- d-----w c:\program files\PeerGuardian2
2009-01-08 22:14 --------- d-----w c:\documents and settings\Jason D\Application Data\uTorrent
2009-01-08 06:20 --------- d-----w c:\documents and settings\Jason D\Application Data\Roxio
2008-12-26 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-22 07:56 --------- d-----w c:\program files\Bonjour
2008-12-15 08:05 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-11-25 21:10 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-18 16:41 --------- d-----w c:\documents and settings\Jason D\Application Data\Artisteer
2008-11-18 16:40 --------- d-----w c:\program files\Artisteer
2008-11-17 20:19 --------- d-----w c:\program files\McAfee
2008-03-08 22:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ABIT uGuruIII"="c:\program files\U-ABIT\uGuru\uGuru.exe" [2007-04-11 425984]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-09 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2005-10-06 368128]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-09 81920]
"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\Jason D\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2006-07-12 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=fllycq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 17:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-08-07 09:06 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
-ra------ 2006-08-16 17:53 31232 c:\program files\Mindjet\MindManager 6\MmReminderService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]
--a------ 2004-09-05 17:20 380928 c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 13:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-01-30 05:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 05:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Previews on Windows\\rteng6.exe"=
"c:\\Program Files\\Ws_ftp32\\Ws_ftp32.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Previews on Windows\\preorder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"57349:TCP"= 57349:TCP:Pando P2P TCP Listening Port
"57349:UDP"= 57349:UDP:Pando P2P UDP Listening Port

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-02-03 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-05-28 14592]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-12-15 194304]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDrec

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-17 c:\windows\Tasks\zxjxklgs.job
- c:\windows\system32\rundll32.exe [2004-08-04 02:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cogad - c:\documents and settings\Jason D\Application Data\cogad\cogad.exe
HKCU-Run-Digg Alerter - (no file)
HKLM-Run-pdfSaver3 - (no file)
MSConfigStartUp-36X Raid Configurer - c:\windows\system32\xRaidSetup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
IE: {{09E11E5C-8B60-46F2-9C72-50067FCB8E42} - c:\documents and settings\Jason D\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Jason D\Application Data\Mozilla\Firefox\Profiles\7fta4u4b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.10.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 20:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-746137067-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,5e,68,b2,30,7b,fd,fe,16,2e,44,2b,70,ba,6b,aa,98,33,de,0c,70,
ec,28,21,0d,d5,53,e5,ab,f7,a0,5f,18,51,62,11,91,4b,fb,9f,a8,f2,28,de,c9,44,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Windows Media Connect 2\wmccds.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
C:\Updater.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
.
**************************************************************************
.
Completion time: 2009-01-16 20:13:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 01:13:09

Pre-Run: 191,442,767,872 bytes free
Post-Run: 191,538,900,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

285 --- E O F --- 2008-12-26 21:06:13

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:18 PM

Posted 17 January 2009 - 06:06 PM

Hello JasonTD,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:

File::
c:\windows\Tasks\zxjxklgs.job
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update11.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
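The CFScript above goes after two specific things in the posted ComboFix log: the zxjxklgs.job scheduled task, which only launches rundll32.exe under a pseudo-random name, and the AppInit_DLLs value. The script below is an added example for readers of this thread; it is not part of the thread, of ComboFix or of DDS. It parses the "Scheduled Tasks" and "ORPHANS REMOVED" sections of a log in the format posted here and flags the entries a helper would look at first. The sample log is constructed from entries in the posted log, and the three heuristics (a task whose target is rundll32.exe, a vowel-poor lowercase job name, an autorun target under a user-writable profile directory) are my own assumptions, not rules ComboFix itself applies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the ComboFix log format shown in this thread; the
# entries are taken from the posted log, not collected by this script.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-17 c:\windows\Tasks\zxjxklgs.job
- c:\windows\system32\rundll32.exe [2004-08-04 02:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cogad - c:\documents and settings\Jason D\Application Data\cogad\cogad.exe
HKCU-Run-Digg Alerter - (no file)
HKLM-Run-pdfSaver3 - (no file)
MSConfigStartUp-36X Raid Configurer - c:\windows\system32\xRaidSetup.exe
"""

# "2009-01-17 c:\windows\Tasks\zxjxklgs.job" -> job path
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$", re.IGNORECASE)
# "- c:\...\rundll32.exe [2004-08-04 02:56]" -> target, trailing timestamp dropped
TARGET_RE = re.compile(r"^- (?P<target>.+?)(?: \[[^\]]*\])?\s*$")
# "HKCU-Run-cogad - c:\...\cogad.exe" -> entry name, target
AUTORUN_RE = re.compile(r"^(?P<entry>[A-Za-z]+-[^\s].*?) - (?P<target>.+?)\s*$")

# Profile directories an ordinary user can write to (assumed heuristic).
USER_WRITABLE = ("\\application data\\", "\\local settings\\")


def vowel_ratio(word: str) -> float:
    """Fraction of letters that are vowels; 1.0 for a word with no letters."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiouy" for c in letters) / len(letters)


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 6+ lowercase letters with almost no vowels."""
    return len(stem) >= 6 and stem.isalpha() and stem.islower() and vowel_ratio(stem) < 0.2


def parse_scheduled_tasks(log: str) -> List[Tuple[str, str]]:
    """Return (job path, target executable) pairs from the Scheduled Tasks section."""
    tasks = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        target = ""
        if i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1].strip())
            if t:
                target = t.group("target")
        tasks.append((m.group("job"), target))
    return tasks


def parse_autoruns(log: str) -> List[Tuple[str, str]]:
    """Return (entry name, target) pairs from the ORPHANS REMOVED style lines."""
    return [(m.group("entry"), m.group("target"))
            for m in (AUTORUN_RE.match(l.strip()) for l in log.splitlines()) if m]


def triage(log: str) -> List[Dict[str, str]]:
    """Flag scheduled tasks and autoruns worth a helper's attention."""
    findings = []
    for job_path, target in parse_scheduled_tasks(log):
        job = job_path.rsplit("\\", 1)[-1]
        stem = job[:-4]  # strip ".job"
        reasons = []
        if target.lower().endswith("\\rundll32.exe"):
            reasons.append("task only launches rundll32.exe; the DLL it loads is not visible here")
        if looks_random(stem):
            reasons.append("pseudo-random job name")
        if reasons:
            findings.append({"kind": "task", "name": job, "target": target,
                             "reason": "; ".join(reasons)})
    for entry, target in parse_autoruns(log):
        low = target.lower()
        if low == "(no file)":
            continue  # dangling entry, nothing to run
        if any(d in low for d in USER_WRITABLE):
            findings.append({"kind": "autorun", "name": entry, "target": target,
                             "reason": "target lives in a user-writable profile directory"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']} -> {f['target']}: {f['reason']}")
```

Run against the sample it reports zxjxklgs.job (rundll32.exe launcher, random name) and HKCU-Run-cogad (executable under Application Data), and stays quiet about the Apple and McAfee tasks and the "(no file)" leftovers. The heuristics are deliberately narrow; they are a reading aid for the log, not a verdict, and the file itself (or the DLL a rundll32 task loads) still has to be examined.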

#5 JasonTD

JasonTD
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 17 January 2009 - 10:53 PM

Hi again,

I ran ComboFix with the file as instructed, and here's the new log:

ComboFix 09-01-17.03 - Jason D 2009-01-17 22:35:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2708 [GMT -5:00]
Running from: c:\documents and settings\Jason D\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason D\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\zxjxklgs.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\zxjxklgs.job

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-16 17:52 . 2009-01-16 17:52 0 --a------ c:\windows\LCDMedia.INI
2009-01-13 22:56 . 2009-01-13 22:56 <DIR> d-------- c:\documents and settings\Jason D\DoctorWeb
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\documents and settings\Jason D\Application Data\SUPERAntiSpyware.com
2009-01-13 03:31 . 2009-01-13 03:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-13 01:44 . 2009-01-13 02:30 <DIR> d-------- c:\program files\Capitalism 2
2009-01-10 22:57 . 2009-01-13 04:14 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-09 01:42 . 2009-01-14 21:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 01:42 . 2009-01-09 01:42 <DIR> d-------- c:\documents and settings\Jason D\Application Data\Malwarebytes
2009-01-09 01:42 . 2009-01-09 01:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 01:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 01:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 23:19 . 2009-01-08 23:19 <DIR> d-------- C:\VundoFix Backups
2009-01-08 21:14 . 2009-01-08 21:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-08 20:00 . 2009-01-10 23:09 <DIR> d-------- c:\documents and settings\Jason D\Application Data\cogad
2009-01-08 01:31 . 2009-01-08 01:32 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-01-08 01:29 . 2009-01-08 01:29 <DIR> d-------- c:\program files\Stardock Games
2009-01-02 23:39 . 2009-01-02 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-02 23:39 . 2009-01-02 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-12-24 02:55 . 2008-12-24 02:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tages
2008-12-24 02:55 . 2008-12-24 02:55 279,712 --a------ c:\windows\system32\drivers\atksgt.sys
2008-12-24 02:55 . 2008-12-24 02:55 25,888 --a------ c:\windows\system32\drivers\lirsgt.sys
2008-12-21 23:24 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-21 23:24 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-21 23:24 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-21 23:24 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-21 23:24 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 23:24 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-21 23:24 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-21 23:24 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-21 23:24 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:06 --------- d-----w c:\program files\Microsoft Money
2009-01-16 22:48 --------- d-----w c:\program files\Trillian
2009-01-16 22:48 --------- d-----w c:\program files\Digg Alerter
2009-01-16 22:14 --------- d-----w c:\program files\Semagic
2009-01-13 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-13 06:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 22:14 --------- d-----w c:\program files\PeerGuardian2
2009-01-08 22:14 --------- d-----w c:\documents and settings\Jason D\Application Data\uTorrent
2009-01-08 06:20 --------- d-----w c:\documents and settings\Jason D\Application Data\Roxio
2008-12-26 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-22 07:56 --------- d-----w c:\program files\Bonjour
2008-12-15 08:05 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-11-25 21:10 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-18 16:41 --------- d-----w c:\documents and settings\Jason D\Application Data\Artisteer
2008-11-18 16:40 --------- d-----w c:\program files\Artisteer
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-03-08 22:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_20.12.14.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-17 00:25:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-17 23:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-17 00:25:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-17 23:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-17 00:25:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-17 23:22:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ABIT uGuruIII"="c:\program files\U-ABIT\uGuru\uGuru.exe" [2007-04-11 425984]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-09 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2005-10-06 368128]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-09 81920]
"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\Jason D\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2006-07-12 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 17:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-08-07 09:06 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
-ra------ 2006-08-16 17:53 31232 c:\program files\Mindjet\MindManager 6\MmReminderService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]
--a------ 2004-09-05 17:20 380928 c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 13:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-01-30 05:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 05:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Previews on Windows\\rteng6.exe"=
"c:\\Program Files\\Ws_ftp32\\Ws_ftp32.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Previews on Windows\\preorder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"57349:TCP"= 57349:TCP:Pando P2P TCP Listening Port
"57349:UDP"= 57349:UDP:Pando P2P UDP Listening Port

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-02-03 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-05-28 14592]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-12-15 194304]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDrec

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
IE: {{09E11E5C-8B60-46F2-9C72-50067FCB8E42} - c:\documents and settings\Jason D\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Jason D\Application Data\Mozilla\Firefox\Profiles\7fta4u4b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.10.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 22:39:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-746137067-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,5e,68,b2,30,7b,fd,fe,16,2e,44,2b,70,ba,6b,aa,98,33,de,0c,70,
ec,28,21,0d,d5,53,e5,ab,f7,a0,5f,18,51,62,11,91,4b,fb,9f,a8,f2,28,de,c9,44,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-17 22:42:51
ComboFix-quarantined-files.txt 2009-01-18 03:41:33
ComboFix2.txt 2009-01-17 01:14:00

Pre-Run: 191,409,524,736 bytes free
Post-Run: 191,391,682,560 bytes free

249 --- E O F --- 2008-12-26 21:06:13


I also ran DDS again, and here's the new DDS.txt:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Jason D at 22:45:53.96 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2696 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Updater.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason D\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ABIT uGuruIII] c:\program files\u-abit\uguru\uGuru.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [iRiver Updater] \Updater.exe
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\jasond~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuserw.lnk - c:\program files\wacom\TabUserW.exe
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Semagic - c:\program files\semagic\link.htm
IE: {09E11E5C-8B60-46F2-9C72-50067FCB8E42} - c:\documents and settings\jason d\local settings\application data\difolders software\blogjet\blogthis.js
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasond~1\applic~1\mozilla\firefox\profiles\7fta4u4b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.10
============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2007-2-3 17792]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-3 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-5-28 14592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-3 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-3 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-3 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-3 40488]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-1 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-3 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-3 34152]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-12-15 194304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-17 22:34 <DIR> --d----- C:\ComboFix
2009-01-16 17:53 <DIR> a-dshr-- C:\cmdcons
2009-01-16 17:52 161,792 a------- c:\windows\SWREG.exe
2009-01-16 17:52 98,816 a------- c:\windows\sed.exe
2009-01-16 17:52 0 a------- c:\windows\LCDMedia.INI
2009-01-13 22:56 <DIR> --d----- c:\documents and settings\jason d\DoctorWeb
2009-01-13 03:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-13 03:31 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-13 03:31 <DIR> --d----- c:\docume~1\jasond~1\applic~1\SUPERAntiSpyware.com
2009-01-13 01:44 <DIR> --d----- c:\program files\Capitalism 2
2009-01-10 22:57 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-09 11:27 <DIR> --d----- c:\windows\pss
2009-01-09 01:42 <DIR> --d----- c:\docume~1\jasond~1\applic~1\Malwarebytes
2009-01-09 01:42 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 01:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 01:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 01:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 23:19 <DIR> --d----- C:\VundoFix Backups
2009-01-08 20:00 <DIR> --d----- c:\docume~1\jasond~1\applic~1\cogad
2009-01-08 01:31 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-01-08 01:29 <DIR> --d----- c:\program files\Stardock Games
2009-01-02 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-01-02 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NeoEdge Networks
2008-12-24 02:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tages
2008-12-24 02:55 279,712 a------- c:\windows\system32\drivers\atksgt.sys
2008-12-24 02:55 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2008-12-21 23:24 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-21 23:24 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-12-21 23:24 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-12-21 23:24 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-21 23:24 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-12-21 23:24 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2008-12-21 23:24 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-21 23:24 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 23:24 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll

==================== Find3M ====================

2009-01-16 18:01 14,180 a------- c:\windows\system32\wacom.dat
2008-12-15 03:05 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-03-08 17:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 22:46:18.18 ===============


I am about to update my Java and so far have not encountered any slowdowns tonight. I'm going to be working online for a while, so if the problem still exists, it should manifest in a little while. Here's hoping it doesn't!

Thanks again :)

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 18 January 2009 - 06:22 AM

Hello JasonTD,

Your log looks good now. :)

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please download and install HijackThis v2.0.2
  • Save HJTInstall.exe to your Desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the I Accept button.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save log to save the log file and then the log will open in Notepad.
  • Click on Edit -> Select All then click on Edit -> Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...