Hi Thunder, I did as instructed and then ran an Avira Antivir scan, and it came back with 34 detections! I've posted my Antivir scan report, along with the combofix and dds logs below.
Antivir report
Avira AntiVir Personal
Report file date: 01 February 2009 01:42
Scanning for 1302306 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JD-043BD9CCC83F
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/26/2008 02:26:35
AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/18/2008 02:29:52
LUKE.DLL : 8.1.4.5 164097 Bytes 7/18/2008 02:29:52
LUKERES.DLL : 8.1.4.0 12033 Bytes 7/18/2008 02:29:53
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 22:02:53
ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 02:26:27
ANTIVIR2.VDF : 7.1.1.207 1359360 Bytes 1/30/2009 14:28:04
ANTIVIR3.VDF : 7.1.1.208 2048 Bytes 1/30/2009 14:28:05
Engineversion : 8.2.0.70
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/31/2009 14:29:16
AESCRIPT.DLL : 8.1.1.39 344443 Bytes 1/31/2009 14:29:09
AESCN.DLL : 8.1.1.6 127348 Bytes 1/31/2009 14:29:02
AERDL.DLL : 8.1.1.3 438645 Bytes 11/6/2008 12:25:26
AEPACK.DLL : 8.1.3.5 393588 Bytes 1/10/2009 02:26:12
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/12/2008 02:26:00
AEHEUR.DLL : 8.1.0.89 1569143 Bytes 1/31/2009 14:28:59
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/20/2008 02:26:22
AEGEN.DLL : 8.1.1.12 328053 Bytes 1/31/2009 14:28:22
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/15/2008 17:21:42
AECORE.DLL : 8.1.6.3 176501 Bytes 1/31/2009 14:28:13
AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 17:21:39
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/18/2008 02:29:52
AVPREF.DLL : 8.0.2.0 38657 Bytes 7/18/2008 02:29:52
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 15:54:06
AVREG.DLL : 8.0.0.1 33537 Bytes 7/18/2008 02:29:52
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/18/2008 02:29:52
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/18/2008 02:29:53
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/18/2008 02:29:49
RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/18/2008 02:29:49
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: 01 February 2009 01:42
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'NinjaVideo Helper.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'KService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
46 processes with 46 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '56' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Zish\Desktop\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\Prep.com
[DETECTION] Is the TR/Dropper.Gen Trojan
--> 32788R22FWJFW\Tail.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49f1ff2f.qua'!
C:\QooBox\Quarantine\[4]-Submit_2009-02-01@1.30.zip
[0] Archive type: ZIP
--> dibawumi.dll
[DETECTION] Is the TR/PSW.OnlineGames.uifs Trojan
--> nuhufise.dll
[DETECTION] Is the TR/Spy.Agent.olx Trojan
[NOTE] The file was moved to '49e20396.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\barinoka.dll.tmp.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f703c3.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\depubedu.dll.tmp.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f503c8.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\geroyumo.dll.tmp.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f703c8.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\yipabojo.dll.tmp.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49f503cd.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP1007\A0127066.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49b603a5.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP1008\A0127077.dll
[DETECTION] Is the TR/PSW.OnlineGames.uifs Trojan
[NOTE] The file was moved to '49b603aa.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP1008\A0127083.dll
[DETECTION] Is the TR/Spy.Agent.olx Trojan
[NOTE] The file was moved to '48be55bb.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP1008\A0127149.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49b603ac.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP1008\A0127156.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\Prep.com
[DETECTION] Is the TR/Dropper.Gen Trojan
--> 32788R22FWJFW\Tail.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49b603ad.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP978\A0119378.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603b7.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP978\A0119379.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48be55a8.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP978\A0119380.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603b9.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP982\A0124501.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603bd.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP982\A0124502.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48be55ae.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP982\A0124503.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603bf.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP983\A0124541.dll
[DETECTION] Is the TR/Monder.amdq Trojan
[NOTE] The file was moved to '48be55d0.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP986\A0125958.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603e0.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP986\A0125959.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48be55f1.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP986\A0125960.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49b603e2.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126015.dll
[DETECTION] Is the TR/Spy.Agent.qfs Trojan
[NOTE] The file was moved to '48be55f3.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126016.dll
[DETECTION] Is the TR/Spy.Agent.qfs Trojan
[NOTE] The file was moved to '49b603e4.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126018.dll
[DETECTION] Is the TR/Monder.alpa.1 Trojan
[NOTE] The file was moved to '49b603e3.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126019.dll
[DETECTION] Is the TR/Monder.alpa.1 Trojan
[NOTE] The file was moved to '48be55f4.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126020.dll
[DETECTION] Is the TR/Monder.alpa.1 Trojan
[NOTE] The file was moved to '49b603e5.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126038.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48be55f6.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126039.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49b603e7.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126040.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48be55f8.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP988\A0126041.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49b603e9.qua'!
C:\System Volume Information\_restore{BB7CCE15-DDC6-4AE8-A281-D89F488005E6}\RP992\A0126240.dll
[DETECTION] Is the TR/Spy.Agent.NFA.1 Trojan
[NOTE] The file was moved to '49b603ea.qua'!
End of the scan: 01 February 2009 02:16
Used time: 33:48 Minute(s)
The scan has been done completely.
7680 Scanning directories
403864 Files were scanned
34 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
31 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
403829 Files not concerned
2764 Archives were scanned
1 Warnings
31 Notes
Combofix report
ComboFix 09-01-31.01 - Zish 2009-02-01 1:30:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.634 [GMT 0:00]
Running from: c:\documents and settings\Zish\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zish\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\adupuhow.ini
c:\windows\system32\afeyewey.ini
c:\windows\system32\ehipibap.ini
c:\windows\system32\emideziv.ini
c:\windows\system32\epirewon.ini
c:\windows\system32\ihirarus.ini
c:\windows\system32\izowuden.ini
c:\windows\system32\ometelos.ini
c:\windows\system32\ozonadel.ini
c:\windows\system32\upimolon.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
c:\windows\system32\adupuhow.ini
c:\windows\system32\afeyewey.ini
c:\windows\system32\barinoka.dll.tmp
c:\windows\system32\depubedu.dll.tmp
c:\windows\system32\dibawumi.dll
c:\windows\system32\ehipibap.ini
c:\windows\system32\emideziv.ini
c:\windows\system32\epirewon.ini
c:\windows\system32\geroyumo.dll.tmp
c:\windows\system32\ihirarus.ini
c:\windows\system32\izowuden.ini
c:\windows\system32\nuhufise.dll
c:\windows\system32\ometelos.ini
c:\windows\system32\ozonadel.ini
c:\windows\system32\puzokaya.dll
c:\windows\system32\upimolon.ini
c:\windows\system32\yipabojo.dll.tmp
.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-01-21 16:32 . 2009-01-21 16:52 1,905 --a------ c:\windows\diagwrn.xml
2009-01-21 16:32 . 2009-01-21 16:52 1,905 --a------ c:\windows\diagerr.xml
2009-01-21 14:35 . 2009-01-21 14:35 <DIR> d-------- c:\program files\Microsoft Windows Vista Upgrade Advisor
2009-01-17 21:05 . 2009-01-17 21:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\DivX
2009-01-12 17:31 . 2009-01-12 17:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 17:31 . 2009-01-12 17:31 <DIR> d-------- c:\documents and settings\Zish\Application Data\Malwarebytes
2009-01-12 17:31 . 2009-01-12 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 17:31 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 17:31 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 18:19 . 2009-01-11 18:19 <DIR> d-------- C:\install
2009-01-05 15:50 . 2009-01-05 15:52 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-05 15:50 . 2009-01-05 15:50 <DIR> d-------- c:\documents and settings\Zish\Application Data\PC Tools
2009-01-05 15:50 . 2009-01-05 16:03 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 15:50 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-05 15:50 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-05 15:50 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 15:50 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 01:35 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-21 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-01-16 17:16 --------- d-----w c:\documents and settings\Zish\Application Data\LimeWire
2009-01-16 04:53 79,064 ----a-w c:\documents and settings\Zish\Application Data\GDIPFONTCACHEV1.DAT
2009-01-12 16:40 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-12 16:40 --------- d-----w c:\documents and settings\Zish\Application Data\SUPERAntiSpyware.com
2009-01-12 16:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 18:25 --------- d-----w c:\documents and settings\Zish\Application Data\Autodesk
2008-12-16 18:58 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-16 18:58 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-03-11 14:40 6,252,136 ----a-w c:\program files\winzip100.exe
2007-03-09 13:26 34,722,920 ----a-w c:\program files\DWGTrueConvert.exe
2007-03-09 13:09 125,768,816 ----a-w c:\program files\SetupDWGTrueView2007.exe
2007-03-06 16:04 259,585,360 ----a-w c:\program files\X13-11296.exe
2007-03-06 15:40 407,010,384 ----a-w c:\program files\X12-30196.exe
2007-03-05 17:45 3,439,176 ----a-w c:\program files\pcdocpro35.exe
2007-03-05 17:42 1,351,040 ----a-w c:\program files\MNavi19.exe
2008-08-26 07:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
2008-08-26 07:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-31_ 4.00.36.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 09:57:10 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 08:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-09 17:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-01 01:34:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_45c.dat
+ 2009-02-01 01:34:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Professional 3.0\\RegistryController.exe" [2006-01-13 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-03-03 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 17:19 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D88 Series]
--a------ 2005-01-27 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIABE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-04-23 15:35 214560 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-29 23:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 15:35 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Netgear\\sph101\\WiFiPhone Update.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\update.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11296:TCP"= 11296:TCP:BitComet 11296 TCP
"11296:UDP"= 11296:UDP:BitComet 11296 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R4 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 110592]
R4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fd5f72a-8b68-11db-bc47-00038a000015}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{659aa1cb-6bfc-11db-bc13-00038a000015}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{D187A56B-A33F-4CBE-9D77-459FC0BAE012} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
Toolbar-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ImTranslator - c:\progra~1\SMARTL~1\IMTRAN~1\startup.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?ac7b786f4b96441ab85607279d0ea8b2
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?ac7b786f4b96441ab85607279d0ea8b2
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-01 01:34:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\
00(MsiInstaller,Application)\
00\
00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
------------------------ Other Running Processes ------------------------
.
c:\program filest\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-01 1:37:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 01:37:25
ComboFix2.txt 2009-01-31 04:01:31
Pre-Run: 83,841,380,352 bytes free
Post-Run: 83,862,970,368 bytes free
462 --- E O F --- 2009-01-31 08:19:09
DDS log
DDS (Ver_09-01-07.01) - NTFSx86
Run by Zish at 1:41:16.57 on 01/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.592 [GMT 0:00]
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Filest\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Zish\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/webhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: SYSTRAN Premium 5.0 : {9a0844db-84cf-4440-bdb1-1f4f7c4f7fb0} - c:\program files\systran\5.0\premium\IEPlugIn.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: SYSTRAN Premium 5.0 : {fc3c24d3-4b56-4d13-bc64-ef3cca1498be} - c:\program files\systran\5.0\premium\IEPlugIn.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDF3 Registry Controller] "c:\program files\scansoft\pdf professional 3.0\\RegistryController.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\zish\startm~1\programs\startup\skysca~1.lnk - c:\program files\common files\skyscape\smARTupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: ImTranslator - c:\progra~1\smartl~1\imtran~1\startup.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?ac7b786f4b96441ab85607279d0ea8b2
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?ac7b786f4b96441ab85607279d0ea8b2
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\pdf professional 3.0\IEShellExt.dll /100
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 4096]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-5-14 3968]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-26 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-26 52032]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program filest\ad-aware\aawservice.exe [2008-5-12 611664]
R4 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-26 68865]
R4 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-26 151297]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 204800]
R4 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\ninjavideo\ninjavideo helper\NinjaVideo Helper.exe [2008-4-10 110592]
R4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-5 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-5 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-5 81288]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-5 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-5 1079176]
=============== Created Last 30 ================
2009-02-01 01:29 286,720 a------- c:\windows\SWREG.exe
2009-02-01 01:29 98,816 a------- c:\windows\sed.exe
2009-01-31 03:57 <DIR> a-dshr-- C:\cmdcons
2009-01-21 16:32 1,905 a------- c:\windows\diagwrn.xml
2009-01-21 16:32 1,905 a------- c:\windows\diagerr.xml
2009-01-21 14:35 <DIR> --d----- c:\program files\Microsoft Windows Vista Upgrade Advisor
2009-01-12 17:31 <DIR> --d----- c:\docume~1\zish\applic~1\Malwarebytes
2009-01-12 17:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 17:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 17:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-11 18:19 <DIR> --d----- C:\install
2009-01-05 15:50 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-05 15:50 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-05 15:50 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 15:50 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-05 15:50 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-05 15:50 <DIR> --d----- c:\docume~1\zish\applic~1\PC Tools
==================== Find3M ====================
2009-01-16 04:53 79,064 a------- c:\docume~1\zish\applic~1\GDIPFONTCACHEV1.DAT
2008-12-16 18:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2007-03-11 14:40 6,252,136 a------- c:\program files\winzip100.exe
2007-03-09 13:26 34,722,920 a------- c:\program files\DWGTrueConvert.exe
2007-03-09 13:09 125,768,816 a------- c:\program files\SetupDWGTrueView2007.exe
2007-03-06 16:04 259,585,360 a------- c:\program files\X13-11296.exe
2007-03-06 15:40 407,010,384 a------- c:\program files\X12-30196.exe
2007-03-05 17:45 3,439,176 a------- c:\program files\pcdocpro35.exe
2007-03-05 17:42 1,351,040 a------- c:\program files\MNavi19.exe
2008-08-26 07:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat
2008-08-26 07:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 1:41:31.59 ===============
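The Winlogon\Notify keys in the ComboFix dump above are worth a second look in any log like this: every DllName registered there is loaded into winlogon.exe (which runs as SYSTEM) and called on the listed logon/logoff/startup events, which makes the key a well-known persistence point. The script below is an added example, not part of the poster's logs or of ComboFix or DDS. It parses Notify blocks written in the dump's own format, resolves each DllName the way a bare filename resolves (from %SystemRoot%\System32), and flags packages whose DLL lives outside System32 or whose key name carries a "!" prefix, which sorts it ahead of the other packages. The sample input is constructed from lines in the log above, and SYSTEM_ROOT = C:\WINDOWS is an assumption about the machine, not something the log states.

```python
"""Triage Winlogon\\Notify packages from a ComboFix-style registry dump.

Added example, not part of the original post. Parses [..\\Winlogon\\Notify\\<name>]
blocks, resolves DllName as Winlogon would, and flags entries that deserve a
manual check. SAMPLE_LOG is constructed from lines visible in the log above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: %SystemRoot% on this XP box

# Constructed sample: a subset of the Notify keys in the ComboFix dump.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
'''

KEY_RE = re.compile(r"^\[(?P<path>HKEY_[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:expand:)?"(?P<data>.*)"$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')
NOTIFY_PREFIX = "\\Winlogon\\Notify\\"
EVENTS = {"logon", "logoff", "startup", "shutdown", "startshell", "postshell",
          "lock", "unlock", "screensaver", "startscreensaver", "stopscreensaver",
          "disconnect", "reconnect"}


@dataclass
class NotifyPackage:
    key: str              # subkey name, e.g. "cscdll"
    dll_value: str        # DllName exactly as written in the dump
    resolved_path: str    # path Winlogon will actually load
    events: Dict[str, str]  # event name -> exported handler
    asynchronous: bool
    impersonate: bool


def unescape_reg(data: str) -> str:
    """Undo .reg-style escaping: doubled backslashes and escaped quotes."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def resolve_dll(dll: str, system_root: str = SYSTEM_ROOT) -> str:
    """Expand %SystemRoot% and map a bare filename to System32."""
    dll = unescape_reg(dll)
    dll = re.sub(r"%SystemRoot%", lambda _m: system_root, dll, flags=re.IGNORECASE)
    if "\\" not in dll:  # bare name: loaded via the DLL search path, System32 first
        dll = system_root + "\\System32\\" + dll
    return dll


def parse_notify(dump: str) -> List[NotifyPackage]:
    """Collect every Notify subkey block and its values from the dump text."""
    blocks, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group("path")
            idx = path.lower().find(NOTIFY_PREFIX.lower())
            current = None
            if idx != -1:
                current = {"key": path[idx + len(NOTIFY_PREFIX):], "str": {}, "dword": {}}
                blocks.append(current)
            continue
        if current is None:
            continue
        m = STR_RE.match(line)
        if m:
            current["str"][m.group("name").lower()] = m.group("data")
            continue
        m = DWORD_RE.match(line)
        if m:
            current["dword"][m.group("name").lower()] = int(m.group("data"), 16)
    return [NotifyPackage(
        key=b["key"],
        dll_value=b["str"].get("dllname", ""),
        resolved_path=resolve_dll(b["str"].get("dllname", "")),
        events={k: v for k, v in b["str"].items() if k in EVENTS},
        asynchronous=bool(b["dword"].get("asynchronous", 0)),
        impersonate=bool(b["dword"].get("impersonate", 0)),
    ) for b in blocks]


def triage(packages: List[NotifyPackage],
           system_root: str = SYSTEM_ROOT) -> List[Tuple[str, str, List[str]]]:
    """Return (key, resolved DLL, reasons) for every package needing a manual check."""
    sys32 = (system_root + "\\System32\\").lower()
    findings = []
    for p in packages:
        reasons = []
        if not p.dll_value:
            reasons.append("no DllName value")
        elif not p.resolved_path.lower().startswith(sys32):
            reasons.append("DLL outside %SystemRoot%\\System32")
        if p.key.startswith("!"):
            reasons.append("'!' prefix sorts the key ahead of the others")
        if reasons:
            findings.append((p.key, p.resolved_path, reasons))
    return findings


if __name__ == "__main__":
    for key, path, reasons in triage(parse_notify(SAMPLE_LOG)):
        print(f"{key}: {path} -> {'; '.join(reasons)}")
```

On the sample above the only hit is !SASWinLogon, which the log itself attributes to SUPERAntiSpyware, so a flag here means "confirm the file on disk is the product's signed DLL", not "malware found". The value of the check is that a dropped Notify DLL under a non-standard path shows up the same way.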