

TR/Vundo.Gen


This topic is locked
24 replies to this topic

#1 therealmrbig


Posted 19 February 2009 - 09:38 PM

Loaded Avira to detect and remove spyware, failed miserably. System is disabled by constant Avira spyware warnings. Trying to startup system with network cable unplugged results in blank desktop, no icons, taskbar, nothing. Please help.


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Administrator at 20:04:19.95 on Thu 02/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1781 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2a79a324-afe7-4c28-bba2-a9f3897451f8} - c:\windows\system32\urqQgFyW.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp home\wsbho2k0.dll
BHO: {dbbd}: {7d6c6ed1-e83a-459e-9603-2ba603fde2c0} - c:\windows\system32\jgduxpna.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {06de54a8-ae59-b739-2b54-c88d9f9a464f}: {f464a9f9-d88c-45b2-937b-95ea8a45ed60} - c:\windows\system32\jkdpgk.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192844169203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229744059312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: reset5e - reset5e.dll
AppInit_DLLs: jkdpgk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqQgFyW

============= SERVICES / DRIVERS ===============

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2003-4-25 70960]
R0 aar1210;aar1210;c:\windows\system32\drivers\aar1210.sys [2004-5-27 219880]
S1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-16 11840]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 AAC_AGENT;Adaptec RAID Remote Services Agent;c:\program files\adaptec\smbe\afaagent.exe [2003-4-25 421041]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-16 68865]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-16 151297]
S2 ARCPD;Adaptec Web Server;c:\program files\adaptec\smbe\arcpd.exe [2003-5-8 430151]
S2 ASMBENotify;Adaptec Storage Manager Notifier;c:\program files\adaptec\smbe\notify.exe [2003-5-8 438351]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
S2 IOManager;Adaptec I/O Manager Server;c:\program files\adaptec\smbe\iomgr.exe [2003-5-8 364634]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-16 52032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-3 99376]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2005-8-21 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\drivers\fd_dmdfl.sys [2005-8-21 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\drivers\fd_dmdm.sys [2005-8-21 73984]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090216.005\naveng.sys [2009-2-16 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090216.005\navex15.sys [2009-2-16 876112]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [2004-12-14 107648]

=============== Created Last 30 ================

2009-02-19 20:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-19 20:03 129,024 a------- c:\windows\system32\jkdpgk.dll
2009-02-19 20:03 129,024 a------- c:\windows\system32\xnydlkgr.dll
2009-02-16 22:17 <DIR> --d----- c:\program files\Avira
2009-02-16 22:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-16 15:23 1,571,663 a--sh--- c:\windows\system32\lkbaqgqq.ini
2009-02-10 20:42 1,559,263 a--sh--- c:\windows\system32\bdjhjfws.ini
2009-02-10 20:42 75,645 a------- c:\windows\system32\umwkfbct.dll
2009-02-09 20:06 1,622,925 a--sh--- c:\windows\system32\eknamgkd.ini
2009-02-09 20:04 75,645 a------- c:\windows\system32\gkxatqnx.dll
2009-02-06 18:15 1,569,682 a--sh--- c:\windows\system32\cjysvewm.ini
2009-02-06 18:15 75,645 a------- c:\windows\system32\nmuwaqyj.dll
2009-02-05 18:15 1,564,623 a--sh--- c:\windows\system32\swvqabnr.ini
2009-02-05 18:12 72,725 a------- c:\windows\system32\kkgfcrjn.dll
2009-02-02 01:25 1,564,623 a--sh--- c:\windows\system32\mmklycrj.ini
2009-02-02 01:24 4,434 a--sh--- c:\windows\system32\WyFgQqru.ini2
2009-02-02 01:24 4,077 a--sh--- c:\windows\system32\WyFgQqru.ini
2009-02-02 01:24 315,904 a------- c:\windows\system32\urqQgFyW.dll
2009-02-02 01:18 <DIR> --d----- c:\windows\pchealth
2009-02-01 02:28 75,645 a------- c:\windows\system32\uqgvarsx.dll
2009-02-01 02:22 1,465,183 a--sh--- c:\windows\system32\mnorbblp.ini
2009-02-01 01:56 75,645 a------- c:\windows\system32\onuemdod.dll
2009-02-01 01:54 1,465,183 a--sh--- c:\windows\system32\atnkqluu.ini
2009-01-30 08:25 1,465,183 a--sh--- c:\windows\system32\sqndmsad.ini
2009-01-30 08:25 34,712 a--sh--- c:\windows\system32\hPsYGfii.ini2
2009-01-30 08:25 34,712 a--sh--- c:\windows\system32\hPsYGfii.ini
2009-01-22 15:59 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-22 15:59 1,409 a------- c:\windows\QTFont.for
2009-01-21 12:39 880,640 a------- C:\XD_XPEnu.exe

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2005-12-21 10:21 557,108 a--sh--- c:\windows\system32\awtqq.dll
2005-12-21 10:21 332,209 a--sh--- c:\windows\system32\qqtwa.bak1
2005-12-26 22:43 336,258 a--sh--- c:\windows\system32\qqtwa.bak2
2005-11-23 16:45 472,687 a--sh--- c:\windows\system32\rttss.bak1
2005-11-24 10:01 339,546 a--sh--- c:\windows\system32\rttss.bak2
2008-09-20 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 20:05:21.14 ===============
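As a defender-side aid to reading the DDS log above, here is an added example (my own code, not part of the original post or of any BleepingComputer tool) that parses the "Pseudo HJT Report" and "Created Last 30" sections and flags the indicators visible in this log: random-named files dropped into system32, a non-empty AppInit_DLLs value, an extra LSA authentication package, and load points that point at those dropped files. The sample input is a constructed excerpt of the log; the 6-8 letter name heuristic is an assumption of mine, which is why load points are only flagged when they reference a file the same log shows being created.

```python
import re
from collections import namedtuple

# Constructed excerpt of the DDS log posted above (a few representative lines per section).
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2a79a324-afe7-4c28-bba2-a9f3897451f8} - c:\windows\system32\urqQgFyW.dll
BHO: {dbbd}: {7d6c6ed1-e83a-459e-9603-2ba603fde2c0} - c:\windows\system32\jgduxpna.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: jkdpgk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqQgFyW

=============== Created Last 30 ================

2009-02-19 20:03 129,024 a------- c:\windows\system32\jkdpgk.dll
2009-02-16 22:17 <DIR> --d----- c:\program files\Avira
2009-02-16 15:23 1,571,663 a--sh--- c:\windows\system32\lkbaqgqq.ini
2009-02-02 01:24 315,904 a------- c:\windows\system32\urqQgFyW.dll
2009-01-22 15:59 54,156 a---h--- c:\windows\QTFont.qfn

============= FINISH: 20:05:21.14 ===============
"""

Created = namedtuple("Created", "date size attrs path")
Finding = namedtuple("Finding", "kind name reason")

SYSTEM32 = r"c:\windows\system32"
SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
RANDOM_STEM = re.compile(r"^[a-z]{6,8}$")                    # heuristic, applied to lower-cased stems
DLL_REF = re.compile(r'[a-z]:\\[^\s"]+|\b\w+\.dll\b', re.I)  # full path or bare dll name
LOAD_KINDS = {"BHO", "TB", "Notify", "AppInit_DLLs", "SSODL", "LSA", "mRun", "uRun"}


def split_sections(text):
    """Group the log's lines under the '=== Name ===' banner that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_created(lines):
    return [Created(*m.groups()) for m in map(CREATED.match, lines) if m]


def basename_stem(path):
    """'c:\\windows\\system32\\urqQgFyW.dll' -> ('urqqgfyw', 'dll'), lower-cased."""
    filename = path.lower().rpartition("\\")[2]
    stem, _, ext = filename.partition(".")
    return stem, ext


def dropped_in_system32(created):
    """Recently created files in system32 whose name is a 6-8 letter random-looking string."""
    hits = {}
    for c in created:
        if c.size == "<DIR>":
            continue
        directory = c.path.lower().rpartition("\\")[0]
        stem, ext = basename_stem(c.path)
        if directory == SYSTEM32 and ext in ("dll", "ini", "ini2") and RANDOM_STEM.match(stem):
            reason = "random-named file created in system32"
            if ext != "dll" and "s" in c.attrs and "h" in c.attrs:
                reason += " (hidden+system data file)"
            hits[stem] = Finding("created", c.path, reason)
    return hits


def parse_load_points(lines):
    out = []
    for line in lines:
        kind, sep, rest = line.partition(": ")
        if sep and kind in LOAD_KINDS:
            out.append((kind, rest))
    return out


def triage(text):
    """Return Findings: dropped files, plus load points that reference them or are abnormal."""
    sections = split_sections(text)
    dropped = dropped_in_system32(parse_created(sections.get("Created Last 30", [])))
    findings = list(dropped.values())
    for kind, rest in parse_load_points(sections.get("Pseudo HJT Report", [])):
        if kind == "AppInit_DLLs" and rest.strip():
            findings.append(Finding(kind, rest.strip(), "AppInit_DLLs is empty on a clean XP box"))
        if kind == "LSA" and rest.startswith("Authentication Packages"):
            # Only msv1_0 is expected here; anything else is an extra package loaded into lsass.
            for pkg in rest.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding(kind, pkg, "extra LSA authentication package"))
        for ref in DLL_REF.findall(rest):
            stem, _ = basename_stem(ref)
            if stem in dropped:
                findings.append(Finding(kind, ref, "load point references dropped file " + stem))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:13} {f.name:45} {f.reason}")
```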

#2 extremeboy


Posted 01 March 2009 - 04:20 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 therealmrbig


Posted 04 March 2009 - 08:02 AM

Thank you for answering my post. I will post the logs later today.

#4 extremeboy


Posted 04 March 2009 - 01:01 PM

Okay.

Thanks for letting me know :thumbup2:

-Extremeboy

#5 therealmrbig


Posted 05 March 2009 - 02:16 AM

ComboFix.txt:

ComboFix 09-03-04.01 - Darrell 2009-03-05 0:17:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1663 [GMT -6:00]
Running from: c:\downloads\MalwareTools\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jennifer\My Documents\SMBOLS~1
c:\documents and settings\Jennifer\My Documents\SMBOLS~1\s?mbols\
c:\windows\system32\atnkqluu.ini
c:\windows\system32\bdjhjfws.ini
c:\windows\system32\cjysvewm.ini
c:\windows\system32\comrepl.exe
c:\windows\system32\dntwvvet.ini
c:\windows\system32\eknamgkd.ini
c:\windows\SYSTEM32\hPsYGfii.ini
c:\windows\system32\hPsYGfii.ini2
c:\windows\system32\lkbaqgqq.ini
c:\windows\system32\mmklycrj.ini
c:\windows\system32\mnorbblp.ini
c:\windows\system32\sqndmsad.ini
c:\windows\system32\swvqabnr.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-02-28 09:26 . 2009-02-28 09:26 <DIR> d-------- c:\program files\Xvid
2009-02-28 09:26 . 2008-12-04 21:42 815,104 --a------ c:\windows\SYSTEM32\xvidcore.dll
2009-02-28 09:26 . 2008-12-04 21:46 180,224 --a------ c:\windows\SYSTEM32\xvidvfw.dll
2009-02-28 09:26 . 2008-12-13 20:01 77,824 --a------ c:\windows\SYSTEM32\xvid.ax
2009-02-26 19:47 . 2009-02-26 19:47 <DIR> d-------- c:\program files\Seagate
2009-02-26 19:47 . 2009-02-26 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2009-02-26 19:46 . 2009-02-26 19:46 <DIR> d--hs---- c:\windows\ftpcache
2009-02-25 17:39 . 2009-02-25 17:39 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-25 17:36 . 2009-02-26 19:40 <DIR> d-------- c:\program files\NOS
2009-02-25 17:36 . 2009-02-26 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\program files\iTunes
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\program files\iPod
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 23:35 . 2009-02-23 23:36 <DIR> d-------- c:\program files\QuickTime
2009-02-23 23:35 . 2009-02-23 23:35 <DIR> d-------- c:\program files\Avira
2009-02-23 23:35 . 2009-02-23 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-23 23:34 . 2009-02-24 20:20 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2009-02-23 23:33 . 2009-02-24 20:20 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-23 00:36 . 2009-02-23 00:36 <DIR> d-------- c:\documents and settings\Jennifer\Application Data\Malwarebytes
2009-02-22 22:21 . 2009-02-22 22:21 <DIR> d-------- c:\documents and settings\Darrell\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-20 19:28 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-19 20:21 . 2009-02-23 21:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-19 20:21 . 2009-02-23 21:42 <DIR> d-------- c:\documents and settings\Darrell\Application Data\SUPERAntiSpyware.com
2009-02-19 20:21 . 2009-02-19 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-19 20:03 . 2009-02-19 20:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Ipswitch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 05:54 --------- d-----w c:\program files\Lx_cats
2009-03-03 04:27 --------- d-----w c:\documents and settings\Jennifer\Application Data\Ulead Systems
2009-02-27 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-25 23:38 --------- d-----w c:\program files\Common Files\Adobe
2009-02-25 02:22 --------- d-----w c:\program files\BUFFALO
2009-02-24 05:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-24 02:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-24 02:34 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-24 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-23 06:25 --------- d-----w c:\program files\BitTorrent
2009-01-21 18:39 880,640 ----a-w C:\XD_XPEnu.exe
2008-04-03 03:24 59,160 ----a-w c:\documents and settings\Darrell\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 11:39 59,160 ----a-w c:\documents and settings\Jennifer\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 04:26 2,034 ----a-w c:\documents and settings\Jennifer\Application Data\SAS7_000.DAT
2005-06-29 03:18 54,584 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 19:42 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-14 126976]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 335872]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sphjvi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.I263"= i263_32.drv
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AACMgt;AACMgt;c:\windows\SYSTEM32\DRIVERS\aacmgt.sys [2003-04-25 70960]
R0 aar1210;aar1210;c:\windows\SYSTEM32\DRIVERS\aar1210.sys [2004-05-27 219880]
R2 AAC_AGENT;Adaptec RAID Remote Services Agent;c:\program files\Adaptec\SMBE\afaagent.exe [2003-04-25 421041]
R2 ARCPD;Adaptec Web Server;c:\program files\Adaptec\SMBE\arcpd.exe [2003-05-08 430151]
R2 ASMBENotify;Adaptec Storage Manager Notifier;c:\program files\Adaptec\SMBE\notify.exe [2003-05-08 438351]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
R2 IOManager;Adaptec I/O Manager Server;c:\program files\Adaptec\SMBE\iomgr.exe [2003-05-08 364634]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\fd_dbus.sys [2005-08-21 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\SYSTEM32\DRIVERS\fd_dmdfl.sys [2005-08-21 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\fd_dmdm.sys [2005-08-21 73984]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\vnetusbl.sys [2004-12-14 107648]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 00:21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Lexmark 5200 series\lxbtbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\locator.exe
.
**************************************************************************
.
Completion time: 2009-03-05 0:27:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 06:27:04

Pre-Run: 26,894,188,544 bytes free
Post-Run: 28,361,826,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
183 --- E O F --- 2009-02-24 23:44:23


gmer.txt:

2009-03-05 00:36:16 gmer.sys System [4]: LoadDriver System32\DRIVERS\ipnat.sys
2009-03-05 00:36:16 gmer.sys System [4]: LoadDriver System32\DRIVERS\wanarp.sys
2009-03-05 00:36:19 gmer.sys System [4]: LoadDriver System32\DRIVERS\arp1394.sys
2009-03-05 00:36:19 gmer.sys System [4]: CreateProcess C:\WINDOWS\SYSTEM32\smss.exe
2009-03-05 00:36:19 gmer.sys smss.exe [708]: CreateProcess C:\WINDOWS\SYSTEM32\autochk.exe
2009-03-05 00:36:20 gmer.sys smss.exe [708]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2009-03-05 00:36:21 gmer.sys smss.exe [708]: CreateProcess C:\WINDOWS\SYSTEM32\csrss.exe
2009-03-05 00:36:21 gmer.sys csrss.exe [756]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2009-03-05 00:36:22 gmer.sys csrss.exe [756]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2009-03-05 00:36:22 gmer.sys csrss.exe [756]: LoadDriver \SystemRoot\System32\vga.dll
2009-03-05 00:36:22 gmer.sys csrss.exe [756]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2009-03-05 00:36:22 gmer.sys csrss.exe [756]: LoadDriver \SystemRoot\System32\ati3duag.dll
2009-03-05 00:36:22 gmer.sys smss.exe [708]: CreateProcess C:\WINDOWS\SYSTEM32\winlogon.exe
2009-03-05 00:36:22 gmer.sys winlogon.exe [780]: CreateProcess C:\WINDOWS\SYSTEM32\services.exe
2009-03-05 00:36:22 gmer.sys winlogon.exe [780]: CreateProcess C:\WINDOWS\SYSTEM32\lsass.exe
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\drivers\drvnddm.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsndres.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnifs.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnopio.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnpool.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnboio.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsncofs.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsndrct.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnudf.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: LoadDriver system32\dla\tfsnudfa.sys
2009-03-05 00:36:23 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\ati2evxx.exe
2009-03-05 00:36:23 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:24 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:24 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:24 gmer.sys services.exe [824]: LoadDriver System32\DRIVERS\ndisuio.sys
2009-03-05 00:36:24 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:24 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:25 gmer.sys winlogon.exe [780]: CreateProcess C:\WINDOWS\SYSTEM32\logonui.exe
2009-03-05 00:36:25 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\spoolsv.exe
2009-03-05 00:36:25 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
2009-03-05 00:36:25 gmer.sys svchost.exe [1156]: LoadDriver System32\DRIVERS\rdbss.sys
2009-03-05 00:36:25 gmer.sys svchost.exe [1156]: LoadDriver System32\DRIVERS\mrxsmb.sys
2009-03-05 00:36:25 gmer.sys sched.exe [1492]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2009-03-05 00:36:25 gmer.sys services.exe [824]: LoadDriver System32\DRIVERS\mrxdav.sys
2009-03-05 00:36:26 gmer.sys services.exe [824]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2009-03-05 00:36:26 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Adaptec\SMBE\afaagent.exe
2009-03-05 00:36:26 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
2009-03-05 00:36:26 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
2009-03-05 00:36:26 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
2009-03-05 00:36:27 gmer.sys services.exe [824]: LoadDriver System32\Drivers\HTTP.sys
2009-03-05 00:36:27 gmer.sys avguard.exe [1584]: LoadDriver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
2009-03-05 00:36:27 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
2009-03-05 00:36:28 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Adaptec\SMBE\iomgr.exe
2009-03-05 00:36:28 gmer.sys services.exe [824]: LoadDriver \??\C:\WINDOWS\System32\drivers\PfModNT.sys
2009-03-05 00:36:28 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2009-03-05 00:36:28 gmer.sys svchost.exe [1156]: LoadDriver System32\DRIVERS\srv.sys
2009-03-05 00:36:28 gmer.sys FreeAgentServic [1660]: CreateProcess C:\Program Files\Seagate\SeagateManager\Backup\MaxBackServiceInt.exe
2009-03-05 00:36:28 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
2009-03-05 00:36:28 gmer.sys svchost.exe [1156]: LoadDriver System32\DRIVERS\ipnat.sys
2009-03-05 00:36:29 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Canon\CAL\CALMAIN.exe
2009-03-05 00:36:31 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Adaptec\SMBE\arcpd.exe
2009-03-05 00:36:31 gmer.sys services.exe [824]: CreateProcess C:\Program Files\Adaptec\SMBE\notify.exe
2009-03-05 00:36:32 gmer.sys sched.exe [1492]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2009-03-05 00:36:33 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\alg.exe
2009-03-05 00:36:40 gmer.sys winlogon.exe [780]: CreateProcess C:\WINDOWS\SYSTEM32\userinit.exe
2009-03-05 00:36:40 gmer.sys winlogon.exe [780]: CreateProcess C:\WINDOWS\SYSTEM32\WgaTray.exe
2009-03-05 00:36:41 gmer.sys userinit.exe [1876]: CreateProcess C:\WINDOWS\explorer.exe
2009-03-05 00:36:41 gmer.sys svchost.exe [1044]: CreateProcess C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\Ati2mdxx.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\CTHELPER.EXE
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\regsvr32.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
2009-03-05 00:36:42 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\rundll32.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\QuickTime\QTTask.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\iTunes\iTunesHelper.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
2009-03-05 00:36:43 gmer.sys lxbtbmgr.exe [2424]: CreateProcess C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\dumprep.exe
2009-03-05 00:36:43 gmer.sys explorer.exe [2184]: CreateProcess C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
2009-03-05 00:36:44 gmer.sys sched.exe [1492]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2009-03-05 00:36:44 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\ctfmon.exe
2009-03-05 00:36:44 gmer.sys dumprep.exe [2528]: CreateProcess C:\WINDOWS\SYSTEM32\dumprep.exe
2009-03-05 00:36:44 gmer.sys spoolsv.exe [1428]: CreateProcess C:\WINDOWS\SYSTEM32\lxbtcoms.exe
2009-03-05 00:36:47 gmer.sys services.exe [824]: CreateProcess C:\WINDOWS\SYSTEM32\imapi.exe
2009-03-05 00:36:47 gmer.sys services.exe [824]: CreateProcess C:\Program Files\iPod\bin\iPodService.exe
2009-03-05 00:36:54 gmer.sys sched.exe [1492]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2009-03-05 00:37:06 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\explorer.exe
2009-03-05 00:37:13 gmer.sys svchost.exe [1156]: CreateProcess C:\WINDOWS\SYSTEM32\wuauclt.exe
2009-03-05 00:37:22 gmer.sys explorer.exe [2184]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2009-03-05 00:37:23 gmer.sys explorer.exe [2184]: CreateProcess C:\Downloads\MalwareTools\GMER\gmer.exe

#6 therealmrbig (Topic Starter)

Posted 05 March 2009 - 02:18 AM

DDS.txt:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darrell at 1:08:29.14 on Thu 03/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1649 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Darrell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp home\wsbho2k0.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192844169203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229744059312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: sphjvi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2003-4-25 70960]
R0 aar1210;aar1210;c:\windows\system32\drivers\aar1210.sys [2004-5-27 219880]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-23 11840]
R2 AAC_AGENT;Adaptec RAID Remote Services Agent;c:\program files\adaptec\smbe\afaagent.exe [2003-4-25 421041]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-23 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-23 151297]
R2 ARCPD;Adaptec Web Server;c:\program files\adaptec\smbe\arcpd.exe [2003-5-8 430151]
R2 ASMBENotify;Adaptec Storage Manager Notifier;c:\program files\adaptec\smbe\notify.exe [2003-5-8 438351]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 IOManager;Adaptec I/O Manager Server;c:\program files\adaptec\smbe\iomgr.exe [2003-5-8 364634]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-23 52032]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2005-8-21 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\drivers\fd_dmdfl.sys [2005-8-21 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\drivers\fd_dmdm.sys [2005-8-21 73984]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [2004-12-14 107648]

=============== Created Last 30 ================

2009-03-05 00:29 345 a------- c:\windows\gmer.ini
2009-03-05 00:14 <DIR> a-dshr-- C:\cmdcons
2009-03-05 00:13 161,792 a------- c:\windows\SWREG.exe
2009-03-05 00:13 98,816 a------- c:\windows\sed.exe
2009-02-28 09:26 815,104 a------- c:\windows\system32\xvidcore.dll
2009-02-28 09:26 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-02-28 09:26 77,824 a------- c:\windows\system32\xvid.ax
2009-02-28 09:26 <DIR> --d----- c:\program files\Xvid
2009-02-26 19:47 <DIR> --d----- c:\program files\Seagate
2009-02-26 19:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-02-26 19:46 <DIR> --dsh--- c:\windows\ftpcache
2009-02-23 23:37 <DIR> --d----- c:\program files\iPod
2009-02-23 23:37 <DIR> --d----- c:\program files\iTunes
2009-02-23 23:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 23:35 <DIR> --d----- c:\program files\Avira
2009-02-23 23:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-22 22:21 <DIR> --d----- c:\docume~1\darrell\applic~1\Malwarebytes
2009-02-20 19:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 19:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 19:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 20:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-19 20:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-19 20:21 <DIR> --d----- c:\docume~1\darrell\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-01-21 12:39 880,640 a------- C:\XD_XPEnu.exe
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-04-02 21:24 59,160 a------- c:\docume~1\darrell\applic~1\GDIPFONTCACHEV1.DAT
2008-09-20 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 1:08:38.90 ===============




#7 therealmrbig (Topic Starter)

Posted 05 March 2009 - 02:24 AM

It seems as though the malware is gone; however, I can no longer run msconfig. It says, "Windows cannot find 'msconfig'." Also, I have two user accounts on this computer. When the other account logs in, it immediately gets a RUNDLL error dialog box which reads, "Error loading C:\WINDOWS\system32\urqQgFyW.dll. The specified module could not be found." And now on startup I get a splash screen for a brief second which asks me to choose between Windows XP Professional and the Windows Recovery Catalog (or something similar).

Thanks for your help.

#8 extremeboy (Malware Response Team)

Posted 05 March 2009 - 01:12 PM

Hello.

That error means that a registry key needs to be deleted, which we will do soon. Msconfig might be damaged and may need to be repaired. On boot up, you have 2 choices because Microsoft's Recovery Console was installed by Combofix; no need to worry about that. If you want to remove it I will show you how, but why would you want to remove it? It's very helpful in some situations, especially if your computer no longer boots up.

GMER log was not complete and was not the log I wanted to see. I would like to see a full GMER log using the ROOTKIT tab please.

Post back with the correct GMER log in your next reply please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#9 therealmrbig (Topic Starter)

Posted 06 March 2009 - 08:26 PM

Sorry about that:

GMER.txt:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-06 19:24:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT A9A8E1CC ZwCreateThread
SSDT A9A8E1B8 ZwOpenProcess
SSDT A9A8E1BD ZwOpenThread
SSDT A9A8E1C7 ZwTerminateProcess
SSDT A9A8E1C2 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A83DFD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----

#10 extremeboy (Malware Response Team)

Posted 06 March 2009 - 08:48 PM

Hello.

That looks good. GMER log is clean. Let's cleanup the rest.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    DDS::
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - 
    EB: {32683183-48a0-441b-a342-7c2a440a9478} -
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - 
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - 
    BHO: {2a79a324-afe7-4c28-bba2-a9f3897451f8} - 
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image not preserved]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 Update 12 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-Kaspersky log
-New Hijackthis log
-How's your computer running now? Any more problems?


With Regards,
Extremeboy
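
As an added example (not a tool from this thread, DDS, or ComboFix), the following Python script reads a DDS "Pseudo HJT Report" such as the one in post #6, flags the two classes of entry that the CFScript above removes (toolbar/BHO registrations marked "No File" and a populated AppInit_DLLs value), and prints a CFScript skeleton in the same DDS::/Registry:: layout. The sample input is an excerpt of the DDS log posted earlier in this thread; the findings are for analyst review, because legitimate software also registers AppInit_DLLs.

```python
"""Triage a DDS 'Pseudo HJT Report' for orphaned IE add-ons and AppInit_DLLs.

Added example, not part of DDS, ComboFix or this thread's tooling. It reads the
report lines exactly as DDS prints them, collects the entries an analyst would
review, and renders a CFScript skeleton in the DDS:: / Registry:: layout seen
in the thread. Nothing here decides on its own that a file is malicious.
"""
import re
from dataclasses import dataclass, field

# DDS entry types for IE toolbars, Explorer bars and Browser Helper Objects.
ORPHAN_TYPES = ("TB", "EB", "BHO")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpt of the DDS report posted in this thread (used as constructed sample input).
SAMPLE_REPORT = r"""
============== Running Processes ===============

C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: sphjvi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2003-4-25 70960]
"""


@dataclass
class Findings:
    orphans: list = field(default_factory=list)  # (entry type, CLSID) with "No File"
    appinit_dlls: str = ""                       # raw AppInit_DLLs value, "" when unset


def parse_pseudo_hjt(report: str) -> Findings:
    """Walk only the 'Pseudo HJT Report' section and collect review-worthy entries."""
    findings = Findings()
    in_section = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.startswith("=") and "Pseudo HJT Report" in stripped:
            in_section = True
            continue
        if in_section and stripped.startswith("="):
            break  # reached the next section header (SERVICES / DRIVERS, ...)
        if not in_section or not stripped:
            continue
        kind, _, rest = stripped.partition(":")
        kind = kind.strip()
        if kind in ORPHAN_TYPES and rest.rstrip().endswith("No File"):
            # Registration whose backing DLL is gone: harmless leftover, but removable.
            match = CLSID_RE.search(rest)
            if match:
                findings.orphans.append((kind, match.group(0)))
        elif kind == "AppInit_DLLs":
            # Every DLL listed here is loaded into every process that uses user32.dll,
            # so a populated value always warrants a look at the named file.
            findings.appinit_dlls = rest.strip()
    return findings


def build_cfscript(findings: Findings) -> str:
    """Render a CFScript skeleton in the DDS:: / Registry:: layout used in the thread."""
    lines = []
    if findings.orphans:
        lines.append("DDS::")
        lines.extend(f"{kind}: {clsid} -" for kind, clsid in findings.orphans)
    if findings.appinit_dlls:
        # Clearing the value removes the load hook; the DLL itself is left to the scanner.
        lines.append("Registry::")
        lines.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]")
        lines.append('"AppInit_DLLs"=""')
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_pseudo_hjt(SAMPLE_REPORT)
    for kind, clsid in found.orphans:
        print(f"orphaned {kind} registration: {clsid}")
    if found.appinit_dlls:
        print(f"AppInit_DLLs is set: {found.appinit_dlls!r} (verify the file before clearing)")
    print(build_cfscript(found))
```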

#11 therealmrbig (Topic Starter)

Posted 07 March 2009 - 11:35 PM

ComboFix Log:

ComboFix 09-03-06.02 - Darrell 2009-03-07 19:59:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1645 [GMT -6:00]
Running from: c:\documents and settings\Darrell\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Darrell\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-05 00:29 . 2009-03-06 19:07 345 --a------ c:\windows\gmer.ini
2009-02-28 09:26 . 2009-02-28 09:26 <DIR> d-------- c:\program files\Xvid
2009-02-28 09:26 . 2008-12-04 21:42 815,104 --a------ c:\windows\SYSTEM32\xvidcore.dll
2009-02-28 09:26 . 2008-12-04 21:46 180,224 --a------ c:\windows\SYSTEM32\xvidvfw.dll
2009-02-28 09:26 . 2008-12-13 20:01 77,824 --a------ c:\windows\SYSTEM32\xvid.ax
2009-02-26 19:47 . 2009-02-26 19:47 <DIR> d-------- c:\program files\Seagate
2009-02-26 19:47 . 2009-02-26 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2009-02-26 19:46 . 2009-02-26 19:46 <DIR> d--hs---- c:\windows\ftpcache
2009-02-25 17:39 . 2009-02-25 17:39 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-25 17:36 . 2009-02-26 19:40 <DIR> d-------- c:\program files\NOS
2009-02-25 17:36 . 2009-02-26 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\program files\iTunes
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\program files\iPod
2009-02-23 23:37 . 2009-02-23 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 23:35 . 2009-02-23 23:36 <DIR> d-------- c:\program files\QuickTime
2009-02-23 23:35 . 2009-02-23 23:35 <DIR> d-------- c:\program files\Avira
2009-02-23 23:35 . 2009-02-23 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-23 23:34 . 2009-02-24 20:20 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2009-02-23 23:33 . 2009-02-24 20:20 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-23 00:36 . 2009-02-23 00:36 <DIR> d-------- c:\documents and settings\Jennifer\Application Data\Malwarebytes
2009-02-22 22:21 . 2009-02-22 22:21 <DIR> d-------- c:\documents and settings\Darrell\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-20 19:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-20 19:28 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-20 19:28 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-19 20:21 . 2009-02-23 21:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-19 20:21 . 2009-02-19 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-19 20:03 . 2009-02-19 20:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Ipswitch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 15:57 --------- d-----w c:\program files\Lx_cats
2009-03-03 04:27 --------- d-----w c:\documents and settings\Jennifer\Application Data\Ulead Systems
2009-02-27 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-25 23:38 --------- d-----w c:\program files\Common Files\Adobe
2009-02-25 02:22 --------- d-----w c:\program files\BUFFALO
2009-02-24 05:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-24 02:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-24 02:34 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-24 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-23 06:25 --------- d-----w c:\program files\BitTorrent
2009-01-21 18:39 880,640 ----a-w C:\XD_XPEnu.exe
2009-01-17 03:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-04-03 03:24 59,160 ----a-w c:\documents and settings\Darrell\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 11:39 59,160 ----a-w c:\documents and settings\Jennifer\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 04:26 2,034 ----a-w c:\documents and settings\Jennifer\Application Data\SAS7_000.DAT
2005-06-29 03:18 54,584 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 19:42 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-05_ 0.26.20.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 06:29:55 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-03-05 06:29:55 85,969 ----a-w c:\windows\SYSTEM32\DRIVERS\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-14 126976]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 335872]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.I263"= i263_32.drv
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AACMgt;AACMgt;c:\windows\SYSTEM32\DRIVERS\aacmgt.sys [2003-04-25 70960]
R0 aar1210;aar1210;c:\windows\SYSTEM32\DRIVERS\aar1210.sys [2004-05-27 219880]
R2 AAC_AGENT;Adaptec RAID Remote Services Agent;c:\program files\Adaptec\SMBE\afaagent.exe [2003-04-25 421041]
R2 ARCPD;Adaptec Web Server;c:\program files\Adaptec\SMBE\arcpd.exe [2003-05-08 430151]
R2 ASMBENotify;Adaptec Storage Manager Notifier;c:\program files\Adaptec\SMBE\notify.exe [2003-05-08 438351]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
R2 IOManager;Adaptec I/O Manager Server;c:\program files\Adaptec\SMBE\iomgr.exe [2003-05-08 364634]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\fd_dbus.sys [2005-08-21 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\SYSTEM32\DRIVERS\fd_dmdfl.sys [2005-08-21 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\fd_dmdm.sys [2005-08-21 73984]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\vnetusbl.sys [2004-12-14 107648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 20:04:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-07 20:07:13
ComboFix-quarantined-files.txt 2009-03-08 02:07:08
ComboFix2.txt 2009-03-05 06:27:08

Pre-Run: 47,161,978,880 bytes free
Post-Run: 47,278,288,896 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
150 --- E O F --- 2009-02-24 23:44:23


Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 08, 2009 03:11:44
Records in database: 1878821
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 136350
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:47:43

No malware has been detected. The scan area is clean.

The selected area was scanned.

#12 therealmrbig (Topic Starter)

Posted 07 March 2009 - 11:37 PM

HJT log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darrell at 22:24:36.57 on Sat 03/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1528 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Darrell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp home\wsbho2k0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192844169203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229744059312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2003-4-25 70960]
R0 aar1210;aar1210;c:\windows\system32\drivers\aar1210.sys [2004-5-27 219880]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-23 11840]
R2 AAC_AGENT;Adaptec RAID Remote Services Agent;c:\program files\adaptec\smbe\afaagent.exe [2003-4-25 421041]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-23 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-23 151297]
R2 ARCPD;Adaptec Web Server;c:\program files\adaptec\smbe\arcpd.exe [2003-5-8 430151]
R2 ASMBENotify;Adaptec Storage Manager Notifier;c:\program files\adaptec\smbe\notify.exe [2003-5-8 438351]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 IOManager;Adaptec I/O Manager Server;c:\program files\adaptec\smbe\iomgr.exe [2003-5-8 364634]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-23 52032]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2005-8-21 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\drivers\fd_dmdfl.sys [2005-8-21 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\drivers\fd_dmdm.sys [2005-8-21 73984]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [2004-12-14 107648]

=============== Created Last 30 ================

2009-03-07 20:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 20:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-07 19:58 <DIR> --d----- C:\ComboFix
2009-03-05 00:29 345 a------- c:\windows\gmer.ini
2009-03-05 00:14 <DIR> a-dshr-- C:\cmdcons
2009-03-05 00:13 161,792 a------- c:\windows\SWREG.exe
2009-03-05 00:13 98,816 a------- c:\windows\sed.exe
2009-02-28 09:26 815,104 a------- c:\windows\system32\xvidcore.dll
2009-02-28 09:26 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-02-28 09:26 77,824 a------- c:\windows\system32\xvid.ax
2009-02-28 09:26 <DIR> --d----- c:\program files\Xvid
2009-02-26 19:47 <DIR> --d----- c:\program files\Seagate
2009-02-26 19:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-02-26 19:46 <DIR> --dsh--- c:\windows\ftpcache
2009-02-23 23:37 <DIR> --d----- c:\program files\iPod
2009-02-23 23:37 <DIR> --d----- c:\program files\iTunes
2009-02-23 23:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 23:35 <DIR> --d----- c:\program files\Avira
2009-02-23 23:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-22 22:21 <DIR> --d----- c:\docume~1\darrell\applic~1\Malwarebytes
2009-02-20 19:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 19:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 19:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 20:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-19 20:21 <DIR> --d----- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2009-01-21 12:39 880,640 a------- C:\XD_XPEnu.exe
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-04-02 21:24 59,160 a------- c:\docume~1\darrell\applic~1\GDIPFONTCACHEV1.DAT
2008-09-20 13:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 22:24:50.90 ===============

#13 therealmrbig (Topic Starter)

Posted 07 March 2009 - 11:40 PM

Problems include:

Now the icon next to every url in IE is Kaspersky's.

msconfig still gone.

On login for user Jennifer, RUNDLL error dialog: "Error loading C:\WINDOWS\system32\urqQgFyW.dll. The specified module could not be found."

#14 therealmrbig (Topic Starter)

Posted 08 March 2009 - 12:24 AM

It's very frustrating.

#15 therealmrbig (Topic Starter)

Posted 08 March 2009 - 12:30 AM

My bad. All I had to do was clear my cache for the normal icons to return.