Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
27/02/2009 19:28:04
mbam-log-2009-02-27 (19-28-04).txt
Scan type: Quick Scan
Objects scanned: 74700
Time elapsed: 5 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\JcPtK2c0.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Taeshun\Local Settings\Temp\1883.exe (Trojan.FakeAlert) -> Delete on reboot.
I re-scanned the day after and only 2 files remained, userinit.exe:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
However, after this, the tray icon in the bottom right (a red circle with a white x) remained, stating 'Warning: You have a security problem!' This was coupled with pop-ups from a website named 'skfjkhcdcsh.com', which led to a website relating to SR2009.
After this, I scanned with SUPERAntiSpyware twice, as it allegedly solved the problem, and both times it came up with a large number of 'Trace.Known Threat Sources', all from my temporary internet files:
Memory items scanned : 596
Memory threats detected : 0
Registry items scanned : 7214
Registry threats detected : 0
File items scanned : 61000
File threats detected : 63
Adware.Tracking Cookie
C:\Documents and Settings\Taeshun\Cookies\taeshun@adtrafficsolution[1].txt
C:\Documents and Settings\Taeshun\Cookies\taeshun@specificclick[1].txt
C:\Documents and Settings\Taeshun\Cookies\taeshun@promo3[2].txt
C:\Documents and Settings\Taeshun\Cookies\taeshun@bestvirusremover2009[1].txt
G:\downstairs computer\old computer hard drives\old c drive\WINDOWS\Cookies\oldtimer@finder[1].txt
Application.PowerReg Scheduler
C:\DOCUMENTS AND SETTINGS\TAESHUN\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
C:\WINDOWS\PSS\POWERREG SCHEDULER V3.EXESTARTUP
C:\WINDOWS\Prefetch\POWERREG SCHEDULER V3.EXE-039B2D94.pf
Trace.Known Threat Sources
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\i35_icon4[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\i35_btn5[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\i35_bg-btn3[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\closebutton[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\i35_line2[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\9FNNDXWA\params[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\2P8M0Y1Y\spacer[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\settings[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GTY38HIJ\bg[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_bg-btn1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\activex[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\bleep2[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\SHM78PIZ\i35_no_flash[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\14[2].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\setcookies[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\14[2].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\14[2].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\i35_icon1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\rght[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\5[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_btn1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_bg1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\i35_icon2[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\index_new[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\i35_icon3[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\SHM78PIZ\crypt[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\8DEJ8DYN\secure_installers[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\4H4Z0VWV\managers[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\K12NC9UN\5[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\0VUSU26P\fileslist[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\i35_spacer[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\14[2].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\i35_t1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\2P8M0Y1Y\styles[3].css
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\8DKP2345\progressbar[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\0VUSU26P\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\5[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\down[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\input[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\common[2].js
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\14[1].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\i35_btn3[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\i35_line1[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\i35_bg-btn2[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\14[3].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\9FNNDXWA\secstat[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\bleep[1].gif
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[3].htm
C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[2].htm
Somewhere along the line I also scanned with Antivir and that came up with this:
Avira AntiVir Personal
Report file date: 27 February 2009 23:33
Scanning for 1270875 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: PICNIC
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 06/12/2008 09:55:07
AVSCAN.DLL : 8.1.4.0 40705 Bytes 19/07/2008 17:20:44
LUKE.DLL : 8.1.4.5 164097 Bytes 19/07/2008 17:20:47
LUKERES.DLL : 8.1.4.0 12033 Bytes 19/07/2008 17:20:47
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 17:59:07
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 12:44:39
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 20/02/2009 12:01:53
ANTIVIR3.VDF : 7.1.2.95 183808 Bytes 27/02/2009 18:11:55
Engineversion : 8.2.0.98
AEVDF.DLL : 8.1.1.0 106868 Bytes 30/01/2009 17:23:28
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 27/02/2009 18:12:18
AESCN.DLL : 8.1.1.7 127347 Bytes 13/02/2009 12:44:45
AERDL.DLL : 8.1.1.3 438645 Bytes 06/11/2008 17:59:39
AEPACK.DLL : 8.1.3.8 397684 Bytes 07/02/2009 11:50:15
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 27/02/2009 18:12:14
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 27/02/2009 18:12:12
AEHELP.DLL : 8.1.2.2 119158 Bytes 27/02/2009 18:11:58
AEGEN.DLL : 8.1.1.22 336245 Bytes 27/02/2009 18:11:57
AEEMU.DLL : 8.1.0.9 393588 Bytes 06/11/2008 17:59:18
AECORE.DLL : 8.1.6.6 176501 Bytes 18/02/2009 10:37:33
AEBB.DLL : 8.1.0.3 53618 Bytes 06/11/2008 17:59:14
AVWINLL.DLL : 1.0.0.12 15105 Bytes 19/07/2008 17:20:45
AVPREF.DLL : 8.0.2.0 38657 Bytes 19/07/2008 17:20:44
AVREP.DLL : 8.0.0.2 98344 Bytes 09/08/2008 10:36:02
AVREG.DLL : 8.0.0.1 33537 Bytes 19/07/2008 17:20:44
AVARKT.DLL : 1.0.0.23 307457 Bytes 16/04/2008 15:48:03
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 19/07/2008 17:20:44
SQLITE3.DLL : 3.3.17.1 339968 Bytes 16/04/2008 15:48:03
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 19/07/2008 17:20:47
NETNT.DLL : 8.0.0.1 7937 Bytes 16/04/2008 15:48:03
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 19/07/2008 17:20:24
RCTEXT.DLL : 8.0.52.0 86273 Bytes 19/07/2008 17:20:25
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, G:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: 27 February 2009 23:33
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'JcPtK2c0.exe' - '1' Module(s) have been scanned
Scan process 'ZDWlan.exe' - '1' Module(s) have been scanned
Scan process 'sistray.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'KMProcess.exe' - '1' Module(s) have been scanned
Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'KMCONFIG.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb07.exe' - '1' Module(s) have been scanned
Scan process 'StartAutorun.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'AsusProb.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccessU.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'ATKKBService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'userinit.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
50 processes with 50 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '76' files ).
Starting the file scan:
Begin scan in 'C:\' <Twilight>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part02.rar
[0] Archive type: RAR
--> main2.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part04.rar
[0] Archive type: RAR
--> main3.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part05.rar
[0] Archive type: RAR
--> main4.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part06.rar
[0] Archive type: RAR
--> main5.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part07.rar
[0] Archive type: RAR
--> main6_optional.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\3DO\Heroes expansions (Probably useless)\Heroes 3\Expansion\allinon1.zip
[0] Archive type: ZIP
--> wog358f.part02.rar
[1] Archive type: RAR
--> main2.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> wog358f.part04.rar
[1] Archive type: RAR
--> main3.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> wog358f.part05.rar
[1] Archive type: RAR
--> main4.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> wog358f.part06.rar
[1] Archive type: RAR
--> main5.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> wog358f.part07.rar
[1] Archive type: RAR
--> main6_optional.wog
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Macromedia\Photoshop\Plug-Ins\Effects\Glowing Edges.8BF
[DETECTION] Is the TR/IFrame.W.6 Trojan
[NOTE] A backup was created as '4a178ba6.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'G:\' <MOG>
G:\System Volume Information\_restore{1BCB6D44-5B4D-4086-9193-47EFACCD58C3}\RP954\A0167222.exe
[DETECTION] Is the TR/Spy.Gampass.US Trojan
[NOTE] A backup was created as '49d99846.qua' ( QUARANTINE )
[NOTE] The file was deleted!
End of the scan: 28 February 2009 02:16
Used time: 2:42:45 Hour(s)
The scan has been done completely.
27866 Scanning directories
1171841 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
2 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
1171837 Files not concerned
15873 Archives were scanned
12 Warnings
2 Notes
So far, that is all I have done in the way of scanning. I have, however, rooted out one of the problems: userinit.exe. This process permanently runs on my computer, and while it is running the pop-ups from Internet Explorer come up and so do the 'You have a security problem' warnings from SR2009 itself. Thus it was no coincidence that when I end-processed userinit.exe they all stopped.
Related to this, two files were changed without my knowing, at exactly the same time as when I got the virus:
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Finally, here are the DDS Logs:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Taeshun at 16:56:43.95 on 02/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1462 [GMT 0:00]
AV: Norton Internet Security *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Documents and Settings\Taeshun\Desktop\Scan Plox\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Taeshun\Desktop\Scan Plox\DDS\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ASUS Probe] c:\program files\asus\asus probe\AsusProb.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RemoteControl] "c:\documents and settings\taeshun\desktop\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\documents and settings\taeshun\desktop\powerdvd\language\Language.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [StormCodec_Helper] "c:\documents and settings\taeshun\desktop\sams stuff\storm codec (real)\StormSet.exe" /S /opti
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\taeshun\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exe
IE: &Download All with FlashGet - c:\progra~1\flashget\jc_all.htm
IE: &Download the file(s) in D.S.Code - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\dl_text.html
IE: &Download the file(s) in D.S.Code-File - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\dl_url.html
IE: &Download with FlashGet - c:\progra~1\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F8475519-8412-4D40-A46E-692D9D04DF7F} - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\DSLite.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {92A57FF6-85CB-4D6A-AB0B-1DF2274424C6} = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\taeshun\applic~1\mozilla\firefox\profiles\bqxljhwi.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle
FF - prefs.js: browser.startup.homepage - hxxp://www.anthemro.com/forums/index.php
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2007-6-2 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2007-6-2 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2007-6-2 151297]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2007-6-2 52032]
S2 ccosm;Contrl Center of Storm Media;c:\documents and settings\taeshun\desktop\sams stuff\storm codec\stormliv.exe /asservice --> c:\documents and settings\taeshun\desktop\sams stuff\storm codec\stormliv.exe [?]
S2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\borland\interbase\bin\ibguard.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibguard.exe -i c:\program files\borland\InterBase [?]
S2 Stormser;Stormser;c:\docume~1\taeshun\desktop\samsst~1\stormc~1\stormser.exe --> c:\docume~1\taeshun\desktop\samsst~1\stormc~1\Stormser.exe [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-3-24 20608]
S3 cpuz130;cpuz130;\??\c:\docume~1\taeshun\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\taeshun\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\borland\interbase\bin\ibserver.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibserver.exe -i c:\program files\borland\InterBase [?]
S3 musbehco;musbehco;c:\docume~1\taeshun\locals~1\temp\musbehco.sys [2002-2-27 15872]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp2\RpcAgentSrv.exe [2008-12-25 98488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]
=============== Created Last 30 ================
2009-02-27 19:21 77,824 a------- c:\windows\system32\JcPtK2c0.exe
2009-02-25 19:00 <DIR> --d----- c:\docume~1\taeshun\applic~1\GrabPro
2009-02-25 15:33 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-11 19:46 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 19:46 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 19:03 <DIR> --d----- c:\docume~1\taeshun\applic~1\Malwarebytes
2009-02-11 19:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-06 17:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-06 17:28 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-06 17:28 <DIR> --d----- c:\docume~1\taeshun\applic~1\SUPERAntiSpyware.com
2009-02-04 15:37 <DIR> --d----- c:\windows\system32\xlive
2009-02-04 15:36 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-02-04 15:24 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2009-02-04 15:24 443,752 a------- c:\windows\system32\d3dx10_34.dll
2009-02-04 15:24 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2009-02-04 15:24 261,480 a------- c:\windows\system32\xactengine2_7.dll
2009-02-04 15:24 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-02-04 15:24 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-02-04 15:24 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-02-04 15:24 255,848 a------- c:\windows\system32\xactengine2_6.dll
2009-02-04 07:45 <DIR> --d----- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
==================== Find3M ====================
2009-02-27 19:21 56,832 a------- c:\windows\system32\userinit.exe
2009-01-01 13:05 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-01-01 13:05 17,212 a------t c:\windows\system32\SIntf32.dll
2009-01-01 13:05 12,067 a------t c:\windows\system32\SIntf16.dll
2008-12-21 12:56 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-12-21 12:56 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-12-09 15:24 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-17 18:05 35,008,838 a------- c:\docume~1\alluse~1\applic~1\Storm3.exe
2008-07-12 10:33 274 a------- c:\program files\INSTALL.LOG
2008-03-24 17:03 0 a------- c:\program files\temp01
2007-03-07 17:46 1,207 a------- c:\documents and settings\taeshun\scoreth095.dat
============= FINISH: 16:57:22.93 ===============
(The userinit.exe process won't be running now as I ended it)
And as a side note, I didn't have either SR.exe in my processes or any of the other files/folders known to accompany SpywareRemover2009, and the red-circle-white-x in the tray is no longer present.
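The two observations the poster made by eye (a system32 file written in the same minute as the dropper, and Malwarebytes flagging the Winlogon\Userinit value twice) can be made mechanical over the log formats pasted above. The script below is an added example, not code from the original post or from DDS or Malwarebytes; the sample lines are constructed to mirror the post's entries, and the "stock" Userinit value it compares against is an assumption for a default 32-bit Windows XP install.

```python
"""Triage of the log formats pasted above: DDS 'Created Last 30' / 'Find3M'
file listings and Malwarebytes registry-data lines for Winlogon\\Userinit.
Added example; not code from the original post or from DDS/Malwarebytes.
Sample inputs are constructed to mirror the post's entries."""
import re
from collections import defaultdict

# Stock data for HKLM\...\Winlogon\Userinit on a 32-bit XP install
# (assumption; the trailing comma seen on real systems is tolerated below).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# e.g. "2009-02-27 19:21 56,832 a------- c:\windows\system32\userinit.exe"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# e.g. "...\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined ..."
MBAM_USERINIT = re.compile(
    r"Winlogon\\Userinit \((?P<family>[^)]+)\) -> Data: (?P<data>.+?) -> "
)

# Constructed sample input, shaped like the DDS sections in the post.
SAMPLE_DDS = r"""
2009-02-27 19:21 77,824 a------- c:\windows\system32\JcPtK2c0.exe
2009-02-25 19:00 <DIR> --d----- c:\docume~1\taeshun\applic~1\GrabPro
2009-02-11 19:46 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-27 19:21 56,832 a------- c:\windows\system32\userinit.exe
2009-01-01 13:05 21,840 a------t c:\windows\system32\SIntfNT.dll
"""

# Constructed sample input, shaped like the Malwarebytes lines in the post.
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


def parse_dds_listing(text):
    """Turn DDS file-listing lines into dicts; directory rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        entries.append({
            "when": f"{m['date']} {m['time']}",   # minute resolution, as DDS prints it
            "size": int(m["size"].replace(",", "")),
            "path": m["path"].lower(),
        })
    return entries


def files_written_with(entries, known_bad):
    """Paths under system32 stamped in the same minute as known_bad (the dropper).
    This is the 'changed at exactly the same time' observation made mechanical."""
    known_bad = known_bad.lower()
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["when"]].append(e)
    anchors = [e for e in entries if e["path"] == known_bad]
    if not anchors:
        return []
    same_minute = by_minute[anchors[0]["when"]]
    return sorted(e["path"] for e in same_minute
                  if e["path"] != known_bad and "\\system32\\" in e["path"])


def mbam_userinit_data(text):
    """Data values Malwarebytes reported for the Winlogon\\Userinit value."""
    found = []
    for line in text.splitlines():
        m = MBAM_USERINIT.search(line)
        if m:
            found.append(m["data"])
    return found


def userinit_extras(data):
    """Entries in a Userinit value other than the stock one. The value is a
    comma-separated list, so anything appended here runs at every logon; a
    relative form such as system32/userinit.exe is reported too, because it is
    not the stock absolute path."""
    parts = [p.strip().strip('"').lower() for p in data.split(",")]
    return [p for p in parts if p and p != EXPECTED_USERINIT]


if __name__ == "__main__":
    listing = parse_dds_listing(SAMPLE_DDS)
    print("written with the dropper:",
          files_written_with(listing, r"c:\windows\system32\JcPtK2c0.exe"))
    for data in mbam_userinit_data(SAMPLE_MBAM):
        print(f"Userinit data {data!r} -> non-stock entries: {userinit_extras(data)}")
```

On a clean XP machine userinit.exe runs briefly at logon, starts the shell and exits, so one that stays resident (as the post describes) is itself a signal; the practical follow-up is to compare the system32 copy's hash and size against a known-good copy from the install media or the dllcache, rather than only ending the process.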