
Hidden policy/explorer/run reg entries blocking desktop modification


This topic is locked
4 replies to this topic

#1 Tootles

  • Members
  • 3 posts

Posted 14 March 2009 - 11:18 PM

The DDS log does not show the hidden reg entries. But catchme.exe does. I can't get it off.
It downloads more rootkits.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 0:03:08.45 on Sun 03/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.67 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mExplorerRun: [NoActiveDesktopChangesold] 00000000
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236649759828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236649857718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-9 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-9 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-9 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-9 298264]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 09f36;09f36;\??\c:\windows\system32\09f36.sys --> c:\windows\system32\09f36.sys [?]
S3 68237;68237;\??\c:\windows\system32\68237.sys --> c:\windows\system32\68237.sys [?]
S3 81332;81332;\??\c:\windows\system32\81332.sys --> c:\windows\system32\81332.sys [?]
S3 a7331;a7331;\??\c:\windows\system32\a7331.sys --> c:\windows\system32\a7331.sys [?]
S3 efd35;efd35;\??\c:\windows\system32\efd35.sys --> c:\windows\system32\efd35.sys [?]
S3 f0e33;f0e33;\??\c:\windows\system32\f0e33.sys --> c:\windows\system32\f0e33.sys [?]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-29 29744]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]

=============== Created Last 30 ================

2009-03-15 00:02 368,961 a------- C:\dds.scr
2009-03-14 19:14 <DIR> --d----- C:\drv
2009-03-13 02:31 1,728,150 a------- C:\McafeeRootkitDetective.zip
2009-03-13 02:24 <DIR> --d----- C:\Rustbfix
2009-03-13 02:14 87,354 a------- C:\20071210_182632_rku37300509.rar
2009-03-12 23:55 1,663,873 a------- C:\SmitfraudFix.exe
2009-03-12 23:53 <DIR> --d----- c:\documents and settings\administrator\SmitfraudFix
2009-03-12 23:53 <DIR> --d----- C:\SmitfraudFix
2009-03-12 23:51 1,663,873 a------- C:\llFix.exe
2009-03-12 13:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-12 13:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-12 13:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-03-12 13:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-11 14:56 <DIR> --d----- c:\program files\CrackSoft
2009-03-11 14:42 918 a------- C:\Fixhide.reg
2009-03-11 14:35 94,208 a------- C:\GooredFix.exe
2009-03-11 14:28 28,672 a------- C:\catchme.exe
2009-03-11 11:39 <DIR> --d----- C:\quarantine
2009-03-11 01:53 0 a------- C:\rootkt.bat
2009-03-11 01:53 0 a------- C:\rootkt.reg
2009-03-11 01:50 285,184 a------- C:\rootkt.exe
2009-03-11 00:41 <DIR> --d----- c:\program files\Trend Micro
2009-03-11 00:39 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-11 00:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-11 00:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-11 00:11 <DIR> --d----- c:\program files\Lavasoft
2009-03-10 23:58 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-10 23:58 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-10 23:58 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-10 23:58 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-10 23:58 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-10 23:56 35,871 ac------ c:\windows\system32\dllcache\wbfirdma.sys
2009-03-10 23:55 113,762 ac------ c:\windows\system32\dllcache\usrpda.sys
2009-03-10 23:54 47,616 ac------ c:\windows\system32\dllcache\umaxcam.dll
2009-03-10 23:53 230,912 ac------ c:\windows\system32\dllcache\tosdvd03.sys
2009-03-10 23:52 28,384 ac------ c:\windows\system32\dllcache\sym_hi.sys
2009-03-10 23:51 61,824 ac------ c:\windows\system32\dllcache\speed.sys
2009-03-10 23:50 45,568 ac------ c:\windows\system32\dllcache\smb3w.dll
2009-03-10 23:49 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2009-03-10 23:48 77,824 ac------ c:\windows\system32\dllcache\s3sav4m.sys
2009-03-10 23:47 79,104 ac------ c:\windows\system32\dllcache\rocket.sys
2009-03-10 23:46 128,286 ac------ c:\windows\system32\dllcache\ptserli.sys
2009-03-10 23:45 27,296 ac------ c:\windows\system32\dllcache\perc2.sys
2009-03-10 23:44 54,186 ac------ c:\windows\system32\dllcache\otcsercb.sys
2009-03-10 23:43 39,264 ac------ c:\windows\system32\dllcache\neo20xx.sys
2009-03-10 23:42 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-03-10 23:41 164,586 ac------ c:\windows\system32\dllcache\mdgndis5.sys
2009-03-10 23:40 37,376 ac------ c:\windows\system32\dllcache\kousd.dll
2009-03-10 23:39 90,200 ac------ c:\windows\system32\dllcache\io8ports.dll
2009-03-10 23:38 9,216 ac------ c:\windows\system32\dllcache\ibmsgnet.dll
2009-03-10 23:37 289,887 ac------ c:\windows\system32\dllcache\hsf_fall.sys
2009-03-10 23:36 28,288 ac------ c:\windows\system32\dllcache\grserial.sys
2009-03-10 23:35 11,850 ac------ c:\windows\system32\dllcache\f3ab18xj.sys
2009-03-10 23:34 70,174 ac------ c:\windows\system32\dllcache\el98xn5.sys
2009-03-10 23:33 102,484 ac------ c:\windows\system32\dllcache\digiinf.dll
2009-03-10 23:32 48,640 ac------ c:\windows\system32\dllcache\cwrwdm.sys
2009-03-10 23:31 17,024 ac------ c:\windows\system32\dllcache\ccdecode.sys
2009-03-10 23:30 5,120 ac------ c:\windows\system32\dllcache\brscnrsm.dll
2009-03-10 23:29 77,568 ac------ c:\windows\system32\dllcache\ati.sys
2009-03-10 23:04 1,710 a------- C:\wallpaperenable.reg
2009-03-10 22:50 <DIR> --d----- C:\desktopclean
2009-03-10 22:49 80,621 a------- C:\cleandesktop.exe
2009-03-10 21:42 81,984 a------- c:\windows\system32\bdod.bin
2009-03-10 21:35 <DIR> --d----- c:\program files\common files\Softwin
2009-03-10 18:56 <DIR> --d----- c:\windows\Downloaded Installations
2009-03-10 18:51 266,360 a------- c:\windows\system32\TweakUI.exe
2009-03-10 18:51 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-03-10 18:46 1,405 a------- C:\enabledisabledesktopicons.vbs
2009-03-10 17:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-10 17:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-10 15:05 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-10 13:38 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-10 11:21 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-10 11:19 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-10 11:19 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-10 11:19 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-10 11:19 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-10 11:19 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-10 11:19 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-10 11:19 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-10 11:19 <DIR> --d----- C:\b95262a6c35a8af432f0
2009-03-10 11:10 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-10 11:03 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-03-10 11:02 <DIR> --d----- c:\program files\Windows Desktop Search
2009-03-10 11:02 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-03-10 10:59 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-10 10:59 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-10 10:59 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-10 10:59 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-10 10:59 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-10 10:59 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-10 10:59 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-10 10:59 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-10 10:59 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-10 03:06 <DIR> --d----- c:\windows\system32\URTTemp
2009-03-10 02:51 2,189,184 ac------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-10 02:51 2,066,048 ac------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-10 01:18 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-09 23:06 <DIR> --d----- c:\windows\system32\scripting
2009-03-09 23:06 <DIR> --d----- c:\windows\l2schemas
2009-03-09 23:06 <DIR> --d----- c:\windows\system32\en
2009-03-09 23:06 <DIR> --d----- c:\windows\system32\bits
2009-03-09 23:00 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-09 22:56 <DIR> --d----- c:\windows\network diagnostic
2009-03-09 22:25 327,040 ac------ c:\windows\system32\dllcache\ati2mtaa.sys
2009-03-09 21:49 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-09 19:50 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-09 19:30 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-09 19:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-09 19:30 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-09 19:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-09 19:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-03-09 19:29 <DIR> --d----- c:\program files\AVG
2009-03-09 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-09 19:09 62,270,256 a------- C:\avg_free_stf_en_85_278a1439.exe
2009-03-09 18:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-09 18:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 18:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 18:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-09 18:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-09 18:16 2,876,728 a------- C:\mbam-setup.exe
2009-03-09 17:48 <DIR> a-dshr-- C:\cmdcons
2009-03-09 17:45 161,792 a------- c:\windows\SWREG.exe
2009-03-09 17:45 98,816 a------- c:\windows\sed.exe
2009-03-09 17:44 2,933,599 a----r-- C:\Norbury3-11.exe
2009-03-09 16:36 <DIR> --d----- c:\windows\system32\Dell
2009-03-09 16:36 <DIR> --d----- c:\program files\Dell
2009-03-09 16:24 42,368 ac------ c:\windows\system32\dllcache\agp440.sys
2009-03-09 16:24 42,368 a------- c:\windows\system32\drivers\agp440.sys
2009-03-09 16:21 2,636,672 ac------ c:\windows\system32\dllcache\ati3duag.dll
2009-03-09 16:21 860,480 ac------ c:\windows\system32\dllcache\ativvaxx.dll
2009-03-09 16:21 2,636,672 a------- c:\windows\system32\ati3duag.dll
2009-03-09 16:21 860,480 a------- c:\windows\system32\ativvaxx.dll
2009-03-09 16:21 1,505,792 ac------ c:\windows\system32\dllcache\ati2mtag.sys
2009-03-09 16:21 1,505,792 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-03-09 16:21 870,784 ac------ c:\windows\system32\dllcache\ati3d1ag.dll
2009-03-09 16:21 870,784 a------- c:\windows\system32\ati3d1ag.dll
2009-03-09 16:21 256,512 ac------ c:\windows\system32\dllcache\ati2dvag.dll
2009-03-09 16:21 256,512 a------- c:\windows\system32\ati2dvag.dll
2009-03-09 16:21 258,048 ac------ c:\windows\system32\dllcache\ati2cqag.dll
2009-03-09 16:21 258,048 a------- c:\windows\system32\ati2cqag.dll
2009-03-07 13:52 <DIR> --d----- c:\program files\Bonjour
2009-03-07 13:51 <DIR> --d----- c:\program files\iPod
2009-03-07 13:51 <DIR> --d----- c:\program files\iTunes
2009-03-07 13:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 17:43 <DIR> --d----- c:\program files\Bonjour(2)

==================== Find3M ====================

2009-03-09 23:10 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 0:03:54.01 ===============



#2 Tootles

  • Topic Starter
  • Members
  • 3 posts

Posted 15 March 2009 - 10:51 AM

Here is the catchme.exe log

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63
NoActiveDesktopChangesold = 3F 00 00 00

scanning hidden files ...
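A cross-check of the two logs in this thread, added here as an example (it is not from the thread, from DDS or from catchme): it parses the mExplorerRun lines of the DDS log and the Policies\Explorer\Run block of the catchme log, decodes catchme's "3F 00 00 00" as a little-endian DWORD, and flags values that the two tools read differently or that borrow the name of a genuine Explorer policy (those belong under Policies\Explorer, not under its Run subkey, which holds autostart command lines). The function names, the policy-name list and the flag labels are this example's own assumptions.

```python
import re

# Copied from post #1 (the DDS "Pseudo HJT Report"): only the mExplorerRun lines.
DDS_LOG = """\
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mExplorerRun: [NoActiveDesktopChangesold] 00000000
"""

# Copied from post #2 (the catchme hidden-autostart block).
CATCHME_LOG = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63
NoActiveDesktopChangesold = 3F 00 00 00
"""

# Assumption: names of real Explorer policy values (they live under
# Policies\Explorer). A value under Policies\Explorer\Run that starts with one
# of these names is mimicking a policy, not launching a program.
EXPLORER_POLICY_NAMES = ("NoActiveDesktop", "NoSaveSettings", "ClassicShell")

# DDS prints a DWORD as "0 (0x0)" and raw binary data as a run of hex digits.
DDS_RE = re.compile(
    r"^mExplorerRun: \[([^\]]+)\] (?:(\d+) \(0x([0-9a-fA-F]+)\)|([0-9a-fA-F]+))\s*$",
    re.M,
)
# catchme prints binary data as space-separated bytes, e.g. "3F 00 00 00".
HEXBYTES_RE = re.compile(r"^(?:[0-9A-Fa-f]{2} )+[0-9A-Fa-f]{2}$")


def parse_dds(text):
    """Return {value name: integer} for every mExplorerRun line."""
    values = {}
    for m in DDS_RE.finditer(text):
        name, _dec, hexval, rawhex = m.groups()
        if hexval is not None:
            values[name] = int(hexval, 16)
        else:  # raw bytes: interpret as a little-endian integer, like a DWORD
            values[name] = int.from_bytes(bytes.fromhex(rawhex), "little")
    return values


def parse_catchme(text):
    """Return {value name: integer} for every 'name = value' line."""
    values = {}
    for line in text.splitlines():
        if " = " not in line:  # key header or scan banner, not a value
            continue
        name, _, raw = line.partition(" = ")
        raw = raw.strip()
        if HEXBYTES_RE.match(raw):  # "3F 00 00 00" -> 0x3F -> 63
            values[name.strip()] = int.from_bytes(bytes.fromhex(raw.replace(" ", "")), "little")
        else:
            values[name.strip()] = int(raw)
    return values


def audit(dds_values, catchme_values):
    """Flag each catchme value the normal tool missed, misread, or that mimics a policy name."""
    flags = {}
    for name, hidden_value in catchme_values.items():
        reasons = []
        if name not in dds_values:
            reasons.append("absent-from-dds")
        elif dds_values[name] != hidden_value:
            reasons.append("mismatch")  # same value name, two different readings
        if name.startswith(EXPLORER_POLICY_NAMES):
            reasons.append("policy-name")
        if reasons:
            flags[name] = reasons
    return flags


if __name__ == "__main__":
    for name, reasons in audit(parse_dds(DDS_LOG), parse_catchme(CATCHME_LOG)).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the logs above every one of the four values is flagged twice: DDS read 0 where catchme read 63 (0x3F), and each name is a policy name sitting in the Run autostart key.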

#3 Tootles

  • Topic Starter
  • Members
  • 3 posts

Posted 22 March 2009 - 07:17 PM

I was able to solve this problem. I ran all of the antivirus / anti malware /root kit detectors I could find.
http://www.lavasoft.com
http://www.safer-networking.org
http://www.SUPERAntiSpyware.com
http://www.avg.com
http://www.gmer.net/
http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx
http://www.sunbeltsoftware.com
[etc,etc]

and none would help. Though Sunbelt did find a rootkit.bagel in the registry and removed it.


I tried a plethora of desktop restore scripts.
http://www.thespykiller.co.uk/files/cleandesktop.exe seemed to be the most useful but not effective.

I had to use system restore and loaded a restore point back to January first and that fixed the desktop missing problem. Now there are other issues, I immediately ran all the antivirus / anti malware /root kit detectors again and found some restore reg settings but no files.

System restore caused a few problems with IE7's advanced settings dialog. So, I had to install IE8 to get around it. Then I was able to use Windows Update and reinstall AVG. I have backups of the registry from both points, I want to go through and see what the difference is, but I don't have time this week.

#4 KoanYorel

  • Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 25 March 2009 - 02:41 AM

If your problem is actually solved, then I'll close this thread.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 KoanYorel

  • Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 29 March 2009 - 07:56 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K