Really Crazy Infection


  • This topic is locked
15 replies to this topic

#1 joshsmoses (Members, 10 posts)

Posted 27 March 2009 - 02:34 PM

Gents,
First poster. I have to use another computer because whatever I have is able to shut down Firefox and IE when I go to bleepingcomputer (and a lot of other sites, including trying to download ComboFix). I've run tons of different antivirus and antimalware files and can't find anything. Other things that happen:
*Get redirected to different sites in Firefox and IE
*Command prompt crashes Windows Explorer (although renaming a copy allows me to launch)
*Can't launch regedit (although renaming a copy allows me to launch)
*ComboFix (which I got on my computer by downloading and saving to a CD-ROM) fails to launch
It's driving me nuts. Here is my HJT file; I had to email it to myself to get it to this computer:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:40 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\testme.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\WINDOWS\TEMP\E_S1AB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1118159676859
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

I really appreciate the help!

Best,
Josh
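As an added example, not part of Josh's post or of HijackThis itself, the following Python script applies a few first-pass triage rules to an excerpt of the log above: executables running directly out of the Windows root or from a Temp directory, O4 autostart entries whose image lives in Temp, registry entries that point at files no longer on disk, and a configured browser proxy (relevant given the redirects reported). The excerpt is constructed from lines in the posted log; the allowlist and the rules are ours, and a hit means "verify this", not "this is malware".

```python
import ntpath
import re

# Constructed excerpt of the HijackThis v2.0.2 log posted in #1: the lines are
# copied from the thread, the selection is ours.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\testme.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\WINDOWS\TEMP\E_S1AB.tmp" /EF "HKCU"
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Images that legitimately live directly in %SystemRoot% on XP (our allowlist, assumption).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe"}

# First drive-letter path on a command line, quoted or not, up to its extension.
# Non-greedy so arguments after the image (e.g. a .tmp passed with /FU) are ignored.
IMAGE_PATH_RE = re.compile(r'"?([a-z]:\\.*?\.(?:exe|dll|cpl|scr|com|bat))', re.IGNORECASE)
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Return ('process', path) for the running-process list and (section, body) for Rn/On entries."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            entries.append(("process", line))
        elif m := ENTRY_RE.match(line):
            entries.append((m.group(1), m.group(2)))
    return entries


def image_path(o4_body):
    """Return the launched image path from an O4 body ('HKLM\\..\\Run: [Name] <cmdline>')."""
    cmdline = o4_body.split("] ", 1)[-1]
    m = IMAGE_PATH_RE.match(cmdline)
    return m.group(1) if m else None   # bare names like TpShocks.exe resolve via PATH; skipped


def flag_path(path):
    """Heuristic on where an image lives; None means nothing to say."""
    parts = [p.lower() for p in path.split("\\")]
    if "temp" in parts[:-1]:
        return "runs from a Temp directory"
    if ntpath.dirname(path).lower() == r"c:\windows" and parts[-1] not in WINDOWS_ROOT_ALLOWLIST:
        return "loose executable in the Windows root"
    return None


def triage(text):
    """Return (reason, entry) pairs worth verifying before any cleanup is attempted."""
    findings = []
    for kind, body in parse_hjt(text):
        label = body if kind == "process" else f"{kind} - {body}"
        if kind == "process":
            reason = flag_path(body)
        elif kind == "O4":
            path = image_path(body)
            reason = flag_path(path) if path else None
        elif kind == "R1" and "ProxyServer" in body:
            reason = "browser proxy configured; check it against the reported redirects"
        else:
            reason = None
        if reason:
            findings.append((reason, label))
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("entry points at a file that is no longer on disk", label))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(HJT_LOG):
        print(f"[{reason}] {entry}")
```

On the excerpt the script flags C:\WINDOWS\testme.exe (an executable sitting in the Windows root, where only Explorer normally lives), the RecoverFromReboot autostart in C:\WINDOWS\Temp, the ProxyServer setting, and the three orphaned entries; the EPSON entry is not flagged because only the image path, not the .tmp argument, is inspected.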


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 27 March 2009 - 07:17 PM

Hello!
My name is Sam and I will be helping you.

Let's see if we can get combofix to work for you first. Can you rename combofix.exe to combo-fix.exe (with the hyphen)?
Then see if it will run for you and post the log back here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 joshsmoses (Topic Starter; Members, 10 posts)

Posted 28 March 2009 - 09:55 AM

Thanks, Sam. Unfortunately, it still doesn't work. When I double click on the program, the icon appears on the taskbar without the name and a loading bar that says "ComboFix" works its way across the screen. If I look in the task manager it appears momentarily and climbs up to 20 MB of memory, then drops to 10, and once the loading bar finishes out, drops back to zero. The nameless icon also disappears from the taskbar. I would be inclined to disable antivirus software except that the same exact thing happened in safe mode when I tried it yesterday. Next thoughts?

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 28 March 2009 - 11:16 AM

You should not run Combofix in safe mode. And you definitely need to disable your antivirus first. See if it will run without Symantec in the way.

If it still won't run, proceed with this next step.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#5 joshsmoses (Topic Starter; Members, 10 posts)

Posted 29 March 2009 - 11:03 AM

OK, so this is interesting. First, I disabled antivirus and antispyware software and tried re-running ComboFix as renamed. No luck, same result. Then I renamed it to combofix.exe; no luck. Now, attempting to redownload. It is now downloading, which is a big change from before (it was previously crashing Firefox). However, it fails after download in Firefox, giving the error message "ComboFix.exe.part could not be saved, because the source file could not be read. Try again later, or contact the server administrator." In IE, the link for ComboFix just takes me to the .exe URL and sits there. Regarding GMER, I was able to download and run the application, and it's generated quite the lengthy list. Upon completion, however, the Copy button has disappeared. I was unable to copy the log file manually, either. I am re-running to see if I have better success on a second pass.

#6 joshsmoses (Topic Starter; Members, 10 posts)

Posted 29 March 2009 - 12:50 PM

OK, update: I reran the app and was able to copy a portion of the file into a log, which is attached. Upon completion, I tried to recopy the file, at which point Windows crashed, telling me system32 was corrupt. I ran chkdsk, and it made a ton of repairs. Upon restart, I can now:
*run cmd from a run prompt
*ditto for regedit
*go to bleepingcomputer.com from my own computer

Sorry I had to paste in text; it was too large to attach otherwise. I had to cut it off this way, too, as a huge number of things were showing up in preboot. I'm going to try and run ComboFix again to see if I can now get a log...

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-29 11:33:12
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8679B230 ZwAlertResumeThread
SSDT 867A6378 ZwAlertThread
SSDT 8664DE58 ZwAllocateVirtualMemory
SSDT 8659EFC0 ZwConnectPort
SSDT 8649EAD0 ZwCreateMutant
SSDT 86620D40 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEE0F7CC0]
SSDT 8649DA80 ZwFreeVirtualMemory
SSDT 86431A78 ZwImpersonateAnonymousToken
SSDT 863E1A78 ZwImpersonateThread
SSDT 86600BF8 ZwMapViewOfSection
SSDT 86674E48 ZwOpenEvent
SSDT 8649EA90 ZwOpenProcessToken
SSDT 864A4C28 ZwOpenThreadToken
SSDT 865EAF58 ZwQueryValueKey
SSDT 8649AAF0 ZwResumeThread
SSDT 864A4C60 ZwSetContextThread
SSDT 8649FC30 ZwSetInformationProcess
SSDT 864A4D38 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE0F7F20]
SSDT 867A18D8 ZwSuspendProcess
SSDT 86670BB8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEB47EDF0]
SSDT 864A5C00 ZwTerminateThread
SSDT 86517BE8 ZwUnmapViewOfSection
SSDT 86616D50 ZwWriteVirtualMemory

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7A2286E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7A227AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs ibmfilter.sys (IBM Rescue and Recovery filter driver/IBM)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4d9b8d6
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee88388
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\868868012880
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\868878010880
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\868968010880
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\868978010880
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0014a4d9b8d6
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cee88388
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\868868012880
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\868878010880
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\868968010880
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\868978010880

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 13: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\preboot\helps 0 bytes
File C:\preboot\helps\AR 0 bytes
File C:\preboot\helps\AR\2NDLEVEL.css 5598 bytes
File C:\preboot\helps\AR\bb99g464.gif 6493 bytes
File C:\preboot\helps\AR\bb99g483.gif 14782 bytes
File C:\preboot\helps\AR\Note2.gif 201 bytes
File C:\preboot\helps\AR\nwerror.htm 8208 bytes
File C:\preboot\helps\BR 0 bytes
File C:\preboot\helps\BR\2NDLEVEL.css 5598 bytes
File C:\preboot\helps\BR\accbios.htm 5461 bytes
File C:\preboot\helps\BR\accmail.htm 2615 bytes
File C:\preboot\helps\BR\asterisk.gif 859 bytes
File C:\preboot\helps\BR\attention2.gif 1033 bytes
File C:\preboot\helps\BR\Back.gif 944 bytes
File C:\preboot\helps\BR\bb99g464.gif 6493 bytes
File C:\preboot\helps\BR\bb99g483.gif 8811 bytes
File C:\preboot\helps\BR\bssctoc1.gif 866 bytes
File C:\preboot\helps\BR\bssctoc2.gif 865 bytes
File C:\preboot\helps\BR\bssctoc3.gif 145 bytes
File C:\preboot\helps\BR\buttonkv4.htm 2018 bytes
File C:\preboot\helps\BR\closed.gif 866 bytes
File C:\preboot\helps\BR\configpc.htm 3070 bytes
File C:\preboot\helps\BR\contentx.htm 9634 bytes
File C:\preboot\helps\BR\credisk.htm 4047 bytes
File C:\preboot\helps\BR\c_ftrend.htm 725 bytes
File C:\preboot\helps\BR\c_ftrloc.htm 725 bytes
File C:\preboot\helps\BR\c_ftropt.htm 725 bytes
File C:\preboot\helps\BR\c_ftrsel.htm 725 bytes
File C:\preboot\helps\BR\c_ftrstr.htm 725 bytes
File C:\preboot\helps\BR\c_ILA.htm 721 bytes
File C:\preboot\helps\BR\c_logwin.htm 727 bytes
File C:\preboot\helps\BR\c_mapwin.htm 727 bytes
File C:\preboot\helps\BR\c_pwcwin.htm 727 bytes
File C:\preboot\helps\BR\c_pwnwin.htm 727 bytes
File C:\preboot\helps\BR\c_rsbck.htm 723 bytes
File C:\preboot\helps\BR\c_rscon.htm 723 bytes
File C:\preboot\helps\BR\c_rsfac.htm 723 bytes
File C:\preboot\helps\BR\c_rsfile.htm 725 bytes
File C:\preboot\helps\BR\c_rsmiglo.htm 729 bytes
File C:\preboot\helps\BR\c_rsmigpa.htm 729 bytes
File C:\preboot\helps\BR\c_rsmigst.htm 729 bytes
File C:\preboot\helps\BR\c_rsopt.htm 723 bytes
File C:\preboot\helps\BR\c_rsstr.htm 723 bytes
File C:\preboot\helps\BR\c_syswin.htm 727 bytes
File C:\preboot\helps\BR\diagpro.htm 3522 bytes
File C:\preboot\helps\BR\dwnfiles.htm 3062 bytes
File C:\preboot\helps\BR\encryptp.htm 4958 bytes
File C:\preboot\helps\BR\EXPTXT.js 48440 bytes
File C:\preboot\helps\BR\Forward.gif 938 bytes
File C:\preboot\helps\BR\ftrdl.htm 2001 bytes
File C:\preboot\helps\BR\ftrend.htm 2063 bytes
File C:\preboot\helps\BR\ftrloc.htm 2698 bytes
File C:\preboot\helps\BR\ftropt.htm 5096 bytes
File C:\preboot\helps\BR\ftrsel.htm 3762 bytes
File C:\preboot\helps\BR\ftrsel.htm.bak 2678 bytes
File C:\preboot\helps\BR\ftrstr.htm 3265 bytes
File C:\preboot\helps\BR\f_configpc.htm 729 bytes
File C:\preboot\helps\BR\f_diagpro.htm 728 bytes
File C:\preboot\helps\BR\f_netcomm.htm 730 bytes
File C:\preboot\helps\BR\f_recovew.htm 730 bytes
File C:\preboot\helps\BR\f_recovop.htm 728 bytes
File C:\preboot\helps\BR\f_welcome.htm 728 bytes
File C:\preboot\helps\BR\hddfiles.htm 5646 bytes
File C:\preboot\helps\BR\ILA.htm 16700 bytes
File C:\preboot\helps\BR\ILABRA.htm 129211 bytes
File C:\preboot\helps\BR\ILABRAo.htm 95615 bytes
File C:\preboot\helps\BR\ILABRAw.htm 19311 bytes
File C:\preboot\helps\BR\ILACzh.htm 115501 bytes
File C:\preboot\helps\BR\ILACzho.htm 97784 bytes
File C:\preboot\helps\BR\ILACzhw.htm 14431 bytes
File C:\preboot\helps\BR\ILAENGo.htm 92301 bytes
File C:\preboot\helps\BR\ILAENGw.HTM 92373 bytes
File C:\preboot\helps\BR\ILAFRA.HTM 110435 bytes
File C:\preboot\helps\BR\ILAFRAo.htm 99316 bytes
File C:\preboot\helps\BR\ILAFRAw.HTM 100270 bytes
File C:\preboot\helps\BR\ILAGER.HTM 137895 bytes
File C:\preboot\helps\BR\ILAGERo.htm 115360 bytes
File C:\preboot\helps\BR\ILAGERw.HTM 115886 bytes
File C:\preboot\helps\BR\ILAITA.HTM 130122 bytes
File C:\preboot\helps\BR\ILAITAo.htm 97982 bytes
File C:\preboot\helps\BR\ILAITAw.HTM 102053 bytes
File C:\preboot\helps\BR\ILAPol.htm 121843 bytes
File C:\preboot\helps\BR\ILAPolo.htm 108740 bytes
File C:\preboot\helps\BR\ILAPolw.htm 109533 bytes
File C:\preboot\helps\BR\ILASPA.HTM 128597 bytes
File C:\preboot\helps\BR\ILASPAo.htm 111500 bytes
File C:\preboot\helps\BR\ILASPAw.HTM 112324 bytes
File C:\preboot\helps\BR\ILATur.htm 135902 bytes
File C:\preboot\helps\BR\ILATuro.htm 117373 bytes
File C:\preboot\helps\BR\indexx.htm 10376 bytes
File C:\preboot\helps\BR\Jpn.htm 95729 bytes
File C:\preboot\helps\BR\Jpno.htm 225450 bytes
File C:\preboot\helps\BR\Jpnw.htm 226604 bytes
File C:\preboot\helps\BR\Kor.htm 533369 bytes
File C:\preboot\helps\BR\Koro.htm 138101 bytes
File C:\preboot\helps\BR\Korw.htm 314747 bytes
File C:\preboot\helps\BR\LeftFrSt.htm 1051 bytes
File C:\preboot\helps\BR\legal.htm 6284 bytes
File C:\preboot\helps\BR\loginfo.htm 4607 bytes
File C:\preboot\helps\BR\logwin.htm 4402 bytes
File C:\preboot\helps\BR\mapdrive.htm 4093 bytes
File C:\preboot\helps\BR\mapwin.htm 3317 bytes
File C:\preboot\helps\BR\migback.htm 4005 bytes
File C:\preboot\helps\BR\MINUS.gif 1605 bytes
File C:\preboot\helps\BR\modpass.htm 7860 bytes
File C:\preboot\helps\BR\multwndw.htm 3133 bytes
File C:\preboot\helps\BR\m_configpc.htm 418 bytes
File C:\preboot\helps\BR\c_ftrdl.htm 723 bytes
File C:\preboot\helps\BR\ILAENG.HTM 85773 bytes
File C:\preboot\helps\BR\ILATurw.htm 116901 bytes
File C:\preboot\helps\BR\Prcw.htm 216457 bytes
File C:\preboot\helps\BR\rsstr.htm 3373 bytes
File C:\preboot\helps\BR\m_diagpro.htm 417 bytes
File C:\preboot\helps\BR\m_netcomm.htm 417 bytes
File C:\preboot\helps\BR\m_recovew.htm 417 bytes
File C:\preboot\helps\BR\m_recovop.htm 417 bytes
File C:\preboot\helps\BR\m_welcome.htm 417 bytes
File C:\preboot\helps\BR\netcomm.htm 4649 bytes
File C:\preboot\helps\BR\Note2.gif 201 bytes
File C:\preboot\helps\BR\nwerror.htm 7975 bytes
File C:\preboot\helps\BR\open.gif 863 bytes
File C:\preboot\helps\BR\partrec.htm 3548 bytes
File C:\preboot\helps\BR\PLUS.gif 1609 bytes
File C:\preboot\helps\BR\Prc.htm 207623 bytes
File C:\preboot\helps\BR\Prco.htm 216339 bytes
File C:\preboot\helps\BR\pwcwin.htm 7377 bytes
File C:\preboot\helps\BR\pwmwin.htm 8409 bytes
File C:\preboot\helps\BR\pwnwin.htm 6222 bytes
File C:\preboot\helps\BR\recback.htm 4791 bytes
File C:\preboot\helps\BR\recovcd2.htm 4782 bytes
File C:\preboot\helps\BR\recovew.htm 15808 bytes
File C:\preboot\helps\BR\recovop.htm 5482 bytes
File C:\preboot\helps\BR\recpass.htm 3916 bytes
File C:\preboot\helps\BR\rsbck.htm 2810 bytes
File C:\preboot\helps\BR\rscon.htm 3349 bytes
File C:\preboot\helps\BR\rscon2.0.htm 3238 bytes
File C:\preboot\helps\BR\rsfac.htm 2203 bytes
File C:\preboot\helps\BR\rsfile.htm 3242 bytes
File C:\preboot\helps\BR\rsmiglo.htm 2982 bytes
File C:\preboot\helps\BR\rsmigpa.htm 3161 bytes
File C:\preboot\helps\BR\rsmigst.htm 3089 bytes
File C:\preboot\helps\BR\rsopt.htm 4675 bytes
File C:\preboot\helps\BR\spacer.gif 44 bytes
File C:\preboot\helps\BR\startdiag.htm 3088 bytes
File C:\preboot\helps\BR\startpc.htm 5702 bytes
File C:\preboot\helps\BR\syswin.htm 11351 bytes
File C:\preboot\helps\BR\s_configpc.htm 428 bytes
File C:\preboot\helps\BR\s_diagpro.htm 427 bytes
File C:\preboot\helps\BR\s_netcomm.htm 427 bytes
File C:\preboot\helps\BR\s_recovew.htm 427 bytes
File C:\preboot\helps\BR\s_recovop.htm 427 bytes
File C:\preboot\helps\BR\s_welcome.htm 427 bytes
File C:\preboot\helps\BR\Tai.htm 265991 bytes
File C:\preboot\helps\BR\Taio.htm 208605 bytes
File C:\preboot\helps\BR\Taiw.htm 207712 bytes
File C:\preboot\helps\BR\testctab.htm 10248 bytes
File C:\preboot\helps\BR\testitab.htm 10247 bytes
File C:\preboot\helps\BR\TOC.CSS 6598 bytes
File C:\preboot\helps\BR\toc1.gif 866 bytes
File C:\preboot\helps\BR\toc2.gif 865 bytes
File C:\preboot\helps\BR\trobtik.htm 2831 bytes

#7 joshsmoses
  • Topic Starter
  • Members
  • 10 posts

Posted 29 March 2009 - 01:24 PM

OK, combofix now runs. Here is the log. Note that it claims antivirus is still running although it has been disabled.

ComboFix 09-03-28.06 - jsm207 2009-03-29 13:19:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.510 [GMT -5:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-27 14:49 . 2009-03-26 04:32 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\windows\system32\backups
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\windows\system32\backupreg
2009-03-27 14:02 . 2008-04-14 05:42 146,432 --a------ c:\windows\system32\editreg.exe
2009-03-27 14:02 . 2008-04-14 05:42 27,136 --a------ c:\windows\system32\rtsdnif.exe
2009-03-27 14:02 . 2004-08-04 07:00 9,216 --a------ c:\windows\system32\dnif.exe
2009-03-27 13:54 . 2009-03-27 14:02 <DIR> d-------- C:\SDFix
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- d:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 10:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 10:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-22 23:58 . 2009-03-22 23:58 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-22 23:55 . 2006-12-29 00:31 19,569 --a------ c:\windows\003250_.tmp
2009-03-22 23:48 . 2009-03-22 23:49 <DIR> d-------- C:\7b11d06b824f69f0cdc42c89
2009-03-22 23:41 . 2009-03-23 07:52 6,473 --a------ c:\windows\system32\spupdsvc.inf
2009-03-22 23:11 . 2008-04-13 23:09 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-03-22 23:03 . 2009-03-22 23:05 <DIR> d-------- C:\a084df65f82e7bb9a1
2009-03-22 19:27 . 2009-03-22 19:27 <DIR> d-------- C:\rt
2009-03-22 18:01 . 2009-03-22 18:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 18:23 . 2009-03-18 18:23 <DIR> d-------- C:\mxt company
2009-03-18 11:58 . 2004-08-04 07:00 388,608 --a------ c:\windows\system32\test2.exe
2009-03-18 11:58 . 2004-08-04 07:00 388,608 --a------ c:\windows\system32\Copy of cmd.exe
2009-03-18 11:47 . 2004-08-04 07:00 146,432 --a------ c:\windows\testme.exe
2009-03-18 11:24 . 2009-03-18 11:25 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-17 23:18 . 2006-12-29 00:31 19,569 --a------ c:\windows\003248_.tmp
2009-03-17 23:10 . 2009-03-17 23:11 <DIR> d-------- C:\91597a62cef849d2171e
2009-03-17 21:41 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-17 21:39 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-17 21:39 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-17 21:39 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-17 21:39 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-17 21:37 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-17 21:36 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-17 21:36 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-17 21:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-17 21:36 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-17 20:20 . 2006-12-29 00:31 19,569 --a------ c:\windows\003247_.tmp
2009-03-17 20:10 . 2009-03-17 20:11 <DIR> d-------- C:\f780c4fa5963383254aac6824e4c6eeb
2009-03-17 07:41 . 2009-03-23 07:28 23,392 --a------ c:\windows\system32\nscompat.tlb
2009-03-17 07:41 . 2009-03-23 07:28 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\scripting
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\en
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\bits
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\l2schemas
2009-03-16 00:23 . 2009-03-17 00:30 <DIR> d-------- C:\Financial
2009-03-12 22:09 . 2009-03-12 22:46 4,260,800 --a------ C:\BARON_CIM_v25.docx
2009-03-11 08:16 . 2009-02-09 06:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-03-11 08:15 . 2008-12-05 01:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-06 20:36 . 2009-03-06 09:17 2,397,186 --a------ C:\BARON_CIM_v10(KMO).docx
2009-03-03 22:33 . 2006-10-26 20:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-03 22:31 . 2009-03-03 22:31 <DIR> d-------- c:\program files\MSBuild
2009-03-03 22:31 . 2009-03-03 22:31 <DIR> d-------- c:\program files\Microsoft Works
2009-03-03 22:29 . 2009-03-03 22:29 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-03 22:24 . 2009-03-03 22:24 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-03 22:23 . 2009-03-11 20:45 <DIR> d-------- d:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 14:10 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-29 05:00 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-03-27 16:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-18 06:57 --------- d-----w c:\program files\Lavasoft
2009-03-18 06:54 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2009-03-14 00:34 --------- d-----w c:\program files\PassAlong
2009-02-18 03:23 --------- d-----w c:\program files\Google
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 06:00 --------- d-----w c:\program files\PokerStars
2007-01-22 03:54 1,276,704 ----a-w d:\documents and settings\Administrator\Firefox Setup 2.0.0.1.exe
2000-06-05 22:47 32,768 ------w c:\program files\mozilla firefox\plugins\AppSub32.dll
2007-11-09 21:10 30,288 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 21:10 79,440 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 21:10 75,344 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 21:10 140,880 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 21:10 42,576 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 21:10 50,768 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 21:10 34,384 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 21:11 685,648 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 21:11 30,288 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
"EPSON Stylus Photo R380 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-08 40960]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" [2003-03-31 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-01-08 1528880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 13:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= c:\windows\system32\..\wnynatm.ukc

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-23 14:07 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\ipsecdialer.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:UDP"= 7000:UDP:129.105.223.0/255.255.255.128:enabled:NUTV - Channel Guide
"7070:UDP"= 7070:UDP:129.105.223.0/255.255.255.128:Enabled:NUTV - Video Streams
"3389:TCP"= 3389:TCP:*:disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-12-21 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-06-07 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-06-07 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-06-07 6016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-06-07 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-06-07 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2005-11-10 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: skyper
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vft3qma2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.kellogg.northwestern.edu/student/serial/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 13:20:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-03-29 13:22:07
ComboFix-quarantined-files.txt 2009-03-29 18:21:46
ComboFix2.txt 2009-03-29 18:13:39

Pre-Run: 13,316,587,520 bytes free
Post-Run: 13,298,765,824 bytes free

236 --- E O F --- 2009-03-24 02:35:07

#8 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 March 2009 - 01:48 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\003250_.tmp
c:\windows\003248_.tmp
c:\windows\003247_.tmp

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
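The CFScript above targets three files that the ComboFix log shows as identical in size (19,569 bytes) and original timestamp (2006-12-29 00:31) but dropped into c:\windows under throwaway .tmp names on three different days. The script below is an added example written for this page, not part of the thread and not ComboFix's own code: it parses "Files Created" lines in the format the log above uses, groups files by (original timestamp, size), flags clusters of loose .tmp files directly under the Windows directory, and renders them as a CFScript File:: block. The clustering heuristic, the function names and the minimum cluster size are my assumptions; the sample input is a constructed mix of lines taken from the posted log plus benign entries.

```python
"""Triage helper for a ComboFix 'Files Created' section (added example; not ComboFix code).

Assumed line format, as seen in the log posted in this thread:
  <created> . <original-mtime> <size> <attrs> <path>
  2009-03-22 23:55 . 2006-12-29 00:31 19,569 --a------ c:\\windows\\003250_.tmp
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log above, plus benign noise.
SAMPLE_LOG = r"""
2009-03-27 10:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 23:55 . 2006-12-29 00:31 19,569 --a------ c:\windows\003250_.tmp
2009-03-22 23:48 . 2009-03-22 23:49 <DIR> d-------- C:\7b11d06b824f69f0cdc42c89
2009-03-17 23:18 . 2006-12-29 00:31 19,569 --a------ c:\windows\003248_.tmp
2009-03-17 20:20 . 2006-12-29 00:31 19,569 --a------ c:\windows\003247_.tmp
2009-03-12 22:09 . 2009-03-12 22:46 4,260,800 --a------ C:\BARON_CIM_v25.docx
"""

# One 'Files Created' line; <DIR> entries have no numeric size and are skipped.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Loose .tmp file directly under c:\windows (no subdirectory).
LOOSE_WINDIR_TMP = re.compile(r"c:\\windows\\[^\\]+\.tmp")


def parse_created(text):
    """Return a list of dicts (created, modified, size, attrs, path) for file entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"].replace(",", ""))
        d["path"] = d["path"].lower()  # NTFS paths are case-insensitive; normalise for grouping
        entries.append(d)
    return entries


def find_dropped_clusters(entries, min_count=2):
    """Group loose %windir% .tmp files by (original mtime, size).

    Several files that share a source timestamp and byte size but were written
    on different days under different random names are one payload being
    re-dropped; return only clusters of at least min_count paths (assumed threshold).
    """
    groups = defaultdict(list)
    for e in entries:
        if LOOSE_WINDIR_TMP.fullmatch(e["path"]):
            groups[(e["modified"], e["size"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def build_cfscript(paths):
    """Render a CFScript File:: block (ComboFix's own directive) for the given paths."""
    return "File::\n" + "\n".join(paths) + "\n"


def triage(text):
    """Parse a log excerpt, flag clustered drops, and return (flagged_paths, cfscript_text)."""
    clusters = find_dropped_clusters(parse_created(text))
    flagged = sorted(p for ps in clusters.values() for p in ps)
    return flagged, build_cfscript(flagged)


if __name__ == "__main__":
    flagged_paths, script = triage(SAMPLE_LOG)
    print(script, end="")
```

Run on the sample it produces exactly the File:: block Buckeye_Sam posted. ComboFix acts on whatever a CFScript lists, so review the generated block by hand before dropping it on ComboFix.exe; the heuristic is a triage aid, not a verdict.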

#9 joshsmoses
  • Topic Starter
  • Members
  • 10 posts

Posted 29 March 2009 - 09:13 PM

The computer seems to be running better, although I won't necessarily be able to tell w/Firefox until I do some surfing (especially being that most of the redirects seemed to come when trying to pull up malware-related pages). I note that combofix has an updated version which my computer downloaded before running. Can you tell me what I have, how I got it, anything of that nature?

ComboFix 09-03-29.02 - jsm207 2009-03-29 21:05:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.509 [GMT -5:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 15:56 . 2008-12-20 18:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-03-29 15:56 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-29 15:56 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-29 15:56 . 2008-12-20 18:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-03-29 15:56 . 2008-12-20 18:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-29 15:56 . 2008-12-20 18:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-03-29 15:56 . 2008-12-20 18:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-03-29 15:56 . 2008-12-20 18:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-29 15:56 . 2008-12-19 04:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-03-27 14:49 . 2009-03-26 04:32 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\windows\system32\backups
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\windows\system32\backupreg
2009-03-27 14:02 . 2008-04-14 05:42 146,432 --a------ c:\windows\system32\editreg.exe
2009-03-27 14:02 . 2008-04-14 05:42 27,136 --a------ c:\windows\system32\rtsdnif.exe
2009-03-27 14:02 . 2004-08-04 07:00 9,216 --a------ c:\windows\system32\dnif.exe
2009-03-27 13:54 . 2009-03-27 14:02 <DIR> d-------- C:\SDFix
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- d:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 11:08 . 2009-03-27 11:08 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-27 10:26 . 2009-03-27 10:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 10:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 10:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-22 23:58 . 2009-03-22 23:58 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-22 23:55 . 2006-12-29 00:31 19,569 --a------ c:\windows\003250_.tmp
2009-03-22 23:48 . 2009-03-22 23:49 <DIR> d-------- C:\7b11d06b824f69f0cdc42c89
2009-03-22 23:41 . 2009-03-23 07:52 6,473 --a------ c:\windows\system32\spupdsvc.inf
2009-03-22 23:11 . 2008-04-13 23:09 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-03-22 23:03 . 2009-03-22 23:05 <DIR> d-------- C:\a084df65f82e7bb9a1
2009-03-22 19:27 . 2009-03-22 19:27 <DIR> d-------- C:\rt
2009-03-22 18:01 . 2009-03-22 18:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 18:23 . 2009-03-18 18:23 <DIR> d-------- C:\mxt company
2009-03-18 11:58 . 2004-08-04 07:00 388,608 --a------ c:\windows\system32\test2.exe
2009-03-18 11:58 . 2004-08-04 07:00 388,608 --a------ c:\windows\system32\Copy of cmd.exe
2009-03-18 11:47 . 2004-08-04 07:00 146,432 --a------ c:\windows\testme.exe
2009-03-18 11:24 . 2009-03-18 11:25 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-17 23:18 . 2006-12-29 00:31 19,569 --a------ c:\windows\003248_.tmp
2009-03-17 23:10 . 2009-03-17 23:11 <DIR> d-------- C:\91597a62cef849d2171e
2009-03-17 21:41 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-17 21:39 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-17 21:39 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-17 21:39 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-17 21:39 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-17 21:37 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-17 21:36 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-17 21:36 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-17 21:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-17 21:36 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-17 20:20 . 2006-12-29 00:31 19,569 --a------ c:\windows\003247_.tmp
2009-03-17 20:10 . 2009-03-17 20:11 <DIR> d-------- C:\f780c4fa5963383254aac6824e4c6eeb
2009-03-17 07:41 . 2009-03-23 07:28 23,392 --a------ c:\windows\system32\nscompat.tlb
2009-03-17 07:41 . 2009-03-23 07:28 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\scripting
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\en
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\system32\bits
2009-03-17 00:57 . 2009-03-23 00:00 <DIR> d-------- c:\windows\l2schemas
2009-03-16 00:23 . 2009-03-17 00:30 <DIR> d-------- C:\Financial
2009-03-12 22:09 . 2009-03-12 22:46 4,260,800 --a------ C:\BARON_CIM_v25.docx
2009-03-11 08:16 . 2009-02-09 06:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-03-11 08:15 . 2008-12-05 01:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-06 20:36 . 2009-03-06 09:17 2,397,186 --a------ C:\BARON_CIM_v10(KMO).docx
2009-03-03 22:33 . 2006-10-26 20:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-03 22:31 . 2009-03-03 22:31 <DIR> d-------- c:\program files\MSBuild
2009-03-03 22:31 . 2009-03-03 22:31 <DIR> d-------- c:\program files\Microsoft Works
2009-03-03 22:29 . 2009-03-03 22:29 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-03 22:24 . 2009-03-03 22:24 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-03 22:23 . 2009-03-11 20:45 <DIR> d-------- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 21:24 . 2009-02-09 15:22 177,664 --a------ C:\decision tree.ppt
2009-02-03 22:32 . 2009-02-03 16:02 101,341 --a------ C:\Board Presentation(02.03.09).pdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 02:02 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-29 05:00 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-03-27 16:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-18 06:57 --------- d-----w c:\program files\Lavasoft
2009-03-18 06:54 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2009-03-14 00:34 --------- d-----w c:\program files\PassAlong
2009-02-18 03:23 --------- d-----w c:\program files\Google
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 06:00 --------- d-----w c:\program files\PokerStars
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2007-01-22 03:54 1,276,704 ----a-w d:\documents and settings\Administrator\Firefox Setup 2.0.0.1.exe
2000-06-05 22:47 32,768 ------w c:\program files\mozilla firefox\plugins\AppSub32.dll
2007-11-09 21:10 30,288 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 21:10 79,440 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 21:10 75,344 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 21:10 140,880 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 21:10 42,576 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 21:10 50,768 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 21:10 34,384 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 21:11 685,648 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 21:11 30,288 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_13.12.56.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB951978$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB951978$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB951978$\spuninst.exe
+ 2007-11-30 12:39:18 755,576 -c----w c:\windows\$NtUninstallKB951978$\update.exe
+ 2007-11-30 12:39:19 382,840 -c----w c:\windows\$NtUninstallKB951978$\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB954459$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB954459$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954459$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB954459$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB954459$\updspapi.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-13 23:39:00 123,904 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2007-08-13 23:35:46 346,624 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2007-08-13 23:35:38 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2007-08-13 23:54:10 131,584 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2007-08-13 23:36:26 61,952 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2007-08-13 23:39:06 54,784 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2007-08-13 23:39:26 152,064 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2007-08-13 23:39:54 229,376 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2007-08-13 22:56:54 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2007-02-12 21:10:12 2,451,312 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dat
+ 2007-07-11 17:27:48 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2007-08-13 23:39:50 382,976 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2007-08-13 23:54:10 6,049,280 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2007-08-13 23:39:10 43,008 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2007-08-13 23:34:04 266,752 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2007-08-13 23:39:10 13,312 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2007-08-13 23:43:56 622,080 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
"EPSON Stylus Photo R380 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-08 40960]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" [2003-03-31 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-01-08 1528880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 13:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= c:\windows\system32\..\wnynatm.ukc

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-23 14:07 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\ipsecdialer.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:UDP"= 7000:UDP:129.105.223.0/255.255.255.128:enabled:NUTV - Channel Guide
"7070:UDP"= 7070:UDP:129.105.223.0/255.255.255.128:Enabled:NUTV - Video Streams
"3389:TCP"= 3389:TCP:*:disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-12-21 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-06-07 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-06-07 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-06-07 6016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-06-07 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-06-07 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-28 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2005-11-10 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: skyper
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vft3qma2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.kellogg.northwestern.edu/student/serial/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 21:08:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-03-29 21:10:19
ComboFix-quarantined-files.txt 2009-03-30 02:10:07
ComboFix2.txt 2009-03-29 18:22:08
ComboFix3.txt 2009-03-29 18:13:39

Pre-Run: 13,079,736,320 bytes free
Post-Run: 13,060,345,856 bytes free

433 --- E O F --- 2009-03-30 00:01:27
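As an added illustration for the log above (not ComboFix's code and not from the poster), here is a small Python triage pass over its 'Reg Loading Points' section: it parses the REGEDIT4-style autostart entries and flags any that merit a closer look. The excerpt is trimmed from the log itself, while the key list, the extension list and the heuristics are the example's own assumptions.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log (added example;
not ComboFix code and not from the post). The section is REGEDIT4-style text;
the heuristics below are this example's own assumptions, not the tool's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the log posted above, trimmed to a few representative entries.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= c:\windows\system32\..\wnynatm.ukc
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# winlogon\notify entries carry no value name: "<date> <time> <size> <path>"
NOTIFY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) (.+)$")
# trailing "[date size]" / "[date resolved-path]" stamp seen on most entries
STAMP_RE = re.compile(r"\s*\[(\d{4}-\d{2}-\d{2}) ([^\]]*)\]$")
BARE_MODULE_RE = re.compile(r"^[\w~.\-]+\.[A-Za-z0-9]+$")
# Keys that load code at boot/logon, and the extensions expected there (both assumed).
AUTOSTART_HINTS = ("\\run", "drivers32", "winlogon\\notify", "shellexecutehooks")
CODE_EXTENSIONS = {"exe", "dll", "sys", "cpl", "ocx", "scr", "drv", "acm", "ax"}


@dataclass
class Entry:
    key: str
    name: str
    path: str
    stamp: Optional[str]  # "date size" recorded by the tool, if present


def parse_loading_points(text: str) -> List[Entry]:
    """Return the module-loading entries found under autostart keys."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not line or key is None or not any(h in key.lower() for h in AUTOSTART_HINTS):
            continue
        m = NOTIFY_RE.match(line)
        if m:
            date, size, path = m.groups()
            entries.append(Entry(key, key.rsplit("\\", 1)[-1], path, f"{date} {size}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        stamp, s = None, STAMP_RE.search(data)
        if s:
            stamp, data = f"{s.group(1)} {s.group(2)}", data[: s.start()]
        path = data.strip().strip('"')
        if "\\" in path or BARE_MODULE_RE.match(path):  # skips policy values like '1 (0x1)'
            entries.append(Entry(key, name, path, stamp))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Pair each entry with the traits that warrant a manual look; drop clean ones."""
    findings = []
    for e in entries:
        parts = e.path.split("\\")
        ext = parts[-1].rsplit(".", 1)[-1].lower() if "." in parts[-1] else ""
        reasons = []
        if ".." in parts:
            reasons.append("parent-directory component '..' inside an autostart path")
        if ext not in CODE_EXTENSIONS:
            reasons.append(f"unexpected extension '.{ext}' for a module loaded at start-up")
        if e.stamp is None:
            reasons.append("no [date size] stamp, unlike the other entries in the section")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Run against the excerpt, only the drivers32 "aux2" line is reported, with all three traits; the Run, ShellExecuteHooks and Notify entries pass clean.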

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 March 2009 - 11:46 AM

Search redirections are a very common symptom right now, although I haven't seen enough to be able to pinpoint a specific trojan for you.

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 joshsmoses
  • Topic Starter
  • Members
  • 10 posts

Posted 30 March 2009 - 08:39 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 30, 2009 23:44:34
Records in database: 1988079
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 116821
Threat name: 2
Infected objects: 1
Suspicious objects: 1
Duration of the scan: 02:40:32


File name / Threat name / Threats count
D:\Documents and Settings\Administrator\My Documents\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D640000\4DEEA86D.VBN Infected: Exploit.JS.XMLCore.a 1

The selected area was scanned.

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 March 2009 - 01:03 PM

Be careful in Outlook as you have some infected emails in there. Might be a good idea to empty your deleted items folder.
Aside from that, it looks pretty good to me.

How are things on your end?


========================================================

#13 joshsmoses
  • Topic Starter
  • Members
  • 10 posts

Posted 31 March 2009 - 05:54 PM

Seems better so far. I'm emptying the trash in Outlook to be safe (although I don't use that application much any more). I will keep my eye on it. Thanks for the help!

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 April 2009 - 10:19 AM

Glad to do it! :)


Let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#15 joshsmoses
  • Topic Starter
  • Members
  • 10 posts

Posted 02 April 2009 - 10:27 AM

Great, Sam. Thanks very much.



