
Vundo Blues


14 replies to this topic

#1 Rascal


Posted 10 April 2009 - 04:18 PM

I'm fixing a computer for a friend that is badly infected w/ Vundo.

I have run several different things (MalwareBytes AntiMalware, Microsoft Malicious Software tool, Super Anti Spyware, VundoFix, VirtuBeGone, FxVundoB, Norton); most of them found things, and I think I'm clean, but they keep coming back.

I also note that the Windows Update service is not started. When I try to start it I get 'Access Denied'. I also note that the path to the service in the properties is %fystemroot%\system32\svchost.exe -k netsvcs.

Notice the f in %fystemroot%; that can't be good.

I ran RootkitRevealer but am not having a lot of luck figuring out what to do w/ the result - I am unable to save the resulting file - RootkitRevealer crashes whenever I try. Although I am very suspicious of the key that says HKLM\software\microsoft\windows\currentversion\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa etc.

I have a message in the start menu above all programs that tells me some items cannot be because there is not enough space - but it seems to me that there is room and when I add programs (installing all these tools) they do show up.

Here is the DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mayzee at 16:56:57.18 on Fri 04/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.182 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Mayzee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\mayzee\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {44990301-3c9d-426d-81df-aab636fa4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = cli

============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-13 47640]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S1 3d926d18;3d926d18;c:\windows\system32\drivers\3d926d18.sys [2009-3-19 0]
S2 DP1112;DP1112;\??\c:\windows\system32\drivers\dp.sys --> c:\windows\system32\drivers\DP.sys [?]
S3 PSTFVJXPLCDS;PSTFVJXPLCDS;c:\docume~1\mayzee\locals~1\temp\PSTFVJXPLCDS.exe [2009-4-10 560000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-10 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-10 13:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-10 13:40 <DIR> --d----- c:\docume~1\mayzee\applic~1\SUPERAntiSpyware.com
2009-04-10 13:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-10 11:53 <DIR> --d----- c:\program files\Trend Micro
2009-04-05 17:27 0 a------- c:\windows\system32\sagobuho.dll
2009-04-05 17:09 <DIR> --d----- c:\program files\Symantec
2009-04-05 17:09 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-04-05 13:55 <DIR> --d----- C:\VundoFix Backups
2009-04-05 11:18 <DIR> --d----- c:\docume~1\mayzee\applic~1\Malwarebytes
2009-04-05 11:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 11:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 11:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 11:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 11:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 16:06 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-04 16:06 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-04-04 16:06 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-04-04 16:06 9,600 a------- c:\windows\system32\dllcache\hidusb.sys
2009-03-23 10:25 1,791,638 ---sh--- c:\windows\ikuteyor.ini
2009-03-19 17:15 0 a------- c:\windows\system32\drivers\4addcba9.sys
2009-03-19 17:15 65,536 a------- C:\pvnncaoo.exe
2009-03-19 17:14 0 a------- c:\windows\system32\drivers\3d926d18.sys
2009-03-19 17:14 0 a------- C:\lvsen.exe
2009-03-19 17:13 54,784 a------- C:\cpkhjmkl.exe
2009-03-18 20:51 1,821,896 ---sh--- c:\windows\system32\uboduseh.ini
2009-03-17 17:24 1 a------- c:\windows\system32\uniq.tll
2009-03-16 17:36 2 a------- C:\1552673077
2009-03-15 19:34 1,734,702 ---sh--- c:\windows\system32\arakubup.ini
2009-03-15 07:35 1,714,477 ---sh--- c:\windows\system32\osehupol.ini
2009-03-13 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LogMeIn
2009-03-13 17:17 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-03-13 17:17 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-03-13 17:17 28,984 a------- c:\windows\system32\LMIport.dll
2009-03-13 17:17 87,352 a------- c:\windows\system32\LMIinit.dll
2009-03-13 17:17 1,024 a------- C:\.rnd
2009-03-13 17:17 <DIR> --d----- c:\program files\LogMeIn
2009-03-12 09:28 1,808,081 ---sh--- c:\windows\system32\owojusiv.ini

==================== Find3M ====================

2009-03-23 10:21 102,912 a--sh--- c:\windows\royetuki.dll
2009-03-19 17:13 14,336 a------- c:\windows\system32\SVCHOST.EXE
2009-03-19 17:13 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-02-02 20:49 17,588 ---sh--- c:\windows\system32\jarekine.exe
2009-02-02 20:49 30,147 ---sh--- c:\windows\system32\yiyawefo.exe
2009-01-22 21:29 28,927 ---sh--- c:\windows\system32\royomuya.exe
2009-01-22 21:29 23,467 ---sh--- c:\windows\system32\kawolumi.exe
2007-07-06 20:55 282,681 ac------ c:\program files\aunt catherine and uncle billy.exp
2007-07-06 20:36 43,724 ac------ c:\program files\beach pic.jpg
2006-05-07 14:40 96,054 ac------ c:\program files\eva 5.bmp
2006-05-07 14:36 34,884 ac------ c:\program files\eva is hott stuff.jpg
2006-05-07 14:35 2,840 ac------ c:\program files\eva 4.jpg
2006-05-07 14:33 18,978 ac------ c:\program files\eva 3.jpg
2006-05-07 14:31 1,092,075 ac------ c:\program files\eva is hott 2.jpg
2006-05-07 14:30 2,611 ac------ c:\program files\eva 2.jpg
2006-05-07 14:29 63,054 ac------ c:\program files\eva is hott.bmp
2006-01-16 14:11 40,854 ac------ c:\program files\pink smiley face.bmp
2006-01-16 14:10 40,854 ac------ c:\program files\smiley face.jpg
2005-12-23 20:12 27,136 ac------ c:\program files\letters for aunt's t-shirts.doc
2005-12-13 18:02 10,146 ac------ c:\program files\bowling for soup.bmp
2005-12-13 18:01 25,342 ac------ c:\program files\soup can.bmp
2005-12-13 18:00 4,006 ac------ c:\program files\four.bmp
2005-12-13 18:00 10,222 ac------ c:\program files\plus sign.bmp
2005-12-13 17:59 40,014 ac------ c:\program files\bowling ball.bmp
2005-12-11 17:01 285,654 ac------ c:\program files\eva.bmp
2005-12-11 16:41 27,382 ac------ c:\program files\eighth music note.bmp
2005-12-11 16:34 330,803 ac------ c:\program files\the sims 2.jpg
2005-12-11 11:54 1,479 ac------ c:\program files\one music note.jpg
2005-12-11 11:54 1,401 ac------ c:\program files\music note 2.jpg
2005-12-11 11:51 36,870 ac------ c:\program files\a music note.bmp
2005-12-10 19:56 1,142 ac------ c:\program files\blue music notes.bmp
2005-12-10 18:03 2,281 ac------ c:\program files\music notes.jpg
2005-12-10 18:02 2,281 ac------ c:\program files\music.jpg
2005-12-10 17:51 2,212 ac------ c:\program files\snowboarder.jpg
2005-12-10 17:35 234,102 ac------ c:\program files\hot pink.bmp
2005-12-10 17:34 231,310 ac------ c:\program files\blue.bmp
2005-12-10 17:34 236,058 ac------ c:\program files\yellow.bmp
2005-10-03 19:52 187,834 ac------ c:\program files\white.bmp
2005-10-03 19:43 203,958 ac------ c:\program files\light blue.bmp
2005-09-09 20:20 95,274 ac------ c:\program files\braves symbol.bmp
2005-09-09 20:19 111,798 ac------ c:\program files\red sox symbol.bmp
2005-09-09 20:19 63,546 ac------ c:\program files\mets symbol.bmp
2005-09-09 20:19 23,174 ac------ c:\program files\yankee symbol.bmp
2005-09-09 20:09 39,407 ac------ c:\program files\Aunt Ann.jpg
2005-09-09 20:09 897,206 ac------ c:\program files\Aunt Pam.jpg
2005-09-09 19:41 242,022 ac------ c:\program files\green.bmp
2005-09-09 19:38 244,014 ac------ c:\program files\purple.bmp
2005-09-05 10:03 9,170 ac------ c:\program files\red.bmp
2005-09-05 09:54 997,714 ac------ c:\program files\Good Charlotte 3.bmp
2005-09-05 09:53 299,610 ac------ c:\program files\Good Charlotte 2.bmp
2005-09-05 09:51 1,444,858 ac------ c:\program files\Good Charlotte.bmp
2005-01-08 12:25 487,424 ac------ c:\documents and settings\mayzee\chatlnk.exe
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\pominoje.dll
2006-07-04 09:34 1,080,584 ---sh--- c:\windows\system32\ututv.bak1
2006-07-22 11:12 1,204,273 ---sh--- c:\windows\system32\ututv.bak2
2006-07-22 11:19 1,207,354 ---sh--- c:\windows\system32\ututv.ini2

============= FINISH: 16:57:34.09 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:52 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [tiwupizija] Rundll32.exe "C:\WINDOWS\system32\bugagoku.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tiwupizija] Rundll32.exe "C:\WINDOWS\system32\bugagoku.dll",s (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3c9d-426d-81df-aab636fa4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PSTFVJXPLCDS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mayzee\LOCALS~1\Temp\PSTFVJXPLCDS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: ZZZYIEZEIW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mayzee\LOCALS~1\Temp\ZZZYIEZEIW.exe

--
End of file - 11295 bytes

The attach is attached.

Thanks in advance!
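A triage script, added here as an example (it is not part of this thread, of DDS or of HijackThis), that turns the by-hand checks in the post above into code: it flags a service ImagePath whose variable does not expand (the %fystemroot% case), a service running from a temp folder, zero-byte drivers, and hidden+system files dropped under c:\windows, over DDS-style log lines. The sample lines are copied from the log above; the meaning of DDS's `[x]` marker and of the `s`/`h` attribute letters is my reading of the log format, and the rules are triage hints, not verdicts.

```python
"""Triage checks for DDS-style log lines (added example, not part of the thread).

check_image_path() looks at a service ImagePath the way the poster did by hand:
a misspelled variable such as %fystemroot% never expands, so the service cannot
find its binary, and a binary under a temp folder is rarely a legitimate service.
check_file() applies similar rules to the "Created Last 30" / "Find3M" file lines.
"""
import re

# Service/driver line, e.g. "S1 3d926d18;3d926d18;c:\windows\...\3d926d18.sys [2009-3-19 0]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# File line, e.g. "2009-03-19 17:15 65,536 a------- C:\pvnncaoo.exe"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+"
    r"(?:<DIR>|(?P<size>[\d,]+))\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+)$")

# Variables that legitimately appear unexpanded in an ImagePath value.
KNOWN_ENV = {"%systemroot%", "%windir%", "%programfiles%", "%systemdrive%"}
# Path fragments (compared lower-case) that mean "running out of a temp directory".
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def check_image_path(image_path):
    """Return reasons a service ImagePath deserves a look (empty list = nothing odd)."""
    p = image_path.lower()
    reasons = []
    for var in re.findall(r"%[^%\\\s]+%", p):
        if var not in KNOWN_ENV:
            reasons.append(f"unknown environment variable {var}")
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("binary lives in a temp directory")
    return reasons


def check_service(line):
    """Apply check_image_path() plus DDS-specific hints to one SERVICES / DRIVERS line."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    rest = m.group("rest").strip()
    reasons = check_image_path(rest)
    # Assumption: DDS writes "[x]" where it could not locate the service binary.
    if rest.lower().endswith("[x]"):
        reasons.append("service binary could not be located by DDS")
    # DDS appends "[date size]"; a zero-byte driver file is a stub, not a working driver.
    stat = re.search(r"\[\S+\s+(\d+)\]$", rest)
    if stat and int(stat.group(1)) == 0:
        reasons.append("zero-byte driver file")
    return reasons


def check_file(line):
    """Flag file lines with the traits seen in the log above: hidden+system files under
    c:\\windows, zero-byte binaries, executables dropped in the drive root, zeroed dates."""
    m = FILE_RE.match(line)
    if not m:
        return []
    path, attrs, size = m.group("path").lower(), m.group("attrs"), m.group("size")
    reasons = []
    if m.group("date") == "0000-00-00":
        reasons.append("zeroed timestamp")
    if size is not None and int(size.replace(",", "")) == 0 and path.endswith((".exe", ".dll", ".sys")):
        reasons.append("zero-byte executable or driver")
    # Assumption: in the DDS attribute column 's' and 'h' mark the system and hidden attributes.
    if "s" in attrs and "h" in attrs and path.startswith("c:\\windows"):
        reasons.append("hidden+system file under the Windows directory")
    if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path):
        reasons.append("executable in the drive root")
    return reasons


def triage(log_text):
    """Run both checks over a whole log; returns [(line, reasons)] for flagged lines only."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = check_service(line) or check_file(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Lines copied from the DDS log in the first post, with two clean ones for contrast.
SAMPLE_LOG = r"""
S1 3d926d18;3d926d18;c:\windows\system32\drivers\3d926d18.sys [2009-3-19 0]
S3 PSTFVJXPLCDS;PSTFVJXPLCDS;c:\docume~1\mayzee\locals~1\temp\PSTFVJXPLCDS.exe [2009-4-10 560000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
2009-04-05 11:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 10:25 1,791,638 ---sh--- c:\windows\ikuteyor.ini
2009-03-19 17:15 65,536 a------- C:\pvnncaoo.exe
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\pominoje.dll
"""

if __name__ == "__main__":
    print(check_image_path(r"%fystemroot%\system32\svchost.exe -k netsvcs"))
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```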

#2 KoanYorel

  • Staff Emeritus

Posted 24 April 2009 - 12:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Rascal

Rascal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 25 April 2009 - 06:38 AM

Thanks so much for responding!

Since my original post I've discovered a few more things - and a few things have happened:

The bit about the icons in the start menu was silly - I figured that one out

I found that both the windows update service and the BITS service had the %fystemroot% in the registry key. I manually changed the permissions and changed them back to %systemroot% and was then able to take the windows updates - all the way back to IE7.

I noticed that the windows backup utility was missing from the system and from the start menu

I noticed that the printer and faxes shortcut was missing from the start menu

Sadly, I saw that on 3/16 between 5:38 and 5:50 ALL of the jpg, doc, and xls files that were in a My Documents folder were overwritten and are no longer readable.

Since the original post I've done a lot of research on malware...but not a lot on this computer - although I did have it running one day and Norton found another crop of Vundo artifacts.

Here is the current DDS:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Mayzee at 7:20:14.45 on Sat 04/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.96 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\8f4b99be-4138-45cc-93d0-24578731f356.exe
C:\Documents and Settings\Mayzee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mayzee\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {44990301-3c9d-426d-81df-aab636fa4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = cli scecli

============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-13 47640]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 windefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-20 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090422.005\naveng.sys [2009-4-22 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090422.005\navex15.sys [2009-4-22 876144]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S1 3d926d18;3d926d18;c:\windows\system32\drivers\3d926d18.sys [2009-3-19 0]
S2 DP1112;DP1112;\??\c:\windows\system32\drivers\dp.sys --> c:\windows\system32\drivers\DP.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 PSTFVJXPLCDS;PSTFVJXPLCDS;c:\docume~1\mayzee\locals~1\temp\PSTFVJXPLCDS.exe [2009-4-10 560000]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
S3 ZZZYIEZEIW;ZZZYIEZEIW;c:\docume~1\mayzee\locals~1\temp\ZZZYIEZEIW.exe [2009-4-10 461696]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-22 15:51 85,955,256 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-22 15:29 606,208 a----r-- c:\windows\system32\hpotscl.dll
2009-04-22 15:29 258,122 a----r-- c:\windows\system32\hpovst08.dll
2009-04-22 15:29 278,528 a----r-- c:\windows\system32\hpgwiamd.dll
2009-04-20 17:35 108,168 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-20 17:35 87,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-19 19:01 <DIR> --d----- c:\windows\system32\scripting
2009-04-19 19:01 <DIR> --d----- c:\windows\system32\en
2009-04-19 19:01 <DIR> --d----- c:\windows\l2schemas
2009-04-19 19:01 <DIR> --d----- c:\windows\system32\bits
2009-04-19 19:00 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-19 18:56 <DIR> --d----- c:\windows\EHome
2009-04-19 18:40 <DIR> --d----- c:\windows\network diagnostic
2009-04-19 18:23 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-19 18:23 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-10 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-10 13:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-10 13:40 <DIR> --d----- c:\docume~1\mayzee\applic~1\SUPERAntiSpyware.com
2009-04-10 13:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-10 11:53 <DIR> --d----- c:\program files\Trend Micro
2009-04-05 17:27 0 a------- c:\windows\system32\sagobuho.dll
2009-04-05 17:09 <DIR> --d----- c:\program files\Symantec
2009-04-05 17:09 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-04-05 13:55 <DIR> --d----- C:\VundoFix Backups
2009-04-05 11:18 <DIR> --d----- c:\docume~1\mayzee\applic~1\Malwarebytes
2009-04-05 11:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 11:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 11:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 11:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 11:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 16:06 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-04 16:06 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-04-04 16:06 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-19 19:03 77,915 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 17:15 0 a------- c:\windows\system32\drivers\4addcba9.sys
2009-03-19 17:15 65,536 a------- C:\pvnncaoo.exe
2009-03-19 17:14 0 a------- c:\windows\system32\drivers\3d926d18.sys
2009-03-19 17:14 0 a------- C:\lvsen.exe
2009-03-19 17:13 54,784 a------- C:\cpkhjmkl.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-02-02 20:49 17,588 ---sh--- c:\windows\system32\jarekine.exe
2009-02-02 20:49 30,147 ---sh--- c:\windows\system32\yiyawefo.exe
2007-07-06 20:55 282,681 ac------ c:\program files\aunt catherine and uncle billy.exp
2007-07-06 20:36 43,724 ac------ c:\program files\beach pic.jpg
2006-05-07 14:40 96,054 ac------ c:\program files\eva 5.bmp
2006-05-07 14:36 34,884 ac------ c:\program files\eva is hott stuff.jpg
2006-05-07 14:35 2,840 ac------ c:\program files\eva 4.jpg
2006-05-07 14:33 18,978 ac------ c:\program files\eva 3.jpg
2006-05-07 14:31 1,092,075 ac------ c:\program files\eva is hott 2.jpg
2006-05-07 14:30 2,611 ac------ c:\program files\eva 2.jpg
2006-05-07 14:29 63,054 ac------ c:\program files\eva is hott.bmp
2006-01-16 14:11 40,854 ac------ c:\program files\pink smiley face.bmp
2006-01-16 14:10 40,854 ac------ c:\program files\smiley face.jpg
2005-12-23 20:12 27,136 ac------ c:\program files\letters for aunt's t-shirts.doc
2005-12-13 18:02 10,146 ac------ c:\program files\bowling for soup.bmp
2005-12-13 18:01 25,342 ac------ c:\program files\soup can.bmp
2005-12-13 18:00 4,006 ac------ c:\program files\four.bmp
2005-12-13 18:00 10,222 ac------ c:\program files\plus sign.bmp
2005-12-13 17:59 40,014 ac------ c:\program files\bowling ball.bmp
2005-12-11 17:01 285,654 ac------ c:\program files\eva.bmp
2005-12-11 16:41 27,382 ac------ c:\program files\eighth music note.bmp
2005-12-11 16:34 330,803 ac------ c:\program files\the sims 2.jpg
2005-12-11 11:54 1,479 ac------ c:\program files\one music note.jpg
2005-12-11 11:54 1,401 ac------ c:\program files\music note 2.jpg
2005-12-11 11:51 36,870 ac------ c:\program files\a music note.bmp
2005-12-10 19:56 1,142 ac------ c:\program files\blue music notes.bmp
2005-12-10 18:03 2,281 ac------ c:\program files\music notes.jpg
2005-12-10 18:02 2,281 ac------ c:\program files\music.jpg
2005-12-10 17:51 2,212 ac------ c:\program files\snowboarder.jpg
2005-12-10 17:35 234,102 ac------ c:\program files\hot pink.bmp
2005-12-10 17:34 231,310 ac------ c:\program files\blue.bmp
2005-12-10 17:34 236,058 ac------ c:\program files\yellow.bmp
2005-10-03 19:52 187,834 ac------ c:\program files\white.bmp
2005-10-03 19:43 203,958 ac------ c:\program files\light blue.bmp
2005-09-09 20:20 95,274 ac------ c:\program files\braves symbol.bmp
2005-09-09 20:19 111,798 ac------ c:\program files\red sox symbol.bmp
2005-09-09 20:19 63,546 ac------ c:\program files\mets symbol.bmp
2005-09-09 20:19 23,174 ac------ c:\program files\yankee symbol.bmp
2005-09-09 20:09 39,407 ac------ c:\program files\Aunt Ann.jpg
2005-09-09 20:09 897,206 ac------ c:\program files\Aunt Pam.jpg
2005-09-09 19:41 242,022 ac------ c:\program files\green.bmp
2005-09-09 19:38 244,014 ac------ c:\program files\purple.bmp
2005-09-05 10:03 9,170 ac------ c:\program files\red.bmp
2005-09-05 09:54 997,714 ac------ c:\program files\Good Charlotte 3.bmp
2005-09-05 09:53 299,610 ac------ c:\program files\Good Charlotte 2.bmp
2005-09-05 09:51 1,444,858 ac------ c:\program files\Good Charlotte.bmp
2005-01-08 12:25 487,424 ac------ c:\documents and settings\mayzee\chatlnk.exe
2009-01-22 21:29 23,467 ---sh--- c:\windows\system32\kawolumi.exe
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\pominoje.dll
2009-01-22 21:29 28,927 ---sh--- c:\windows\system32\royomuya.exe
2006-07-04 09:34 1,080,584 ---sh--- c:\windows\system32\ututv.bak1
2006-07-22 11:12 1,204,273 ---sh--- c:\windows\system32\ututv.bak2
2006-07-22 11:19 1,207,354 ---sh--- c:\windows\system32\ututv.ini2

============= FINISH: 7:20:51.37 ===============
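An added triage script, not part of this thread or of the DDS tool, that runs defender-side heuristics over a few lines copied from the DDS log above (zero-byte or randomly named drivers, services launched from a user temp folder, hidden+system executables in system32) and over one constructed service line, marked in the code, that reproduces the %fystemroot% ImagePath the poster described repairing by hand. The heuristics, the list of accepted environment tokens and the line-format regexes are this example's own assumptions.

```python
"""Triage heuristics for DDS-style log lines (added example; not from this thread
or from the DDS tool itself).

Flags the things a responder scans a DDS log for first:
  * services/drivers whose binary is 0 bytes or lives under a user temp folder
  * drivers named with 8 random hex digits
  * hidden+system (---sh---) executables dropped into system32
  * environment tokens that Windows will never expand, such as %fystemroot%
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread, plus
# ONE CONSTRUCTED service line (wuauserv) that reproduces the tampered
# %fystemroot% ImagePath the poster described repairing by hand.
SAMPLE_LINES = r"""
R2 windefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 3d926d18;3d926d18;c:\windows\system32\drivers\3d926d18.sys [2009-3-19 0]
S3 PSTFVJXPLCDS;PSTFVJXPLCDS;c:\docume~1\mayzee\locals~1\temp\PSTFVJXPLCDS.exe [2009-4-10 560000]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
S2 wuauserv;Automatic Updates;%fystemroot%\system32\svchost.exe -k netsvcs [?]
2009-02-02 20:49 17,588 ---sh--- c:\windows\system32\jarekine.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

# DDS line shapes (assumed): "R2 name;display;path [date size]",
# Find3M "date time size attrs path", and run keys "mRun: [label] command".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s*\[([^\]]*)\])?$")
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
RUN_RE = re.compile(r"^[umd]Run:\s+\[[^\]]*\]\s+(.+)$")
ENV_TOKEN_RE = re.compile(r"%([A-Za-z0-9_()]+)%")
RANDOM_HEX_SYS_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)

# Variables that legitimately appear in ImagePath / Run values (assumed list).
KNOWN_ENV_TOKENS = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
    "commonprogramfiles", "allusersprofile", "userprofile", "appdata",
    "localappdata", "temp", "tmp",
}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def unknown_env_tokens(text):
    """Return %TOKEN% names that Windows will not expand. The service control
    manager leaves an unknown token literal, so a path starting with
    %fystemroot% instead of %systemroot% never resolves and the service
    cannot start."""
    return [t for t in ENV_TOKEN_RE.findall(text) if t.lower() not in KNOWN_ENV_TOKENS]


def triage_line(line):
    """Apply every heuristic that fits this line; return a list of Findings."""
    findings = []

    def flag(reason):
        findings.append(Finding(line, reason))

    m = SERVICE_RE.match(line)
    if m:
        path, bracket = m.group(4), m.group(5) or ""
        base = path.rsplit("\\", 1)[-1].split()[0] if path.strip() else ""
        if bracket.split() and bracket.split()[-1] == "0":
            flag("zero-byte service/driver binary")
        if "\\temp\\" in path.lower():
            flag("service binary in a user temp folder")
        if RANDOM_HEX_SYS_RE.match(base):
            flag("driver with random 8-hex-digit name")
        for tok in unknown_env_tokens(path):
            flag(f"unknown environment token %{tok}% in service path")
        return findings

    m = FIND3M_RE.match(line)
    if m:
        attrs, path = m.groups()
        low = path.lower()
        if ("s" in attrs and "h" in attrs and "\\system32\\" in low
                and low.endswith((".exe", ".dll"))):
            flag("hidden+system executable in system32")
        return findings

    m = RUN_RE.match(line)
    if m:
        for tok in unknown_env_tokens(m.group(1)):
            flag(f"unknown environment token %{tok}% in run key")
    return findings


def triage(text):
    """Run triage_line over every non-blank line of a DDS log excerpt."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}: {f.line}")
```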

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:45 AM

Posted 25 April 2009 - 02:27 PM

Hello.

I still see some infections in those logs. We will run Combofix.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Rascal

Rascal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 26 April 2009 - 08:39 AM

Thanks for your help, Extremeboy!

I ran ComboFix as instructed:

ComboFix 09-04-25.A3 - Mayzee 04/26/2009 9:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.66 [GMT -4:00]
Running from: c:\documents and settings\Mayzee\Desktop\Pam's Folder\ComboFix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\ikuteyor.ini
c:\windows\system32\adayufup.ini
c:\windows\system32\ahezofod.ini
c:\windows\system32\ajivatal.ini
c:\windows\system32\anevenoy.ini
c:\windows\system32\arakubup.ini
c:\windows\system32\azidadur.ini
c:\windows\system32\ehukakum.ini
c:\windows\system32\ejahetay.ini
c:\windows\system32\eseveyad.ini
c:\windows\system32\ijiranil.ini
c:\windows\system32\ijotujuj.ini
c:\windows\system32\ilekebez.ini
c:\windows\system32\ilodazab.ini
c:\windows\system32\inevijif.ini
c:\windows\system32\itefubif.ini
c:\windows\system32\iwuboboj.ini
c:\windows\system32\odonetoy.ini
c:\windows\system32\oguwator.ini
c:\windows\system32\ojotehel.ini
c:\windows\system32\opekepuh.ini
c:\windows\system32\osehupol.ini
c:\windows\system32\osisakis.ini
c:\windows\system32\osituzov.ini
c:\windows\system32\owojusiv.ini
c:\windows\system32\ozuronun.ini
c:\windows\system32\pominoje.dll
c:\windows\system32\sagobuho.dll
c:\windows\system32\ubayikit.ini
c:\windows\system32\uboduseh.ini
c:\windows\system32\ugijikak.ini
c:\windows\system32\uhegayed.ini
c:\windows\system32\ujigewuy.ini
c:\windows\system32\ulifoyom.ini
c:\windows\system32\uniq.tll
c:\windows\system32\urisonap.ini
c:\windows\system32\usebudan.ini
c:\windows\SYSTEM32\ututv.bak1
c:\windows\SYSTEM32\ututv.bak2
c:\windows\SYSTEM32\ututv.ini
c:\windows\SYSTEM32\ututv.ini2
c:\windows\SYSTEM32\ututv.tmp
c:\windows\system32\uvajiroh.ini
c:\windows\Temp\tmp3.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\scripting
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\en
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\l2schemas
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\bits
2009-04-19 23:00 . 2009-04-19 23:02 -------- d-----w c:\windows\ServicePackFiles
2009-04-19 22:56 . 2009-04-19 22:56 -------- d-----w c:\windows\EHome
2009-04-19 22:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 22:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-19 21:24 . 2009-04-19 21:24 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-19 20:58 . 2009-04-19 20:58 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 18:44 . 2009-04-19 18:44 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 17:40 . 2009-04-25 11:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\Mayzee\Application Data\SUPERAntiSpyware.com
2009-04-10 17:39 . 2009-04-10 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 15:59 . 2009-04-10 16:04 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 15:53 . 2009-04-10 15:53 -------- d-----w c:\program files\Trend Micro
2009-04-05 22:21 . 2009-04-05 22:21 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\PCHealth
2009-04-05 21:09 . 2009-04-20 21:35 -------- d-----w c:\program files\Symantec
2009-04-05 21:09 . 2009-04-26 13:15 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-05 19:17 . 2009-04-05 19:17 -------- d-----w c:\program files\Windows Defender
2009-04-05 17:55 . 2009-04-05 17:55 -------- d-----w C:\VundoFix Backups
2009-04-05 15:18 . 2009-04-05 15:18 -------- d-----w c:\documents and settings\Mayzee\Application Data\Malwarebytes
2009-04-05 15:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 15:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:17 . 2009-04-20 17:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:17 . 2009-04-05 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:07 . 2009-04-05 15:07 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\{1C92D8C6-2D88-496E-B693-310733415B4B}
2009-04-05 15:00 . 2009-04-05 14:59 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 15:00 . 2009-04-05 14:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-04 20:06 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 12:53 . 2009-03-13 21:17 -------- d-----w c:\program files\LogMeIn
2009-04-22 19:51 . 2009-04-22 19:51 85955256 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-22 15:57 . 2004-11-29 15:18 -------- d-----w c:\program files\Modem On Hold
2009-04-20 21:37 . 2004-11-29 15:21 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 21:35 . 2004-11-29 15:21 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-20 19:28 . 2009-04-19 18:43 62824 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:11 . 2005-01-02 20:46 62824 -c--a-w c:\documents and settings\Mayzee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:03 . 2004-08-10 19:13 77915 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2009-04-05 18:29 . 2009-04-05 17:55 135 ----a-w C:\VundoFix.txt
2009-04-05 16:00 . 2005-03-05 15:50 -------- d-----w c:\program files\Greetings Workshop
2009-04-05 14:59 . 2004-11-29 15:16 -------- d-----w c:\program files\Java
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-19 21:15 . 2009-03-19 21:15 0 ----a-w c:\windows\system32\drivers\4addcba9.sys
2009-03-19 21:15 . 2009-03-19 21:15 65536 ----a-w C:\pvnncaoo.exe
2009-03-19 21:14 . 2009-03-19 21:14 0 ----a-w c:\windows\system32\drivers\3d926d18.sys
2009-03-19 21:14 . 2009-03-19 21:14 0 ----a-w C:\lvsen.exe
2009-03-19 21:14 . 2009-03-16 21:36 2 ----a-w C:\1552673077
2009-03-19 21:13 . 2009-03-19 21:13 54784 ----a-w C:\cpkhjmkl.exe
2009-03-13 21:17 . 2009-03-13 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-13 21:17 . 2009-03-13 21:17 1024 ----a-w C:\.rnd
2009-03-11 19:46 . 2008-11-23 15:33 210759 ----a-w C:\mombi.log
2009-03-06 14:22 . 2009-04-19 22:27 284160 ------w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2007-08-13 22:43 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2009-04-19 22:43 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 22:39 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 21:56 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2009-04-19 22:27 729088 ------w c:\windows\SYSTEM32\DLLCACHE\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2009-04-19 22:27 401408 ------w c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
2009-02-09 12:10 . 2009-04-19 22:27 473600 ------w c:\windows\SYSTEM32\DLLCACHE\fastprox.dll
2009-02-09 12:10 . 2009-04-19 22:27 453120 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvsd.dll
2009-02-09 12:10 . 2009-04-19 22:27 714752 ------w c:\windows\SYSTEM32\DLLCACHE\ntdll.dll
2009-02-09 12:10 . 2009-04-19 22:27 617472 ------w c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 11:22 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2009-02-07 23:02 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2009-04-19 22:27 110592 ------w c:\windows\SYSTEM32\DLLCACHE\services.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2009-04-19 22:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2009-04-19 22:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2009-04-19 22:27 35328 ------w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2009-04-19 22:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 10:10 . 2009-04-19 22:27 227840 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2009-02-03 00:49 . 2009-02-03 00:49 17588 --sh--w c:\windows\SYSTEM32\jarekine.exe
2009-02-03 00:49 . 2009-02-03 00:49 30147 --sh--w c:\windows\SYSTEM32\yiyawefo.exe
2007-07-07 00:55 . 2007-07-07 00:55 282681 -c--a-w c:\program files\aunt catherine and uncle billy.exp
2007-07-07 00:36 . 2007-07-07 00:37 43724 -c--a-w c:\program files\beach pic.jpg
2006-05-07 18:40 . 2006-05-07 18:40 96054 -c--a-w c:\program files\eva 5.bmp
2006-05-07 18:36 . 2006-05-07 18:36 34884 -c--a-w c:\program files\eva is hott stuff.jpg
2006-05-07 18:35 . 2006-05-07 18:35 2840 -c--a-w c:\program files\eva 4.jpg
2006-05-07 18:33 . 2006-05-07 18:33 18978 -c--a-w c:\program files\eva 3.jpg
2006-05-07 18:31 . 2006-05-07 18:31 1092075 -c--a-w c:\program files\eva is hott 2.jpg
2006-05-07 18:30 . 2006-05-07 18:32 2611 -c--a-w c:\program files\eva 2.jpg
2006-05-07 18:29 . 2006-05-07 18:29 63054 -c--a-w c:\program files\eva is hott.bmp
2006-01-16 18:11 . 2006-01-16 18:11 40854 -c--a-w c:\program files\pink smiley face.bmp
2006-01-16 18:10 . 2006-01-16 18:05 40854 -c--a-w c:\program files\smiley face.jpg
2005-12-24 00:12 . 2005-12-24 00:02 27136 -c--a-w c:\program files\letters for aunt's t-shirts.doc
2005-12-13 22:02 . 2005-12-12 22:26 10146 -c--a-w c:\program files\bowling for soup.bmp
2005-12-13 22:01 . 2005-12-12 22:26 25342 -c--a-w c:\program files\soup can.bmp
2005-12-13 22:00 . 2005-12-12 22:25 4006 -c--a-w c:\program files\four.bmp
2005-12-13 22:00 . 2005-12-12 22:29 10222 -c--a-w c:\program files\plus sign.bmp
2005-12-13 21:59 . 2005-12-12 22:25 40014 -c--a-w c:\program files\bowling ball.bmp
2005-12-11 21:01 . 2005-12-11 21:01 285654 -c--a-w c:\program files\eva.bmp
2005-12-11 20:41 . 2005-12-11 20:41 27382 -c--a-w c:\program files\eighth music note.bmp
2005-12-11 20:34 . 2005-12-11 20:34 330803 -c--a-w c:\program files\the sims 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1401 -c--a-w c:\program files\music note 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1479 -c--a-w c:\program files\one music note.jpg
2005-12-11 15:51 . 2005-12-11 15:51 36870 -c--a-w c:\program files\a music note.bmp
2005-12-10 23:56 . 2005-12-10 23:56 1142 -c--a-w c:\program files\blue music notes.bmp
2005-12-10 22:03 . 2005-12-10 22:03 2281 -c--a-w c:\program files\music notes.jpg
2005-12-10 22:02 . 2005-12-10 22:01 2281 -c--a-w c:\program files\music.jpg
2005-12-10 21:51 . 2005-12-10 21:52 2212 -c--a-w c:\program files\snowboarder.jpg
2005-12-10 21:35 . 2005-12-10 21:35 234102 -c--a-w c:\program files\hot pink.bmp
2005-12-10 21:34 . 2005-10-03 23:48 231310 -c--a-w c:\program files\blue.bmp
2005-12-10 21:34 . 2005-12-10 21:34 236058 -c--a-w c:\program files\yellow.bmp
2005-10-03 23:52 . 2005-10-03 23:52 187834 -c--a-w c:\program files\white.bmp
2005-10-03 23:43 . 2005-10-03 23:43 203958 -c--a-w c:\program files\light blue.bmp
2005-09-10 00:20 . 2005-09-10 00:20 95274 -c--a-w c:\program files\braves symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 111798 -c--a-w c:\program files\red sox symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 63546 -c--a-w c:\program files\mets symbol.bmp
2005-09-10 00:19 . 2005-09-09 23:43 23174 -c--a-w c:\program files\yankee symbol.bmp
2005-09-10 00:09 . 2005-09-10 00:09 39407 -c--a-w c:\program files\Aunt Ann.jpg
2005-09-10 00:09 . 2005-09-10 00:09 897206 -c--a-w c:\program files\Aunt Pam.jpg
2005-09-09 23:41 . 2005-09-09 23:39 242022 -c--a-w c:\program files\green.bmp
2005-09-09 23:38 . 2005-09-09 23:38 244014 -c--a-w c:\program files\purple.bmp
2005-09-05 14:03 . 2005-09-05 14:03 9170 -c--a-w c:\program files\red.bmp
2005-09-05 13:54 . 2005-09-05 13:54 997714 -c--a-w c:\program files\Good Charlotte 3.bmp
2005-09-05 13:53 . 2005-09-05 13:53 299610 -c--a-w c:\program files\Good Charlotte 2.bmp
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
2009-01-23 01:29 . 2009-01-23 01:29 23467 --sh--w c:\windows\SYSTEM32\kawolumi.exe
2009-01-23 01:29 . 2009-01-23 01:29 28927 --sh--w c:\windows\SYSTEM32\royomuya.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-11-29 26112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Mayzee\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-3-17 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WLService.exe"=
"c:\\WINDOWS\\SYSTEM32\\ati2evxx.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SYSTEM32\\WSCNTFY.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\DoScan.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 3d926d18;3d926d18;c:\windows\System32\drivers\3d926d18.sys [2009-03-19 0]
R2 DP1112;DP1112; [x]
R3 PSTFVJXPLCDS;PSTFVJXPLCDS; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
R3 ZZZYIEZEIW;ZZZYIEZEIW; [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2009-04-25 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]

2009-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-04-05 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 09:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,15,b6,9d,37,c6,
3f,24,0f,e2,63,26,f1,3f,c8,ff,68,27,62,3a,45,33,6e,19,b7,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,9a,dd,6c,9f,ff,
31,a7,54,6a,9c,d6,61,af,45,84,18,db,3b,e3,03,e6,9d,2a,e0,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,70,02,76,5e,c5,
41,37,bb,ff,7c,85,e0,43,d4,0e,fe,0b,29,06,0e,b2,c7,b2,33,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,e2,ba,cd,f5,79,
04,e2,b8,86,8c,21,01,be,91,eb,e7,2d,ec,21,f2,30,3d,4b,25,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,8d,e0,ce,1d,46,
c8,a9,bf,f5,1d,4d,73,a8,13,5c,05,27,a3,9b,cc,10,a1,e2,bb,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,04,4a,8b,88,6b,
a4,ab,62,df,20,58,62,78,6b,cf,c8,ff,1e,e2,64,d4,41,91,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,0c,f7,0a,2d,94,
ac,76,86,fb,a7,78,e6,12,2f,9a,ea,73,8c,c5,cb,6a,3a,2f,ac,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,0a,7e,23,57,59,
91,11,1e,01,3a,48,fc,e8,04,4a,f1,43,4f,64,3d,6e,00,71,83,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,f1,d8,57,b2,82,
6a,a8,a0,f6,0f,4e,58,98,5b,89,c9,33,38,16,4a,72,4e,2b,17,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,03,b8,01,22,23,
85,1d,11,3d,ce,ea,26,2d,45,aa,78,40,a1,60,9a,57,e8,28,89,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,b6,a1,8b,6a,59,
9a,7c,fe,2a,b7,cc,b5,b9,7f,41,e7,ae,34,53,20,38,da,94,f7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,94,44,81,b1,11,
84,40,5d,6c,43,2d,1e,aa,22,2f,9c,f2,8b,14,c3,0d,0c,ea,8a,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3728)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqste08.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
.
**************************************************************************
.
Completion time: 2009-04-26 9:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 13:23

Pre-Run: 125,535,858,688 bytes free
Post-Run: 125,720,866,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

456 --- E O F --- 2009-04-25 11:24

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:45 AM

Posted 26 April 2009 - 10:37 AM

Hello.

Let's continue.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/218378/vundo-blues/
    
    KillAll::
    
    Collect::[68]
    C:\pvnncaoo.exe
    C:\lvsen.exe
    C:\cpkhjmkl.exe
    c:\windows\SYSTEM32\jarekine.exe
    c:\windows\SYSTEM32\yiyawefo.exe
    c:\windows\SYSTEM32\kawolumi.exe
    c:\windows\SYSTEM32\royomuya.exe
    File::
    c:\windows\system32\drivers\3d926d18.sys
    c:\windows\system32\drivers\4addcba9.sys
    C:\1552673077
    Driver::
    DP1112
    PSTFVJXPLCDS
    ZZZYIEZEIW
    LMIRfsClientNP
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:
-Did you/Combofix upload the Samples?
-Combofix log
-MBAM log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
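An added triage helper (example code written for this page, not part of the thread, of ComboFix, or of the helper's own tooling) that reads the kind of log lines posted above and flags the same indicators the CFScript in this post targets: hidden+system program files in system32, zero-byte driver files, executables or numeric-named files sitting at the drive root, and services whose binary is missing (`[x]`) or zero bytes. The sample lines are copied from the log above; the flagging rules and the `build_cfscript` layout are my heuristics (assumptions, not ComboFix behaviour), and the output is a draft for a human to review, not something to run unattended.

```python
"""Triage a ComboFix log excerpt and draft a CFScript-shaped candidate list.
Hypothetical helper: the rules below are heuristics, not ComboFix logic."""
import re
from collections import namedtuple

FileEntry = namedtuple("FileEntry", "created modified size attrs path")
ServiceEntry = namedtuple("ServiceEntry", "start name display image")

# Find3M / "Files Created" lines: "<created> . <modified> <size> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")
# Driver/service lines: "<R|S><n> <name>;<display>;<image> [<date> <size>]" or "[x]"
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")

ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
ROOT_NUMERIC = re.compile(r"^[a-z]:\\\d+$", re.IGNORECASE)
ZERO_BYTE_IMAGE = re.compile(r"\[\d{4}-\d{2}-\d{2} 0\]$")

# Sample lines copied from the log posted above (benign entries included on purpose).
SAMPLE_LOG = r"""
2009-04-05 15:00 . 2009-04-05 14:59 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-03-19 21:15 . 2009-03-19 21:15 0 ----a-w c:\windows\system32\drivers\4addcba9.sys
2009-03-19 21:15 . 2009-03-19 21:15 65536 ----a-w C:\pvnncaoo.exe
2009-03-19 21:14 . 2009-03-16 21:36 2 ----a-w C:\1552673077
2009-02-03 00:49 . 2009-02-03 00:49 17588 --sh--w c:\windows\SYSTEM32\jarekine.exe
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
2009-04-26 12:53 . 2009-03-13 21:17 -------- d-----w c:\program files\LogMeIn
R1 3d926d18;3d926d18;c:\windows\System32\drivers\3d926d18.sys [2009-03-19 0]
R2 DP1112;DP1112; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
"""


def parse_file_line(line):
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    # directories show "--------" in the size column; keep None for those
    return FileEntry(created, modified, int(size) if size.isdigit() else None, attrs, path)


def parse_service_line(line):
    m = SERVICE_LINE.match(line.strip())
    return ServiceEntry(*m.groups()) if m else None


def file_reasons(entry):
    """Heuristic reasons a file entry deserves a second look (empty list = nothing)."""
    reasons = []
    low = entry.path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # attribute column: 's' = system, 'h' = hidden; both set on a program file in
    # system32 is how the droppers in this log were hiding
    if "s" in entry.attrs and "h" in entry.attrs and "\\system32\\" in low \
            and ext in ("exe", "dll", "tmp", "sys"):
        reasons.append("hidden+system file in system32")
    if entry.size == 0 and ext == "sys":
        reasons.append("zero-byte driver file")
    if ROOT_EXE.match(entry.path):
        reasons.append("executable at drive root")
    if ROOT_NUMERIC.match(entry.path):
        reasons.append("numeric-named file at drive root")
    return reasons


def service_reasons(entry):
    reasons = []
    image = entry.image.strip()
    if image == "[x]":
        reasons.append("service registered but binary missing")
    elif ZERO_BYTE_IMAGE.search(image):
        reasons.append("service image is a zero-byte file")
    return reasons


def triage(log_text):
    """Scan every line; return ({path: reasons}, {service_name: reasons})."""
    files, services = {}, {}
    for line in log_text.splitlines():
        f = parse_file_line(line)
        if f:
            if file_reasons(f):
                files[f.path] = file_reasons(f)
            continue
        s = parse_service_line(line)
        if s and service_reasons(s):
            services[s.name] = service_reasons(s)
    return files, services


def build_cfscript(files, services, topic_url):
    """Lay findings out in the directive shape used in the thread: executables under
    Collect:: (zipped for analysis), other files under File::, services under Driver::."""
    collect = sorted(p for p in files if p.lower().endswith(".exe"))
    remove = sorted(p for p in files if not p.lower().endswith(".exe"))
    lines = [topic_url, "", "KillAll::", ""]
    if collect:
        lines += ["Collect::"] + collect
    if remove:
        lines += ["File::"] + remove
    if services:
        lines += ["Driver::"] + sorted(services)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found_files, found_services = triage(SAMPLE_LOG)
    print(build_cfscript(found_files, found_services, "http://example.invalid/topic"))
```

Run on the sample above it flags the three root-level droppers, the two hidden+system files in system32 and the zero-byte driver, and the two services with no usable image, while leaving NTLDR (hidden+system but at the root with no `.exe`) and the Java control panel alone. The draft it prints still needs a reviewer: `agitedif.tmp`, for instance, is flagged here but the helper above chose not to include it.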

#7 Rascal

Rascal
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:45 AM

Posted 26 April 2009 - 03:07 PM

Ok, Extremeboy -

I have to confess that I walked away from the computer as ComboFix was running - when I came back there was no dialog and the combofix report was presenting. So I don't believe that it uploaded - I did that myself.

MBAM was clean

ComboFix 09-04-25.A3 - Mayzee 04/26/2009 15:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.167 [GMT -4:00]
Running from: c:\documents and settings\Mayzee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mayzee\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\1552673077
c:\windows\system32\drivers\3d926d18.sys
c:\windows\system32\drivers\4addcba9.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1552673077
C:\cpkhjmkl.exe
C:\lvsen.exe
C:\pvnncaoo.exe
c:\windows\system32\drivers\3d926d18.sys
c:\windows\system32\drivers\4addcba9.sys
c:\windows\SYSTEM32\jarekine.exe
c:\windows\SYSTEM32\kawolumi.exe
c:\windows\SYSTEM32\royomuya.exe
c:\windows\SYSTEM32\yiyawefo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DP1112
-------\Legacy_LMIRFSCLIENTNP
-------\Legacy_PSTFVJXPLCDS
-------\Legacy_ZZZYIEZEIW
-------\Service_DP1112
-------\Service_LMIRfsClientNP
-------\Service_PSTFVJXPLCDS
-------\Service_ZZZYIEZEIW


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-22 21:35 . 2009-04-22 21:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-04-22 19:51 . 2009-04-22 19:51 85955256 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-22 19:29 . 2005-04-08 01:51 258122 ----a-r c:\windows\system32\hpovst08.dll
2009-04-22 19:29 . 2005-04-08 01:51 606208 ----a-r c:\windows\system32\hpotscl.dll
2009-04-22 19:29 . 2005-04-08 01:51 278528 ----a-r c:\windows\system32\hpgwiamd.dll
2009-04-20 21:35 . 2005-09-17 04:20 87768 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-20 21:35 . 2005-09-17 04:20 108168 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\scripting
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\en
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\l2schemas
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\bits
2009-04-19 23:00 . 2009-04-19 23:02 -------- d-----w c:\windows\ServicePackFiles
2009-04-19 22:56 . 2009-04-19 22:56 -------- d-----w c:\windows\EHome
2009-04-19 22:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 22:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-19 21:24 . 2009-04-19 21:24 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-19 20:58 . 2009-04-19 20:58 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 18:44 . 2009-04-19 18:44 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 17:40 . 2009-04-25 11:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\Mayzee\Application Data\SUPERAntiSpyware.com
2009-04-10 17:39 . 2009-04-10 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 15:59 . 2009-04-10 16:04 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 15:53 . 2009-04-10 15:53 -------- d-----w c:\program files\Trend Micro
2009-04-05 22:21 . 2009-04-05 22:21 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\PCHealth
2009-04-05 21:09 . 2009-04-20 21:35 -------- d-----w c:\program files\Symantec
2009-04-05 21:09 . 2009-04-26 19:27 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-05 19:17 . 2009-04-05 19:17 -------- d-----w c:\program files\Windows Defender
2009-04-05 17:55 . 2009-04-05 17:55 -------- d-----w C:\VundoFix Backups
2009-04-05 15:18 . 2009-04-05 15:18 -------- d-----w c:\documents and settings\Mayzee\Application Data\Malwarebytes
2009-04-05 15:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 15:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:17 . 2009-04-20 17:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:17 . 2009-04-05 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:07 . 2009-04-05 15:07 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\{1C92D8C6-2D88-496E-B693-310733415B4B}
2009-04-05 15:00 . 2009-04-05 14:59 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 15:00 . 2009-04-05 14:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-04 20:06 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 12:53 . 2009-03-13 21:17 -------- d-----w c:\program files\LogMeIn
2009-04-22 15:57 . 2004-11-29 15:18 -------- d-----w c:\program files\Modem On Hold
2009-04-20 21:37 . 2004-11-29 15:21 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 21:35 . 2004-11-29 15:21 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-20 19:28 . 2009-04-19 18:43 62824 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:11 . 2005-01-02 20:46 62824 -c--a-w c:\documents and settings\Mayzee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:03 . 2004-08-10 19:13 77915 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2009-04-05 18:29 . 2009-04-05 17:55 135 ----a-w C:\VundoFix.txt
2009-04-05 16:00 . 2005-03-05 15:50 -------- d-----w c:\program files\Greetings Workshop
2009-04-05 14:59 . 2004-11-29 15:16 -------- d-----w c:\program files\Java
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-13 21:17 . 2009-03-13 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-13 21:17 . 2009-03-13 21:17 1024 ----a-w C:\.rnd
2009-03-11 19:46 . 2008-11-23 15:33 210759 ----a-w C:\mombi.log
2009-03-06 14:22 . 2009-04-19 22:27 284160 ------w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2007-08-13 22:43 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2009-04-19 22:43 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 22:39 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 21:56 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2009-04-19 22:27 729088 ------w c:\windows\SYSTEM32\DLLCACHE\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2009-04-19 22:27 401408 ------w c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
2009-02-09 12:10 . 2009-04-19 22:27 473600 ------w c:\windows\SYSTEM32\DLLCACHE\fastprox.dll
2009-02-09 12:10 . 2009-04-19 22:27 453120 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvsd.dll
2009-02-09 12:10 . 2009-04-19 22:27 714752 ------w c:\windows\SYSTEM32\DLLCACHE\ntdll.dll
2009-02-09 12:10 . 2009-04-19 22:27 617472 ------w c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 11:22 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2009-02-07 23:02 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2009-04-19 22:27 110592 ------w c:\windows\SYSTEM32\DLLCACHE\services.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2009-04-19 22:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2009-04-19 22:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2009-04-19 22:27 35328 ------w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2009-04-19 22:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 10:10 . 2009-04-19 22:27 227840 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-07-07 00:55 . 2007-07-07 00:55 282681 -c--a-w c:\program files\aunt catherine and uncle billy.exp
2007-07-07 00:36 . 2007-07-07 00:37 43724 -c--a-w c:\program files\beach pic.jpg
2006-05-07 18:40 . 2006-05-07 18:40 96054 -c--a-w c:\program files\eva 5.bmp
2006-05-07 18:36 . 2006-05-07 18:36 34884 -c--a-w c:\program files\eva is hott stuff.jpg
2006-05-07 18:35 . 2006-05-07 18:35 2840 -c--a-w c:\program files\eva 4.jpg
2006-05-07 18:33 . 2006-05-07 18:33 18978 -c--a-w c:\program files\eva 3.jpg
2006-05-07 18:31 . 2006-05-07 18:31 1092075 -c--a-w c:\program files\eva is hott 2.jpg
2006-05-07 18:30 . 2006-05-07 18:32 2611 -c--a-w c:\program files\eva 2.jpg
2006-05-07 18:29 . 2006-05-07 18:29 63054 -c--a-w c:\program files\eva is hott.bmp
2006-01-16 18:11 . 2006-01-16 18:11 40854 -c--a-w c:\program files\pink smiley face.bmp
2006-01-16 18:10 . 2006-01-16 18:05 40854 -c--a-w c:\program files\smiley face.jpg
2005-12-24 00:12 . 2005-12-24 00:02 27136 -c--a-w c:\program files\letters for aunt's t-shirts.doc
2005-12-13 22:02 . 2005-12-12 22:26 10146 -c--a-w c:\program files\bowling for soup.bmp
2005-12-13 22:01 . 2005-12-12 22:26 25342 -c--a-w c:\program files\soup can.bmp
2005-12-13 22:00 . 2005-12-12 22:25 4006 -c--a-w c:\program files\four.bmp
2005-12-13 22:00 . 2005-12-12 22:29 10222 -c--a-w c:\program files\plus sign.bmp
2005-12-13 21:59 . 2005-12-12 22:25 40014 -c--a-w c:\program files\bowling ball.bmp
2005-12-11 21:01 . 2005-12-11 21:01 285654 -c--a-w c:\program files\eva.bmp
2005-12-11 20:41 . 2005-12-11 20:41 27382 -c--a-w c:\program files\eighth music note.bmp
2005-12-11 20:34 . 2005-12-11 20:34 330803 -c--a-w c:\program files\the sims 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1401 -c--a-w c:\program files\music note 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1479 -c--a-w c:\program files\one music note.jpg
2005-12-11 15:51 . 2005-12-11 15:51 36870 -c--a-w c:\program files\a music note.bmp
2005-12-10 23:56 . 2005-12-10 23:56 1142 -c--a-w c:\program files\blue music notes.bmp
2005-12-10 22:03 . 2005-12-10 22:03 2281 -c--a-w c:\program files\music notes.jpg
2005-12-10 22:02 . 2005-12-10 22:01 2281 -c--a-w c:\program files\music.jpg
2005-12-10 21:51 . 2005-12-10 21:52 2212 -c--a-w c:\program files\snowboarder.jpg
2005-12-10 21:35 . 2005-12-10 21:35 234102 -c--a-w c:\program files\hot pink.bmp
2005-12-10 21:34 . 2005-10-03 23:48 231310 -c--a-w c:\program files\blue.bmp
2005-12-10 21:34 . 2005-12-10 21:34 236058 -c--a-w c:\program files\yellow.bmp
2005-10-03 23:52 . 2005-10-03 23:52 187834 -c--a-w c:\program files\white.bmp
2005-10-03 23:43 . 2005-10-03 23:43 203958 -c--a-w c:\program files\light blue.bmp
2005-09-10 00:20 . 2005-09-10 00:20 95274 -c--a-w c:\program files\braves symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 111798 -c--a-w c:\program files\red sox symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 63546 -c--a-w c:\program files\mets symbol.bmp
2005-09-10 00:19 . 2005-09-09 23:43 23174 -c--a-w c:\program files\yankee symbol.bmp
2005-09-10 00:09 . 2005-09-10 00:09 39407 -c--a-w c:\program files\Aunt Ann.jpg
2005-09-10 00:09 . 2005-09-10 00:09 897206 -c--a-w c:\program files\Aunt Pam.jpg
2005-09-09 23:41 . 2005-09-09 23:39 242022 -c--a-w c:\program files\green.bmp
2005-09-09 23:38 . 2005-09-09 23:38 244014 -c--a-w c:\program files\purple.bmp
2005-09-05 14:03 . 2005-09-05 14:03 9170 -c--a-w c:\program files\red.bmp
2005-09-05 13:54 . 2005-09-05 13:54 997714 -c--a-w c:\program files\Good Charlotte 3.bmp
2005-09-05 13:53 . 2005-09-05 13:53 299610 -c--a-w c:\program files\Good Charlotte 2.bmp
2005-09-05 13:51 . 2005-09-05 13:51 1444858 -c--a-w c:\program files\Good Charlotte.bmp
2005-07-09 20:40 . 2005-07-09 20:40 129 ----a-w c:\documents and settings\Mayzee\Local Settings\Application Data\fusioncache.dat
2005-01-08 16:25 . 2005-01-08 16:25 487424 -c--a-w c:\documents and settings\Mayzee\chatlnk.exe
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_13.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 19:26 . 2009-04-26 19:26 16384 c:\windows\temp\Perflib_Perfdata_240.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-11-29 26112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Mayzee\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-3-17 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WLService.exe"=
"c:\\WINDOWS\\SYSTEM32\\ati2evxx.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SYSTEM32\\WSCNTFY.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\DoScan.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 3d926d18;3d926d18; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2009-04-26 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]

2009-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-04-05 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 15:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,15,b6,9d,37,c6,
3f,24,0f,e2,63,26,f1,3f,c8,ff,68,27,62,3a,45,33,6e,19,b7,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,9a,dd,6c,9f,ff,
31,a7,54,6a,9c,d6,61,af,45,84,18,db,3b,e3,03,e6,9d,2a,e0,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,70,02,76,5e,c5,
41,37,bb,ff,7c,85,e0,43,d4,0e,fe,0b,29,06,0e,b2,c7,b2,33,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,e2,ba,cd,f5,79,
04,e2,b8,86,8c,21,01,be,91,eb,e7,2d,ec,21,f2,30,3d,4b,25,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,8d,e0,ce,1d,46,
c8,a9,bf,f5,1d,4d,73,a8,13,5c,05,27,a3,9b,cc,10,a1,e2,bb,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,04,4a,8b,88,6b,
a4,ab,62,df,20,58,62,78,6b,cf,c8,ff,1e,e2,64,d4,41,91,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,0c,f7,0a,2d,94,
ac,76,86,fb,a7,78,e6,12,2f,9a,ea,73,8c,c5,cb,6a,3a,2f,ac,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,0a,7e,23,57,59,
91,11,1e,01,3a,48,fc,e8,04,4a,f1,43,4f,64,3d,6e,00,71,83,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,f1,d8,57,b2,82,
6a,a8,a0,f6,0f,4e,58,98,5b,89,c9,33,38,16,4a,72,4e,2b,17,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,03,b8,01,22,23,
85,1d,11,3d,ce,ea,26,2d,45,aa,78,40,a1,60,9a,57,e8,28,89,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,b6,a1,8b,6a,59,
9a,7c,fe,2a,b7,cc,b5,b9,7f,41,e7,ae,34,53,20,38,da,94,f7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,94,44,81,b1,11,
84,40,5d,6c,43,2d,1e,aa,22,2f,9c,f2,8b,14,c3,0d,0c,ea,8a,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3704)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-26 15:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 19:35
ComboFix2.txt 2009-04-26 13:24

Pre-Run: 125,704,900,608 bytes free
Post-Run: 125,685,571,584 bytes free

424 --- E O F --- 2009-04-25 11:24



Malwarebytes' Anti-Malware 1.36
Database version: 2045
Windows 5.1.2600 Service Pack 3

4/26/2009 3:59:10 PM
mbam-log-2009-04-26 (15-59-10).txt

Scan type: Quick Scan
Objects scanned: 85728
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:45 AM

Posted 26 April 2009 - 04:05 PM

Hello.

Don't worry about it. I see you uploaded it already so thanks. :thumbup2:

One more driver we need to remove. Run an online scan as well.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start > Run > "notepad") and copy/paste the text in the quote box below into it:
    Driver::
    3d926d18
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-Kaspersky log
-How's your computer running? Any more symptoms?

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].
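The CFScript above targets the one driver entry in the log that ComboFix marked as having no image file ("R1 3d926d18;3d926d18; [x]"). As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage pass over the driver/service and Run-key lines of a ComboFix log that picks out exactly that kind of entry; the sample input is an excerpt copied from the log above, and treating "UserFaultCheck" as an expected unresolved entry is an assumption made for this example.

```python
"""Triage helper for the 'Reg Loading Points' part of a ComboFix log.

Added example for this thread, not ComboFix's own code. It scans the
R*/S* driver-and-service lines and the HKCU/HKLM Run-key lines that
ComboFix prints and flags the entries a reviewer would look at first:
a driver whose image file is missing ('[x]'), a driver whose name is a
random-looking 8-hex-digit string like 3d926d18, and a Run value whose
image ComboFix could not resolve ('[X]').
"""
import re
from dataclasses import dataclass

# "R1 3d926d18;3d926d18; [x]"  or
# "S2 windefend;Windows Defender;c:\...\MsMpEng.exe [2006-11-03 13592]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# '"ccApp"="c:\...\ccApp.exe" [2005-10-04 48752]'  or  '... [X]'
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[([^\]]*)\]\s*$')
# Vundo-era droppers registered drivers under 8-hex-digit names
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# Assumption for this example: on a stock XP box this Run value shows as
# [X] because ComboFix cannot resolve "dumprep 0 -u" (path plus arguments)
EXPECTED_UNRESOLVED_RUN = {"UserFaultCheck"}


@dataclass
class Finding:
    kind: str              # "service" or "run"
    name: str
    image: str             # image path, or "" when ComboFix marked it missing
    reasons: list
    expected: bool = False  # True for a known-benign oddity, to de-prioritise


def classify_service(line: str):
    """Return a Finding for a suspicious R*/S* line, otherwise None."""
    m = SERVICE_RE.match(line.rstrip())
    if not m:
        return None
    _start_type, name, _display, rest = m.groups()
    rest = rest.strip()
    reasons = []
    missing = rest.lower() == "[x]"
    if missing:
        reasons.append("image file missing ([x]): orphaned or hidden driver entry")
    if RANDOM_HEX_RE.match(name):
        reasons.append("name is 8 hex digits: looks machine-generated")
    if not reasons:
        return None
    # drop the trailing "[date size]" stamp so only the path remains
    image = "" if missing else rest.rsplit(" [", 1)[0]
    return Finding("service", name, image, reasons)


def classify_run(line: str):
    """Return a Finding for a Run-key value whose image is unresolved, otherwise None."""
    m = RUN_RE.match(line.rstrip())
    if not m:
        return None
    name, image, stamp = m.groups()
    if stamp.upper() != "X":
        return None  # "[date size]" means ComboFix found and sized the file
    expected = name in EXPECTED_UNRESOLVED_RUN
    reason = ("image unresolved ([X]) but a stock XP entry; not a Vundo sign on its own"
              if expected else "image unresolved ([X]): verify the path exists")
    return Finding("run", name, image, [reason], expected)


def triage(log_text: str):
    """Run both classifiers over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        found = classify_service(line) or classify_run(line)
        if found:
            findings.append(found)
    return findings


# Constructed excerpt: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]

R1 3d926d18;3d926d18; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "note" if f.expected else "REVIEW"
        print(f"{flag:6} {f.kind:7} {f.name:16} {f.image or '<missing>'}")
        for r in f.reasons:
            print(f"        - {r}")
```

A hit here is a prompt for a human to look, not a verdict: the legitimate Symantec and SUPERAntiSpyware drivers in the log pass through untouched, while the nameless driver the helper removed is the only service-level finding.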

#9 Rascal

Rascal
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:45 AM

Posted 27 April 2009 - 07:46 PM

Ok, Extremeboy - the logs are below.

Regarding your question about how the computer is doing - I don't really know because I haven't been using this computer for anything but running your scans. Assuming that it looks ok to you, can we keep the thread open for a couple days so I can kick the tires?

In the meantime, because of the corrupted jpg, doc, and xls files that I described in my second post (all of the files in the My Documents folders became corrupted on 3/16 - pretty much at the same time) - the doc and xls will not open - Word and Excel offer a file conversion dialog - but all I am looking at is gibberish. And the jpgs give me 'no preview available' or 'invalid jpeg header' (or something very close to that) depending on what I try to open them in. I put up a posting on the jpg issue - it's in the Windows XP forum - garmanma picked it up but asked me to first ask you if you can help me try to recover - the jpgs at least - before coming back to him. Can you help?

Here are the logs:

ComboFix 09-04-25.A3 - Mayzee 04/26/2009 15:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.167 [GMT -4:00]
Running from: c:\documents and settings\Mayzee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mayzee\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\1552673077
c:\windows\system32\drivers\3d926d18.sys
c:\windows\system32\drivers\4addcba9.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1552673077
C:\cpkhjmkl.exe
C:\lvsen.exe
C:\pvnncaoo.exe
c:\windows\system32\drivers\3d926d18.sys
c:\windows\system32\drivers\4addcba9.sys
c:\windows\SYSTEM32\jarekine.exe
c:\windows\SYSTEM32\kawolumi.exe
c:\windows\SYSTEM32\royomuya.exe
c:\windows\SYSTEM32\yiyawefo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DP1112
-------\Legacy_LMIRFSCLIENTNP
-------\Legacy_PSTFVJXPLCDS
-------\Legacy_ZZZYIEZEIW
-------\Service_DP1112
-------\Service_LMIRfsClientNP
-------\Service_PSTFVJXPLCDS
-------\Service_ZZZYIEZEIW


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-22 21:35 . 2009-04-22 21:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-04-22 19:51 . 2009-04-22 19:51 85955256 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-22 19:29 . 2005-04-08 01:51 258122 ----a-r c:\windows\system32\hpovst08.dll
2009-04-22 19:29 . 2005-04-08 01:51 606208 ----a-r c:\windows\system32\hpotscl.dll
2009-04-22 19:29 . 2005-04-08 01:51 278528 ----a-r c:\windows\system32\hpgwiamd.dll
2009-04-20 21:35 . 2005-09-17 04:20 87768 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-20 21:35 . 2005-09-17 04:20 108168 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\scripting
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\en
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\l2schemas
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\bits
2009-04-19 23:00 . 2009-04-19 23:02 -------- d-----w c:\windows\ServicePackFiles
2009-04-19 22:56 . 2009-04-19 22:56 -------- d-----w c:\windows\EHome
2009-04-19 22:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 22:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-19 21:24 . 2009-04-19 21:24 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-19 20:58 . 2009-04-19 20:58 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 18:44 . 2009-04-19 18:44 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 17:40 . 2009-04-25 11:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\Mayzee\Application Data\SUPERAntiSpyware.com
2009-04-10 17:39 . 2009-04-10 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 15:59 . 2009-04-10 16:04 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 15:53 . 2009-04-10 15:53 -------- d-----w c:\program files\Trend Micro
2009-04-05 22:21 . 2009-04-05 22:21 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\PCHealth
2009-04-05 21:09 . 2009-04-20 21:35 -------- d-----w c:\program files\Symantec
2009-04-05 21:09 . 2009-04-26 19:27 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-05 19:17 . 2009-04-05 19:17 -------- d-----w c:\program files\Windows Defender
2009-04-05 17:55 . 2009-04-05 17:55 -------- d-----w C:\VundoFix Backups
2009-04-05 15:18 . 2009-04-05 15:18 -------- d-----w c:\documents and settings\Mayzee\Application Data\Malwarebytes
2009-04-05 15:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 15:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:17 . 2009-04-20 17:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:17 . 2009-04-05 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:07 . 2009-04-05 15:07 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\{1C92D8C6-2D88-496E-B693-310733415B4B}
2009-04-05 15:00 . 2009-04-05 14:59 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 15:00 . 2009-04-05 14:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-04 20:06 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 12:53 . 2009-03-13 21:17 -------- d-----w c:\program files\LogMeIn
2009-04-22 15:57 . 2004-11-29 15:18 -------- d-----w c:\program files\Modem On Hold
2009-04-20 21:37 . 2004-11-29 15:21 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 21:35 . 2004-11-29 15:21 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-20 19:28 . 2009-04-19 18:43 62824 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:11 . 2005-01-02 20:46 62824 -c--a-w c:\documents and settings\Mayzee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:03 . 2004-08-10 19:13 77915 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2009-04-05 18:29 . 2009-04-05 17:55 135 ----a-w C:\VundoFix.txt
2009-04-05 16:00 . 2005-03-05 15:50 -------- d-----w c:\program files\Greetings Workshop
2009-04-05 14:59 . 2004-11-29 15:16 -------- d-----w c:\program files\Java
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-13 21:17 . 2009-03-13 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-13 21:17 . 2009-03-13 21:17 1024 ----a-w C:\.rnd
2009-03-11 19:46 . 2008-11-23 15:33 210759 ----a-w C:\mombi.log
2009-03-06 14:22 . 2009-04-19 22:27 284160 ------w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2007-08-13 22:43 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2009-04-19 22:43 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 22:39 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 21:56 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2009-04-19 22:27 729088 ------w c:\windows\SYSTEM32\DLLCACHE\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2009-04-19 22:27 401408 ------w c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
2009-02-09 12:10 . 2009-04-19 22:27 473600 ------w c:\windows\SYSTEM32\DLLCACHE\fastprox.dll
2009-02-09 12:10 . 2009-04-19 22:27 453120 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvsd.dll
2009-02-09 12:10 . 2009-04-19 22:27 714752 ------w c:\windows\SYSTEM32\DLLCACHE\ntdll.dll
2009-02-09 12:10 . 2009-04-19 22:27 617472 ------w c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 11:22 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2009-02-07 23:02 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2009-04-19 22:27 110592 ------w c:\windows\SYSTEM32\DLLCACHE\services.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2009-04-19 22:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2009-04-19 22:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2009-04-19 22:27 35328 ------w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2009-04-19 22:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 10:10 . 2009-04-19 22:27 227840 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-07-07 00:55 . 2007-07-07 00:55 282681 -c--a-w c:\program files\aunt catherine and uncle billy.exp
2007-07-07 00:36 . 2007-07-07 00:37 43724 -c--a-w c:\program files\beach pic.jpg
2006-05-07 18:40 . 2006-05-07 18:40 96054 -c--a-w c:\program files\eva 5.bmp
2006-05-07 18:36 . 2006-05-07 18:36 34884 -c--a-w c:\program files\eva is hott stuff.jpg
2006-05-07 18:35 . 2006-05-07 18:35 2840 -c--a-w c:\program files\eva 4.jpg
2006-05-07 18:33 . 2006-05-07 18:33 18978 -c--a-w c:\program files\eva 3.jpg
2006-05-07 18:31 . 2006-05-07 18:31 1092075 -c--a-w c:\program files\eva is hott 2.jpg
2006-05-07 18:30 . 2006-05-07 18:32 2611 -c--a-w c:\program files\eva 2.jpg
2006-05-07 18:29 . 2006-05-07 18:29 63054 -c--a-w c:\program files\eva is hott.bmp
2006-01-16 18:11 . 2006-01-16 18:11 40854 -c--a-w c:\program files\pink smiley face.bmp
2006-01-16 18:10 . 2006-01-16 18:05 40854 -c--a-w c:\program files\smiley face.jpg
2005-12-24 00:12 . 2005-12-24 00:02 27136 -c--a-w c:\program files\letters for aunt's t-shirts.doc
2005-12-13 22:02 . 2005-12-12 22:26 10146 -c--a-w c:\program files\bowling for soup.bmp
2005-12-13 22:01 . 2005-12-12 22:26 25342 -c--a-w c:\program files\soup can.bmp
2005-12-13 22:00 . 2005-12-12 22:25 4006 -c--a-w c:\program files\four.bmp
2005-12-13 22:00 . 2005-12-12 22:29 10222 -c--a-w c:\program files\plus sign.bmp
2005-12-13 21:59 . 2005-12-12 22:25 40014 -c--a-w c:\program files\bowling ball.bmp
2005-12-11 21:01 . 2005-12-11 21:01 285654 -c--a-w c:\program files\eva.bmp
2005-12-11 20:41 . 2005-12-11 20:41 27382 -c--a-w c:\program files\eighth music note.bmp
2005-12-11 20:34 . 2005-12-11 20:34 330803 -c--a-w c:\program files\the sims 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1401 -c--a-w c:\program files\music note 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1479 -c--a-w c:\program files\one music note.jpg
2005-12-11 15:51 . 2005-12-11 15:51 36870 -c--a-w c:\program files\a music note.bmp
2005-12-10 23:56 . 2005-12-10 23:56 1142 -c--a-w c:\program files\blue music notes.bmp
2005-12-10 22:03 . 2005-12-10 22:03 2281 -c--a-w c:\program files\music notes.jpg
2005-12-10 22:02 . 2005-12-10 22:01 2281 -c--a-w c:\program files\music.jpg
2005-12-10 21:51 . 2005-12-10 21:52 2212 -c--a-w c:\program files\snowboarder.jpg
2005-12-10 21:35 . 2005-12-10 21:35 234102 -c--a-w c:\program files\hot pink.bmp
2005-12-10 21:34 . 2005-10-03 23:48 231310 -c--a-w c:\program files\blue.bmp
2005-12-10 21:34 . 2005-12-10 21:34 236058 -c--a-w c:\program files\yellow.bmp
2005-10-03 23:52 . 2005-10-03 23:52 187834 -c--a-w c:\program files\white.bmp
2005-10-03 23:43 . 2005-10-03 23:43 203958 -c--a-w c:\program files\light blue.bmp
2005-09-10 00:20 . 2005-09-10 00:20 95274 -c--a-w c:\program files\braves symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 111798 -c--a-w c:\program files\red sox symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 63546 -c--a-w c:\program files\mets symbol.bmp
2005-09-10 00:19 . 2005-09-09 23:43 23174 -c--a-w c:\program files\yankee symbol.bmp
2005-09-10 00:09 . 2005-09-10 00:09 39407 -c--a-w c:\program files\Aunt Ann.jpg
2005-09-10 00:09 . 2005-09-10 00:09 897206 -c--a-w c:\program files\Aunt Pam.jpg
2005-09-09 23:41 . 2005-09-09 23:39 242022 -c--a-w c:\program files\green.bmp
2005-09-09 23:38 . 2005-09-09 23:38 244014 -c--a-w c:\program files\purple.bmp
2005-09-05 14:03 . 2005-09-05 14:03 9170 -c--a-w c:\program files\red.bmp
2005-09-05 13:54 . 2005-09-05 13:54 997714 -c--a-w c:\program files\Good Charlotte 3.bmp
2005-09-05 13:53 . 2005-09-05 13:53 299610 -c--a-w c:\program files\Good Charlotte 2.bmp
2005-09-05 13:51 . 2005-09-05 13:51 1444858 -c--a-w c:\program files\Good Charlotte.bmp
2005-07-09 20:40 . 2005-07-09 20:40 129 ----a-w c:\documents and settings\Mayzee\Local Settings\Application Data\fusioncache.dat
2005-01-08 16:25 . 2005-01-08 16:25 487424 -c--a-w c:\documents and settings\Mayzee\chatlnk.exe
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_13.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 19:26 . 2009-04-26 19:26 16384 c:\windows\temp\Perflib_Perfdata_240.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-11-29 26112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Mayzee\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-3-17 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WLService.exe"=
"c:\\WINDOWS\\SYSTEM32\\ati2evxx.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SYSTEM32\\WSCNTFY.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\DoScan.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 3d926d18;3d926d18; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2009-04-26 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]

2009-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-04-05 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 15:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3704)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-26 15:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 19:35
ComboFix2.txt 2009-04-26 13:24

Pre-Run: 125,704,900,608 bytes free
Post-Run: 125,685,571,584 bytes free

424 --- E O F --- 2009-04-25 11:24


Monday, April 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 27, 2009 03:24:50
Records in database: 2082093


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 97871
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:01:08

No malware has been detected. The scan area is clean.
The selected area was scanned.

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 April 2009 - 08:02 PM

Hello.

Assuming that it looks ok to you, can we keep the thread open for a couple days so I can kick the tires?

We aren't done, but once we are done, I'll let you know.

Regarding the JPG, we'll see what we can do later on, but let's make sure we get the malware out of the system first. Did you run Combofix with the CFScript yet? That log is the same as the previous post...

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#11 Rascal

  • Topic Starter
  • Members
  • 9 posts

Posted 28 April 2009 - 06:16 AM

Oops! Posted the wrong log... too many days, too many scans. The correct one is posted below.

Also, I forgot to mention this last night, but Symantec has three things in quarantine (from before you started helping me, obviously) that it tries to repair w/ each definition update, and fails. They are yofolufe.dll.tmp, rurirovi.dll.tmp, and gehotimi.tmp. Does that matter?



ComboFix 09-04-25.A3 - Mayzee 04/26/2009 19:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.193 [GMT -4:00]
Running from: c:\documents and settings\Mayzee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mayzee\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_3d926d18


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-22 21:35 . 2009-04-22 21:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-04-22 19:51 . 2009-04-22 19:51 85955256 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-22 19:29 . 2005-04-08 01:51 258122 ----a-r c:\windows\system32\hpovst08.dll
2009-04-22 19:29 . 2005-04-08 01:51 606208 ----a-r c:\windows\system32\hpotscl.dll
2009-04-22 19:29 . 2005-04-08 01:51 278528 ----a-r c:\windows\system32\hpgwiamd.dll
2009-04-20 21:35 . 2005-09-17 04:20 87768 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-20 21:35 . 2005-09-17 04:20 108168 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\scripting
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\en
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\l2schemas
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\windows\system32\bits
2009-04-19 23:00 . 2009-04-19 23:02 -------- d-----w c:\windows\ServicePackFiles
2009-04-19 22:56 . 2009-04-19 22:56 -------- d-----w c:\windows\EHome
2009-04-19 22:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 22:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-19 21:24 . 2009-04-19 21:24 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-19 20:58 . 2009-04-19 20:58 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-19 18:44 . 2009-04-19 18:44 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 17:40 . 2009-04-25 11:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 17:40 . 2009-04-10 17:40 -------- d-----w c:\documents and settings\Mayzee\Application Data\SUPERAntiSpyware.com
2009-04-10 17:39 . 2009-04-10 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 15:59 . 2009-04-10 16:04 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 15:53 . 2009-04-10 15:53 -------- d-----w c:\program files\Trend Micro
2009-04-05 22:21 . 2009-04-05 22:21 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\PCHealth
2009-04-05 21:09 . 2009-04-20 21:35 -------- d-----w c:\program files\Symantec
2009-04-05 21:09 . 2009-04-26 23:07 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-05 19:17 . 2009-04-05 19:17 -------- d-----w c:\program files\Windows Defender
2009-04-05 17:55 . 2009-04-05 17:55 -------- d-----w C:\VundoFix Backups
2009-04-05 15:18 . 2009-04-05 15:18 -------- d-----w c:\documents and settings\Mayzee\Application Data\Malwarebytes
2009-04-05 15:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 15:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:17 . 2009-04-20 17:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:17 . 2009-04-05 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:07 . 2009-04-05 15:07 -------- d-----w c:\documents and settings\Mayzee\Local Settings\Application Data\{1C92D8C6-2D88-496E-B693-310733415B4B}
2009-04-05 15:00 . 2009-04-05 14:59 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 15:00 . 2009-04-05 14:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-04 20:06 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-04 20:06 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 12:53 . 2009-03-13 21:17 -------- d-----w c:\program files\LogMeIn
2009-04-22 15:57 . 2004-11-29 15:18 -------- d-----w c:\program files\Modem On Hold
2009-04-20 21:37 . 2004-11-29 15:21 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 21:35 . 2004-11-29 15:21 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-20 19:28 . 2009-04-19 18:43 62824 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:11 . 2005-01-02 20:46 62824 -c--a-w c:\documents and settings\Mayzee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:03 . 2004-08-10 19:13 77915 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2009-04-05 18:29 . 2009-04-05 17:55 135 ----a-w C:\VundoFix.txt
2009-04-05 16:00 . 2005-03-05 15:50 -------- d-----w c:\program files\Greetings Workshop
2009-04-05 14:59 . 2004-11-29 15:16 -------- d-----w c:\program files\Java
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-13 21:17 . 2009-03-13 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-13 21:17 . 2009-03-13 21:17 1024 ----a-w C:\.rnd
2009-03-11 19:46 . 2008-11-23 15:33 210759 ----a-w C:\mombi.log
2009-03-06 14:22 . 2009-04-19 22:27 284160 ------w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2007-08-13 22:43 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2009-04-19 22:43 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 22:39 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 21:56 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2009-04-19 22:27 729088 ------w c:\windows\SYSTEM32\DLLCACHE\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2009-04-19 22:27 401408 ------w c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
2009-02-09 12:10 . 2009-04-19 22:27 473600 ------w c:\windows\SYSTEM32\DLLCACHE\fastprox.dll
2009-02-09 12:10 . 2009-04-19 22:27 453120 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvsd.dll
2009-02-09 12:10 . 2009-04-19 22:27 714752 ------w c:\windows\SYSTEM32\DLLCACHE\ntdll.dll
2009-02-09 12:10 . 2009-04-19 22:27 617472 ------w c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 11:22 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2009-02-07 23:02 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2009-04-19 22:27 110592 ------w c:\windows\SYSTEM32\DLLCACHE\services.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2009-04-19 22:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2009-04-19 22:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2009-04-19 22:27 35328 ------w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2009-04-19 22:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 10:10 . 2009-04-19 22:27 227840 ------w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-07-07 00:55 . 2007-07-07 00:55 282681 -c--a-w c:\program files\aunt catherine and uncle billy.exp
2007-07-07 00:36 . 2007-07-07 00:37 43724 -c--a-w c:\program files\beach pic.jpg
2006-05-07 18:40 . 2006-05-07 18:40 96054 -c--a-w c:\program files\eva 5.bmp
2006-05-07 18:36 . 2006-05-07 18:36 34884 -c--a-w c:\program files\eva is hott stuff.jpg
2006-05-07 18:35 . 2006-05-07 18:35 2840 -c--a-w c:\program files\eva 4.jpg
2006-05-07 18:33 . 2006-05-07 18:33 18978 -c--a-w c:\program files\eva 3.jpg
2006-05-07 18:31 . 2006-05-07 18:31 1092075 -c--a-w c:\program files\eva is hott 2.jpg
2006-05-07 18:30 . 2006-05-07 18:32 2611 -c--a-w c:\program files\eva 2.jpg
2006-05-07 18:29 . 2006-05-07 18:29 63054 -c--a-w c:\program files\eva is hott.bmp
2006-01-16 18:11 . 2006-01-16 18:11 40854 -c--a-w c:\program files\pink smiley face.bmp
2006-01-16 18:10 . 2006-01-16 18:05 40854 -c--a-w c:\program files\smiley face.jpg
2005-12-24 00:12 . 2005-12-24 00:02 27136 -c--a-w c:\program files\letters for aunt's t-shirts.doc
2005-12-13 22:02 . 2005-12-12 22:26 10146 -c--a-w c:\program files\bowling for soup.bmp
2005-12-13 22:01 . 2005-12-12 22:26 25342 -c--a-w c:\program files\soup can.bmp
2005-12-13 22:00 . 2005-12-12 22:25 4006 -c--a-w c:\program files\four.bmp
2005-12-13 22:00 . 2005-12-12 22:29 10222 -c--a-w c:\program files\plus sign.bmp
2005-12-13 21:59 . 2005-12-12 22:25 40014 -c--a-w c:\program files\bowling ball.bmp
2005-12-11 21:01 . 2005-12-11 21:01 285654 -c--a-w c:\program files\eva.bmp
2005-12-11 20:41 . 2005-12-11 20:41 27382 -c--a-w c:\program files\eighth music note.bmp
2005-12-11 20:34 . 2005-12-11 20:34 330803 -c--a-w c:\program files\the sims 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1401 -c--a-w c:\program files\music note 2.jpg
2005-12-11 15:54 . 2005-12-11 15:54 1479 -c--a-w c:\program files\one music note.jpg
2005-12-11 15:51 . 2005-12-11 15:51 36870 -c--a-w c:\program files\a music note.bmp
2005-12-10 23:56 . 2005-12-10 23:56 1142 -c--a-w c:\program files\blue music notes.bmp
2005-12-10 22:03 . 2005-12-10 22:03 2281 -c--a-w c:\program files\music notes.jpg
2005-12-10 22:02 . 2005-12-10 22:01 2281 -c--a-w c:\program files\music.jpg
2005-12-10 21:51 . 2005-12-10 21:52 2212 -c--a-w c:\program files\snowboarder.jpg
2005-12-10 21:35 . 2005-12-10 21:35 234102 -c--a-w c:\program files\hot pink.bmp
2005-12-10 21:34 . 2005-10-03 23:48 231310 -c--a-w c:\program files\blue.bmp
2005-12-10 21:34 . 2005-12-10 21:34 236058 -c--a-w c:\program files\yellow.bmp
2005-10-03 23:52 . 2005-10-03 23:52 187834 -c--a-w c:\program files\white.bmp
2005-10-03 23:43 . 2005-10-03 23:43 203958 -c--a-w c:\program files\light blue.bmp
2005-09-10 00:20 . 2005-09-10 00:20 95274 -c--a-w c:\program files\braves symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 111798 -c--a-w c:\program files\red sox symbol.bmp
2005-09-10 00:19 . 2005-09-10 00:19 63546 -c--a-w c:\program files\mets symbol.bmp
2005-09-10 00:19 . 2005-09-09 23:43 23174 -c--a-w c:\program files\yankee symbol.bmp
2005-09-10 00:09 . 2005-09-10 00:09 39407 -c--a-w c:\program files\Aunt Ann.jpg
2005-09-10 00:09 . 2005-09-10 00:09 897206 -c--a-w c:\program files\Aunt Pam.jpg
2005-09-09 23:41 . 2005-09-09 23:39 242022 -c--a-w c:\program files\green.bmp
2005-09-09 23:38 . 2005-09-09 23:38 244014 -c--a-w c:\program files\purple.bmp
2005-09-05 14:03 . 2005-09-05 14:03 9170 -c--a-w c:\program files\red.bmp
2005-09-05 13:54 . 2005-09-05 13:54 997714 -c--a-w c:\program files\Good Charlotte 3.bmp
2005-09-05 13:53 . 2005-09-05 13:53 299610 -c--a-w c:\program files\Good Charlotte 2.bmp
2005-09-05 13:51 . 2005-09-05 13:51 1444858 -c--a-w c:\program files\Good Charlotte.bmp
2005-07-09 20:40 . 2005-07-09 20:40 129 ----a-w c:\documents and settings\Mayzee\Local Settings\Application Data\fusioncache.dat
2005-01-08 16:25 . 2005-01-08 16:25 487424 -c--a-w c:\documents and settings\Mayzee\chatlnk.exe
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_13.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 23:07 . 2009-04-26 23:07 16384 c:\windows\temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-11-29 26112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Mayzee\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-3-17 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147658444\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WLService.exe"=
"c:\\WINDOWS\\SYSTEM32\\ati2evxx.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SYSTEM32\\WSCNTFY.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\DoScan.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2009-04-26 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]

2009-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-04-05 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,15,b6,9d,37,c6,
3f,24,0f,e2,63,26,f1,3f,c8,ff,68,27,62,3a,45,33,6e,19,b7,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,9a,dd,6c,9f,ff,
31,a7,54,6a,9c,d6,61,af,45,84,18,db,3b,e3,03,e6,9d,2a,e0,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,70,02,76,5e,c5,
41,37,bb,ff,7c,85,e0,43,d4,0e,fe,0b,29,06,0e,b2,c7,b2,33,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,e2,ba,cd,f5,79,
04,e2,b8,86,8c,21,01,be,91,eb,e7,2d,ec,21,f2,30,3d,4b,25,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,8d,e0,ce,1d,46,
c8,a9,bf,f5,1d,4d,73,a8,13,5c,05,27,a3,9b,cc,10,a1,e2,bb,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,04,4a,8b,88,6b,
a4,ab,62,df,20,58,62,78,6b,cf,c8,ff,1e,e2,64,d4,41,91,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,0c,f7,0a,2d,94,
ac,76,86,fb,a7,78,e6,12,2f,9a,ea,73,8c,c5,cb,6a,3a,2f,ac,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,0a,7e,23,57,59,
91,11,1e,01,3a,48,fc,e8,04,4a,f1,43,4f,64,3d,6e,00,71,83,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,f1,d8,57,b2,82,
6a,a8,a0,f6,0f,4e,58,98,5b,89,c9,33,38,16,4a,72,4e,2b,17,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,03,b8,01,22,23,
85,1d,11,3d,ce,ea,26,2d,45,aa,78,40,a1,60,9a,57,e8,28,89,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,b6,a1,8b,6a,59,
9a,7c,fe,2a,b7,cc,b5,b9,7f,41,e7,ae,34,53,20,38,da,94,f7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,94,44,81,b1,11,
84,40,5d,6c,43,2d,1e,aa,22,2f,9c,f2,8b,14,c3,0d,0c,ea,8a,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2672)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-26 19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 23:15
ComboFix2.txt 2009-04-26 19:35
ComboFix3.txt 2009-04-26 13:24

Pre-Run: 125,687,599,104 bytes free
Post-Run: 125,676,896,256 bytes free

403 --- E O F --- 2009-04-25 11:24
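As an added example (not part of the original thread and not ComboFix's own code), a small Python triage helper that parses the file-listing and Run-key lines of a ComboFix-style log such as the one above and pulls out what a reviewer would look at first: hidden files under system32, entries changed shortly before the scan, and autorun values ComboFix marked `[X]`. Reading `[X]` as "target not located as written" is an assumption about ComboFix's output; the sample lines are copied from the log above plus one constructed entry (`xyzconstr.dll`), and the 2009-04-26 19:16 reference is the log's completion time.

```python
"""Triage helpers for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: four file lines copied from the log above, one made-up
# entry (xyzconstr.dll) to exercise the hidden-file rule, and two Run values.
SAMPLE_LOG = r"""
2009-04-20 21:35 . 2005-09-17 04:20 87768 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-19 22:59 . 2004-08-04 11:00 250048 --sha-r C:\NTLDR
2008-12-31 17:29 . 2008-12-31 17:29 120 --sh--w c:\windows\SYSTEM32\agitedif.tmp
2009-04-05 15:18 . 2009-04-05 15:18 -------- d-----w c:\documents and settings\Mayzee\Application Data\Malwarebytes
2009-04-26 12:00 . 2009-04-26 12:00 61440 --sh--w c:\windows\system32\xyzconstr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"""

# File line layout: <changed> . <modified> <size or dashes> <7 attribute flags> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(-+|\d+) ([-a-z]{7}) (.+)$"
)
# Run value layout: "<name>"="<command>" [<date size>], or [X] when the target
# could not be located as written (assumption about ComboFix's notation).
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(X|\d{4}-\d\d-\d\d \d+)\]$')


@dataclass(frozen=True)
class FileEntry:
    changed: datetime        # first timestamp: when the entry appeared/changed
    modified: datetime       # second timestamp: the file's own last-write time
    size: Optional[int]      # None for directories (printed as "--------")
    attrs: str               # e.g. "--sha-r": s = system, h = hidden, d = directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


@dataclass(frozen=True)
class RunEntry:
    name: str
    command: str
    resolved: bool           # False when the log shows [X]


def parse_log(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    """Extract file-listing and Run-key entries; other lines are ignored."""
    files, runs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            changed, modified, size, attrs, path = m.groups()
            files.append(FileEntry(
                changed=datetime.strptime(changed, "%Y-%m-%d %H:%M"),
                modified=datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                size=None if size.startswith("-") else int(size),
                attrs=attrs, path=path))
            continue
        m = RUN_RE.match(line)
        if m:
            name, command, stamp = m.groups()
            runs.append(RunEntry(name, command, resolved=(stamp != "X")))
    return files, runs


def hidden_system32_files(files: List[FileEntry], windir: str = r"c:\windows") -> List[FileEntry]:
    """Hidden non-directory entries under <windir>\\system32. Some legitimate
    files carry these flags, so this is a review list, not a verdict."""
    prefix = (windir + "\\system32\\").lower()
    return [f for f in files
            if not f.is_dir and f.hidden and f.path.lower().startswith(prefix)]


def recently_changed(files: List[FileEntry], reference: datetime, days: int = 7) -> List[FileEntry]:
    """Entries whose first timestamp falls within `days` before `reference`."""
    cutoff = reference - timedelta(days=days)
    return [f for f in files if f.changed >= cutoff]


def unresolved_autoruns(runs: List[RunEntry]) -> List[RunEntry]:
    """Run values whose target was not located; a value with arguments (like
    dumprep above) can land here legitimately, so each needs a manual look."""
    return [r for r in runs if not r.resolved]


def triage(text: str, completion_time: str) -> dict:
    """Run every check; completion_time is the log's 'Completion time' stamp."""
    files, runs = parse_log(text)
    ref = datetime.strptime(completion_time, "%Y-%m-%d %H:%M")
    return {
        "hidden_system32": [f.path for f in hidden_system32_files(files)],
        "recent": [f.path for f in recently_changed(files, ref)],
        "unresolved_autoruns": [r.name for r in unresolved_autoruns(runs)],
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG, "2009-04-26 19:16").items():
        print(f"{key}: {items}")
```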

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 April 2009 - 02:52 PM

Hello.

Log looks good now. We'll cleanup.

Regarding your corrupted jpg files and doc files, they are difficult to repair depending on what exactly happened. .JPG files are even more difficult to repair from what I have researched. I would continue the thread you started in the Windows XP forum.

I have found some tools that may help.

.jpg recovery programs

http://www.officerecovery.com/download/pirdemo.exe
http://www.download3k.com/DownloadLink1-JPEG-Recovery.html

.doc recovery programs.

http://www.recoverytoolbox.com/download/Re...WordInstall.exe
http://www.nucleusdatarecovery.org/dl/dl.php?id=5


Please follow/read the steps below to remove the tools we used and for some more information. :step5:

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders associated with ComboFix and uninstall it.

Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to make a donation.

#13 Rascal

  • Topic Starter
  • Members
  • 9 posts

Posted 28 April 2009 - 06:29 PM

extremeboy -


EXTRAORDINARY!!!!


Thanks so much - I really thought that this install was a lost cause. I'll follow up on the file recovery and prevention - of course, we all know how hard it is to control friends and relatives!

What you guys do is really, really special.


you are the best, Rascal

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 April 2009 - 06:58 PM

Thank you Rascal for your kind comment.

I appreciate it. :)

I'm glad I was able to assist with your malware problem. Take care and happy surfing again! :thumbup2:

Best Regards,
Extremeboy

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 April 2009 - 07:03 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy