
Possible ZLOB infection


  • This topic is locked
16 replies to this topic

#1 DDE12

  • Members
  • 33 posts

Posted 22 April 2009 - 08:58 PM

I am trying to clean up some viruses/malware/spyware from a computer. Several Antivirus scans have helped me to remove some of the problems but I still have some suspicious files in a Recycler folder and some other abnormalities in the HJT log. I have two csrss.exe and services.exe running. Any help and advice on cleaning up these remaining issues would be greatly appreciated.


DDS (Ver_09-03-16.01) - FAT32x86
Run by User at 20:55:11.79 on Wed 04/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.113 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Online Armor\oaui.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynUpPs.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Calendar\Calendar.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\Online Armor\oahlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HackNo.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindows: load=c:\progra~1\omnipage\ocraware.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: {4e7bd74f-2b8d-469e-90f0-f66ab581a933} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SystemTray] SysTray.Exe
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [DIAGENT] c:\program files\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Microsoft Update Manager] msupdates.exe
mRun: [Service] c:\windows\system32\mui\softwaredistribution2\setup\servicestartup\wups.dll\winupdate\install.bat
mRunServices: [Microsoft Update Manager] msupdates.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\calendar.lnk - c:\program files\calendar\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynUpPs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: <NO NAME> =
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.7317939815
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} - hxxp://fdl.msn.com/public/investor/v9/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5587/mcfscan.cab
TCP: {B542D086-AD8C-4684-9C49-29113D212BE5} = 216.68.4.10,216.68.5.10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0u679xmw.default\
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-24 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-24 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-24 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-24 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-24 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-24 151297]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 lsass;lsass;c:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\csrss.exe [2009-4-17 45056]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-2-24 1402568]
R2 smss;smss;c:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\services.exe [2009-4-17 45056]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-2-24 3321032]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-24 52032]
S2 AVWUpSrv;AntiVir Update;c:\program files\avpersonal\avwupsrv.exe --> c:\program files\avpersonal\AVWUPSRV.EXE [?]
S2 Microsoft Security Center;Microsoft Security Center;c:\windows\system32\iis\svchost.exe --> c:\windows\system32\iis\svchost.exe [?]
S2 net-ip;IP / TCP Services;c:\windows\system32\drivers\aspi32.exe --> c:\windows\system32\drivers\aspi32.exe [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\effici~1\tangom~1\app\lognt.sys --> c:\progra~1\effici~1\tangom~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-21 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-21 12:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-21 12:30 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-04-21 12:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-21 10:48 <DIR> --d----- c:\program files\Process Explorer
2009-04-20 17:01 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-04-20 17:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 17:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 17:00 <DIR> --d----- c:\program files\Anti-Malware
2009-04-20 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 13:33 <DIR> --d----- c:\windows\McAfee.com
2009-04-17 03:31 <DIR> --d-h--- c:\windows\system32\IIS
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\scripts
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\download
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\sounds
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\logs
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\channels
2009-04-17 03:29 812 a------- c:\windows\system32\ifx.ini
2009-04-17 03:29 18,794 a------- c:\windows\system32\instsrv.exe
2009-04-17 03:29 36 a------- c:\windows\system32\start.bat
2009-03-31 19:29 <DIR> --d----- c:\program files\Volume ID

==================== Find3M ====================

2009-03-23 16:46 744 -------- c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 16:46 1,316 -------- c:\windows\system32\drivers\shellconfig.oxc
2009-03-18 14:19 21,442 a------- c:\windows\mozver.dat
2009-03-18 14:18 118,784 a------- c:\windows\GREUninstall.exe
2009-03-05 11:10 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-05 11:10 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-04-13 20:12 22,040 ----h--- c:\docume~1\user\applic~1\addon.dat
2003-02-13 18:41 266 ---sh--- c:\program files\desktop.ini
2003-02-13 18:41 11,079 ----h--- c:\program files\folder.htt
2008-08-22 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 21:10:30.84 ===============
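The log above contains the pattern a responder looks for by eye: two services registered under core-process names (`lsass`, `smss`) that point at `csrss.exe` and `services.exe` inside a `c:\recycler\S-1-5-21-...` folder, an `svchost.exe` living in `c:\windows\system32\iis\` instead of `system32`, an autorun that launches an `install.bat`, and an autorun (`msupdates.exe`) given without any path. As an added example, not from the original post and not part of the DDS tool, the Python script below applies those checks mechanically to DDS-style lines: it parses the `SERVICES / DRIVERS`, `Run` and `Running Processes` formats, then flags core Windows binaries loading from anywhere but `c:\windows\system32` (or `c:\windows` for Explorer), services whose short name mimics a core process (a stock XP box registers none under those names), paths under the Recycler or temp folders, script autostarts, and entries DDS marked `[?]` because it could not read the file. The rule names, severities and the allowed-directory list are my own assumptions; the sample lines are copied from the posted log, with three benign lines included to show they are not flagged.

```python
"""Triage helper for DDS-style logs: flag services, autoruns and running
processes whose name or path does not fit a clean Windows XP install.
Added example, not part of the original post or of DDS itself."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")

# Core Windows binaries and the only directories they legitimately load from
# (assumed allow-list for a default Windows XP install).
CORE_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
CORE_DIRS = {r"c:\windows\system32", r"c:\windows"}
# A stock XP box registers no *service* under these names: the real processes
# are started by the kernel/Session Manager, not by the Service Control Manager.
CORE_SERVICE_NAMES = {"csrss", "smss", "lsass", "services", "winlogon"}
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".pif")

# "R2 name;display;c:\path\bin.exe [date size]"  or  "S2 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.+)$")
# "mRun: [Display Name] "c:\path\bin.exe" /args"   (also uRun, mRunServices)
RUN_RE = re.compile(r"^[um]Run(?:Services)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
PROCESS_RE = re.compile(r"^[a-z]:\\", re.I)


def first_binary(cmd):
    """Executable referenced by a command line (quoted or first token), lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split()[0].lower()


def service_binary(rest):
    """Binary path from the tail of a DDS service line, plus whether DDS printed
    "[?]" (it could not read the file, usually because it is no longer there)."""
    unverifiable = rest.rstrip().endswith("[?]")
    path = rest.split(" --> ")[0]                 # drop the duplicated resolved path
    path = re.sub(r"\s+\[[^\]]*\]$", "", path)    # drop trailing "[date size]"
    if path.startswith("\\??\\"):                 # object-manager prefix on driver paths
        path = path[4:]
    return path.lower(), unverifiable


def check_path(path, line, findings):
    """Path rules shared by services, autorun entries and running processes."""
    if "\\" not in path:
        # Bare filename: Windows resolves it through the search path, so the
        # analyst must locate the file by hand before judging it.
        findings.append(Finding("info", "bare-filename-needs-resolution", line))
        return
    directory, base = path.rsplit("\\", 1)
    if base in CORE_BINARIES and directory not in CORE_DIRS:
        findings.append(Finding("high", "core-binary-outside-system-dir", line))
    if any(s in path for s in SUSPICIOUS_DIRS):
        findings.append(Finding("high", "runs-from-suspicious-dir", line))
    if path.endswith(SCRIPT_EXTS):
        findings.append(Finding("medium", "script-autostart", line))


def triage(lines):
    """Return a list of Findings for the given DDS log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if m.group("name").lower() in CORE_SERVICE_NAMES:
                findings.append(Finding("high", "service-named-like-core-process", line))
            path, unverifiable = service_binary(m.group("rest"))
            if unverifiable:
                findings.append(Finding("low", "binary-unverifiable", line))
            check_path(path, line, findings)
            continue
        m = RUN_RE.match(line)
        if m:
            check_path(first_binary(m.group("cmd")), line, findings)
        elif PROCESS_RE.match(line):
            check_path(first_binary(line), line, findings)
    return findings


# Sample input: lines copied from the DDS log in the post above; the first three
# are benign and must not be flagged.
SAMPLE = r"""
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRunServices: [Microsoft Update Manager] msupdates.exe
mRun: [Service] c:\windows\system32\mui\softwaredistribution2\setup\servicestartup\wups.dll\winupdate\install.bat
R2 lsass;lsass;c:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\csrss.exe [2009-4-17 45056]
S2 Microsoft Security Center;Microsoft Security Center;c:\windows\system32\iis\svchost.exe --> c:\windows\system32\iis\svchost.exe [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.rule:34} {f.line[:70]}")
```

Run against a full DDS log (`triage(open("dds.txt").read().splitlines())`) the high-severity findings are the ones to chase first; the `[?]` marker on its own is only low, since the third sample line shows a legitimately absent driver (the TangoM `L2XPSR.SYS`) getting the same marker.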


#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 05 May 2009 - 10:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 DDE12
  • Topic Starter

  • Members
  • 33 posts

Posted 06 May 2009 - 11:11 AM

I am trying to clean up some viruses/malware/spyware from a computer. Several Antivirus scans have helped me to remove some of the problems but I still have some suspicious files in a Recycler folder and some other abnormalities in the HJT log. I have two csrss.exe and services.exe running. This computer is acting as a client in a home network and I can no longer access shared folders. I'm wondering if the viruses damaged some of my networking files. Any help and advice on cleaning up these remaining issues would be greatly appreciated.


DDS (Ver_09-03-16.01) - FAT32x86
Run by User at 11:23:48.86 on Wed 05/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.219 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\A-squared\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Online Armor\oaui.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynUpPs.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Calendar\Calendar.exe
C:\Program Files\Online Armor\oahlp.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindows: load=c:\progra~1\omnipage\ocraware.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: {4e7bd74f-2b8d-469e-90f0-f66ab581a933} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot s&d\TeaTimer.exe
mRun: [SystemTray] SysTray.Exe
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [DIAGENT] c:\program files\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Microsoft Update Manager] msupdates.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunServices: [Microsoft Update Manager] msupdates.exe
StartupFolder: c:\docume~1\User\startm~1\programs\startup\calendar.lnk - c:\program files\calendar\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynUpPs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: <NO NAME> =
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.7317939815
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} - hxxp://fdl.msn.com/public/investor/v9/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5587/mcfscan.cab
TCP: {B542D086-AD8C-4684-9C49-29113D212BE5} = 216.68.4.10,216.68.5.10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\User\applic~1\mozilla\firefox\profiles\0u679xmw.default\
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-24 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-24 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-24 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-24 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 a2free;a-squared Free Service;c:\program files\a-squared\a2service.exe [2009-4-28 425080]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-24 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-24 151297]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 lsass;lsass;c:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\csrss.exe [2009-4-17 45056]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-24 52032]
S2 AVWUpSrv;AntiVir Update;c:\program files\avpersonal\avwupsrv.exe --> c:\program files\avpersonal\AVWUPSRV.EXE [?]
S2 Microsoft Security Center;Microsoft Security Center;c:\windows\system32\iis\svchost.exe --> c:\windows\system32\iis\svchost.exe [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\effici~1\tangom~1\app\lognt.sys --> c:\progra~1\effici~1\tangom~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-28 13:42 <DIR> --d----- c:\program files\A-squared
2009-04-23 19:54 <DIR> --d----- c:\program files\Spybot S&D
2009-04-23 19:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-21 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-21 12:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-21 12:30 <DIR> --d----- c:\docume~1\User\applic~1\SUPERAntiSpyware.com
2009-04-21 12:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-21 10:48 <DIR> --d----- c:\program files\Process Explorer
2009-04-20 17:01 <DIR> --d----- c:\docume~1\User\applic~1\Malwarebytes
2009-04-20 17:00 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-04-20 17:00 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 17:00 <DIR> --d----- c:\program files\Anti-Malware
2009-04-20 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 13:33 <DIR> --d----- c:\windows\McAfee.com
2009-04-17 03:31 <DIR> --d-h--- c:\windows\system32\IIS
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\scripts
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\download
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\sounds
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\logs
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\channels
2009-04-17 03:29 812 a------- c:\windows\system32\ifx.ini
2009-04-17 03:29 18,794 a------- c:\windows\system32\instsrv.exe
2009-04-17 03:29 36 a------- c:\windows\system32\start.bat

==================== Find3M ====================

2009-03-23 16:46 744 -------- c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 16:46 1,316 -------- c:\windows\system32\drivers\shellconfig.oxc
2009-03-18 14:19 21,442 a------- c:\windows\mozver.dat
2009-03-18 14:18 118,784 a------- c:\windows\GREUninstall.exe
2009-03-05 11:10 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-05 11:10 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-04-13 20:12 22,040 ----h--- c:\docume~1\User\applic~1\addon.dat
2003-02-13 18:41 266 ---sh--- c:\program files\desktop.ini
2003-02-13 18:41 11,079 ----h--- c:\program files\folder.htt
2008-08-22 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 11:34:22.60 ===============


#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 May 2009 - 04:26 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [image: Recovery Console installation prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image: Recovery Console installed prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
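
The ComboFix log this procedure produces lists every registered driver and service one per line, and the entries worth a second look are the ones whose binary ComboFix could not find (shown with [?]) or whose file name mimics a core Windows process from a directory other than System32. As an added example, not part of this thread or of ComboFix itself, here is a small Python triage pass over lines in that section's format; the sample lines are copied from the log posted later in this topic, and the ';'-separated layout and the meaning of [?] are assumptions read off that log.

```python
import ntpath
import re
from dataclasses import dataclass, field

# One ComboFix "Drivers/Services" line (layout assumed from the log in this thread):
#   <state><start> <name>;<display>;<path>[ --> <resolved path>] [<date size> | ?]
# state R = running, S = stopped; the digit is the service start type (2 = auto, 3 = manual).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))?"
    r" \[(?P<info>[^\]]*)\]$"
)

# Core Windows process names that are only ever legitimately started from System32.
CORE_PROCESSES = {"svchost.exe", "csrss.exe", "services.exe",
                  "lsass.exe", "smss.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed sample: six lines copied from the ComboFix log posted later in this topic.
SAMPLE_LOG = r"""
R1 OADevice;OADriver;c:\windows\SYSTEM32\DRIVERS\OADriver.sys [2/24/2009 12:01 PM 178376]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2/24/2009 12:01 PM 1402568]
S2 Microsoft Security Center;Microsoft Security Center;c:\windows\system32\IIS\svchost.exe --> c:\windows\system32\IIS\svchost.exe [?]
S2 net-ip;IP / TCP Services;c:\windows\SYSTEM32\DRIVERS\aspi32.exe --> c:\windows\SYSTEM32\DRIVERS\aspi32.exe [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS --> c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
"""


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    path: str   # normalized: lower-case, NT object-manager prefix stripped
    info: str   # "<date size>" when ComboFix found the file, "?" when it did not
    flags: list = field(default_factory=list)


def normalize(path):
    """Lower-case a Windows path and drop the NT object-manager prefix \\??\\."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def parse_line(line):
    """Return a ServiceEntry for a Drivers/Services line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        state=m["state"], start=int(m["start"]), name=m["name"], display=m["display"],
        path=normalize(m["resolved"] or m["path"]), info=m["info"])


def triage(entry):
    """Attach a flag for each heuristic the entry trips; an empty list means nothing odd."""
    base = ntpath.basename(entry.path)
    directory = ntpath.dirname(entry.path)
    # ComboFix could not find the file: an orphaned registration or something hiding from it.
    if entry.info == "?":
        entry.flags.append("binary not found at registered path")
    # A core process name (svchost.exe, csrss.exe, ...) started from anywhere but System32.
    if base in CORE_PROCESSES and directory != SYSTEM32:
        entry.flags.append(f"core process name {base} outside System32")
    # The drivers directory normally holds .sys files, not service executables.
    if base.endswith(".exe") and ntpath.basename(directory) == "drivers":
        entry.flags.append("executable registered from the drivers directory")
    return entry


def triage_log(text):
    """Parse every service line in a ComboFix log and run the heuristics over each."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        verdict = "; ".join(e.flags) or "ok"
        print(f"{e.state}{e.start} {e.name:<26} {e.path}\n    -> {verdict}")
```

Run against a full log, the two entries this thread's log shows under a Windows-looking name (svchost.exe under system32\IIS and aspi32.exe under DRIVERS) are the ones that come back flagged, while the Online Armor and SUPERAntiSpyware drivers pass clean.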

#5 DDE12

  • Topic Starter
  • Members
  • 33 posts

Posted 08 May 2009 - 09:05 AM

Hi PP,
Thank you so much for helping me out with this. I ran ComboFix and it tried to install the Recovery Console but failed. ComboFix did run and it restarted the computer but didn't produce a log file. I then installed the Recovery Console and re-ran ComboFix and it produced a log file. I haven't made any changes to my computer since starting this topic.

ComboFix 09-05-06.08 - User 05/07/2009 23:54.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.209 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Application Data\addon.dat
c:\windows\start.exe
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\encapi32.dll
c:\windows\system32\instsrv.exe
c:\windows\system32\k.txt
c:\windows\Web\default.htt
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LSASS
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
-------\Legacy_SMSS
-------\Service_lsass
-------\Service_smss


((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-08 01:13 . 2009-05-08 01:13 -------- d-----w c:\documents and settings\User\Application Data\ImgBurn
2009-05-07 16:34 . 2009-05-07 16:34 -------- d-----w C:\sp3
2009-05-07 16:31 . 2009-05-07 16:31 -------- d-----w c:\program files\ImgBurn
2009-05-07 16:19 . 2009-05-07 16:19 331805736 ----a-w C:\XPSP3.exe
2009-05-07 16:12 . 2000-07-21 14:40 2048 ----a-w C:\w2ksect.bin
2009-05-07 16:08 . 2009-05-07 16:08 -------- d-----w C:\XPSetup
2009-05-07 15:40 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-07 15:40 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-07 15:40 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-07 15:40 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-07 15:40 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-07 15:40 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-07 15:40 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-07 15:40 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-07 15:40 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-07 15:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-07 15:38 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 17:42 . 2009-04-28 17:42 -------- d-----w c:\program files\A-squared
2009-04-23 23:54 . 2009-04-23 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 23:54 . 2009-04-23 23:54 -------- d-----w c:\program files\Spybot S&D
2009-04-21 16:31 . 2009-04-21 16:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-21 16:30 . 2009-04-21 16:30 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-21 16:30 . 2009-04-21 16:30 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-21 16:29 . 2009-04-21 16:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-21 14:48 . 2009-04-21 14:48 -------- d-----w c:\program files\Process Explorer
2009-04-20 21:01 . 2009-04-20 21:01 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-20 21:00 . 2009-04-06 19:32 15504 ------w c:\windows\system32\drivers\mbam.sys
2009-04-20 21:00 . 2009-04-06 19:32 38496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-----w c:\program files\Anti-Malware
2009-04-17 17:33 . 2009-04-17 17:33 -------- d-----w c:\windows\McAfee.com
2009-04-17 07:31 . 2009-04-17 07:31 -------- d--h--w c:\windows\system32\IIS
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\scripts
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\download
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\channels
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\sounds
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\logs
2009-04-17 07:29 . 2008-05-31 03:48 36 ----a-w c:\windows\system32\start.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 23:29 . 2009-03-31 23:29 -------- d-----w c:\program files\Volume ID
2009-03-23 20:46 . 2009-03-22 11:28 744 ------w c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 20:46 . 2009-03-22 11:27 1316 ------w c:\windows\system32\drivers\shellconfig.oxc
2009-03-20 15:20 . 2009-03-20 15:20 -------- d-----w c:\program files\iSilo
2009-03-19 17:02 . 2009-03-19 17:02 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 22:07 . 2009-03-18 22:07 -------- d-----w c:\program files\Kompozer
2009-03-18 18:42 . 2009-03-18 18:42 -------- d-----w c:\program files\Nvu
2009-03-18 18:19 . 2003-07-18 16:10 21442 ----a-w c:\windows\mozver.dat
2009-03-18 18:18 . 2009-03-18 18:18 118784 ----a-w c:\windows\GREUninstall.exe
2009-03-17 20:34 . 2009-03-17 20:34 -------- d-----w c:\program files\Display Shortcut Keys
2009-03-17 17:39 . 2009-03-17 17:39 -------- d-----w c:\program files\DriveImage XML
2009-03-06 14:22 . 2003-09-22 21:44 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 15:10 . 2006-04-29 17:49 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-05 15:10 . 2003-07-09 16:08 1632 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-23 15:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-17 17:42 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-23 16:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 16:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-23 16:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2001-08-17 17:48 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2003-02-13 22:41 . 2003-02-13 22:41 266 --sh--w c:\program files\desktop.ini
2003-02-13 22:41 . 2003-02-13 22:41 11079 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot S&D\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSI Loader"="c:\program files\Common Files\Smith Micro Shared\FAX\SMLoader.exe" [1999-06-18 32768]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760]
"DIAGENT"="c:\program files\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"BJLaunchEXE"="c:\program files\Canon\BJCard\BJLaunch.exe" [2002-03-14 630784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2008-11-26 6223048]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2002-11-08 19968]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-02-24 1495040]

c:\documents and settings\User\Start Menu\Programs\Startup\
Calendar.lnk - c:\program files\Calendar\Calendar.exe [2009-3-3 416256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DynDNS Updater.lnk - c:\program files\DynDNS Updater\DynUpPs.exe [2008-6-23 94208]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-2-27 286720]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
FriendlyName= J-Track: Satellite Tracking

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online\\waol.exe"=
"c:\\Program Files\\Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\RealPlayer\\RealPlay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\System32\\usmt\\migwiz.exe"=
"<NO NAME>"= :Microsoft Update Manager

R1 OADevice;OADriver;c:\windows\SYSTEM32\DRIVERS\OADriver.sys [2/24/2009 12:01 PM 178376]
R1 OAmon;OAmon;c:\windows\SYSTEM32\DRIVERS\OAmon.sys [2/24/2009 12:01 PM 30920]
R1 OAnet;OAnet;c:\windows\SYSTEM32\DRIVERS\OAnet.sys [2/24/2009 12:01 PM 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2/24/2009 12:01 PM 1402568]
S2 AVWUpSrv;AntiVir Update;c:\program files\AVPersonal\AVWUPSRV.EXE --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S2 Microsoft Security Center;Microsoft Security Center;c:\windows\system32\IIS\svchost.exe --> c:\windows\system32\IIS\svchost.exe [?]
S2 net-ip;IP / TCP Services;c:\windows\SYSTEM32\DRIVERS\aspi32.exe --> c:\windows\SYSTEM32\DRIVERS\aspi32.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2/24/2009 12:01 PM 3321032]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS --> c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys --> c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\Data Files Incremental Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-05-07 c:\windows\Tasks\Program Files Incremental Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-03-26 c:\windows\Tasks\Data Files Normal Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-03-26 c:\windows\Tasks\Program Files Normal Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-05-04 c:\windows\Tasks\System Information.job
- c:\progra~1\COMMON~1\MICROS~1\MSINFO\msinfo32.exe [2003-02-13 11:00]

2009-05-05 c:\windows\Tasks\Regedit.job
- c:\windows\regedit.exe [2003-09-22 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
Trusted Zone: turbotax.com
TCP: {B542D086-AD8C-4684-9C49-29113D212BE5} = 216.68.4.10,216.68.5.10
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\0u679xmw.default\
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 00:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3956)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
Completion time: 2009-05-08 0:05
ComboFix-quarantined-files.txt 2009-05-08 04:05

Pre-Run: 9,373,515,776 bytes free
Post-Run: 9,370,173,440 bytes free

258 --- E O F --- 2009-05-08 02:13




GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-08 01:03:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAllocateVirtualMemory [0xECC6B0F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAssignProcessToJobObject [0xECC6B6E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwConnectPort [0xECC6A370]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateFile [0xECC77E80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateKey [0xECC761B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreatePort [0xECC6A1D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateProcess [0xECC67A10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateProcessEx [0xECC67DE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateSection [0xECC67520]
SSDT F7CAF92C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDebugActiveProcess [0xECC697B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteFile [0xECC789C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteKey [0xECC76760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteValueKey [0xECC770B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xECC77E20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xECC77E50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwLoadDriver [0xECC6ABC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenFile [0xECC785D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenKey [0xECC769A0]
SSDT F7CAF918 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenSection [0xECC677A0]
SSDT F7CAF91D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwProtectVirtualMemory [0xECC6B390]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwQueryKey [0xECC77DC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwQueryValueKey [0xECC77DF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwReplaceKey [0xECC778A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwRequestWaitReplyPort [0xECC6A750]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwRestoreKey [0xECC77B00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwResumeThread [0xECC69E80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSaveKey [0xECC77DA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetContextThread [0xECC695D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetSystemInformation [0xECC69930]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetValueKey [0xECC769C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwShutdownSystem [0xECC6AAC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendProcess [0xECC6A030]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendThread [0xECC69CB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSystemDebugControl [0xECC69B10]
SSDT F7CAF927 ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwTerminateThread [0xECC69400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwUnloadDriver [0xECC6ADE0]
SSDT F7CAF922 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [D0, A1, C6, EC, 10, 7A, C6, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [30, A0, C6, EC, B0, 9C, C6, ...]
? C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\CTsvcCDA.EXE[116] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\taskswitch.exe[120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\WINDOWS\system32\taskswitch.exe[120] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskswitch.exe[120] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskswitch.exe[120] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\taskswitch.exe[120] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskswitch.exe[120] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\taskswitch.exe[120] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[192] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jqs.exe[344] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\nvsvc32.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\csrss.exe[428] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\winlogon.exe[456] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text ...
.text C:\Program Files\Online Armor\oacat.exe[832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00780001
.text C:\Program Files\Online Armor\oacat.exe[832] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Online Armor\oacat.exe[832] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Online Armor\oacat.exe[832] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Calendar\Calendar.exe[872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00940001
.text C:\Program Files\Calendar\Calendar.exe[872] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Calendar\Calendar.exe[872] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Calendar\Calendar.exe[872] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Calendar\Calendar.exe[872] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Calendar\Calendar.exe[872] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Calendar\Calendar.exe[872] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\spoolsv.exe[1296] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1344] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text ...
.text C:\WINDOWS\system32\ctfmon.exe[1524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\ctfmon.exe[1524] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[1524] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1524] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\System32\MsPMSPSv.exe[1608] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Canon\BJCard\Bjmcmng.exe[1988] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Launchy\Launchy.exe[2060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
.text C:\Program Files\Launchy\Launchy.exe[2060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Launchy\Launchy.exe[2060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Launchy\Launchy.exe[2060] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Launchy\Launchy.exe[2060] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Launchy\Launchy.exe[2060] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Launchy\Launchy.exe[2060] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2604] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AA0001
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe[3628] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B90001
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe[3664] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B70001
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[3784] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\devldr32.exe[3932] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\explorer.exe[3956] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\User\Desktop\gu69s9uo.exe[3988] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F76AA3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F76AA6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AA700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F76AA6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F76AA3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AA700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [F76AA3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [F76AA6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F76AA6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AA700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F76AA3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
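
The GMER output above lists two kinds of hooks: user-mode patches in the `.text` sections of running processes (every process shows the same six functions redirected to the same `5F0x0F5A` addresses) and kernel IAT entries in the NDIS drivers, all attributed to `OAnet.sys` (Online Armor). The script below is an added example, written for this page and not part of the post or of GMER; it parses lines in the shape GMER 1.0.15 prints here and answers the two questions a responder asks of such a log: which hooked function redirects to a different target in each process, and which kernel IAT hook points at a module with no vendor string. The regexes are this example's reading of the log format, the "per-process target" rule is a heuristic, and the final IAT line in the sample (`NdisSend`, `example.sys`) is constructed to exercise the flagging path.

```python
"""Triage helper for GMER "Code sections" and "Kernel IAT/EAT" output.

Added example, not part of the original post or of GMER.  It parses the line
shapes visible in the log above and summarises them for a responder.  The
regexes and heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict

# .text <process>[<pid>] <module>!<func>[ + <off>] <addr> <n> Bytes <JMP|CALL> <target>
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<func>\S+!\S+(?: \+ [0-9A-Fa-f]+)?) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes "
    r"(?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]{8})$"
)
# IAT <image>[<import>] [<addr>] <module> (<description/vendor>)
IAT_HOOK = re.compile(
    r"^IAT (?P<image>\S+)\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<module>\S+)(?: \((?P<vendor>[^)]*)\))?$"
)

# Constructed sample input: lines copied from the GMER log in this thread plus
# one made-up IAT line (NdisSend / example.sys) that carries no vendor string.
SAMPLE = r"""
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\Program Files\Canon\BJCard\BJLaunch.exe[3876] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\devldr32.exe[3932] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F76AA410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisSend] [F7A00000] \??\C:\WINDOWS\system32\drivers\example.sys
"""


def parse_gmer(text):
    """Return (user_hooks, iat_hooks) as lists of dicts; other lines are skipped."""
    user, iat = [], []
    for line in text.splitlines():
        line = line.strip()
        m = USER_HOOK.match(line)
        if m:
            user.append(m.groupdict())
            continue
        m = IAT_HOOK.match(line)
        if m:
            iat.append(m.groupdict())
    return user, iat


def summarize_user_hooks(hooks):
    """Group by hooked function: which processes carry it, where it jumps, how."""
    out = defaultdict(lambda: {"processes": set(), "targets": set(), "kinds": set()})
    for h in hooks:
        s = out[h["func"]]
        s["processes"].add(h["proc"])
        s["targets"].add(h["target"].upper())
        s["kinds"].add(h["kind"])
    return dict(out)


def per_process_targets(summary):
    """Hooked functions whose redirect target differs from process to process.

    Heuristic: a JMP/CALL landing at one address in every process is usually a
    single DLL mapped at a shared base (a security product, here Online Armor);
    a target that changes per process points at memory allocated inside each
    process and deserves a closer look.
    """
    return sorted(f for f, s in summary.items() if len(s["targets"]) > 1)


def unattributed_iat_hooks(iat_hooks):
    """Kernel IAT hooks whose owning module GMER printed without a vendor string."""
    return [h for h in iat_hooks if not h.get("vendor")]


def triage_gmer(text):
    """One-shot report over a GMER log fragment."""
    user, iat = parse_gmer(text)
    summary = summarize_user_hooks(user)
    return {
        "hooked_functions": len(summary),
        "per_process_targets": per_process_targets(summary),
        "unattributed_iat": [h["module"] for h in unattributed_iat_hooks(iat)],
    }


if __name__ == "__main__":
    for key, value in triage_gmer(SAMPLE).items():
        print(f"{key}: {value}")
```

On the page's own log every IAT hook carries the Tall Emu vendor string and only `LoadLibraryExW + C4` changes target per process, so the report is short; the point of the grouping is that a firewall's hooks look like one consistent set, and anything outside that set is what to chase.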

#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 08 May 2009 - 04:22 PM

Hello.

I see some leftovers of infection.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    @=-
    
    DirLook::
    c:\windows\system32\IIS
    
    Driver::
    Microsoft Security Center
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image omitted]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update Java to Version 6 Update 13
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

With Regards,
The Panda

#7 DDE12 (Topic Starter, Members, 33 posts)

Posted 11 May 2009 - 11:33 PM

Hi Panda,

I ran ComboFix twice. The first time, it restarted the computer but did not produce a log file. Just before my desktop loaded, an error message came up saying that Windows could not find some file; I clicked "OK" and Windows finished loading normally. I didn't write the name of the file down, but I know the first two letters were CF. So now I'm thinking that file was necessary for the production of the log file. The second time I ran ComboFix it did not restart the computer and did produce a log file.

Thank you.

ComboFix 09-05-11.01 - User 05/12/2009 0:04.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.139 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: Online Armor Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MICROSOFT_SECURITY_CENTER
-------\Service_Microsoft Security Center


((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-11 23:28 . 2009-05-11 23:28 -------- d-----w c:\program files\Java
2009-05-08 01:13 . 2009-05-08 01:13 -------- d-----w c:\documents and settings\User\Application Data\ImgBurn
2009-05-07 16:31 . 2009-05-07 16:31 -------- d-----w c:\program files\ImgBurn
2009-05-07 15:40 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-07 15:40 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-07 15:40 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-07 15:40 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-07 15:40 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-07 15:40 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-07 15:40 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-07 15:40 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-07 15:40 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-07 15:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-07 15:38 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 17:42 . 2009-04-28 17:42 -------- d-----w c:\program files\A-squared
2009-04-23 23:54 . 2009-04-23 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 23:54 . 2009-04-23 23:54 -------- d-----w c:\program files\Spybot S&D
2009-04-21 16:31 . 2009-04-21 16:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-21 16:30 . 2009-04-21 16:30 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-21 16:30 . 2009-04-21 16:30 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-21 16:29 . 2009-04-21 16:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-21 14:48 . 2009-04-21 14:48 -------- d-----w c:\program files\Process Explorer
2009-04-20 21:01 . 2009-04-20 21:01 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-20 21:00 . 2009-04-06 19:32 15504 ------w c:\windows\system32\drivers\mbam.sys
2009-04-20 21:00 . 2009-04-06 19:32 38496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-----w c:\program files\Anti-Malware
2009-04-17 17:33 . 2009-04-17 17:33 -------- d-----w c:\windows\McAfee.com
2009-04-17 07:31 . 2009-04-17 07:31 -------- d--h--w c:\windows\system32\IIS
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\scripts
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\download
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\channels
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\sounds
2009-04-17 07:30 . 2009-04-17 07:30 -------- d-----w c:\windows\system32\logs
2009-04-17 07:29 . 2008-05-31 03:48 36 ----a-w c:\windows\system32\start.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 23:29 . 2009-01-05 16:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-31 23:29 . 2009-03-31 23:29 -------- d-----w c:\program files\Volume ID
2009-03-23 20:46 . 2009-03-22 11:28 744 ------w c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 20:46 . 2009-03-22 11:27 1316 ------w c:\windows\system32\drivers\shellconfig.oxc
2009-03-20 15:20 . 2009-03-20 15:20 -------- d-----w c:\program files\iSilo
2009-03-19 17:02 . 2009-03-19 17:02 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 22:07 . 2009-03-18 22:07 -------- d-----w c:\program files\Kompozer
2009-03-18 18:42 . 2009-03-18 18:42 -------- d-----w c:\program files\Nvu
2009-03-18 18:19 . 2003-07-18 16:10 21442 ----a-w c:\windows\mozver.dat
2009-03-18 18:18 . 2009-03-18 18:18 118784 ----a-w c:\windows\GREUninstall.exe
2009-03-17 20:34 . 2009-03-17 20:34 -------- d-----w c:\program files\Display Shortcut Keys
2009-03-17 17:39 . 2009-03-17 17:39 -------- d-----w c:\program files\DriveImage XML
2009-03-06 14:22 . 2003-09-22 21:44 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 15:10 . 2006-04-29 17:49 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-05 15:10 . 2003-07-09 16:08 1632 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2003-02-13 22:41 . 2003-02-13 22:41 266 --sh--w c:\program files\desktop.ini
2003-02-13 22:41 . 2003-02-13 22:41 11079 ---h--w c:\program files\folder.htt
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\IIS ----

2009-04-22 21:06 . 2009-04-20 19:43 65333 ----a-w c:\windows\system32\IIS\Fridays coupons.GIF
2009-04-17 07:32 . 2009-04-17 07:32 45 ----a-w c:\windows\system32\IIS\svchost.log
2009-04-17 07:31 . 2009-04-17 07:32 452 ----a-w c:\windows\system32\IIS\svchost.ini
2009-04-17 07:31 . 2003-12-09 09:35 363 ----a-w c:\windows\system32\IIS\uninstall.uni
2009-04-17 07:31 . 2005-04-08 20:37 17 ----a-w c:\windows\system32\IIS\radmin.txt
2009-04-17 07:31 . 2004-09-27 02:51 42 ----a-w c:\windows\system32\IIS\aliases.ini
2009-04-17 07:31 . 2009-04-17 07:32 25248 ----a-w c:\windows\system32\IIS\regedit


((((((((((((((((((((((((((((( SnapShot@2009-05-08_04.00.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-12 03:40 . 2009-05-12 03:40 16384 c:\windows\TEMP\Perflib_Perfdata_508.dat
+ 2001-08-23 16:00 . 2009-05-08 14:27 63528 c:\windows\SYSTEM32\perfc009.dat
- 2001-08-23 16:00 . 2009-05-08 02:41 63528 c:\windows\SYSTEM32\perfc009.dat
+ 2001-08-23 16:00 . 2009-05-08 14:27 406328 c:\windows\SYSTEM32\perfh009.dat
- 2001-08-23 16:00 . 2009-05-08 02:41 406328 c:\windows\SYSTEM32\perfh009.dat
+ 2009-05-11 23:30 . 2009-05-11 23:29 148888 c:\windows\SYSTEM32\javaws.exe
- 2009-01-05 16:26 . 2009-01-05 16:25 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-05-11 23:30 . 2009-05-11 23:29 144792 c:\windows\SYSTEM32\javaw.exe
- 2009-01-05 16:26 . 2009-01-05 16:25 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-05-11 23:30 . 2009-05-11 23:29 144792 c:\windows\SYSTEM32\java.exe
- 2009-01-05 16:26 . 2009-01-05 16:25 144792 c:\windows\SYSTEM32\java.exe
+ 2001-08-23 16:00 . 2008-06-20 11:59 361600 c:\windows\SYSTEM32\DRIVERS\tcpip.sys
- 2001-08-23 16:00 . 2008-06-20 11:51 361600 c:\windows\SYSTEM32\DRIVERS\tcpip.sys
+ 2001-08-23 16:00 . 2008-06-20 11:59 361600 c:\windows\SYSTEM32\dllcache\tcpip.sys
- 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\SYSTEM32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSI Loader"="c:\program files\Common Files\Smith Micro Shared\FAX\SMLoader.exe" [1999-06-18 32768]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760]
"DIAGENT"="c:\program files\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"BJLaunchEXE"="c:\program files\Canon\BJCard\BJLaunch.exe" [2002-03-14 630784]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2008-11-26 6223048]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2002-11-08 19968]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-02-24 1495040]

c:\documents and settings\User\Start Menu\Programs\Startup\
Calendar.lnk - c:\program files\Calendar\Calendar.exe [2009-3-3 416256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DynDNS Updater.lnk - c:\program files\DynDNS Updater\DynUpPs.exe [2008-6-23 94208]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-2-27 286720]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
FriendlyName= J-Track: Satellite Tracking

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online\\waol.exe"=
"c:\\Program Files\\Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\RealPlayer\\RealPlay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\System32\\usmt\\migwiz.exe"=

R1 OADevice;OADriver;c:\windows\SYSTEM32\DRIVERS\OADriver.sys [2/24/2009 12:01 PM 178376]
R1 OAmon;OAmon;c:\windows\SYSTEM32\DRIVERS\OAmon.sys [2/24/2009 12:01 PM 30920]
R1 OAnet;OAnet;c:\windows\SYSTEM32\DRIVERS\OAnet.sys [2/24/2009 12:01 PM 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2/24/2009 12:01 PM 1402568]
S2 AVWUpSrv;AntiVir Update;c:\program files\AVPersonal\AVWUPSRV.EXE --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S2 net-ip;IP / TCP Services;c:\windows\SYSTEM32\DRIVERS\aspi32.exe --> c:\windows\SYSTEM32\DRIVERS\aspi32.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2/24/2009 12:01 PM 3321032]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS --> c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys --> c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\Data Files Incremental Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-05-07 c:\windows\Tasks\Program Files Incremental Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-03-26 c:\windows\Tasks\Data Files Normal Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-03-26 c:\windows\Tasks\Program Files Normal Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 02:36]

2009-05-11 c:\windows\Tasks\System Information.job
- c:\progra~1\COMMON~1\MICROS~1\MSINFO\msinfo32.exe [2003-02-13 11:00]

2009-05-11 c:\windows\Tasks\Regedit.job
- c:\windows\regedit.exe [2003-09-22 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\0u679xmw.default\
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 00:10
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(428)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1608)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-05-12 0:15
ComboFix-quarantined-files.txt 2009-05-12 04:15
ComboFix2.txt 2009-05-08 04:05

Pre-Run: 9,556,262,912 bytes free
Post-Run: 9,539,977,216 bytes free

232 --- E O F --- 2009-05-08 02:13
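
The SERVICES / DRIVERS block of the ComboFix log above is where the remaining leftovers show: four entries end in `--> ... [?]`, meaning the tool could not find the registered file, and one of them, `net-ip` ("IP / TCP Services"), points at an `.exe` inside `c:\windows\SYSTEM32\DRIVERS\`, a directory that holds `.sys` files rather than programs. The script below is an added example, written for this page and not part of the post, of ComboFix or of DDS; it parses lines of that shape and flags exactly those two conditions. The sample input is copied from the log above; the R/S state and start-type digit follow the convention these logs print, and the two flags are heuristics chosen for this example.

```python
"""Triage for the SERVICES / DRIVERS block of a ComboFix or DDS log.

Added example; not part of this thread, of ComboFix or of DDS.  Line shapes
it understands, as printed in the log above:

    R1 name;display name;path [date size]        file present
    S2 name;display name;path --> path [?]       file not found by the tool

R/S is the running/stopped state and the digit the start type.  The flags
raised are heuristics chosen for this example.
"""
import re

SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)

# Constructed sample input: the service lines copied from the ComboFix log
# posted above.  Nothing is read from the running machine.
SAMPLE = r"""
R1 OADevice;OADriver;c:\windows\SYSTEM32\DRIVERS\OADriver.sys [2/24/2009 12:01 PM 178376]
R1 OAmon;OAmon;c:\windows\SYSTEM32\DRIVERS\OAmon.sys [2/24/2009 12:01 PM 30920]
R1 OAnet;OAnet;c:\windows\SYSTEM32\DRIVERS\OAnet.sys [2/24/2009 12:01 PM 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2/24/2009 12:01 PM 1402568]
S2 AVWUpSrv;AntiVir Update;c:\program files\AVPersonal\AVWUPSRV.EXE --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S2 net-ip;IP / TCP Services;c:\windows\SYSTEM32\DRIVERS\aspi32.exe --> c:\windows\SYSTEM32\DRIVERS\aspi32.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2/24/2009 12:01 PM 3321032]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS --> c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys --> c:\progra~1\EFFICI~1\TANGOM~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
"""


def parse_services(text):
    """Return one dict per service line; lines of any other shape are ignored."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["running"] = row["state"] == "R"
        row["missing"] = row["info"] == "?"   # the tool printed [?]: file not found
        rows.append(row)
    return rows


def flag_service(row):
    """Reasons a responder should look at this entry; empty list means none."""
    reasons = []
    if row["missing"]:
        reasons.append("binary not found on disk")
    path = row["path"].lower()
    # Windows keeps .sys files under \drivers\; an .exe registered there is odd.
    if "\\drivers\\" in path and path.endswith(".exe"):
        reasons.append("executable registered from a drivers directory")
    return reasons


def triage(text):
    """Map service name -> reasons for every flagged line in the log text."""
    flagged = {}
    for row in parse_services(text):
        reasons = flag_service(row)
        if reasons:
            flagged[row["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A missing binary on its own is often just an uninstalled product that left its service key behind (the `AVPersonal` and `TANGOM~1` entries look like that); the entry worth treating as an infection leftover is the one that combines a generic display name, a system-sounding path and a file type that does not belong there, which is why `net-ip` collects both flags.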

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 12 May 2009 - 07:06 AM

Hello.

Looks better. Let's get one more scan off to check for anything we've missed.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right-click the icon and select Run As Administrator.
  • Under Main > Select Files to Delete, choose Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Also take a new DDS.txt log after.

How is your computer running now?

With Regards,
The Panda

#9 DDE12 (Topic Starter, Members, 33 posts)

Posted 15 May 2009 - 03:13 PM

Hi Panda,

I completed all of your suggestions and used my computer for a couple of days to see how it was running. I'm still having network issues and I get weird results from the ipconfig /all command, but that might be outside the scope of this forum. Thank you for your help.


DDS (Ver_09-03-16.01) - FAT32x86
Run by User at 12:45:20.39 on Wed 05/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.221 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Calendar\Calendar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [DIAGENT] c:\program files\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\User\startm~1\programs\startup\calendar.lnk - c:\program files\calendar\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynUpPs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: <NO NAME> =
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.7317939815
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} - hxxp://fdl.msn.com/public/investor/v9/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5587/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\User\applic~1\mozilla\firefox\profiles\0u679xmw.default\
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-24 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-24 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-24 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-24 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-24 68865]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-2-24 1402568]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-24 52032]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-24 151297]
S2 AVWUpSrv;AntiVir Update;c:\program files\avpersonal\avwupsrv.exe --> c:\program files\avpersonal\AVWUPSRV.EXE [?]
S2 net-ip;IP / TCP Services;c:\windows\system32\drivers\aspi32.exe --> c:\windows\system32\drivers\aspi32.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-2-24 3321032]
S3 a2free;a-squared Free Service;c:\program files\a-squared\a2service.exe [2009-4-28 425080]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\effici~1\tangom~1\app\lognt.sys --> c:\progra~1\effici~1\tangom~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-11 19:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-07 21:59 <DIR> --dshr-- C:\cmdcons
2009-05-07 21:59 <DIR> --d----- c:\windows\setupupd
2009-05-07 11:40 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-07 11:40 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-07 11:40 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-07 11:40 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-07 11:40 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-07 11:40 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-07 11:40 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-07 11:40 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-07 11:40 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-07 11:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-07 11:38 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-07 11:38 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-07 11:12 161,792 a------- c:\windows\SWREG.exe
2009-05-07 11:12 98,816 a------- c:\windows\sed.exe
2009-04-28 13:42 <DIR> --d----- c:\program files\A-squared
2009-04-23 19:54 <DIR> --d----- c:\program files\Spybot S&D
2009-04-23 19:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-21 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-21 12:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-21 12:30 <DIR> --d----- c:\docume~1\User\applic~1\SUPERAntiSpyware.com
2009-04-21 12:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-21 10:48 <DIR> --d----- c:\program files\Process Explorer
2009-04-20 17:01 <DIR> --d----- c:\docume~1\User\applic~1\Malwarebytes
2009-04-20 17:00 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-04-20 17:00 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 17:00 <DIR> --d----- c:\program files\Anti-Malware
2009-04-20 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 13:33 <DIR> --d----- c:\windows\McAfee.com
2009-04-17 03:31 <DIR> --d-h--- c:\windows\system32\IIS
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\scripts
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\download
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\sounds
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\logs
2009-04-17 03:30 <DIR> --d----- c:\windows\system32\channels
2009-04-17 03:29 812 a------- c:\windows\system32\ifx.ini
2009-04-17 03:29 36 a------- c:\windows\system32\start.bat

==================== Find3M ====================

2009-05-11 19:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-23 16:46 744 -------- c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 16:46 1,316 -------- c:\windows\system32\drivers\shellconfig.oxc
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-18 14:19 21,442 a------- c:\windows\mozver.dat
2009-03-18 14:18 118,784 a------- c:\windows\GREUninstall.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 11:10 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-05 11:10 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2003-02-13 18:41 266 ---sh--- c:\program files\desktop.ini
2003-02-13 18:41 11,079 ----h--- c:\program files\folder.htt
2008-08-22 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 12:47:10.94 ===============


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:08 AM

Posted 15 May 2009 - 03:16 PM

Hello DDE12.

Were you able to run the F-Secure scan?

Please tell me what entries in IPConfig you are referring to.

With Regards,
The Panda

#11 DDE12

DDE12
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 15 May 2009 - 08:33 PM

Hi Panda,

I did run F-Secure and I apologize as I forgot to paste the log into the post. So here is that log and the ipconfig/all info. I changed a couple of lines in the ipconfig info (to protect my anonymity lol) but made notes as to what I changed. Most of it I don't understand at all. F-Secure deleted part of my VNC calling it spyware. I used that for remote desktop and don't know if it is truly spyware.

Scanning Report
Wednesday, May 13, 2009 21:35:09 - 12:18:38

Computer name: DESKTOP
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ F:\
2 malware found
RemoteAdmin.Win32.WinVNC (spyware)

* System (Disinfected)

Backdoor.IRC.Zapchast (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E7FC868-0A57-4232-8904-EDCDDBF84EFF}\RP1505\A0764346.INI (Renamed & Submitted)

Statistics
Scanned:

* Files: 56370
* System: 3913
* Not scanned: 6

Actions:

* Disinfected: 1
* Renamed: 1
* Deleted: 0
* Not cleaned: 0
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.8.9080, 2009-05-12
* F-Secure AVP: 7.0.171, 2009-05-12
* F-Secure Pegasus: 1.20.0
* F-Secure Blacklight

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : route.name.com

Ethernet adapter Ethernet Connection:

Connection-specific DNS Suffix . : router.name.com
Description . . . . . . . . . . . : Linksys NC100 Fast Ethernet Adapter
Physical Address. . . . . . . . . : 12:34:56:78:9A:BC (I changed this from the actual one for the post but it was normal)
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.## (I changed this from the actual one for the post but it was normal)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::20c:41ff:feea:a7ca%6
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
192.168.1.1
fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Lease Obtained. . . . . . . . . . : Friday, May 15, 2009 12:04:18 PM
Lease Expires . . . . . . . . . . : Saturday, May 16, 2009 12:04:18 PM

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . : router.name.com
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : C0-A8-01-11
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.17%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:08 AM

Posted 16 May 2009 - 08:14 AM

Hello.

Which entries were of concern?

With Regards,
The Panda

#13 DDE12

DDE12
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 16 May 2009 - 01:20 PM

Ipconfig/all used to look like the following... but a virus or the cleanup process seems to have damaged the IP/TCP Protocol. The Service Control Manager is reporting "The IP/TCP services failed to start due to the following error: The system cannot find the specified file." Because of this (I think), my computers on my network can't communicate with each other because I can't get them to find each other.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Desktop
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : router.name.com

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : router.name.com
Description . . . . . . . . . . . : Dell Wireless 1370 WLAN Mini-PCI Card
Physical Address. . . . . . . . . : 12:34:56:78:9A:BC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.##
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
192.168.1.1
Lease Obtained. . . . . . . . . . : Saturday, May 16, 2009 1:56:30 PM
Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 1:56:30 PM

C:\Documents and Settings\User>
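
The Service Control Manager message quoted above ("The IP/TCP services failed to start ... The system cannot find the specified file") lines up with an entry that is visible in the DDS logs in this thread: `S2 net-ip;IP / TCP Services;c:\windows\system32\drivers\aspi32.exe --> ... [?]`, an automatic-start service whose binary DDS could not find and which points at an .exe in the drivers directory. The script below is an added example, not part of this thread or of the DDS tool: it parses the SERVICES / DRIVERS section of a DDS log and flags the entries a responder would look at first. The sample lines are copied from the logs posted above so it runs offline; the rule names (`binary-not-found`, `exe-in-drivers-dir`, `auto-start-but-missing`) and the thresholds are this example's own choices, not anything DDS itself reports.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the thread above or of the DDS tool itself.
The rule names below are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: these five lines are copied from the DDS logs posted
# in this thread so the script runs offline without a real log.
SAMPLE = r"""R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-24 178376]
S2 AVWUpSrv;AntiVir Update;c:\program files\avpersonal\avwupsrv.exe --> c:\program files\avpersonal\AVWUPSRV.EXE [?]
S2 net-ip;IP / TCP Services;c:\windows\system32\drivers\aspi32.exe --> c:\windows\system32\drivers\aspi32.exe [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-2-24 1402568]
"""

# DDS prints one service per line:
#   <state> <name>;<display name>;<image path> [<yyyy-m-d> <size>]
# and, when it cannot stat the file, "<path> --> <resolved path> [?]".
# <state> is R (running) or S (stopped) plus the Windows start type digit
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<tail>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str                       # resolved image path as DDS printed it
    missing: bool                   # True when DDS printed "[?]"
    size: Optional[int] = None
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = TAIL_RE.match(m.group("rest"))
    if not t:
        return None
    path = t.group("path")
    if " --> " in path:              # keep the path DDS resolved to
        path = path.split(" --> ", 1)[1]
    tail = t.group("tail").strip()
    missing = tail == "?"
    size = None
    if not missing:
        parts = tail.split()
        if len(parts) == 2 and parts[1].isdigit():
            size = int(parts[1])
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        path, missing, size)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach triage reasons (this example's own rules) to an entry."""
    low = entry.path.lower()
    if entry.missing:
        entry.reasons.append("binary-not-found")
    if "\\drivers\\" in low and low.endswith(".exe"):
        # system32\drivers normally holds .sys kernel drivers, not .exe services
        entry.reasons.append("exe-in-drivers-dir")
    if entry.missing and entry.state[1] == "2":
        # an automatic-start service whose binary is gone produces an SCM
        # start failure on every boot, like the one quoted in this thread
        entry.reasons.append("auto-start-but-missing")
    return entry


def triage(text: str) -> List[ServiceEntry]:
    """Return the flagged entries, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.state} {e.name:<10} {e.display:<28} {e.path}  <- {', '.join(e.reasons)}")
```

Run against the sample, `triage` flags AVWUpSrv, net-ip and L2XPSR and leaves the Avira and Online Armor entries alone; net-ip is the only one that trips all three rules. A flag is a reason to look, not a verdict: the next step is to compare the service name and display name against the service list of a known-clean Windows XP machine and to check what the registry ImagePath actually points at.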

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:08 AM

Posted 16 May 2009 - 01:35 PM

Hello.

It looks like a system file was damaged.

Let's run the system file checker.

Run System File Checker for XP SP3 Without Disk
Download the standalone Windows XP SP3 package from here:
http://www.microsoft.com/downloads/details...;displaylang=en
and save it to your desktop.

Then extract the files from the package by going to Start -> Run and entering:
"%userprofile%\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe" -x:C:\xpsp3
This will place the Service Pack 3 update files, including the i386 folder, on your C drive under the folder "xpsp3".

You should then be able to point SFC at this folder for the files it can't find from your windows disk or i386 folder.

Tell me how it goes.

Take a new DDS.txt log after.

With Regards,
The Panda

#15 DDE12

DDE12
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 22 May 2009 - 12:05 AM

Hi Panda,

Ok, I did everything you suggested in the previous post and my ipconfig/all settings are back to normal and my network is working again BUT I was having a problem browsing the internet and I've been doing some tinkering. I have found that my firewall, Online Armor, is preventing me from browsing the internet by domain name. For instance, I could navigate to Google via ip address but not google.com. This behavior occurs sporadically though. Sometimes when I restart the computer and Online Armor is running I can browse normally and sometimes I can only connect by ip address. I uninstalled Online Armor and reinstalled but this did not solve anything. Do you have any thoughts on what to try to fix this? Thank you for your help.


DDS (Ver_09-03-16.01) - FAT32x86
Run by User at 0:39:38.83 on Fri 05/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.185 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Calendar\Calendar.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [DIAGENT] c:\program files\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
StartupFolder: c:\docume~1\User\startm~1\programs\startup\calendar.lnk - c:\program files\calendar\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynUpPs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: <NO NAME> =
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.7317939815
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} - hxxp://fdl.msn.com/public/investor/v9/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5587/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\User\applic~1\mozilla\firefox\profiles\0u679xmw.default\
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-24 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-21 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-21 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-21 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-24 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-24 151297]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-5-21 361160]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-24 52032]
S2 AVWUpSrv;AntiVir Update;c:\program files\avpersonal\avwupsrv.exe --> c:\program files\avpersonal\AVWUPSRV.EXE [?]
S2 net-ip;IP / TCP Services;c:\windows\system32\drivers\aspi32.exe --> c:\windows\system32\drivers\aspi32.exe [?]
S2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-5-21 3049160]
S3 a2free;a-squared Free Service;c:\program files\a-squared\a2service.exe [2009-4-28 425080]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\effici~1\tangom~1\app\l2xpsr.sys --> c:\progra~1\effici~1\tangom~1\app\L2XPSR.SYS [?]
S3 LOGNT;LOGNT;\??\c:\progra~1\effici~1\tangom~1\app\lognt.sys --> c:\progra~1\effici~1\tangom~1\app\lognt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-21 23:45 <DIR> --d----- c:\program files\HOTTProxy
2009-05-21 19:01 <DIR> --d----- c:\docume~1\User\applic~1\OnlineArmor
2009-05-21 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-21 19:01 196,688 a------- c:\windows\system32\drivers\OADriver.sys
2009-05-21 19:01 31,824 a------- c:\windows\system32\drivers\OAmon.sys
2009-05-21 19:01 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-05-21 10:57 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-05-16 19:20 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-16 19:19 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-16 19:19 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-16 19:19 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-05-16 19:19 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-05-16 19:19 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-05-16 19:19 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-05-16 19:19 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-05-16 19:19 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-05-16 19:19 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-05-16 19:19 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-05-16 19:18 8,832 a------- c:\windows\system32\dllcache\wmiacpi.sys
2009-05-16 19:18 154,624 a------- c:\windows\system32\dllcache\wlluc48.sys
2009-05-16 19:18 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-05-16 19:18 771,581 a------- c:\windows\system32\dllcache\winacisa.sys
2009-05-16 19:18 53,760 a------- c:\windows\system32\dllcache\wiamsmud.dll
2009-05-16 19:18 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-05-16 19:18 701,386 a------- c:\windows\system32\dllcache\wdhaalba.sys
2009-05-16 19:16 765,884 a------- c:\windows\system32\dllcache\usrti.sys
2009-05-16 19:15 166,784 a------- c:\windows\system32\dllcache\tridxpm.sys
2009-05-16 19:14 32,640 a------- c:\windows\system32\dllcache\symc8xx.sys
2009-05-16 19:13 58,368 a------- c:\windows\system32\dllcache\smiminib.sys
2009-05-16 19:13 147,200 a------- c:\windows\system32\dllcache\smidispb.dll
2009-05-16 19:13 25,034 a------- c:\windows\system32\dllcache\smcpwr2n.sys
2009-05-16 19:13 35,913 a------- c:\windows\system32\dllcache\smcirda.sys
2009-05-16 19:13 24,576 a------- c:\windows\system32\dllcache\smc8000n.sys
2009-05-16 19:13 6,784 a------- c:\windows\system32\dllcache\smbhc.sys
2009-05-16 19:13 6,912 a------- c:\windows\system32\dllcache\smbclass.sys
2009-05-16 19:13 16,000 a------- c:\windows\system32\dllcache\smbbatt.sys
2009-05-16 19:13 45,568 a------- c:\windows\system32\dllcache\smb3w.dll
2009-05-16 19:13 33,792 a------- c:\windows\system32\dllcache\smb0w.dll
2009-05-16 19:13 28,672 a------- c:\windows\system32\dllcache\sma0w.dll
2009-05-16 19:13 28,160 a------- c:\windows\system32\dllcache\sm91w.dll
2009-05-16 19:11 11,648 a------- c:\windows\system32\dllcache\scsiprnt.sys
2009-05-16 19:10 9,216 a------- c:\windows\system32\dllcache\rsmgrstr.dll
2009-05-16 19:09 130,942 a------- c:\windows\system32\dllcache\ptserlv.sys
2009-05-16 19:08 27,904 a------- c:\windows\system32\dllcache\perm2.sys
2009-05-16 19:07 61,696 a------- c:\windows\system32\dllcache\ohci1394.sys
2009-05-16 19:07 198,144 a------- c:\windows\system32\dllcache\nv3.sys
2009-05-16 19:07 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-05-16 19:07 51,552 a------- c:\windows\system32\dllcache\ntgrip.sys
2009-05-16 19:07 9,344 a------- c:\windows\system32\dllcache\ntapm.sys
2009-05-16 19:07 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-05-16 19:07 28,672 a------- c:\windows\system32\dllcache\nscirda.sys
2009-05-16 19:07 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-05-16 19:07 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-05-16 19:05 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-05-16 19:05 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-05-16 19:05 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-05-16 19:05 22,016 a------- c:\windows\system32\dllcache\msircomm.sys
2009-05-16 19:05 35,200 a------- c:\windows\system32\dllcache\msgame.sys
2009-05-16 19:05 6,016 a------- c:\windows\system32\dllcache\msfsio.sys
2009-05-16 19:05 17,280 a------- c:\windows\system32\dllcache\mraid35x.sys
2009-05-16 19:03 606,684 a------- c:\windows\system32\dllcache\ltmdmnt.sys
2009-05-16 19:02 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-05-16 19:02 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-05-16 19:02 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
2009-05-16 19:02 5,632 a------- c:\windows\system32\dllcache\kbd103.dll
2009-05-16 19:02 6,144 a------- c:\windows\system32\dllcache\kbd101c.dll
2009-05-16 19:02 6,144 a------- c:\windows\system32\dllcache\kbd101b.dll
2009-05-16 19:02 26,624 a------- c:\windows\system32\dllcache\irstusb.sys
2009-05-16 19:02 18,688 a------- c:\windows\system32\dllcache\irsir.sys
2009-05-16 19:02 28,160 a------- c:\windows\system32\dllcache\irmon.dll
2009-05-16 19:02 23,552 a------- c:\windows\system32\dllcache\irmk7.sys
2009-05-16 19:02 151,552 a------- c:\windows\system32\dllcache\irftp.exe
2009-05-16 19:02 88,192 a------- c:\windows\system32\dllcache\irda.sys
2009-05-16 19:01 45,632 a------- c:\windows\system32\dllcache\ip5515.sys
2009-05-16 19:01 90,200 a------- c:\windows\system32\dllcache\io8ports.dll
2009-05-16 19:01 38,784 a------- c:\windows\system32\dllcache\io8.sys
2009-05-16 19:01 13,056 a------- c:\windows\system32\dllcache\inport.sys
2009-05-16 19:01 16,000 a------- c:\windows\system32\dllcache\ini910u.sys
2009-05-16 19:01 372,824 a------- c:\windows\system32\dllcache\iconf32.dll
2009-05-16 18:59 488,383 a------- c:\windows\system32\dllcache\hsf_v124.sys
2009-05-16 18:58 5,760 a------- c:\windows\system32\dllcache\hpt4qic.sys
2009-05-16 18:57 455,296 a------- c:\windows\system32\dllcache\fusbbase.sys
2009-05-16 18:57 455,680 a------- c:\windows\system32\dllcache\fus2base.sys
2009-05-16 18:57 442,240 a------- c:\windows\system32\dllcache\fpnpbase.sys
2009-05-16 18:57 441,728 a------- c:\windows\system32\dllcache\fpcmbase.sys
2009-05-16 18:57 444,416 a------- c:\windows\system32\dllcache\fpcibase.sys
2009-05-16 18:57 34,173 a------- c:\windows\system32\dllcache\forehe.sys
2009-05-16 18:57 27,165 a------- c:\windows\system32\dllcache\fetnd5.sys
2009-05-16 18:57 22,090 a------- c:\windows\system32\dllcache\fem556n5.sys
2009-05-16 18:57 24,618 a------- c:\windows\system32\dllcache\fa410nd5.sys
2009-05-16 18:57 16,074 a------- c:\windows\system32\dllcache\fa312nd5.sys
2009-05-16 18:57 11,850 a------- c:\windows\system32\dllcache\f3ab18xj.sys
2009-05-16 18:57 12,362 a------- c:\windows\system32\dllcache\f3ab18xi.sys
2009-05-16 18:57 7,040 a------- c:\windows\system32\dllcache\exabyte2.sys
2009-05-16 18:55 241,206 a------- c:\windows\system32\dllcache\el656se5.sys
2009-05-16 18:54 26,698 a------- c:\windows\system32\dllcache\dlh5xnd5.sys
2009-05-16 18:53 14,720 a------- c:\windows\system32\dllcache\dac960nt.sys
2009-05-16 18:52 39,936 a------- c:\windows\system32\dllcache\cnxt1803.sys
2009-05-16 18:52 44,032 a------- c:\windows\system32\dllcache\cnusd.dll
2009-05-16 18:52 6,656 a------- c:\windows\system32\dllcache\cmdide.sys
2009-05-16 18:52 20,736 a------- c:\windows\system32\dllcache\cmbp0wdm.sys
2009-05-16 18:52 13,952 a------- c:\windows\system32\dllcache\cmbatt.sys
2009-05-16 18:52 248,064 a------- c:\windows\system32\dllcache\cl546xm.sys
2009-05-16 18:52 170,880 a------- c:\windows\system32\dllcache\cl546x.dll
2009-05-16 18:52 111,232 a------- c:\windows\system32\dllcache\cl5465.dll
2009-05-16 18:52 45,696 a------- c:\windows\system32\dllcache\cirrus.sys
2009-05-16 18:52 91,264 a------- c:\windows\system32\dllcache\cirrus.dll
2009-05-16 18:52 272,640 a------- c:\windows\system32\dllcache\cinemclc.sys
2009-05-16 18:52 980,034 a------- c:\windows\system32\dllcache\cicap.sys
2009-05-16 15:23 171,264 a------- c:\windows\system32\dllcache\camdrv30.sys
2009-05-16 15:22 66,082 a------- c:\windows\system32\dllcache\c_20105.nls
2009-05-16 15:21 41,472 a------- c:\windows\system32\dllcache\brmfusb.dll
2009-05-16 15:20 38,912 a------- c:\windows\system32\dllcache\avc.sys
2009-05-16 15:19 16,969 a------- c:\windows\system32\dllcache\amb8002.sys
2009-05-16 15:19 5,248 a------- c:\windows\system32\dllcache\aliide.sys
2009-05-16 15:19 26,624 a------- c:\windows\system32\dllcache\alifir.sys
2009-05-16 15:19 27,678 a------- c:\windows\system32\dllcache\ali5261.sys
2009-05-16 15:19 56,960 a------- c:\windows\system32\dllcache\aic78xx.sys
2009-05-16 15:19 55,168 a------- c:\windows\system32\dllcache\aic78u2.sys
2009-05-16 15:19 12,800 a------- c:\windows\system32\dllcache\aha154x.sys
2009-05-16 15:19 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-05-16 15:17 101,888 a------- c:\windows\system32\dllcache\adpu160m.sys
2009-05-16 15:17 46,112 a------- c:\windows\system32\dllcache\adptsf50.sys
2009-05-16 15:17 10,880 a------- c:\windows\system32\dllcache\admjoy.sys
2009-05-16 15:17 747,392 a------- c:\windows\system32\dllcache\adm8830.sys
2009-05-16 15:17 553,984 a------- c:\windows\system32\dllcache\adm8820.sys
2009-05-16 15:17 584,448 a------- c:\windows\system32\dllcache\adm8810.sys
2009-05-16 15:17 20,160 a------- c:\windows\system32\dllcache\adm8511.sys
2009-05-16 15:17 7,424 a------- c:\windows\system32\dllcache\adicvls.sys
2009-05-16 15:15 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-05-11 19:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-07 21:59 <DIR> --dshr-- C:\cmdcons
2009-05-07 21:59 <DIR> --d----- c:\windows\setupupd
2009-05-07 11:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-07 11:12 161,792 a------- c:\windows\SWREG.exe
2009-05-07 11:12 98,816 a------- c:\windows\sed.exe
2009-04-28 13:42 <DIR> --d----- c:\program files\A-squared
2009-04-23 19:54 <DIR> --d----- c:\program files\Spybot S&D
2009-04-23 19:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-05-21 10:39 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-05-11 19:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 15:32 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-03-23 16:46 744 -------- c:\windows\system32\drivers\shellsuccesslog.oxc
2009-03-23 16:46 1,316 -------- c:\windows\system32\drivers\shellconfig.oxc
2009-03-21 10:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-18 14:19 21,442 a------- c:\windows\mozver.dat
2009-03-18 14:18 118,784 a------- c:\windows\GREUninstall.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 11:10 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2003-02-13 18:41 266 ---sh--- c:\program files\desktop.ini
2003-02-13 18:41 11,079 ----h--- c:\program files\folder.htt
2008-08-22 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 0:41:49.90 ===============
