Trojan Horse Dropper Generic AFNC and possibly Downadup



#1 Yican
Posted 22 April 2009 - 10:39 PM

My AVG antivirus version 8.5 keeps detecting Trojan Horse Dropper Generic AFNC in files in my Temporary Internet Files directory. Every time the Resident Shield detected one, I sent it straight to the Virus Vault, but it kept coming back.

I don't know if it's connected, but recently I got the Downadup infection. I can't access major antivirus sites. I downloaded fixdownadup and ran it, but Downadup kept coming back. Recently I tried the Downadup removal tips on this site. I downloaded the BitDefender Downadup removal tool and ran it. It says my system is clean, but I still can't access major antivirus sites. I've installed the Windows updates and have deactivated the autorun feature on my computer.

This is my DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 10:00:37.43 on Thu 04/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239.21 [GMT 7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090422-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyServer = proxy:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WordNet-Online] "c:\program files\wordnet-online\WordNet-Online.exe" /m
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [SpyEmergency] "c:\program files\spy emergency 2005\SpyEmergency.exe"
uRun: [Spy-Kill Deluxe Edition] "c:\program files\spy-kill deluxe edition\Spy-Kill Deluxe Edition.exe" /s
uRun: [PhotoShow Deluxe Media Manager] \\Lutfi\Nero\data\xtras\mssysmgr.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [BDSwitchAgent] c:\program files\softwin\bitdefender9\bdswitch.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-16 09:46 <DIR> --d----- c:\program files\GameHouse
2009-04-06 13:57 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-06 13:48 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 13:48 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-06 13:48 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 13:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-06 13:47 <DIR> --d----- c:\docume~1\user\applic~1\AVGTOOLBAR
2009-04-06 13:47 <DIR> --d----- c:\program files\AVG
2009-04-06 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-01 16:48 2,784 a------- c:\windows\system32\tmp.reg
2009-03-31 10:08 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-03-31 10:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-06-20 08:15 0 ac------ c:\program files\temp01
2008-03-27 22:45 43,992 ac------ c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2006-12-15 04:03 56 -c-shr-- c:\windows\system32\EF0E575348.sys
2008-01-10 02:51 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:02:12.46 ===============


Please help me on this one!
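A check a responder would want for the "can't reach antivirus sites" symptom described above, as an added example that is not part of the original post or of any of the tools it mentions. It resolves a few security-vendor hostnames alongside control hostnames from the same process and separates a general network outage from the selective failure the poster reports. The hostname lists are illustrative assumptions; the substring list in the simulated resolver is a constructed stand-in used so the script runs offline, not the filter list the worm actually carries.

```python
"""Differential DNS resolution check (added example, not from the original post)."""
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], str]

# Constructed sample lists (assumption): vendor/update hosts of the kind the
# poster says are unreachable, plus control hosts that should always resolve.
SECURITY_HOSTS: List[str] = [
    "www.avg.com", "www.avast.com", "www.malwarebytes.org", "update.microsoft.com",
]
CONTROL_HOSTS: List[str] = ["mail.yahoo.com", "www.google.com"]


def resolves(host: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """True if the resolver returns an address, False on any resolution error."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return False


def classify(security: List[str], control: List[str],
             resolver: Resolver = socket.gethostbyname) -> Dict[str, object]:
    """Compare vendor hosts against control hosts resolved from the same process.

    'no-network'      : control hosts fail too, nothing can be concluded
    'selective-block' : controls resolve, every vendor host fails
    'partial'         : controls resolve, some vendor hosts fail
    'clean'           : everything resolves from this process
    """
    sec = {h: resolves(h, resolver) for h in security}
    ctl = {h: resolves(h, resolver) for h in control}
    blocked = [h for h, ok in sec.items() if not ok]
    if not all(ctl.values()):
        verdict = "no-network"
    elif len(blocked) == len(sec):
        verdict = "selective-block"
    elif blocked:
        verdict = "partial"
    else:
        verdict = "clean"
    return {"verdict": verdict, "blocked": blocked, "control": ctl}


# Constructed substrings for the offline simulation (assumption, not the worm's list).
BLOCK_SUBSTRINGS = ("avg", "avast", "malwarebytes", "microsoft")


def simulated_blocking_resolver(host: str) -> str:
    """Stand-in resolver: fails any name containing a blocked substring."""
    if any(s in host.lower() for s in BLOCK_SUBSTRINGS):
        raise socket.gaierror("simulated: name not resolved")
    return "192.0.2.1"  # TEST-NET-1 placeholder address


if __name__ == "__main__":
    # Offline demo; drop the third argument to test the machine's real resolver.
    print(classify(SECURITY_HOSTS, CONTROL_HOSTS, simulated_blocking_resolver))
```

Two caveats when reading the result on a machine like the poster's. The DDS log shows `uInternet Settings,ProxyServer = proxy:8080`, so Internet Explorer goes through a proxy and a browser failure could be the proxy rather than DNS; this script bypasses the proxy and asks the resolver directly. And Conficker's vendor-site blocking is documented as hooking DNS API calls inside processes on the infected host rather than tampering with the DNS server, so the check has to run on the suspect machine, and a `clean` verdict from one fresh process does not clear the host.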

#2 Yican (Topic Starter)
Posted 30 April 2009 - 09:22 PM

An update:

I managed to download an update for Malwarebytes from another site and ran it on my computer on April 27. It caught 7 files infected with Conficker and 2 registry items. I deleted them all.

Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 2015
Windows 5.1.2600 Service Pack 2

4/27/2009 4:04:25 PM
mbam-log-2009-04-27 (16-04-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 124131
Time elapsed: 1 hour(s), 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\bcgqnf[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\glyw[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\pzzp[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\uehpnl[1].jpg (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5S7N91Q3\enyq[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5S7N91Q3\hzjtsus[1].jpg (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D9WC1Q7P\zlotbhff[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.


BUT, three days later I ran Malwarebytes again, and this time it caught 13 files infected with Conficker. Of course I deleted them all, but my computer still has the symptoms of a Conficker infection, such as:
1. Can't access major antivirus site (such as AVG, Avast, Malware Bytes) or security sites (such as Microsoft)
2. Can't go into safe mode

Here is the second Malwarebytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 2015
Windows 5.1.2600 Service Pack 2

4/30/2009 12:20:31 PM
mbam-log-2009-04-30 (12-20-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123531
Time elapsed: 1 hour(s), 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\enyq[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\ocykr[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\odnt[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\zwpy[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\enyq[1].jpg (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\pzhkao[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\rcdmcw[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5S7N91Q3\bvge[1].jpg (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5S7N91Q3\edcra[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5S7N91Q3\zhxxwczv[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D9WC1Q7P\jqnlov[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D9WC1Q7P\lojkqd[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D9WC1Q7P\zqyinh[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.


Now the IT supervisor in my office complains that I spread the Conficker virus to the company's server! Please help me before my computer gets sacked!
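The two Malwarebytes logs above carry a detail that explains why the files keep coming back: every detected file sits under the `NetworkService` profile's Temporary Internet Files, not under the `user` profile that the interactive browser writes to, so something running as the NetworkService account is fetching them, and quarantining the cache does not touch that something. The following triage script, an added example that is not part of the original post and not Malwarebytes' own code, parses log lines of the shape visible above (`<item> (<detection>) -> [<extra> ->] <action>`) and groups them that way. The sample excerpt is copied from the poster's logs; the line format it assumes is only what those logs show.

```python
"""Triage helper for Malwarebytes log lines (added example, not from the post)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed excerpt: a handful of lines copied from the poster's two logs.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2T03VXE3\bcgqnf[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3VUCWUF7\pzzp[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D9WC1Q7P\zlotbhff[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
"""

# '<item> (<detection>)' : the detection name is the last parenthesised token.
_HEAD = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\)$")
# Profile owner on an XP-style path, e.g. NetworkService or user.
_PROFILE = re.compile(r"\\Documents and Settings\\(?P<owner>[^\\]+)\\", re.IGNORECASE)


def parse_mbam(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse detection lines; headers and '(No malicious items detected)' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if " -> " not in line:
            continue
        parts = line.split(" -> ")
        m = _HEAD.match(parts[0])
        if not m:
            continue
        item = m.group("item")
        kind = "registry" if item.upper().startswith("HKEY_") else "file"
        owner = None
        if kind == "file":
            pm = _PROFILE.search(item)
            owner = pm.group("owner") if pm else None
        entries.append({
            "kind": kind,
            "item": item,
            "detection": m.group("detection"),
            "extra": " -> ".join(parts[1:-1]) or None,  # e.g. 'Bad: (1) Good: (0)'
            "action": parts[-1].rstrip("."),
            "owner": owner,
            "browser_cache": "Temporary Internet Files" in item,
        })
    return entries


def summarize(entries: List[Dict[str, Optional[object]]]) -> Dict[str, object]:
    """Group files by owning profile and list the registry values that were reset."""
    by_owner = Counter(e["owner"] or "<none>" for e in entries if e["kind"] == "file")
    by_detection = Counter(e["detection"] for e in entries)
    registry = [(e["item"].rsplit("\\", 1)[-1], e["extra"])
                for e in entries if e["kind"] == "registry"]
    cache_only = all(e["browser_cache"] for e in entries if e["kind"] == "file")
    return {
        "by_owner": dict(by_owner),
        "by_detection": dict(by_detection),
        "registry": registry,
        "files_all_in_browser_cache": cache_only,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

When `by_owner` shows only a service account and `files_all_in_browser_cache` is true, the detections are the downloads, not the downloader; the resident component is whatever process runs under that account with WinINet, which is why the later replies in this thread move on to ComboFix and a rootkit scan rather than more cache cleaning. The two `Security Center` values (`AntiVirusDisableNotify`, `UpdatesDisableNotify` set to 1) are the worm silencing the XP Security Center warnings, and they are worth re-checking after each cleanup pass.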

#3 KoanYorel (Bleepin' Conundrum)
Posted 05 May 2009 - 10:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Yican (Topic Starter)
Posted 05 May 2009 - 09:47 PM

Hi, thanks for the response.

Here is my new DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 9:34:00.50 on Wed 05/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239.45 [GMT 7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyServer = proxy:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WordNet-Online] "c:\program files\wordnet-online\WordNet-Online.exe" /m
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [SpyEmergency] "c:\program files\spy emergency 2005\SpyEmergency.exe"
uRun: [Spy-Kill Deluxe Edition] "c:\program files\spy-kill deluxe edition\Spy-Kill Deluxe Edition.exe" /s
uRun: [PhotoShow Deluxe Media Manager] \\Lutfi\Nero\data\xtras\mssysmgr.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [BDSwitchAgent] c:\program files\softwin\bitdefender9\bdswitch.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-6 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-6 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-6 298264]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2009-5-4 16288]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys --> c:\windows\system32\drivers\spyemrg.sys [?]
S2 NtmsService;Boot Framework;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 Windows System Tray;Windows System Tray;"c:\windows\systay.exe" --> c:\windows\systay.exe [?]

=============== Created Last 30 ================

2009-05-05 13:05 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-05-05 12:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-05 12:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-05 12:48 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-05 12:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-05 11:56 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-05 11:44 <DIR> --d----- C:\hosts
2009-05-04 15:59 161,792 a------- c:\windows\SWREG.exe
2009-05-04 15:59 98,816 a------- c:\windows\sed.exe
2009-05-04 14:50 96,256 a------- c:\windows\system32\CSP_OSU.DLL
2009-05-04 14:50 16,896 a------- c:\windows\system32\CSP_UTL.DLL
2009-05-04 14:50 16,288 a------- c:\windows\system32\drivers\SCFBPNT.SYS
2009-05-04 14:50 307,712 a------- c:\windows\system32\UCS32.DLL
2009-05-04 14:50 34,304 a------- c:\windows\SCFBPPM.DLL
2009-05-04 14:50 <DIR> --d----- c:\program files\Canon
2009-05-04 14:41 <DIR> --d----- C:\temp
2009-04-30 15:29 <DIR> --d----- c:\program files\Great Secrets Da Vinci
2009-04-30 12:21 <DIR> --d----- c:\program files\MonteCristo
2009-04-29 12:52 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-04-27 14:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 14:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 14:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 13:57 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-06 13:48 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 13:48 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-06 13:48 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 13:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-06 13:47 <DIR> --d----- c:\docume~1\user\applic~1\AVGTOOLBAR
2009-04-06 13:47 <DIR> --d----- c:\program files\AVG
2009-04-06 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2008-06-20 08:15 0 ac------ c:\program files\temp01
2008-03-27 22:45 43,992 ac------ c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2006-12-15 04:03 56 -c-shr-- c:\windows\system32\EF0E575348.sys
2008-01-10 02:51 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:34:45.42 ===============


So far the steps I've taken are:
1. Ran Malwarebytes in normal mode - the antispyware detected and cleaned Conficker, but it kept coming back.
2. Ran Malwarebytes in safe mode - the result was the same as above.
3. Ran AVG 8.5 Free in normal mode - the antivirus detected and cleaned Trojan Horse Dropper Generic.AFNC and I-Worm Generic.CJO, but they kept coming back.
4. Ran AVG 8.5 in safe mode - the result was the same as above.
5. I installed SpywareBlaster.
6. Ran Dr.Web CureIt - the antivirus deleted my SmitFraudFix.
7. I've installed Windows update MS08-067 and disabled the autorun feature on my computer.

So far the virus (Downadup?) keeps coming back into my system as picture files in Temporary Internet Files. I can't access major antivirus or security sites. Only recently did I manage to get my computer into safe mode, by downloading and installing the Safe Boot registry.

Please help!
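The second DDS log above is the first one in the thread with a populated SERVICES / DRIVERS section, and two kinds of entry in it deserve a second look before any fix is run: entries whose image DDS could not find on disk (`--> ... [?]`, here `SpyEmrg` and the `Windows System Tray` service pointing at `c:\windows\systay.exe`), and entries hosted inside `svchost.exe -k netsvcs` (here `NtmsService`, shown with the display name `Boot Framework`). Conficker is documented to install itself as a service DLL loaded by a netsvcs svchost, so for every netsvcs-hosted entry the thing to verify is the `ServiceDll` value under the service's `Parameters` key. The parser below, an added example that is not part of the original post and not DDS's own code, reads lines of the shape visible in the log and lists those two categories for manual review; it makes no malware verdict on its own. The R/S prefix and the digit are read as running/stopped and the service's Start value (an assumption about DDS's notation), and the sample is copied from the log above.

```python
"""Parser for the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: four lines copied from the second DDS log in the post.
SAMPLE_SECTION = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-6 325640]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys --> c:\windows\system32\drivers\spyemrg.sys [?]
S2 NtmsService;Boot Framework;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S4 Windows System Tray;Windows System Tray;"c:\windows\systay.exe" --> c:\windows\systay.exe [?]
"""

# '<R|S><start> <name>;<display>;<rest>'  (assumed from the lines above)
_LINE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# '<image> [<date> <size>]' when DDS found the file on disk
_FOUND = re.compile(r"^(?P<image>.+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
# Windows service Start values (assumption: the digit in the DDS prefix is this value)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse each service/driver line into a record; unrecognised lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("[?]"):
            # DDS could not find the image; the path before ' --> ' is the registry value.
            image, missing, date, size = rest.split(" --> ", 1)[0], True, None, None
        else:
            f = _FOUND.match(rest)
            if not f:
                continue
            image, missing = f.group("image"), False
            date, size = f.group("date"), int(f.group("size"))
        image = image.strip().strip('"')
        out.append({
            "name": m.group("name"),
            "display": m.group("display"),
            "running": m.group("state") == "R",
            "start": START_TYPES.get(int(m.group("start")), "unknown"),
            "image": image,
            "missing": missing,
            "date": date,
            "size": size,
            "netsvcs": "svchost.exe -k netsvcs" in image.lower(),
        })
    return out


def review_flags(services: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Entries worth a manual look. None of these is a malware verdict by itself."""
    flags = []
    for s in services:
        if s["missing"]:
            flags.append((s["name"], "image file not found on disk; orphaned entry or removed file"))
        if s["netsvcs"]:
            key = r"HKLM\SYSTEM\CurrentControlSet\Services\%s\Parameters\ServiceDll" % s["name"]
            flags.append((s["name"], "hosted in svchost -k netsvcs; verify the DLL named in " + key))
    return flags


if __name__ == "__main__":
    for name, reason in review_flags(parse_services(SAMPLE_SECTION)):
        print(f"{name}: {reason}")
```

A missing-image entry is only a leftover until the registry says otherwise, and a netsvcs entry is only suspicious once the `ServiceDll` it loads turns out to be something other than the Windows DLL the service name implies; the point of the listing is to hand the responder a short, specific set of registry keys to check rather than the whole log.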

#5 PropagandaPanda (Malware Response Team)
Posted 06 May 2009 - 04:25 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#6 Yican

Yican
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 06 May 2009 - 09:56 PM

Hi PP, glad for your assistance!

I ran ComboFix, but it couldn't install the Windows Recovery Console on my computer, so I continued with the malware removal anyway.

Here is the ComboFix log:

ComboFix 09-05-03.3 - user 05/07/2009 8:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239.82 [GMT 7:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-05 06:05 . 2009-05-05 06:05 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-05 05:49 . 2009-05-05 05:49 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 04:56 . 2009-05-05 05:00 -------- d-----w c:\program files\SpywareBlaster
2009-05-05 04:44 . 2009-05-05 04:45 -------- d-----w C:\hosts
2009-05-04 07:50 . 2001-02-08 20:06 16896 ----a-w c:\windows\system32\CSP_UTL.DLL
2009-05-04 07:50 . 2001-02-08 20:06 96256 ----a-w c:\windows\system32\CSP_OSU.DLL
2009-05-04 07:50 . 2000-02-08 03:33 16288 ----a-w c:\windows\system32\drivers\SCFBPNT.SYS
2009-05-04 07:50 . 2000-02-08 03:33 34304 ----a-w c:\windows\SCFBPPM.DLL
2009-05-04 07:50 . 2001-02-08 20:06 307712 ----a-w c:\windows\system32\UCS32.DLL
2009-05-04 07:50 . 2009-05-04 07:50 -------- d-----w c:\program files\Canon
2009-04-30 08:29 . 2009-05-01 05:26 -------- d-----w c:\program files\Great Secrets Da Vinci
2009-04-29 05:52 . 2009-04-29 05:52 -------- d--h--r c:\documents and settings\user\Application Data\SecuROM
2009-04-29 05:52 . 2009-04-29 05:52 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-27 07:18 . 2009-02-11 03:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 07:17 . 2009-02-11 03:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 07:17 . 2009-04-27 07:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 01:10 . 2006-02-23 23:59 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-06 07:03 . 2007-10-07 22:15 -------- d-----w c:\program files\GetRight
2009-05-04 08:56 . 2009-03-17 08:58 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-06 06:48 . 2009-04-06 06:48 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-06 06:48 . 2009-04-06 06:48 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-06 06:48 . 2009-04-06 06:48 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-06 06:47 . 2009-04-06 06:47 -------- d-----w c:\program files\AVG
2009-03-17 03:42 . 2008-07-04 04:28 -------- d-----w c:\program files\Free Music Zilla
2009-03-13 05:19 . 2009-03-13 05:19 -------- d-----w c:\program files\Trend Micro
2009-02-13 04:31 . 2009-03-18 04:24 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-02-10 09:44 . 2009-02-10 09:44 0 ----a-w c:\windows\nsreg.dat
2008-06-20 01:15 . 2008-06-20 01:15 0 -c--a-w c:\program files\temp01
2006-12-14 21:03 . 2006-10-30 15:48 56 -csh--r c:\windows\system32\EF0E575348.sys
2008-01-09 19:51 . 2006-10-30 15:04 3350 -csha-w c:\windows\system32\KGyGaAvL.sys
2007-09-11 18:24 . 2007-09-11 18:24 679364 --sha-w c:\windows\system32\oqtwa.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_09.03.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 04:40 . 2009-05-06 04:40 16384 c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2009-05-05 05:48 . 2009-05-05 05:48 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-05-05 05:48 . 2009-05-05 05:48 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-01-06 00:32 . 2009-05-07 00:26 218250 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-09-24 05:30 . 2006-01-13 03:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
2009-03-10 07:18 . 2008-04-22 19:08 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

2005-08-12 00:30 . 2005-08-12 00:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-08-12 00:30 . 2005-08-12 00:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\bak\isuspm.exe
2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\bak\isuspm.exe

2004-02-29 23:44 . 2004-02-29 23:44 66680 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-10-17 14:44 . 2006-10-17 14:44 163576 c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe

2002-08-29 12:00 . 2002-08-29 12:00 13312 c:\windows\system32\bak\ctfmon.exe
2002-08-29 12:00 . 2004-08-04 07:56 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"WordNet-Online"="c:\program files\WordNet-Online\WordNet-Online.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [N/A]
"SpyEmergency"="c:\program files\Spy Emergency 2005\SpyEmergency.exe" [N/A]
"Spy-Kill Deluxe Edition"="c:\program files\Spy-Kill Deluxe Edition\Spy-Kill Deluxe Edition.exe" [N/A]
"PhotoShow Deluxe Media Manager"="\\Lutfi\Nero\data\xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [N/A]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [N/A]
"BDSwitchAgent"="c:\program files\Softwin\BitDefender9\bdswitch.exe" [N/A]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [N/A]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-06 1932568]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2004-10-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-06 06:48 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"40056:TCP"= 40056:TCP:HelpMicrosoft BootDefender
"37652:UDP"= 37652:UDP:HelpMicrosoft registrationNET
"63444:TCP"= 63444:TCP:HelpMicrosoft OptionsProgram
"54711:UDP"= 54711:UDP:HelpMicrosoft ReportsAdobe
"5311:TCP"= 5311:TCP:gxucyjo

R1 SpyEmrg;Spy Emergency Driver; [x]
R2 NtmsService;Boot Framework;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 Windows System Tray;Windows System Tray; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-06 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-06 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-06 298264]
S2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\ScFBPNT.SYS [2000-02-08 16288]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NtmsService
qohwvkuz
sbknrj
qmvnhhan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12d3a643-b55d-11dc-996a-0015f283974b}]
\Shell\AutoRun\command - bltkcde.exe
\Shell\explore\Command - bltkcde.exe
\Shell\open\Command - bltkcde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{833f6616-8893-11dc-9932-0015f283974b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
\Shell\Explore\Command - cvlu.exe
\Shell\Open\Command - cvlu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90f9bb1c-f72c-11db-9862-0015f283974b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
\Shell\Explore\Command - cvlu.exe
\Shell\Open\Command - cvlu.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyServer = proxy:8080
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 08:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsService]
"ServiceDll"="c:\windows\system32\mykvvcqc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qmvnhhan]
"ServiceDll"="c:\windows\system32\quxos.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1979792683-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,e0,46,d4,5d,d5,3b,eb,d3,6a,00,62,b7,9a,3e,b8,91,3b,3e,63,32,
8c,71,ae,65,66,80,46,42,38,70,a3,10,8f,1e,f0,c9,8d,66,75,09,c6,2f,6c,47,b6,\
"rkeysecu"=hex:82,bf,de,a9,c0,47,c3,c9,36,a3,b4,2a,bb,5f,db,db
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-07 8:18
ComboFix-quarantined-files.txt 2009-05-07 01:18
ComboFix2.txt 2009-05-04 09:07
ComboFix3.txt 2009-03-16 07:14

Pre-Run: 24,923,394,048 bytes free
Post-Run: 24,957,509,632 bytes free

206 --- E O F --- 2008-09-11 09:05



And here is my GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-07 09:41:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 052DADBD
.text C:\WINDOWS\System32\svchost.exe[876] NETAPI32.dll!NetpwPathCanonicalize 5B86A0F9 5 Bytes JMP 052DAD54
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 0078ADBD

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] NtmsService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qmvnhhan <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@DisplayName Boot Framework
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService@Description Allows error reporting for services and applictions running in non-standard environments.
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService\Parameters@ServiceDll C:\WINDOWS\system32\mykvvcqc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@DisplayName Update Server
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan\Parameters@ServiceDll C:\WINDOWS\system32\quxos.dll
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@DisplayName Boot Framework
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService@Description Allows error reporting for services and applictions running in non-standard environments.
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\NtmsService\Parameters@ServiceDll C:\WINDOWS\system32\mykvvcqc.dll

---- EOF - GMER 1.0.15 ----

What I've done after starting this thread:
1. Ran a scheduled AVG scan. It found Trojan Horse Dropper Generic. AFNC in Temporary Internet Files and deleted them, but they kept coming back. Recently it found I-Worm Generic.CJO in Temporary Internet Files and deleted them, but they kept coming back.
2. Ran MalwareBytes scan. It found Conficker in Temporary Internet Files and deleted them, but they kept coming back.
3. Downloaded a Safe Boot registry and installed it. Managed to get my computer into safe mode.
4. Ran AVG and Malwarebytes scan in safe mode. The result was the same as no. 1 and 2.
5. Tried to follow the steps here:
http://www.bleepingcomputer.com/forums/t/200792/unable-to-access-anti-virus-web-sites/
up until installing SuperAntiSpyware, but I haven't done any safe mode scan with it.
6. Installed some casual games from a CD, and installed a scanner driver.

Waiting for your next assistance!

Edited by Yican, 06 May 2009 - 10:19 PM.


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:06 PM

Posted 07 May 2009 - 07:24 AM

Hello.

Please manually install the Recovery Console per the instructions here. When ComboFix asks if you wish to continue scanning for malware, select No.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    File::
    c:\windows\system32\oqtwa.tmp
    c:\windows\system32\mykvvcqc.dll
    c:\windows\system32\quxos.dll
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12d3a643-b55d-11dc-996a-0015f283974b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{833f6616-8893-11dc-9932-0015f283974b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90f9bb1c-f72c-11db-9862-0015f283974b}]
    
    Driver::
    NtmsService
    qohwvkuz
    sbknrj
    qmvnhhan
    
    NetSvc::
    NtmsService
    qohwvkuz
    sbknrj
    qmvnhhan
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please followup with a new GMER scan too.

With Regards,
The Panda
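
A defender's way to pull the same indicators out of these logs automatically, covering both the GMER/ComboFix output posted in this thread and the entries the CFScript above targets. This is an added example, not ComboFix's, GMER's or the forum's own code. It reads the line formats visible in the logs on this page (GMER hidden-service and `@ServiceDll` lines, ComboFix `mountpoints2` AutoRun commands and `GloballyOpenPorts` entries), correlates them, and ranks them the way the helper's CFScript does: a hidden svchost service plus its ServiceDll becomes a `Driver::`/`NetSvc::` name and a `File::` path. The sample input is constructed from lines on this page, and the function names `triage` and `cfscript_targets` are chosen here.

```python
import re

# Constructed sample: lines copied from the ComboFix and GMER logs posted in
# this thread, trimmed to the entries the helper's CFScript later targets,
# plus one benign line (the AVG watchdog service) as a control.
SAMPLE_LOG = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] NtmsService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qmvnhhan <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\NtmsService\Parameters@ServiceDll C:\WINDOWS\system32\mykvvcqc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\qmvnhhan\Parameters@ServiceDll C:\WINDOWS\system32\quxos.dll
\Shell\AutoRun\command - bltkcde.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"40056:TCP"= 40056:TCP:HelpMicrosoft BootDefender
"5311:TCP"= 5311:TCP:gxucyjo
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-06 298264]
"""

# GMER "Services" section: a service GMER could not enumerate through the
# normal API, i.e. something is hiding it.
HIDDEN_SERVICE = re.compile(
    r"^Service\s+\S+\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")
# GMER "Registry" section: which DLL a svchost-hosted service loads.
SERVICE_DLL = re.compile(
    r"\\Services\\([^\\@]+)\\Parameters@ServiceDll\s+(\S+)", re.IGNORECASE)
# ComboFix mountpoints2 entries: what opening a (removable) drive would run.
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
# ComboFix GloballyOpenPorts entries: port, protocol, description.
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')


def triage(log_text):
    """Collect indicators from ComboFix/GMER log text and rank them."""
    hidden, dlls, autoruns, ports = [], {}, [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HIDDEN_SERVICE.match(line):
            hidden.append(m.group(1))
        elif m := SERVICE_DLL.search(line):
            dlls[m.group(1)] = m.group(2)
        elif m := AUTORUN_CMD.match(line):
            autoruns.append(m.group(1))
        elif m := OPEN_PORT.match(line):
            desc = m.group(3).strip()
            # Windows' own exceptions carry a localized resource reference
            # ("@xpsp2res.dll,-22009"); a free-text label deserves a look.
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "desc": desc, "flag": not desc.startswith("@")})

    findings = []
    for name in hidden:
        dll = dlls.get(name, "<ServiceDll not seen in log>")
        findings.append(("high", f"hidden svchost service {name} loads {dll}"))
    for name, dll in dlls.items():
        if name not in hidden:
            findings.append(("medium", f"review ServiceDll of {name}: {dll}"))
    for cmd in autoruns:
        findings.append(("high", f"removable-drive AutoRun command: {cmd}"))
    for p in ports:
        if p["flag"]:
            findings.append(("medium",
                             f"firewall exception {p['port']}/{p['proto']} labelled '{p['desc']}'"))
    return {"hidden_services": hidden, "service_dlls": dlls,
            "autorun_commands": autoruns, "open_ports": ports,
            "findings": findings}


def cfscript_targets(report):
    """Names a helper would list under Driver::/NetSvc:: and File:: in a CFScript."""
    services = list(report["hidden_services"])
    files = [report["service_dlls"][s] for s in services if s in report["service_dlls"]]
    return {"services": services, "files": files}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for severity, msg in report["findings"]:
        print(f"[{severity:6}] {msg}")
    print(cfscript_targets(report))
```

Run it against a full ComboFix.txt or GMER log by passing the file contents to `triage`. The ranking is deliberately conservative: every hidden service and every AutoRun command is reported, while ServiceDll values and firewall exceptions are only marked for review, since a legitimate third-party service or a user-added exception produces the same line shape.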

#8 Yican

Yican
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 07 May 2009 - 09:29 PM

Hi PP,

I've installed the Windows Recovery Console.

Here is my ComboFix log:

ComboFix 09-05-03.3 - user 05/08/2009 9:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239.75 [GMT 7:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\mykvvcqc.dll
c:\windows\system32\oqtwa.tmp
c:\windows\system32\quxos.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oqtwa.tmp
c:\windows\system32\quxos.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTMSSERVICE
-------\Legacy_QMVNHHAN
-------\Legacy_QOHWVKUZ
-------\Legacy_SBKNRJ
-------\Service_NtmsService
-------\Service_qmvnhhan


((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-05 06:05 . 2009-05-05 06:05 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-05 05:49 . 2009-05-05 05:49 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-05 05:48 . 2009-05-05 05:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 04:56 . 2009-05-05 05:00 -------- d-----w c:\program files\SpywareBlaster
2009-05-05 04:44 . 2009-05-05 04:45 -------- d-----w C:\hosts
2009-05-04 07:50 . 2001-02-08 20:06 16896 ----a-w c:\windows\system32\CSP_UTL.DLL
2009-05-04 07:50 . 2001-02-08 20:06 96256 ----a-w c:\windows\system32\CSP_OSU.DLL
2009-05-04 07:50 . 2000-02-08 03:33 16288 ----a-w c:\windows\system32\drivers\SCFBPNT.SYS
2009-05-04 07:50 . 2000-02-08 03:33 34304 ----a-w c:\windows\SCFBPPM.DLL
2009-05-04 07:50 . 2001-02-08 20:06 307712 ----a-w c:\windows\system32\UCS32.DLL
2009-05-04 07:50 . 2009-05-04 07:50 -------- d-----w c:\program files\Canon
2009-04-30 08:29 . 2009-05-01 05:26 -------- d-----w c:\program files\Great Secrets Da Vinci
2009-04-29 05:52 . 2009-04-29 05:52 -------- d--h--r c:\documents and settings\user\Application Data\SecuROM
2009-04-29 05:52 . 2009-04-29 05:52 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-27 07:18 . 2009-02-11 03:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 07:17 . 2009-02-11 03:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 07:17 . 2009-04-27 07:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 02:05 . 2006-02-23 23:59 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-08 01:45 . 2007-10-07 22:15 -------- d-----w c:\program files\GetRight
2009-05-04 08:56 . 2009-03-17 08:58 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-06 06:48 . 2009-04-06 06:48 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-06 06:48 . 2009-04-06 06:48 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-06 06:48 . 2009-04-06 06:48 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-06 06:47 . 2009-04-06 06:47 -------- d-----w c:\program files\AVG
2009-03-17 03:42 . 2008-07-04 04:28 -------- d-----w c:\program files\Free Music Zilla
2009-03-13 05:19 . 2009-03-13 05:19 -------- d-----w c:\program files\Trend Micro
2009-02-13 04:31 . 2009-03-18 04:24 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-02-10 09:44 . 2009-02-10 09:44 0 ----a-w c:\windows\nsreg.dat
2008-06-20 01:15 . 2008-06-20 01:15 0 -c--a-w c:\program files\temp01
2006-12-14 21:03 . 2006-10-30 15:48 56 -csh--r c:\windows\system32\EF0E575348.sys
2008-01-09 19:51 . 2006-10-30 15:04 3350 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_09.03.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-08 02:06 . 2009-05-08 02:06 16384 c:\windows\temp\Perflib_Perfdata_704.dat
+ 2009-05-05 05:48 . 2009-05-05 05:48 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-05-05 05:48 . 2009-05-05 05:48 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-01-06 00:32 . 2009-05-08 02:06 218275 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-09-24 05:30 . 2006-01-13 03:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
2009-03-10 07:18 . 2008-04-22 19:08 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

2005-08-12 00:30 . 2005-08-12 00:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-08-12 00:30 . 2005-08-12 00:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\bak\isuspm.exe
2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-08-12 00:30 . 2005-08-12 00:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\bak\isuspm.exe

2004-02-29 23:44 . 2004-02-29 23:44 66680 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-10-17 14:44 . 2006-10-17 14:44 163576 c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe

2002-08-29 12:00 . 2002-08-29 12:00 13312 c:\windows\system32\bak\ctfmon.exe
2002-08-29 12:00 . 2004-08-04 07:56 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"WordNet-Online"="c:\program files\WordNet-Online\WordNet-Online.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [N/A]
"SpyEmergency"="c:\program files\Spy Emergency 2005\SpyEmergency.exe" [N/A]
"Spy-Kill Deluxe Edition"="c:\program files\Spy-Kill Deluxe Edition\Spy-Kill Deluxe Edition.exe" [N/A]
"PhotoShow Deluxe Media Manager"="\\Lutfi\Nero\data\xtras\mssysmgr.exe" [2008-04-29 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [N/A]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [N/A]
"BDSwitchAgent"="c:\program files\Softwin\BitDefender9\bdswitch.exe" [N/A]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [N/A]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-06 1932568]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2004-10-27 61952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-06 06:48 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"40056:TCP"= 40056:TCP:HelpMicrosoft BootDefender
"37652:UDP"= 37652:UDP:HelpMicrosoft registrationNET
"63444:TCP"= 63444:TCP:HelpMicrosoft OptionsProgram
"54711:UDP"= 54711:UDP:HelpMicrosoft ReportsAdobe
"5311:TCP"= 5311:TCP:gxucyjo

R1 SpyEmrg;Spy Emergency Driver; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 Windows System Tray;Windows System Tray; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-06 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-06 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-06 298264]
S2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\ScFBPNT.SYS [2000-02-08 16288]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyServer = proxy:8080
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 09:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1979792683-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,e0,46,d4,5d,d5,3b,eb,d3,6a,00,62,b7,9a,3e,b8,91,3b,3e,63,32,
8c,71,ae,65,66,80,46,42,38,70,a3,10,8f,1e,f0,c9,8d,66,75,09,c6,2f,6c,47,b6,\
"rkeysecu"=hex:82,bf,de,a9,c0,47,c3,c9,36,a3,b4,2a,bb,5f,db,db
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\snmp.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-08 9:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-08 02:13
ComboFix2.txt 2009-05-07 01:18
ComboFix3.txt 2009-05-04 09:07
ComboFix4.txt 2009-03-16 07:14

Pre-Run: 24,839,217,152 bytes free
Post-Run: 24,873,721,856 bytes free

210 --- E O F --- 2008-09-11 09:05



And here is my GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-08 09:22:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



Waiting for your next assistance, but is it okay if I reply next Monday? The computer that got infected is the computer at my office.
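
The Security Center overrides and the oddly named GloballyOpenPorts entries in the ComboFix log above are the lines a responder reads first. Below is an added example, not code from this thread or from any of the tools named in it: a Python script that parses those registry-style sections and flags the entries worth reviewing. The sample text is excerpted from the log, and the flagging rules (resource-string check, high-port cut-off, lowercase-token check) are heuristics I chose, not rules from any tool.

```python
import re

# Constructed sample: registry sections excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"40056:TCP"= 40056:TCP:HelpMicrosoft BootDefender
"37652:UDP"= 37652:UDP:HelpMicrosoft registrationNET
"63444:TCP"= 63444:TCP:HelpMicrosoft OptionsProgram
"54711:UDP"= 54711:UDP:HelpMicrosoft ReportsAdobe
"5311:TCP"= 5311:TCP:gxucyjo
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
PORT_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<desc>.*)$")

# Security Center value names that hide or override AV/firewall/update status (heuristic list).
SC_SUSPECT_TAGS = ("override", "disablenotify")
HIGH_PORT = 32768  # heuristic cut-off: no common service listens this high


def parse_sections(text):
    """Split a ComboFix-style registry dump into {section_key_lower: [(name, value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def security_center_findings(sections):
    """Return (section, name) for every non-zero Security Center override or notify-suppression value."""
    findings = []
    for key, values in sections.items():
        if "security center" not in key:
            continue
        for name, value in values:
            m = DWORD_RE.match(value)
            if m and int(m.group("hex"), 16) != 0 and any(t in name.lower() for t in SC_SUSPECT_TAGS):
                findings.append((key, name))
    return findings


def open_port_findings(sections):
    """Flag GloballyOpenPorts entries that deserve a look; the reasons are heuristics, not verdicts."""
    findings = []
    for key, values in sections.items():
        if "globallyopenports" not in key:
            continue
        for _name, value in values:
            m = PORT_RE.match(value)
            if not m:
                continue
            port, proto, desc = int(m.group("port")), m.group("proto"), m.group("desc").strip()
            if desc.startswith("@"):
                # "@dll,-id" is a localized resource string, the form Windows writes for its own rules
                continue
            reasons = []
            if "microsoft" in desc.lower():
                reasons.append("Microsoft-sounding plain-text name; genuine system rules use @resource strings")
            if port >= HIGH_PORT:
                reasons.append(f"port {port} is outside the range of common services")
            if re.fullmatch(r"[a-z]{5,}", desc):
                reasons.append("description is a meaningless lowercase token")
            if not reasons:
                reasons.append("third-party rule with a plain-text description; confirm the owning program")
            findings.append({"port": port, "proto": proto, "desc": desc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    print(*security_center_findings(parsed), sep="\n")
    print(*open_port_findings(parsed), sep="\n")
```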

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:06 PM

Posted 08 May 2009 - 07:07 AM

Hello.

Waiting for your next assistance, but is it okay if I reply next Monday?

That's not a problem.

Looks better.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help prevent malware from being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Download and Run OTListIt
Please download OTListIt by OldTimer to your desktop.
Open OTListIt by double-clicking its icon. If you are using Windows Vista, right-click OTListIt2.exe and select Run As Administrator.
Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTListIt.txt where OTListIt.exe is located.

With Regards,
The Panda

#10 Yican

  • Topic Starter

  • Members
  • 29 posts
  • Local time:11:06 PM

Posted 10 May 2009 - 09:48 PM

Hi again PP,

I can't access the Microsoft Update Website. Every time I went there, the browser gave me this message:

The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the update.microsoft.com home page, and then look for links to the information you want.
If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the update.microsoft.com home page.
11004 - Host not found
Internet Security and Acceleration Server

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Background:
This error indicates that the server, while acting as a gateway or proxy, could not find the IP address of an upstream content server.



The same happened when I tried to access the F-Secure homepage. I tried to find a mirror for the Online Scanner, but couldn't find any.


I downloaded OTListIt and ran it. Below is the log file:

OTListIt logfile created on: 5/11/2009 9:28:59 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

239.30 Mb Total Physical Memory | 53.39 Mb Available Physical Memory | 22.31% Memory free
514.33 Mb Paging File | 173.84 Mb Available in Paging File | 33.80% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 23.18 Gb Free Space | 62.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 139.74 Gb Total Space | 128.89 Gb Free Space | 92.24% Space Free | Partition Type: NTFS

Computer Name: MONICA
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/04/06 13:47:29 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe
PRC - [2006/11/20 15:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
PRC - [2009/04/06 13:47:45 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/04/06 13:47:45 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2007/06/13 17:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/08/04 14:56:57 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2005/03/08 02:33:28 | 00,053,248 | R--- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2005/03/11 16:33:28 | 00,147,456 | R--- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTtrayp.exe
PRC - [2008/04/23 02:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2005/08/12 07:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2009/04/06 13:47:33 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2004/10/13 23:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/01/22 08:03:45 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/06/23 16:20:52 | 00,625,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/04/06 13:47:55 | 00,672,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\aAvgApi.exe
PRC - [2008/06/23 14:47:18 | 04,628,752 | ---- | M] (Headlight Software, Inc.) -- C:\Program Files\GetRight\GetRight.exe
PRC - [2009/05/11 09:25:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/07/29 03:50:08 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2009/04/06 13:47:29 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2002/07/17 16:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Disabled | Stopped])
SRV - [2009/04/29 07:52:20 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2004/08/04 14:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (IISADMIN [Auto | Running])
SRV - [2002/08/29 19:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (LPDSVC [On_Demand | Stopped])
SRV - [2003/07/29 03:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (SMTPSVC [Auto | Running])
SRV - [2005/01/22 12:32:12 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2006/11/20 15:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (W3SVC [Auto | Running])
SRV - File not found -- -- (Windows System Tray [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/04/06 13:48:14 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/04/06 13:48:11 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/06 13:48:22 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2004/12/17 03:36:30 | 00,042,496 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys -- (FETND5BV [On_Demand | Running])
DRV - [2001/08/17 19:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
DRV - [2006/04/19 12:59:45 | 00,005,248 | ---- | M] () -- C:\WINDOWS\System32\giveio.sys -- (giveio [On_Demand | Stopped])
DRV - [2004/10/28 06:21:30 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Running])
DRV - [2004/10/28 06:21:36 | 00,138,240 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/08/13 09:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2002/08/29 19:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/03/12 05:28:13 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2000/02/08 10:33:28 | 00,016,288 | ---- | M] () -- C:\WINDOWS\system32\drivers\ScFBPNT.SYS -- (ScFBPNT [Auto | Running])
DRV - [2007/11/13 17:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
DRV - [2004/03/05 13:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
DRV - [2005/01/22 12:31:48 | 00,026,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Stopped])
DRV - [2005/01/22 12:31:50 | 00,267,384 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2003/07/02 03:42:00 | 00,027,904 | R--- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1 [Boot | Running])
DRV - [2005/07/07 15:58:12 | 00,226,560 | R--- | M] (Copyright © VIA/S3 Graphics Co, Ltd.) -- C:\WINDOWS\System32\DRIVERS\vtmini.sys -- (viagfx [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IE to GetRight Helper) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (Headlight Software, Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender9\bdswitch.exe File not found
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (Macrovision Corporation)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall File not found
O4 - HKLM..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s File not found
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe File not found
O4 - HKLM..\Run: [VTTimer] VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized File not found
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] \\Lutfi\Nero\data\xtras\mssysmgr.exe File not found
O4 - HKCU..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2005\SpyEmergency.exe" File not found
O4 - HKCU..\Run: [Spy-Kill Deluxe Edition] "C:\Program Files\Spy-Kill Deluxe Edition\Spy-Kill Deluxe Edition.exe" /s File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WordNet-Online] "C:\Program Files\WordNet-Online\WordNet-Online.exe" /m File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm ()
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/24 06:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/05/08 16:50:32 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/05/08 09:13:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\temp
[2009/05/08 09:02:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/05/08 08:59:40 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/05/08 08:47:56 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/05/08 08:47:49 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/08 08:47:41 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/06 13:51:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\TikGames
[2009/05/05 12:49:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/05 12:48:42 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/05 12:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
[2009/05/05 11:56:30 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/05/05 11:44:54 | 00,000,000 | ---D | C] -- C:\hosts
[2009/05/04 15:59:27 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/04 15:59:27 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/04 15:59:27 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/04 15:59:27 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/04 15:59:27 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/04 15:59:27 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/04 15:59:27 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/04 15:55:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/04 15:51:10 | 03,012,669 | R--- | C] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/05/04 14:50:25 | 00,096,256 | ---- | C] (Canon) -- C:\WINDOWS\System32\CSP_OSU.DLL
[2009/05/04 14:50:25 | 00,016,896 | ---- | C] (Canon) -- C:\WINDOWS\System32\CSP_UTL.DLL
[2009/05/04 14:50:25 | 00,016,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\SCFBPNT.SYS
[2009/05/04 14:50:24 | 00,307,712 | ---- | C] (Canon) -- C:\WINDOWS\System32\UCS32.DLL
[2009/05/04 14:50:19 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/05/04 13:11:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/30 15:29:22 | 00,000,000 | ---D | C] -- C:\Program Files\Great Secrets Da Vinci
[2009/04/30 13:14:37 | 00,000,002 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\_chk2024200
[2009/04/29 12:52:40 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\user\Application Data\SecuROM
[2009/04/29 12:52:36 | 00,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2009/04/27 14:18:03 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/27 14:17:58 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/27 14:17:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/23 09:53:10 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2009/04/23 09:52:17 | 00,664,576 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Preparation Guide.doc
[2009/04/23 09:14:54 | 00,230,912 | ---- | C] () -- C:\Documents and Settings\user\My Documents\How to remove the Downadup and Conficker worm.doc
[2009/04/13 08:38:13 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\user\My Documents\How to Make Mashed Potatoes.doc
[2009/02/19 15:05:17 | 00,000,123 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/07/25 11:46:51 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2008/07/25 11:46:50 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2007/10/10 23:11:04 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/09/19 05:26:30 | 00,002,158 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2007/09/18 23:56:24 | 00,000,048 | ---- | C] () -- C:\WINDOWS\SK.ini
[2007/09/18 03:23:38 | 00,002,158 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2007/09/18 03:17:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2007/07/11 01:35:55 | 00,000,725 | ---- | C] () -- C:\WINDOWS\AMM1606.INI
[2007/07/11 01:35:55 | 00,000,271 | ---- | C] () -- C:\WINDOWS\JCM1606.INI
[2007/07/11 01:35:55 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AMMI1606.INI
[2007/07/11 01:35:55 | 00,000,211 | ---- | C] () -- C:\WINDOWS\WDM1606.INI
[2007/07/11 01:35:55 | 00,000,211 | ---- | C] () -- C:\WINDOWS\IPC1606.INI
[2007/07/11 01:35:54 | 00,001,304 | ---- | C] () -- C:\WINDOWS\fldportc.ini
[2007/07/11 01:35:31 | 00,002,641 | ---- | C] () -- C:\WINDOWS\EPFWIS.INI
[2007/07/05 05:09:18 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/03/07 07:36:13 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/01/06 07:33:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2007/01/06 07:32:10 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/06 07:32:10 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/06 07:31:39 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/06 07:31:38 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/06 07:31:23 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2006/10/30 22:48:57 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\EF0E575348.sys
[2006/10/30 22:04:27 | 00,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/04/21 01:12:57 | 00,001,344 | ---- | C] () -- C:\WINDOWS\System32\odbcinst.ini
[2006/04/19 15:28:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/04/19 12:59:45 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[2006/03/16 06:10:37 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006/02/24 09:12:31 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/24 09:05:59 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2006/02/24 07:06:02 | 00,018,842 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/02/24 07:06:02 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/02/24 07:05:58 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/11/21 03:17:36 | 00,950,272 | ---- | C] () -- C:\WINDOWS\System32\ice20.dll
[2004/11/21 03:12:26 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\iceutil20.dll
[2004/09/18 07:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2002/08/29 19:00:00 | 00,000,924 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/08/29 19:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1996/11/17 15:37:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/05/11 09:01:53 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\desktop.ini
[2009/05/11 09:01:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/11 09:01:29 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/11 09:01:24 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/08 09:07:38 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/08 09:06:39 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/08 08:47:56 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/05/06 14:05:04 | 35,810,769 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/04 15:56:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/04 15:51:10 | 03,012,669 | R--- | M] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/05/04 15:20:56 | 00,000,155 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/05/01 15:36:46 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/30 13:14:37 | 00,000,002 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\_chk2024200
[2009/04/30 07:57:51 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/04/29 12:52:37 | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2009/04/23 09:53:13 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2009/04/23 09:52:18 | 00,664,576 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Preparation Guide.doc
[2009/04/23 09:14:56 | 00,230,912 | ---- | M] () -- C:\Documents and Settings\user\My Documents\How to remove the Downadup and Conficker worm.doc
[2009/04/21 16:44:50 | 00,009,662 | ---- | M] () -- C:\WINDOWS\EPISME00.SWB
[2009/04/13 12:51:27 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\user\My Documents\How to Make Mashed Potatoes.doc
< End of report >

It also created an Extras.txt file. The content is below:

OTListIt Extras logfile created on: 5/11/2009 9:29:01 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

239.30 Mb Total Physical Memory | 53.39 Mb Available Physical Memory | 22.31% Memory free
514.33 Mb Paging File | 173.84 Mb Available in Paging File | 33.80% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 23.18 Gb Free Space | 62.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 139.74 Gb Total Space | 128.89 Gb Free Space | 92.24% Space Free | Partition Type: NTFS

Computer Name: MONICA
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"FirstRunDisabled" = 1
"UacDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"40056:TCP" = 40056:TCP:*:Enabled:HelpMicrosoft BootDefender
"37652:UDP" = 37652:UDP:*:Enabled:HelpMicrosoft registrationNET
"63444:TCP" = 63444:TCP:*:Enabled:HelpMicrosoft OptionsProgram
"54711:UDP" = 54711:UDP:*:Enabled:HelpMicrosoft ReportsAdobe
"5311:TCP" = 5311:TCP:*:Enabled:gxucyjo

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/10/10 19:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2007/10/17 09:45:42 | 00,626,688 | ---- | M] () -- C:\Program Files\Free Music Zilla\FMZilla.exe:*:Enabled:FMZilla Module
[2009/04/06 13:47:32 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/04/06 13:47:45 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2009/02/11 10:19:32 | 01,273,488 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7169B8E4-2632-46B1-AA5F-167CB5FE5029}" = Symantec Network Drivers Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG 8.5
"BitComet FLV Converter" = BitComet FLV Converter 1.0
"EPSON Printer and Utilities" = EPSON Printer Software
"Free Music Zilla_is1" = Free Music Zilla
"GetRight_is1" = GetRight
"Great Secrets Da Vinci_is1" = Great Secrets Da Vinci
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ScanCraft CS-P" = ScanCraft CS-P
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Surround Mp4 Tool" = Surround Mp4 Tool 3.0.4
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Webshots Desktop" = Webshots Desktop
"Winamp" = Winamp (remove only)
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/21/2009 8:40:13 PM | Computer Name = MONICA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x001ea9e1.

Error - 4/23/2009 3:06:37 AM | Computer Name = MONICA | Source = Application Hang | ID = 1002
Description = Hanging application wrun32.exe, version 7.2.0.1986, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/27/2009 8:25:03 PM | Computer Name = MONICA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/27/2009 9:36:34 PM | Computer Name = MONICA | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.2627.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2009 3:23:09 AM | Computer Name = MONICA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 5/4/2009 10:42:47 PM | Computer Name = MONICA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 5/10/2009 10:16:51 PM | Computer Name = MONICA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: 500 (HTTP Response Status)

Error - 5/10/2009 10:16:51 PM | Computer Name = MONICA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/10/2009 10:17:17 PM | Computer Name = MONICA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: 500 (HTTP Response Status)

Error - 5/10/2009 10:17:17 PM | Computer Name = MONICA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 5/7/2009 11:59:41 PM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/8/2009 12:00:46 AM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/8/2009 12:01:16 AM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/8/2009 3:05:30 AM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/8/2009 3:43:20 AM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/8/2009 5:50:33 AM | Computer Name = MONICA | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 5/8/2009 5:51:20 AM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/10/2009 10:01:27 PM | Computer Name = MONICA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.97 for the Network Card with network
address 0015F283974B has been denied by the DHCP server 61.8.67.195 (The DHCP Server
sent a DHCPNACK message).

Error - 5/10/2009 10:13:18 PM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 5/10/2009 10:20:31 PM | Computer Name = MONICA | Source = DCOM | ID = 10010
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.


< End of report >

Thanks!

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 May 2009 - 07:17 AM

Hello.

Looks like there is still a DNS hijack.

Let's try this.

Download and Run SmitFraudFix Scan
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Double click the icon to run it.
  • Select Option 1 by typing 1 and hitting Enter.
  • When the scan is complete, a log file will appear. Please copy the contents of the log into your next post.

With Regards,
The Panda

#12 Yican
  • Topic Starter
  • Members
  • 29 posts

Posted 11 May 2009 - 08:18 PM

Hi PP,

I've downloaded and run SmitFraudFix.

Here is the log:

SmitFraudFix v2.416

Scan done at 8:11:54.46, Tue 05/12/2009
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\GetRight.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.7
DNS Server Search Order: 202.152.5.36
DNS Server Search Order: 202.155.0.10
DNS Server Search Order: 202.155.0.15

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A17FDD18-5E01-4D26-AF0E-2AD704BA5058}: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A17FDD18-5E01-4D26-AF0E-2AD704BA5058}: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A17FDD18-5E01-4D26-AF0E-2AD704BA5058}: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.7 202.152.5.36 202.155.0.10 202.155.0.15


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 May 2009 - 07:04 AM

Hello.

Run Fix with OTListIt
If you have lost your copy of OTListIt, please download a new one from here.
Copy the contents of the CodeBox below into the Custom Scans/Fixes.
:commands
[resethosts]

Click the Run Fix button. The fix should take a moment to complete. Post back with the logfile that opens.

After clicking Run Fix, OTListIt may ask to reboot the machine. If so, a logfile will open after the reboot.

Take a new OTListIt scan log after.

Are you able to access those sites now?

With Regards,
The Panda

#14 Yican
  • Topic Starter
  • Members
  • 29 posts

Posted 12 May 2009 - 08:08 PM

Hi PP,

Below is the Run Fix log from OTListIt:

========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTListIt2 by OldTimer - Version 2.0.15.6 log created on 05132009_074237

OTListIt did not prompt me to reboot the machine.

And below is the new scan log from OTListIt:

OTListIt logfile created on: 5/13/2009 7:46:11 AM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

239.30 Mb Total Physical Memory | 66.14 Mb Available Physical Memory | 27.64% Memory free
514.33 Mb Paging File | 153.70 Mb Available in Paging File | 29.88% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 23.03 Gb Free Space | 61.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 139.74 Gb Total Space | 128.64 Gb Free Space | 92.06% Space Free | Partition Type: NTFS

Computer Name: MONICA
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/04/06 13:47:29 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe
PRC - [2006/11/20 15:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
PRC - [2009/04/06 13:47:45 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/04/06 13:47:45 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2004/08/04 14:56:57 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2007/06/13 17:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/03/08 02:33:28 | 00,053,248 | R--- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2005/03/11 16:33:28 | 00,147,456 | R--- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTtrayp.exe
PRC - [2008/04/23 02:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2005/08/12 07:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2009/04/06 13:47:33 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2004/10/13 23:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/01/22 08:03:45 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/06/23 16:20:52 | 00,625,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/04/06 13:47:55 | 00,672,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\aAvgApi.exe
PRC - [2008/06/23 14:47:18 | 04,628,752 | ---- | M] (Headlight Software, Inc.) -- C:\Program Files\GetRight\GetRight.exe
PRC - [2009/05/11 09:25:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/07/29 03:50:08 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2009/04/06 13:47:29 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2002/07/17 16:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Disabled | Stopped])
SRV - [2009/04/29 07:52:20 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2004/08/04 14:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (IISADMIN [Auto | Running])
SRV - [2002/08/29 19:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (LPDSVC [On_Demand | Stopped])
SRV - [2003/07/29 03:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (SMTPSVC [Auto | Running])
SRV - [2005/01/22 12:32:12 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2006/11/20 15:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2004/08/04 14:56:50 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (W3SVC [Auto | Running])
SRV - File not found -- -- (Windows System Tray [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/04/06 13:48:14 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/04/06 13:48:11 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/06 13:48:22 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2004/12/17 03:36:30 | 00,042,496 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys -- (FETND5BV [On_Demand | Running])
DRV - [2001/08/17 19:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
DRV - [2006/04/19 12:59:45 | 00,005,248 | ---- | M] () -- C:\WINDOWS\System32\giveio.sys -- (giveio [On_Demand | Stopped])
DRV - [2004/10/28 06:21:30 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Running])
DRV - [2004/10/28 06:21:36 | 00,138,240 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/08/13 09:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2002/08/29 19:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/03/12 05:28:13 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2000/02/08 10:33:28 | 00,016,288 | ---- | M] () -- C:\WINDOWS\system32\drivers\ScFBPNT.SYS -- (ScFBPNT [Auto | Running])
DRV - [2007/11/13 17:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
DRV - [2004/03/05 13:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
DRV - [2005/01/22 12:31:48 | 00,026,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Stopped])
DRV - [2005/01/22 12:31:50 | 00,267,384 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2003/07/02 03:42:00 | 00,027,904 | R--- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1 [Boot | Running])
DRV - [2005/07/07 15:58:12 | 00,226,560 | R--- | M] (Copyright © VIA/S3 Graphics Co, Ltd.) -- C:\WINDOWS\System32\DRIVERS\vtmini.sys -- (viagfx [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/13 07:39:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/13 07:39:51 | 00,000,000 | ---D | M]

[2009/05/13 07:39:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/13 07:39:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/24 11:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 11:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/24 07:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/24 07:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/24 07:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/24 07:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/24 07:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/24 07:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/24 07:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (56 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IE to GetRight Helper) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (Headlight Software, Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender9\bdswitch.exe File not found
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (Macrovision Corporation)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall File not found
O4 - HKLM..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s File not found
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe File not found
O4 - HKLM..\Run: [VTTimer] VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized File not found
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] \\Lutfi\Nero\data\xtras\mssysmgr.exe File not found
O4 - HKCU..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2005\SpyEmergency.exe" File not found
O4 - HKCU..\Run: [Spy-Kill Deluxe Edition] "C:\Program Files\Spy-Kill Deluxe Edition\Spy-Kill Deluxe Edition.exe" /s File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WordNet-Online] "C:\Program Files\WordNet-Online\WordNet-Online.exe" /m File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm ()
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/24 06:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/05/13 07:42:37 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/13 07:40:02 | 00,001,605 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/13 07:39:48 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/12 16:53:15 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/12 14:32:03 | 00,347,648 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Pet Society2.doc
[2009/05/12 13:35:40 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Pet Society.doc
[2009/05/12 08:12:16 | 00,002,776 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2009/05/11 13:19:11 | 00,001,065 | ---- | C] () -- C:\Documents and Settings\user\My Documents\XP-GENUINE.REG
[2009/05/08 16:50:32 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/05/08 09:13:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\temp
[2009/05/08 09:02:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/05/08 08:59:40 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/05/08 08:47:56 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/05/08 08:47:49 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/08 08:47:41 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/06 13:51:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\TikGames
[2009/05/05 12:49:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/05 12:48:42 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/05 12:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
[2009/05/05 11:56:30 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/05/05 11:44:54 | 00,000,000 | ---D | C] -- C:\hosts
[2009/05/04 15:59:27 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/04 15:59:27 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/04 15:59:27 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/04 15:59:27 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/04 15:59:27 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/04 15:59:27 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/04 15:59:27 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/04 15:55:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/04 15:51:10 | 03,012,669 | R--- | C] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/05/04 14:50:25 | 00,096,256 | ---- | C] (Canon) -- C:\WINDOWS\System32\CSP_OSU.DLL
[2009/05/04 14:50:25 | 00,016,896 | ---- | C] (Canon) -- C:\WINDOWS\System32\CSP_UTL.DLL
[2009/05/04 14:50:25 | 00,016,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\SCFBPNT.SYS
[2009/05/04 14:50:24 | 00,307,712 | ---- | C] (Canon) -- C:\WINDOWS\System32\UCS32.DLL
[2009/05/04 14:50:19 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/05/04 13:11:23 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/04/30 15:29:22 | 00,000,000 | ---D | C] -- C:\Program Files\Great Secrets Da Vinci
[2009/04/30 13:14:37 | 00,000,002 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\_chk2024200
[2009/04/29 12:52:40 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\user\Application Data\SecuROM
[2009/04/29 12:52:36 | 00,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2009/04/27 14:18:03 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/27 14:17:58 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/27 14:17:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/23 09:53:10 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2009/04/23 09:52:17 | 00,664,576 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Preparation Guide.doc
[2009/04/23 09:14:54 | 00,230,912 | ---- | C] () -- C:\Documents and Settings\user\My Documents\How to remove the Downadup and Conficker worm.doc
[2009/04/13 08:38:13 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\user\My Documents\How to Make Mashed Potatoes.doc
[2009/02/19 15:05:17 | 00,000,123 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/07/25 11:46:51 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2008/07/25 11:46:50 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2007/10/10 23:11:04 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/09/19 05:26:30 | 00,002,158 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2007/09/18 23:56:24 | 00,000,048 | ---- | C] () -- C:\WINDOWS\SK.ini
[2007/09/18 03:23:38 | 00,002,158 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2007/09/18 03:17:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2007/07/11 01:35:55 | 00,000,725 | ---- | C] () -- C:\WINDOWS\AMM1606.INI
[2007/07/11 01:35:55 | 00,000,271 | ---- | C] () -- C:\WINDOWS\JCM1606.INI
[2007/07/11 01:35:55 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AMMI1606.INI
[2007/07/11 01:35:55 | 00,000,211 | ---- | C] () -- C:\WINDOWS\WDM1606.INI
[2007/07/11 01:35:55 | 00,000,211 | ---- | C] () -- C:\WINDOWS\IPC1606.INI
[2007/07/11 01:35:54 | 00,001,304 | ---- | C] () -- C:\WINDOWS\fldportc.ini
[2007/07/11 01:35:31 | 00,002,641 | ---- | C] () -- C:\WINDOWS\EPFWIS.INI
[2007/07/05 05:09:18 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/03/07 07:36:13 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/01/06 07:33:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2007/01/06 07:32:10 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/06 07:32:10 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/06 07:31:39 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/06 07:31:38 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/06 07:31:23 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2006/10/30 22:48:57 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\EF0E575348.sys
[2006/10/30 22:04:27 | 00,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/04/21 01:12:57 | 00,001,344 | ---- | C] () -- C:\WINDOWS\System32\odbcinst.ini
[2006/04/19 15:28:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/04/19 12:59:45 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[2006/03/16 06:10:37 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006/02/24 09:12:31 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/24 09:05:59 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2006/02/24 07:06:02 | 00,018,842 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/02/24 07:06:02 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/02/24 07:05:58 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/11/21 03:17:36 | 00,950,272 | ---- | C] () -- C:\WINDOWS\System32\ice20.dll
[2004/11/21 03:12:26 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\iceutil20.dll
[2004/09/18 07:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2002/08/29 19:00:00 | 00,000,924 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/08/29 19:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1996/11/17 15:37:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/05/13 07:44:14 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2009/05/13 07:40:02 | 00,001,605 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/13 07:14:25 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\desktop.ini
[2009/05/13 07:13:26 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/13 07:13:18 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/12 15:56:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/12 14:32:06 | 00,347,648 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Pet Society2.doc
[2009/05/12 13:35:41 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Pet Society.doc
[2009/05/12 08:12:16 | 00,002,776 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2009/05/11 13:19:18 | 00,001,065 | ---- | M] () -- C:\Documents and Settings\user\My Documents\XP-GENUINE.REG
[2009/05/11 10:07:00 | 35,862,722 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/11 09:01:29 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/08 09:07:38 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/08 08:47:56 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/05/04 15:51:10 | 03,012,669 | R--- | M] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/05/04 15:20:56 | 00,000,155 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/05/01 15:36:46 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/30 13:14:37 | 00,000,002 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\_chk2024200
[2009/04/30 07:57:51 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/04/29 12:52:37 | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2009/04/23 09:53:13 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2009/04/23 09:52:18 | 00,664,576 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Preparation Guide.doc
[2009/04/23 09:14:56 | 00,230,912 | ---- | M] () -- C:\Documents and Settings\user\My Documents\How to remove the Downadup and Conficker worm.doc
[2009/04/21 16:44:50 | 00,009,662 | ---- | M] () -- C:\WINDOWS\EPISME00.SWB
[2009/04/13 12:51:27 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\user\My Documents\How to Make Mashed Potatoes.doc
< End of report >

Are you able to access those sites now?


No, I still can't access both the Windows Update Website and F-Secure website.



Update: I tried to visit the Windows Update website by visiting its IP address. I managed to get into the site, but when I tried to update, it gave me this error message:

The website has encountered a problem and cannot display the page you are trying to view. Take the following steps to try solving the problem:
Refresh the page.
In Internet Explorer, delete your Temporary Internet Files by going to the Tools menu and clicking Internet Options.
Close and then re-open Internet Explorer.

Internet Explorer (Add-ons Disabled) mode only prevents the use of ActiveX controls, including those used by the Microsoft Update website. To get updates using this browser mode, you need to turn on Automatic Updates on your computer or visit the Windows Update website.

If these steps don’t work, try visiting the site later or using the resources provided below.
For self-help options:


Frequently Asked Questions
Find Solutions
Windows Update Newsgroup
For assisted support options:
Microsoft Online Assisted Support (no-cost for update-related issues)

Edited by Yican, 13 May 2009 - 04:48 AM.


#15 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:06 PM

Posted 13 May 2009 - 05:07 PM

Hello.

Please, referring to this guide, boot into Safe Mode with networking. Simply select that instead of Safe Mode.

Are you able to access the sites there? (Don't perform updates or scans)

Please run ComboFix by clicking it again and post back with that log. Also take a new GMER scan log.

With Regards,
The Panda



