
Win32.TDSS.rtk virus keeps reappearing


19 replies to this topic

#1 peejay52


Posted 02 May 2009 - 08:07 AM

Hi,
Please find attached hijackthis log and spybots as well. These trojans and more keep coming back after running scans from superantispyware, bullguard, spybot and malwarebytes. Please help me to sort this lot out...much appreciated, pete

Attached File: SpybotSD.Report.txt (38.78KB)
Attached File: hijackthis.log (6.6KB)
If I haven't attached logs properly please let me know and I'll copy/paste them

Edited by peejay52, 02 May 2009 - 11:06 AM.



#2 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 03 May 2009 - 04:32 AM

Hello peejay52.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member peejay52 only. If you are a lurker, do NOT try this on your system!
If you are not peejay52 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

=
Next, before we do anything further, I need for you to turn off Spybot's Tea Timer.
Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
As this is a Vista system, do NOT re-activate Tea Timer. It is not needed on Vista; and is a hindrance when removing malware.

=
Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along.

For any reports or logs that we ask for you to post, please do NOT attach them, but rather Copy & Paste the contents within the body of the reply box. None of us wants to download attachments.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 peejay52

  • Topic Starter


Posted 03 May 2009 - 05:33 AM

Maurice,
Thank you for taking the time to help me. I have done as you asked and below is the log...Only this one came up after rsit.exe was run?

Logfile of random's system information tool 1.06 (written by random/random)
Run by payne2 at 2009-05-03 11:30:06
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 41 GB (28%) free of 145 GB
Total RAM: 2039 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:21, on 03/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\payne2\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\payne2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyEb...:ME:LNLK:MESUMX
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /H
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...b/wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6749 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Daily).job
C:\Windows\tasks\User_Feed_Synchronization-{9AD3D01F-4A40-4EED-9659-D2323F7B4A2D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateReg"=C:\Windows\system32\jureg.exe [2007-04-07 54936]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-08-24 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-08-24 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-08-24 129560]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-03-13 304464]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-07-06 4669440]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\rmtray.exe [2008-07-03 812952]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe [2009-03-13 304464]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe [2009-03-23 1830128]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\Users\payne2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-08-24 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
shell\AutoRun\command - J:\autorun.exe
shell\cryo\command - J:\cryo.exe -f index.htm -r guardian.exe -hd guardian.exe
shell\dxe\command - J:\.\directx\dx61eng.exe
shell\dxf\command - .\directx\dx61fren.exe
shell\setup\command - J:\setup.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-05-03 11:04:32 ----D---- C:\rsit
2009-05-02 15:52:22 ----D---- C:\Program Files\WinRAR
2009-05-02 10:43:10 ----D---- C:\Program Files\Trend Micro
2009-05-02 10:37:10 ----D---- C:\ProgramData\WinZip
2009-05-02 10:37:07 ----D---- C:\Program Files\WinZip
2009-05-02 09:41:46 ----A---- C:\Windows\system32\lmppcsetup.exe
2009-05-01 18:55:56 ----D---- C:\SDFix
2009-05-01 16:31:16 ----D---- C:\Program Files\SpywareBlaster
2009-05-01 15:44:55 ----A---- C:\ComboFix.txt
2009-05-01 15:02:17 ----D---- C:\Users\payne2\AppData\Roaming\Malwarebytes
2009-05-01 13:46:28 ----D---- C:\Users\payne2\AppData\Roaming\Mozilla
2009-04-29 20:57:11 ----A---- C:\Windows\system32\mshtmler.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\mshtmled.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\jsproxy.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\ieui.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\icardie.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\admparse.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\msls31.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\imgutil.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\iernonce.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\ieakeng.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\dxtrans.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\dxtmsft.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\corpol.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\webcheck.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\occache.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\msrating.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\licmgr10.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\inseng.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\iepeers.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\wextract.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\pngfilt.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\mstime.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\msfeedssync.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\iesetup.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\ieakui.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\advpack.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\vbscript.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\url.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\jscript.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\ieapfltr.dll
2009-04-29 20:57:06 ----A---- C:\Windows\system32\mshta.exe
2009-04-29 20:57:06 ----A---- C:\Windows\system32\iexpress.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\wininet.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\urlmon.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\SetDepNx.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\PDMSetup.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\iesysprep.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\iertutil.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\ie4uinit.exe
2009-04-29 20:57:03 ----A---- C:\Windows\system32\mshtml.dll
2009-04-29 20:57:03 ----A---- C:\Windows\system32\ieframe.dll
2009-04-29 10:39:21 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-29 10:26:51 ----D---- C:\Windows\temp
2009-04-28 19:37:15 ----D---- C:\ProgramData\Malwarebytes
2009-04-28 19:37:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-28 19:23:52 ----D---- C:\Users\payne2\AppData\Roaming\Ahead
2009-04-28 10:54:10 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-04-28 10:51:56 ----D---- C:\Users\payne2\AppData\Roaming\SUPERAntiSpyware.com
2009-04-28 10:51:56 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-27 21:10:34 ----HD---- C:\Config.Msi
2009-04-27 20:48:26 ----D---- C:\Program Files\Windows Live Safety Center
2009-04-27 17:11:21 ----DC---- C:\Windows\system32\DRVSTORE
2009-04-27 17:10:53 ----D---- C:\ProgramData\Lavasoft
2009-04-27 17:10:53 ----D---- C:\Program Files\Lavasoft
2009-04-27 16:32:58 ----D---- C:\Program Files\Anti Trojan Elite
2009-04-27 15:07:29 ----A---- C:\Windows\zip.exe
2009-04-27 15:07:29 ----A---- C:\Windows\vFind.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWXCACLS.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWSC.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWREG.exe
2009-04-27 15:07:29 ----A---- C:\Windows\sed.exe
2009-04-27 15:07:29 ----A---- C:\Windows\NIRCMD.exe
2009-04-27 15:07:29 ----A---- C:\Windows\grep.exe
2009-04-27 14:43:39 ----D---- C:\Windows\ERDNT
2009-04-27 14:40:40 ----D---- C:\Qoobox
2009-04-27 12:03:25 ----A---- C:\Windows\ntbtlog.txt
2009-04-26 20:55:17 ----D---- C:\Program Files\Mozilla Firefox
2009-04-23 08:36:10 ----D---- C:\Windows\Minidump
2009-04-21 16:06:32 ----D---- C:\RECYCLER
2009-04-17 08:03:30 ----A---- C:\Windows\system32\winhttp.dll
2009-04-17 08:03:26 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-17 08:03:26 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-17 08:03:16 ----A---- C:\Windows\system32\rpcss.dll
2009-04-17 08:03:16 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-17 08:03:15 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-17 08:03:13 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-17 08:03:12 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasads.dll
2009-04-17 08:03:11 ----A---- C:\Windows\system32\iashost.exe
2009-04-17 08:03:04 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-17 08:03:03 ----A---- C:\Windows\system32\kernel32.dll
2009-04-17 08:03:02 ----A---- C:\Windows\system32\secur32.dll
2009-04-17 08:03:01 ----A---- C:\Windows\system32\apilogen.dll
2009-04-17 08:03:01 ----A---- C:\Windows\system32\amxread.dll
2009-04-15 20:28:54 ----D---- C:\Users\payne2\AppData\Roaming\Farm Mania
2009-04-15 10:55:42 ----D---- C:\Users\payne2\AppData\Roaming\Teleca
2009-04-15 10:22:39 ----D---- C:\Users\payne2\AppData\Roaming\Sony Ericsson
2009-04-15 10:21:01 ----D---- C:\Program Files\Common Files\Teleca Shared
2009-04-13 14:03:50 ----A---- C:\Windows\system32\wdfcoinstaller01005.dll
2009-04-06 14:37:16 ----A---- C:\Windows\system32\BGLsp.dll

======List of files/folders modified in the last 1 months======

2009-05-03 11:29:13 ----D---- C:\Windows\Prefetch
2009-05-03 11:24:56 ----D---- C:\ProgramData\BullGuard
2009-05-03 11:24:14 ----D---- C:\Windows\System32
2009-05-03 11:24:14 ----D---- C:\Windows\inf
2009-05-03 11:24:14 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-03 11:23:12 ----AD---- C:\ProgramData\TEMP
2009-05-02 17:00:31 ----D---- C:\Windows\system32\drivers
2009-05-02 17:00:30 ----A---- C:\Windows\wininit.ini
2009-05-02 15:52:22 ----RD---- C:\Program Files
2009-05-02 13:04:13 ----D---- C:\Windows
2009-05-02 10:37:58 ----SHD---- C:\Windows\Installer
2009-05-02 10:37:10 ----HD---- C:\ProgramData
2009-05-01 15:44:58 ----D---- C:\Windows\system32\en-US
2009-05-01 15:40:51 ----A---- C:\Windows\system.ini
2009-05-01 15:36:57 ----D---- C:\Windows\AppPatch
2009-05-01 15:36:56 ----D---- C:\Program Files\Common Files
2009-04-30 19:02:29 ----D---- C:\ProgramData\Roxio
2009-04-30 12:13:18 ----D---- C:\Windows\system32\catroot2
2009-04-30 09:43:06 ----D---- C:\Windows\system32\WDI
2009-04-29 21:25:40 ----D---- C:\Windows\rescache
2009-04-29 21:07:44 ----D---- C:\Windows\system32\migration
2009-04-29 21:07:44 ----D---- C:\Windows\PolicyDefinitions
2009-04-29 21:07:44 ----D---- C:\Program Files\Internet Explorer
2009-04-29 21:06:44 ----D---- C:\ProgramData\Microsoft Help
2009-04-29 21:05:42 ----RSD---- C:\Windows\assembly
2009-04-29 21:03:08 ----RSD---- C:\Windows\Fonts
2009-04-29 21:03:05 ----D---- C:\Program Files\Common Files\microsoft shared
2009-04-29 21:02:54 ----D---- C:\Program Files\Microsoft Works
2009-04-29 21:00:43 ----A---- C:\Windows\win.ini
2009-04-29 20:58:09 ----D---- C:\Windows\winsxs
2009-04-29 20:58:07 ----D---- C:\Windows\system32\catroot
2009-04-29 10:43:50 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-29 10:19:30 ----SHD---- C:\System Volume Information
2009-04-29 09:48:10 ----D---- C:\Windows\SMINST
2009-04-28 19:24:11 ----D---- C:\Windows\ehome
2009-04-28 19:24:11 ----D---- C:\Program Files\Common Files\Ahead
2009-04-28 19:21:19 ----D---- C:\Windows\Downloaded Installations
2009-04-28 17:50:05 ----D---- C:\Windows\system32\Tasks
2009-04-28 17:48:30 ----D---- C:\ProgramData\Google
2009-04-28 17:05:54 ----D---- C:\Program Files\Registry Mechanic
2009-04-28 12:36:57 ----D---- C:\Users\payne2\AppData\Roaming\Vso
2009-04-28 12:36:57 ----A---- C:\Users\payne2\AppData\Roaming\ezpinst.exe
2009-04-28 12:35:03 ----D---- C:\Program Files\EA SPORTS
2009-04-28 12:33:53 ----D---- C:\ProgramData\Rosetta Stone
2009-04-28 10:51:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-27 21:11:04 ----SD---- C:\Windows\system32\Microsoft
2009-04-27 20:48:26 ----SD---- C:\Windows\Downloaded Program Files
2009-04-27 18:37:13 ----D---- C:\Windows\Tasks
2009-04-27 11:33:47 ----SHD---- C:\$Recycle.Bin
2009-04-27 10:41:09 ----D---- C:\Kontiki
2009-04-17 22:19:09 ----D---- C:\Windows\system32\wbem
2009-04-17 22:19:06 ----D---- C:\Windows\system32\manifeststore
2009-04-15 19:36:06 ----D---- C:\Windows\system32\config
2009-04-15 19:04:10 ----D---- C:\Program Files\Orchard
2009-04-06 15:57:24 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 afw;Agnitum Firewall Driver; C:\Windows\system32\DRIVERS\afw.sys [2009-04-06 29208]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-01-20 33292]
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2008-03-25 278728]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\Windows\system32\drivers\BdFileSpy.sys [2009-01-27 55504]
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2008-03-25 25416]
R3 AfwCore;Agnitum Firewall Core Driver; \??\C:\Windows\system32\Drivers\AfwCore.sys [2009-04-06 305688]
R3 AnyDVD;AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [2007-09-08 96704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-07-11 1793880]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-03-05 76288]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
R3 wsvad_driver;WS Audio Device; C:\Windows\system32\drivers\VirtualAudio.sys [2008-08-12 16896]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 BlueletAudio;Bluetooth Audio Service; C:\Windows\system32\DRIVERS\blueletaudio.sys []
S3 BT;Bluetooth PAN Network Adapter; C:\Windows\system32\DRIVERS\btnetdrv.sys []
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\Windows\System32\Drivers\btcusb.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-19 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 ggflt;SEMC USB Flash Driver Filter; C:\Windows\system32\DRIVERS\ggflt.sys [2007-09-25 13352]
S3 ggsemc;SEMC USB Flash Driver; C:\Windows\system32\DRIVERS\ggsemc.sys [2007-09-25 20520]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2007-12-30 47360]
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys [2009-02-19 13056]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\Windows\System32\Drivers\RootMdm.sys [2008-01-19 8192]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys [2008-11-23 36736]
S3 VComm;Virtual Serial port driver; C:\Windows\system32\DRIVERS\VComm.sys []
S3 VcommMgr;Bluetooth VComm Manager Service; C:\Windows\System32\Drivers\VcommMgr.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2009-04-06 300368]
R2 BgMainSvc;BullGuard Main Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFileScan;BullGuard File Scan Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFire;BullGuard Firewall Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE [2006-04-18 102400]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-05-24 61440]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-07-25 79136]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-09-16 658432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-05-11 887544]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-05-03 74656]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []

-----------------EOF-----------------

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:53 PM

Posted 03 May 2009 - 05:53 AM

Tea Timer is still active! Take another look and turn it off.
I need for you to turn off Spybot's Tea Timer.
Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
As this is a Vista system, do NOT re-activate Tea Timer. It is not needed on Vista, and is a hindrance when removing malware.

There are several indications in this log that you have run Combofix and some other tools as well, very recently.
Are you being assisted elsewhere? If so, at which forum?
And if this is true, I will ask you to return to that forum for resolution.

2009-05-01 18:55:56 ----D---- C:\SDFix
.
.
2009-05-01 15:44:55 ----A---- C:\ComboFix.txt
.
.
2009-04-27 14:40:40 ----D---- C:\Qoobox


Those are all indications of very recent activity between April 27 and May 1 using specialized tools that require expert guidance.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 peejay52

peejay52
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 03 May 2009 - 05:58 AM

Hi maurice,
I clicked TeaTimer as you mentioned and after reboot it must have come back on... I've stopped it now, hopefully. I'm not getting other assistance. I've downloaded the other tools after reading through this forum and tried to work my way through the problem. But it was too hard for someone of my limited knowledge. Here is the new log,
thanks,
Pete

Logfile of random's system information tool 1.06 (written by random/random)
Run by payne2 at 2009-05-03 11:55:19
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 41 GB (28%) free of 145 GB
Total RAM: 2039 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:36, on 03/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\payne2\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\payne2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyEb...:ME:LNLK:MESUMX
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /H
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...b/wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6700 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Daily).job
C:\Windows\tasks\User_Feed_Synchronization-{9AD3D01F-4A40-4EED-9659-D2323F7B4A2D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateReg"=C:\Windows\system32\jureg.exe [2007-04-07 54936]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-08-24 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-08-24 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-08-24 129560]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-03-13 304464]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-07-06 4669440]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\rmtray.exe [2008-07-03 812952]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe [2009-03-13 304464]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe [2009-03-23 1830128]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\Users\payne2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-08-24 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
shell\AutoRun\command - J:\autorun.exe
shell\cryo\command - J:\cryo.exe -f index.htm -r guardian.exe -hd guardian.exe
shell\dxe\command - J:\.\directx\dx61eng.exe
shell\dxf\command - .\directx\dx61fren.exe
shell\setup\command - J:\setup.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-05-03 11:04:32 ----D---- C:\rsit
2009-05-02 15:52:22 ----D---- C:\Program Files\WinRAR
2009-05-02 10:43:10 ----D---- C:\Program Files\Trend Micro
2009-05-02 10:37:10 ----D---- C:\ProgramData\WinZip
2009-05-02 10:37:07 ----D---- C:\Program Files\WinZip
2009-05-02 09:41:46 ----A---- C:\Windows\system32\lmppcsetup.exe
2009-05-01 18:55:56 ----D---- C:\SDFix
2009-05-01 16:31:16 ----D---- C:\Program Files\SpywareBlaster
2009-05-01 15:44:55 ----A---- C:\ComboFix.txt
2009-05-01 15:02:17 ----D---- C:\Users\payne2\AppData\Roaming\Malwarebytes
2009-05-01 13:46:28 ----D---- C:\Users\payne2\AppData\Roaming\Mozilla
2009-04-29 20:57:11 ----A---- C:\Windows\system32\mshtmler.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\mshtmled.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\jsproxy.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\ieui.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\icardie.dll
2009-04-29 20:57:11 ----A---- C:\Windows\system32\admparse.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\msls31.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\imgutil.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\iernonce.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\ieakeng.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\dxtrans.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\dxtmsft.dll
2009-04-29 20:57:10 ----A---- C:\Windows\system32\corpol.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\webcheck.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\occache.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\msrating.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\licmgr10.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\inseng.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\iepeers.dll
2009-04-29 20:57:09 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\wextract.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\pngfilt.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\mstime.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\msfeedssync.exe
2009-04-29 20:57:08 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\iesetup.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\ieakui.dll
2009-04-29 20:57:08 ----A---- C:\Windows\system32\advpack.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\vbscript.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\url.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\jscript.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-29 20:57:07 ----A---- C:\Windows\system32\ieapfltr.dll
2009-04-29 20:57:06 ----A---- C:\Windows\system32\mshta.exe
2009-04-29 20:57:06 ----A---- C:\Windows\system32\iexpress.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\wininet.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\urlmon.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\SetDepNx.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\PDMSetup.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-29 20:57:05 ----A---- C:\Windows\system32\iesysprep.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\iertutil.dll
2009-04-29 20:57:05 ----A---- C:\Windows\system32\ie4uinit.exe
2009-04-29 20:57:03 ----A---- C:\Windows\system32\mshtml.dll
2009-04-29 20:57:03 ----A---- C:\Windows\system32\ieframe.dll
2009-04-29 10:39:21 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-29 10:26:51 ----D---- C:\Windows\temp
2009-04-28 19:37:15 ----D---- C:\ProgramData\Malwarebytes
2009-04-28 19:37:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-28 19:23:52 ----D---- C:\Users\payne2\AppData\Roaming\Ahead
2009-04-28 10:54:10 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-04-28 10:51:56 ----D---- C:\Users\payne2\AppData\Roaming\SUPERAntiSpyware.com
2009-04-28 10:51:56 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-27 21:10:34 ----HD---- C:\Config.Msi
2009-04-27 20:48:26 ----D---- C:\Program Files\Windows Live Safety Center
2009-04-27 17:11:21 ----DC---- C:\Windows\system32\DRVSTORE
2009-04-27 17:10:53 ----D---- C:\ProgramData\Lavasoft
2009-04-27 17:10:53 ----D---- C:\Program Files\Lavasoft
2009-04-27 16:32:58 ----D---- C:\Program Files\Anti Trojan Elite
2009-04-27 15:07:29 ----A---- C:\Windows\zip.exe
2009-04-27 15:07:29 ----A---- C:\Windows\vFind.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWXCACLS.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWSC.exe
2009-04-27 15:07:29 ----A---- C:\Windows\SWREG.exe
2009-04-27 15:07:29 ----A---- C:\Windows\sed.exe
2009-04-27 15:07:29 ----A---- C:\Windows\NIRCMD.exe
2009-04-27 15:07:29 ----A---- C:\Windows\grep.exe
2009-04-27 14:43:39 ----D---- C:\Windows\ERDNT
2009-04-27 14:40:40 ----D---- C:\Qoobox
2009-04-27 12:03:25 ----A---- C:\Windows\ntbtlog.txt
2009-04-26 20:55:17 ----D---- C:\Program Files\Mozilla Firefox
2009-04-23 08:36:10 ----D---- C:\Windows\Minidump
2009-04-21 16:06:32 ----D---- C:\RECYCLER
2009-04-17 08:03:30 ----A---- C:\Windows\system32\winhttp.dll
2009-04-17 08:03:26 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-17 08:03:26 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-17 08:03:16 ----A---- C:\Windows\system32\rpcss.dll
2009-04-17 08:03:16 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-17 08:03:15 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-17 08:03:13 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-17 08:03:12 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-17 08:03:12 ----A---- C:\Windows\system32\iasads.dll
2009-04-17 08:03:11 ----A---- C:\Windows\system32\iashost.exe
2009-04-17 08:03:04 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-17 08:03:03 ----A---- C:\Windows\system32\kernel32.dll
2009-04-17 08:03:02 ----A---- C:\Windows\system32\secur32.dll
2009-04-17 08:03:01 ----A---- C:\Windows\system32\apilogen.dll
2009-04-17 08:03:01 ----A---- C:\Windows\system32\amxread.dll
2009-04-15 20:28:54 ----D---- C:\Users\payne2\AppData\Roaming\Farm Mania
2009-04-15 10:55:42 ----D---- C:\Users\payne2\AppData\Roaming\Teleca
2009-04-15 10:22:39 ----D---- C:\Users\payne2\AppData\Roaming\Sony Ericsson
2009-04-15 10:21:01 ----D---- C:\Program Files\Common Files\Teleca Shared
2009-04-13 14:03:50 ----A---- C:\Windows\system32\wdfcoinstaller01005.dll
2009-04-06 14:37:16 ----A---- C:\Windows\system32\BGLsp.dll

======List of files/folders modified in the last 1 months======

2009-05-03 11:43:29 ----D---- C:\Windows\Prefetch
2009-05-03 11:24:56 ----D---- C:\ProgramData\BullGuard
2009-05-03 11:24:14 ----D---- C:\Windows\System32
2009-05-03 11:24:14 ----D---- C:\Windows\inf
2009-05-03 11:24:14 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-03 11:23:12 ----AD---- C:\ProgramData\TEMP
2009-05-02 17:00:31 ----D---- C:\Windows\system32\drivers
2009-05-02 17:00:30 ----A---- C:\Windows\wininit.ini
2009-05-02 15:52:22 ----RD---- C:\Program Files
2009-05-02 13:04:13 ----D---- C:\Windows
2009-05-02 10:37:58 ----SHD---- C:\Windows\Installer
2009-05-02 10:37:10 ----HD---- C:\ProgramData
2009-05-01 15:44:58 ----D---- C:\Windows\system32\en-US
2009-05-01 15:40:51 ----A---- C:\Windows\system.ini
2009-05-01 15:36:57 ----D---- C:\Windows\AppPatch
2009-05-01 15:36:56 ----D---- C:\Program Files\Common Files
2009-04-30 19:02:29 ----D---- C:\ProgramData\Roxio
2009-04-30 12:13:18 ----D---- C:\Windows\system32\catroot2
2009-04-30 09:43:06 ----D---- C:\Windows\system32\WDI
2009-04-29 21:25:40 ----D---- C:\Windows\rescache
2009-04-29 21:07:44 ----D---- C:\Windows\system32\migration
2009-04-29 21:07:44 ----D---- C:\Windows\PolicyDefinitions
2009-04-29 21:07:44 ----D---- C:\Program Files\Internet Explorer
2009-04-29 21:06:44 ----D---- C:\ProgramData\Microsoft Help
2009-04-29 21:05:42 ----RSD---- C:\Windows\assembly
2009-04-29 21:03:08 ----RSD---- C:\Windows\Fonts
2009-04-29 21:03:05 ----D---- C:\Program Files\Common Files\microsoft shared
2009-04-29 21:02:54 ----D---- C:\Program Files\Microsoft Works
2009-04-29 21:00:43 ----A---- C:\Windows\win.ini
2009-04-29 20:58:09 ----D---- C:\Windows\winsxs
2009-04-29 20:58:07 ----D---- C:\Windows\system32\catroot
2009-04-29 10:43:50 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-29 10:19:30 ----SHD---- C:\System Volume Information
2009-04-29 09:48:10 ----D---- C:\Windows\SMINST
2009-04-28 19:24:11 ----D---- C:\Windows\ehome
2009-04-28 19:24:11 ----D---- C:\Program Files\Common Files\Ahead
2009-04-28 19:21:19 ----D---- C:\Windows\Downloaded Installations
2009-04-28 17:50:05 ----D---- C:\Windows\system32\Tasks
2009-04-28 17:48:30 ----D---- C:\ProgramData\Google
2009-04-28 17:05:54 ----D---- C:\Program Files\Registry Mechanic
2009-04-28 12:36:57 ----D---- C:\Users\payne2\AppData\Roaming\Vso
2009-04-28 12:36:57 ----A---- C:\Users\payne2\AppData\Roaming\ezpinst.exe
2009-04-28 12:35:03 ----D---- C:\Program Files\EA SPORTS
2009-04-28 12:33:53 ----D---- C:\ProgramData\Rosetta Stone
2009-04-28 10:51:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-27 21:11:04 ----SD---- C:\Windows\system32\Microsoft
2009-04-27 20:48:26 ----SD---- C:\Windows\Downloaded Program Files
2009-04-27 18:37:13 ----D---- C:\Windows\Tasks
2009-04-27 11:33:47 ----SHD---- C:\$Recycle.Bin
2009-04-27 10:41:09 ----D---- C:\Kontiki
2009-04-17 22:19:09 ----D---- C:\Windows\system32\wbem
2009-04-17 22:19:06 ----D---- C:\Windows\system32\manifeststore
2009-04-15 19:36:06 ----D---- C:\Windows\system32\config
2009-04-15 19:04:10 ----D---- C:\Program Files\Orchard
2009-04-06 15:57:24 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 afw;Agnitum Firewall Driver; C:\Windows\system32\DRIVERS\afw.sys [2009-04-06 29208]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-01-20 33292]
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2008-03-25 278728]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\Windows\system32\drivers\BdFileSpy.sys [2009-01-27 55504]
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2008-03-25 25416]
R3 AfwCore;Agnitum Firewall Core Driver; \??\C:\Windows\system32\Drivers\AfwCore.sys [2009-04-06 305688]
R3 AnyDVD;AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [2007-09-08 96704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-07-11 1793880]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-03-05 76288]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
R3 wsvad_driver;WS Audio Device; C:\Windows\system32\drivers\VirtualAudio.sys [2008-08-12 16896]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 BlueletAudio;Bluetooth Audio Service; C:\Windows\system32\DRIVERS\blueletaudio.sys []
S3 BT;Bluetooth PAN Network Adapter; C:\Windows\system32\DRIVERS\btnetdrv.sys []
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\Windows\System32\Drivers\btcusb.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-19 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 ggflt;SEMC USB Flash Driver Filter; C:\Windows\system32\DRIVERS\ggflt.sys [2007-09-25 13352]
S3 ggsemc;SEMC USB Flash Driver; C:\Windows\system32\DRIVERS\ggsemc.sys [2007-09-25 20520]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2007-12-30 47360]
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys [2009-02-19 13056]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\Windows\System32\Drivers\RootMdm.sys [2008-01-19 8192]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys [2008-11-23 36736]
S3 VComm;Virtual Serial port driver; C:\Windows\system32\DRIVERS\VComm.sys []
S3 VcommMgr;Bluetooth VComm Manager Service; C:\Windows\System32\Drivers\VcommMgr.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2009-04-06 300368]
R2 BgMainSvc;BullGuard Main Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFileScan;BullGuard File Scan Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFire;BullGuard Firewall Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE [2006-04-18 102400]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-05-24 61440]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-07-25 79136]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-09-16 658432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-05-11 887544]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-05-03 74656]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []

-----------------EOF-----------------

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:12:53 PM

Posted 03 May 2009 - 06:32 AM

Hi Maurice,
I clicked teatimer as you mentioned and after reboot it must have come back on... I've stopped it now hopefully. I'm not getting other assistance. I've downloaded the other tools after reading through this forum and tried to work my way through the problem. But it was too hard for someone of my limited knowledge. Here is the new log,
thanks,

It is absolutely important that you do not get specialized anti-malware tools, such as Combofix or SDfix, etc "on your own".
While we are assisting you, follow my guidance and do not do anything more.

For now, locate the Combofix on your desktop (I presume) and Delete it.
Then stay tuned for my next reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 peejay52

peejay52
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:53 PM

Posted 03 May 2009 - 06:38 AM

Will do Maurice.... Just trying to help myself but failed miserably... I am in your hands totally now :)

#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:12:53 PM

Posted 03 May 2009 - 06:53 AM

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • RIGHT-click with your mouse on avenger.exe and select "Run as Administrator" to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\msqpdxserv.sys 
    c:\windows\system32\TDSSweat.dat
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys 
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\TDSSfpmp.dll
    C:\WINDOWS\system32\TDSSwpyd.dat 
    C:\WINDOWS\system32\TDSStkdv.log  
    C:\WINDOWS\system32\TDSSotxb.dll 
    C:\WINDOWS\system32\TDSScrrn.dll 
    C:\WINDOWS\system32\TDSSbvqh.dll 
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\TDSSnirj.dat
    C:\WINDOWS\SYSTEM32\TDSSixgp.dll
    C:\WINDOWS\SYSTEM32\TDSSproc.log
    C:\WINDOWS\SYSTEM32\TDSSwkod.log
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe
    
    Drivers to delete:
    ovfsthxlxrjtqvi.sys
    ovfsthxlxrjtqvi
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules\gaopdxl
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules\gaopdxserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules\gaopdxl
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules\gaopdxserv
    
    Folders to delete:
    C:\$Recycle.Bin
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Edited by Maurice Naggar, 03 May 2009 - 06:56 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 peejay52

peejay52
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:53 PM

Posted 03 May 2009 - 07:09 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxbodpmowt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxlxrjtqvi.sys
Start Type: 1 (System)

Rootkit scan completed.

Edited for brevity ~ Maurice

Error: file "c:\windows\sysguard.exe" not found!
Deletion of file "c:\windows\sysguard.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\sdra64.exe" not found!
Deletion of file "c:\windows\system32\sdra64.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxlxrjtqvi.sys" not found!
Deletion of driver "ovfsthxlxrjtqvi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxlxrjtqvi" not found!
Deletion of driver "ovfsthxlxrjtqvi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthx" not found!
Deletion of driver "ovfsthx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\$Recycle.Bin" deleted successfully.
Folder "C:\recycler" deleted successfully.
Folder "D:\recycler" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by Maurice Naggar, 03 May 2009 - 10:32 AM.

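As an added triage example (not the thread's code, nor The Avenger's), a small parser for the Avenger log format shown above. The two sample logs are constructed from the entries posted in this thread; `unremoved_hidden_drivers` shows why the first run left the hidden service in place even though the deletions "succeeded" on the folders: the script named the .sys file and guessed service names, not the service the scan actually reported.

```python
"""Triage parser for The Avenger 2.0 log format (added example, not the thread's
or the tool author's code): extracts hidden drivers found by the rootkit scan and
each deletion result, then flags hidden drivers whose service survived the run."""
import re
from dataclasses import dataclass, field

HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s*(\S+)$')
START_RE = re.compile(r'^Start Type:\s*(\d+)\s*\(([^)]*)\)$')
OK_RE = re.compile(r'^(File|Driver|Folder|Registry key) "([^"]+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (file|driver|folder|registry key) "([^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)$')

@dataclass
class HiddenDriver:
    name: str             # service name reported by the rootkit scan
    image_path: str = ""  # .sys the service points at (often a different random name)
    start_type: int = -1  # 1 = System, 4 = Disabled, as Avenger prints it
    start_label: str = ""

@dataclass
class Action:
    kind: str    # file, driver, folder or registry key
    target: str
    ok: bool
    status: str = ""  # NT status on failure, e.g. 0xc0000034
    reason: str = ""  # e.g. STATUS_OBJECT_NAME_NOT_FOUND

@dataclass
class AvengerReport:
    hidden_drivers: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    def deleted(self):
        return [a for a in self.actions if a.ok]

    def failed(self):
        return [a for a in self.actions if not a.ok]

def parse_avenger_log(text):
    """One pass over the log; multi-line records are completed by peeking ahead."""
    report = AvengerReport()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if m := HIDDEN_RE.match(ln):
            drv = HiddenDriver(name=m.group(1))
            for nxt in lines[i + 1:i + 4]:  # ImagePath / Start Type follow directly
                if mi := IMAGE_RE.match(nxt):
                    drv.image_path = mi.group(1)
                elif ms := START_RE.match(nxt):
                    drv.start_type, drv.start_label = int(ms.group(1)), ms.group(2)
            report.hidden_drivers.append(drv)
        elif m := OK_RE.match(ln):
            report.actions.append(Action(m.group(1).lower(), m.group(2), True))
        elif m := FAIL_RE.match(ln):
            act = Action(m.group(1).lower(), m.group(2), False)
            for nxt in lines[i + 1:i + 3]:  # Status line follows the failure line
                if ms := STATUS_RE.match(nxt):
                    act.status, act.reason = ms.group(1), ms.group(2)
            report.actions.append(act)
    return report

def unremoved_hidden_drivers(report):
    """Hidden drivers the scan reported whose service name was not deleted.
    This is the gap in the thread's first run: the script named the .sys file
    and guessed service names, but not the service "ovfsthxbodpmowt" itself."""
    removed = {a.target.lower() for a in report.deleted() if a.kind == "driver"}
    return [d for d in report.hidden_drivers if d.name.lower() not in removed]

# Constructed samples modelled on the two Avenger logs posted in this thread.
FIRST_RUN = r"""Rootkit scan active.
Hidden driver "ovfsthxbodpmowt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxlxrjtqvi.sys
Start Type: 1 (System)
Rootkit scan completed.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxlxrjtqvi" not found!
Deletion of driver "ovfsthxlxrjtqvi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\sysguard.exe" not found!
Deletion of file "c:\windows\sysguard.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "C:\recycler" deleted successfully.
Completed script processing.
"""

SECOND_RUN = r"""Rootkit scan active.
Hidden driver "ovfsthxbodpmowt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxlxrjtqvi.sys
Start Type: 4 (Disabled)
Rootkit scan completed.
File "c:\windows\system32\drivers\ovfsthxlxrjtqvi.sys" deleted successfully.
Driver "ovfsthxbodpmowt" deleted successfully.
Completed script processing.
"""
```

Running `parse_avenger_log` over a real c:\avenger.txt and checking `unremoved_hidden_drivers` tells you before the next reply whether a further run has to target the service name rather than the file.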

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:12:53 PM

Posted 03 May 2009 - 10:49 AM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member peejay52 only. If you are a lurker, do NOT try this on your system!

We need to do one more run of the Avenger to remove one malware rootkit.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • RIGHT-click with your mouse on avenger.exe and select "Run as Administrator" to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\ovfsthxlxrjtqvi.sys
    
    Drivers to delete:
    ovfsthxbodpmowt
    ovfsthxbodpmowt.sys
    ovfsthxlxrjtqvi.sys
    ovfsthxlxrjtqvi
    ovfsthx
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=
Next, Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • RIGHT-click Combo-Fix.exe {red lion icon} on your Desktop and select "Run as Administrator" to start it.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with copy of contents of C:\Avenger.txt
and C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 peejay52

peejay52
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:53 PM

Posted 03 May 2009 - 12:43 PM

Maurice,
Apologies for the delay and thanks again for sticking with me... I did as asked and although I stopped BullGuard, Combofix still said it was running. I right clicked on the tray and closed and also disabled it in its control panel... I hope it was ok. Anyway here are the logs

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxbodpmowt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxlxrjtqvi.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

File "c:\windows\system32\drivers\ovfsthxlxrjtqvi.sys" deleted successfully.
Driver "ovfsthxbodpmowt" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxbodpmowt.sys" not found!
Deletion of driver "ovfsthxbodpmowt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxlxrjtqvi.sys" not found!
Deletion of driver "ovfsthxlxrjtqvi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxlxrjtqvi" not found!
Deletion of driver "ovfsthxlxrjtqvi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthx" not found!
Deletion of driver "ovfsthx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-05-02.4 - payne2 03/05/2009 18:27.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2039.1282 [GMT 1:00]
Running from: c:\users\payne2\Desktop\Combo-Fix.exe
AV: BullGuard Antivirus *On-access scanning enabled* (Outdated)
FW: BullGuard Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfsthxecpclxye.dll
c:\windows\system32\ovfsthxiwtsmbcv.dll
c:\windows\system32\ovfsthxlog.dat
c:\windows\system32\ovfsthxoptqyrxp.dat
c:\windows\system32\ovfsthxxepxcmei.dat
c:\windows\system32\ovfsthxynabmnsx.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 12:06 . 2009-05-03 12:06 -------- d-sh--w C:\$RECYCLE.BIN
2009-05-03 10:04 . 2009-05-03 10:05 -------- d-----w C:\rsit
2009-05-02 14:42 . 2009-05-02 14:42 -------- d-----w c:\users\payne2\AppData\Local\WinZip
2009-05-02 09:43 . 2009-05-02 09:43 -------- d-----w c:\program files\Trend Micro
2009-05-02 09:37 . 2009-05-02 14:42 -------- d-----w c:\programdata\WinZip
2009-05-02 09:37 . 2009-05-02 14:42 -------- d-----w c:\users\All Users\WinZip
2009-05-01 17:55 . 2009-05-02 08:35 -------- d-----w C:\SDFix
2009-05-01 15:31 . 2009-05-01 15:35 -------- d-----w c:\program files\SpywareBlaster
2009-05-01 14:02 . 2009-05-01 14:02 -------- d-----w c:\users\payne2\AppData\Roaming\Malwarebytes
2009-04-29 09:39 . 2009-04-29 09:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-28 18:37 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 18:37 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 18:37 . 2009-04-28 18:37 -------- d-----w c:\programdata\Malwarebytes
2009-04-28 18:37 . 2009-04-28 18:37 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-28 18:37 . 2009-04-28 18:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 18:23 . 2009-04-28 18:23 -------- d-----w c:\users\payne2\AppData\Roaming\Ahead
2009-04-28 09:54 . 2009-04-28 09:54 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-28 09:54 . 2009-04-28 09:54 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-28 09:51 . 2009-05-01 18:17 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-28 09:51 . 2009-04-28 09:51 -------- d-----w c:\users\payne2\AppData\Roaming\SUPERAntiSpyware.com
2009-04-27 19:48 . 2009-04-27 20:09 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-27 16:11 . 2009-04-28 11:25 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-27 16:10 . 2009-04-28 11:25 -------- d-----w c:\program files\Lavasoft
2009-04-27 16:10 . 2009-04-28 11:25 -------- d-----w c:\programdata\Lavasoft
2009-04-27 16:10 . 2009-04-28 11:25 -------- d-----w c:\users\All Users\Lavasoft
2009-04-27 15:32 . 2009-04-27 15:41 -------- d-----w c:\program files\Anti Trojan Elite
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Saved Games
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Links
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Downloads
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Searches
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Pictures
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Videos
2009-04-27 10:33 . 2009-04-27 10:33 -------- d-----r c:\windows\system32\config\systemprofile\Documents
2009-04-26 19:55 . 2009-04-26 19:55 -------- d-----w c:\users\payne2\AppData\Local\Mozilla
2009-04-26 15:14 . 2009-04-26 15:14 18190616 ----a-w c:\users\payne2\lsPEIRCMY.exe
2009-04-26 15:14 . 2009-04-26 15:14 28672 ----a-w c:\users\payne2\kqSpiPGegV.exe
2009-04-15 19:28 . 2009-04-15 19:29 -------- d-----w c:\users\payne2\AppData\Roaming\Farm Mania
2009-04-15 09:55 . 2009-04-15 17:43 -------- d-----w c:\users\payne2\AppData\Roaming\Teleca
2009-04-15 09:31 . 2007-04-24 10:33 100488 ----a-w c:\windows\system32\drivers\s125mgmt.sys
2009-04-15 09:31 . 2007-04-24 10:33 98696 ----a-w c:\windows\system32\drivers\s125obex.sys
2009-04-15 09:30 . 2007-04-24 10:33 108680 ----a-w c:\windows\system32\drivers\s125mdm.sys
2009-04-15 09:30 . 2007-04-24 10:33 12424 ----a-w c:\windows\system32\drivers\s125cm.sys
2009-04-15 09:30 . 2007-04-24 10:33 12424 ----a-w c:\windows\system32\drivers\s125cmnt.sys
2009-04-15 09:30 . 2007-04-24 10:33 15112 ----a-w c:\windows\system32\drivers\s125mdfl.sys
2009-04-15 09:30 . 2007-04-24 10:33 83336 ----a-w c:\windows\system32\drivers\s125bus.sys
2009-04-15 09:30 . 2007-04-24 10:33 12424 ----a-w c:\windows\system32\drivers\s125wh.sys
2009-04-15 09:30 . 2007-04-24 10:33 12424 ----a-w c:\windows\system32\drivers\s125whnt.sys
2009-04-15 09:22 . 2009-04-15 09:22 -------- d-----w c:\users\payne2\AppData\Roaming\Sony Ericsson
2009-04-15 09:21 . 2009-04-15 17:43 -------- d-----w c:\program files\Common Files\Teleca Shared
2009-04-13 13:03 . 2006-11-02 08:09 1419232 ----a-w c:\windows\system32\wdfcoinstaller01005.dll
2009-04-13 13:03 . 2007-09-25 15:37 20520 ----a-w c:\windows\system32\drivers\ggsemc.sys
2009-04-13 13:03 . 2007-09-25 15:37 13352 ----a-w c:\windows\system32\drivers\ggflt.sys
2009-04-06 13:37 . 2009-04-29 09:03 87376 ----a-w c:\windows\system32\BGLsp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:17 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 17:16 . 2008-01-08 19:40 12 ----a-w c:\windows\bthservsdp.dat
2009-05-03 16:10 . 2009-04-27 17:37 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Daily).job
2009-05-03 14:00 . 2008-01-15 18:05 420 ---ha-w c:\windows\Tasks\User_Feed_Synchronization-{9AD3D01F-4A40-4EED-9659-D2323F7B4A2D}.job
2009-04-29 20:12 . 2007-12-29 18:55 119800 ----a-w c:\users\payne2\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-29 20:02 . 2007-09-22 05:40 -------- d-----w c:\program files\Microsoft Works
2009-04-28 18:24 . 2007-12-30 15:10 -------- d-----w c:\program files\Common Files\Ahead
2009-04-28 18:18 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infpub.dat
2009-04-28 18:18 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-28 18:18 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstor.dat
2009-04-28 11:36 . 2007-12-30 17:02 81920 ----a-w c:\users\payne2\AppData\Roaming\ezpinst.exe
2009-04-28 11:36 . 2007-12-30 17:02 47360 ----a-w c:\users\payne2\AppData\Roaming\pcouffin.sys
2009-04-28 11:35 . 2008-01-04 13:45 -------- d-----w c:\program files\EA SPORTS
2009-04-28 09:51 . 2008-03-02 22:53 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-27 13:37 . 2008-10-13 11:47 1356 ----a-w c:\users\payne2\AppData\Local\d3d9caps.dat
2009-04-15 18:04 . 2008-12-22 14:08 -------- d-----w c:\program files\Orchard
2009-04-13 14:58 . 2009-04-13 14:58 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2009-04-06 13:37 . 2008-11-23 18:55 305688 ----a-r c:\windows\system32\drivers\AfwCore.sys
2009-04-06 13:37 . 2007-11-28 10:42 29208 ----a-r c:\windows\system32\drivers\Afw.sys
2009-03-28 10:16 . 2007-09-22 05:39 -------- d-----w c:\program files\Java
2009-03-17 03:38 . 2009-04-17 07:03 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 07:03 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 07:03 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 05:19 . 2009-02-05 19:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2009-04-29 19:57 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-29 19:57 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-29 19:57 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-29 19:57 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-29 19:57 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-29 19:57 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-29 19:57 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-29 19:57 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-29 19:57 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-04-29 19:57 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-29 19:57 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-04-29 19:57 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-29 19:57 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-29 19:57 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-29 19:57 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-29 19:57 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-04-29 19:57 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-04-29 19:57 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-17 07:03 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 07:03 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 07:03 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 07:03 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 07:03 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 07:03 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 07:03 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 07:03 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 07:03 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 07:03 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-24 12:21 . 2009-02-24 12:21 286720 ------w c:\windows\Setup1.exe
2009-02-24 12:21 . 2009-02-24 12:21 73216 ----a-w c:\windows\ST6UNST.EXE
2009-02-13 08:49 . 2009-04-17 07:03 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-17 07:03 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 09:14 2033152 ----a-w c:\windows\system32\win32k.sys
2008-10-10 12:41 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-10-25 13:54 . 2008-01-20 16:49 72 --sha-w c:\windows\S626984B9(115).tmp
2008-10-25 13:54 . 2008-01-20 16:49 72 --sha-w c:\windows\S626984B9(32).tmp
2008-10-25 13:54 . 2008-01-20 16:49 72 --sha-w c:\windows\S626984B9(369).tmp
2008-10-25 13:54 . 2008-01-20 16:49 72 --sha-w c:\windows\S626984B9(94).tmp
2008-10-25 13:54 . 2008-01-20 16:49 72 --sh--w c:\windows\S626984B9.tmp
2008-01-27 20:06 . 2008-01-27 20:06 22 --sha-w c:\windows\SMINST\HPCD.sys
2007-09-22 06:00 . 2007-09-22 05:53 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-05-01_14.40.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-22 05:18 . 2009-05-03 12:56 59128 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-12-29 18:50 . 2009-05-03 17:19 14224 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2967131178-1537740910-638451718-1000_UserData.bin
+ 2007-12-29 18:46 . 2009-05-03 12:54 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-29 18:46 . 2009-05-01 14:38 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-29 18:46 . 2009-05-01 14:38 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-29 18:46 . 2009-05-03 12:54 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-02 14:48 . 2009-05-02 14:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-02 14:48 . 2009-05-02 14:48 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-02 14:48 . 2009-05-02 14:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-02 09:37 . 2009-05-02 09:37 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F6617.exe
- 2009-05-01 14:38 . 2009-05-01 14:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-03 17:17 . 2009-05-03 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-01 14:38 . 2009-05-01 14:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-03 17:17 . 2009-05-03 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 13:05 . 2009-05-03 17:19 140460 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 10:33 . 2009-05-03 17:23 602846 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-01 14:13 602846 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-03 17:23 106292 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-01 14:13 106292 c:\windows\System32\perfc009.dat
- 2009-04-29 20:12 . 2009-05-01 14:38 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-04-29 20:12 . 2009-05-03 12:54 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-02 14:48 . 2009-05-02 14:48 245760 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-02 09:37 . 2009-05-02 09:37 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F66110.exe
- 2006-11-02 10:22 . 2009-04-29 20:35 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-05-03 17:21 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-05-03 17:27 . 2009-05-03 17:27 6299648 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2008-02-14 17:00 . 2009-05-03 17:21 197712096 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\rmtray.exe" [2008-07-03 812952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\1fbf6165-23fb-4b93-aa9d-dd815a5e4a99.exe" [2009-03-23 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2009-03-13 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 129560]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-03-13 304464]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]

c:\users\payne2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{19E55030-8C19-479E-847D-7098BF8D3DD6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{81852BDC-D5DE-42B9-9BF5-EA611F521465}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{116D811A-9F7F-48F3-AB4D-42B40665FA54}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{008A2E22-B093-4619-BBE8-A795EE347229}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0A62E30E-D7DF-4913-AA3A-0A67CEF28FCA}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9E9E0E2D-2A25-4100-A8ED-E427D5F9187F}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{B1ABED61-7404-4FA9-8958-0ABD24014EFC}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{C4C9F9C4-9BDF-4A6A-B2AC-B42FCF3D336E}"= UDP:c:\windows\System32\lxdacoms.exe:Lexmark Communications System
"{E4C84132-66E2-4558-94DF-0AFE02285403}"= TCP:c:\windows\System32\lxdacoms.exe:Lexmark Communications System
"{A4B400F2-E471-45CF-8F95-C519C5FDA433}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdapswx.exe:Printer Status Window
"{35E2B385-7FC9-4C3D-BD88-35810B6EA9B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdapswx.exe:Printer Status Window
"{C36A3143-182F-4815-AB5A-566BFE264C94}"= Disabled:UDP:c:\program files\AOL\RC\regClient.exe:AOL
"{D2A114A7-E148-410A-88D7-B081B9062E7E}"= Disabled:TCP:c:\program files\AOL\RC\regClient.exe:AOL
"{6068B8CE-7D12-4012-9564-5B3D2D362AB3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4EBC32A5-DB8D-4432-8B0B-2E978419906B}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{204543D7-5FB2-47EB-8071-60F4CEF1D2B0}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{86AAA70D-7CBE-4CCF-A62C-05BF7AF46CB8}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {F4839B3F-050E-46C9-B658-210B51E3563A},{B258EB15-F22A-482C-8AEC-DFCD7502A3ED}

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2007-09-25 13352]
R3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
R3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
R3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
R3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
R3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S1 afw;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [2009-04-06 29208]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2009-01-27 55504]
S2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\Drivers\AfwCore.sys [2009-04-06 305688]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-08-12 16896]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\autorun.exe
\shell\cryo\command - J:\cryo.exe -f index.htm -r guardian.exe -hd guardian.exe
\shell\dxe\command - j:\.\directx\dx61eng.exe
\shell\dxf\command - .\directx\dx61fren.exe
\shell\setup\command - J:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{9AD3D01F-4A40-4EED-9659-D2323F7B4A2D}.job
- c:\windows\system32\msfeedssync.exe [2009-04-29 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextSummary&ssPageName=STRK:ME:LNLK:MESUMX
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Presario&pf=desktop
LSP: c:\windows\system32\bglsp.dll
FF - ProfilePath - c:\users\payne2\AppData\Roaming\Mozilla\Firefox\Profiles\17r8v7s0.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextSummary&ssPageName=STRK:ME:LNLK:MESUMX
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 18:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2967131178-1537740910-638451718-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2b,02,53,28,23,83,fb,8e,ed,77,b0,5c,a6,5e,6b,16,b7,b3,cd,ca,e2,d2,46,
b2,0f,ae,d1,b9,39,1a,df,f9,fd,a9,de,52,35,2e,ff,aa,bf,01,c1,3f,a8,9e,fa,4b,\
"??"=hex:7a,39,ae,66,64,a6,1e,2b,16,d1,17,15,21,99,4a,1a

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-03 18:33
ComboFix-quarantined-files.txt 2009-05-03 17:33
ComboFix2.txt 2009-05-01 14:44
ComboFix3.txt 2009-04-29 09:34

Pre-Run: 42,855,419,904 bytes free
Post-Run: 42,832,056,320 bytes free

404 --- E O F --- 2009-05-01 09:16

#12 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 03 May 2009 - 01:22 PM

One rootkit variant of "ovfsthx" has been removed. Proceed with the following.
Given that this is a Vista system, on almost all of the following programs and tools you will need to right-click the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along.

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Reply with a copy of the MBAM scan log,
the Sysclean.log,
and tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 peejay52
  • Topic Starter
  • Members
  • 13 posts

Posted 03 May 2009 - 02:05 PM

Will do all that now.

#14 peejay52
  • Topic Starter
  • Members
  • 13 posts

Posted 04 May 2009 - 04:37 AM

Hello Maurice, the scan with Malwarebytes took 3 hours last night, which is why I didn't get back to you then.
Regarding the DCE downloads... all are in their own folder C:\DCE and all unzipped, but when I double-click the main program it says the file SSAPIPTN.DA5 is missing. However, it is there in its folder (ssapiptn763)?? I deleted everything and downloaded all files again, but the same thing happened. Any ideas?
Regards,
Pete

#15 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 04 May 2009 - 06:38 AM

If you made sure all 3 components are unzipped and in the one folder, start the Sysclean and see if the prompts will allow running anyway.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
