
Malware Infection: Vundo, Rogue XPAntivirus, and Others


5 replies to this topic

#1 mobyfan


Posted 30 May 2009 - 01:48 PM

I've been working on a friend's laptop for more than one week trying to clean up malware infections. Initially when I would try to log on the system would begin "logging on" then would immediately report it was "logging off". Using a BartPE I found that the userinit file had been altered to point to an incorrect path. After I corrected this I could log in. I have run Malwarebytes and SUPERAntiSpyware in safe mode and normal mode. They found [and removed] Vundo, Trojan.FakeAlert, Trojan.Agent, MyWebSearch, Adware.180Solutions, Rogue.XPAntivirus, Rootkit.ADS, Adware.Hotbar, and Adware.MyWay, among others. I later ran the Microsoft online One Live scan. After that I lost the ability to get on the Internet; there is a string of yellow exclamations on every network adapter in the Device Manager. The laptop is a Dell Inspiron e1705 (9400) running XP SP3, up to date on MS updates. The broken network adapters are Broadcom 440x, Intel Proset/Wireless 3945ABG, 1394 Net Adapter, and Direct Parallel and the WAN Miniport adapters. I downloaded HijackThis from this website and tried to run it, but at first it kept producing a Windows Error Report! I re-downloaded HijackThis and successfully ran it. I did not do the "Analyze" portion because I cannot connect to the Internet. The log appears below. I ran a ComboFix and can provide it immediately if requested. Please, if someone can just point me in the right direction I can do the rest. I fix all my friends' PCs and have never been stumped even with some of the worst of the worst malware infections. But I am stuck. Help!!

I have used my desktop PC to go directly to the Dell website and downloaded the network drivers that should be correct for this model of Dell laptop. These are .exe files and after running them there are still yellow exclamation marks on all of the network adapters in the Device Manager. I also tried unsuccessfully using the XP folder to repair the network adapters from within Add/Remove Programs. Because of the original problem and the subsequent issues I have been using my PC to shuttle all files back and forth. I would like to run scans after having updated the definitions which requires Internet connectivity. Finally, there are no error messages at this time. My malware scans are no longer finding any problem files. My guess is that some things may simply be broken as a result of the cleanup attempts. Another application I ran is Winsock XP Fix which I downloaded from www.snapfiles.com.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:16 PM, on 5/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgsvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Documents and Settings\Beth\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Beth\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Beth\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195771090656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8558 bytes
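The log above is the kind of thing a helper reads by hand, but the first pass of that reading is mechanical: orphaned O2 entries, O4 autoruns launching from places a user can write to, O10 Winsock LSP entries the tool does not recognise, and O16 ActiveX downloads from hosts nobody vouches for. The following is an added triage script, not part of the original post and not code from HijackThis; the sample lines are constructed for the example (modelled on the entry types in the log above, with a placeholder CLSID and an `example.invalid` host for the synthetic entries), and the host allowlist and user-writable path markers are illustrative assumptions, not an authoritative list.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 line format; modelled on the post's entry
# types but NOT the post's log. The {DEADBEEF-...} CLSID and example.invalid host
# are placeholders for the synthetic entries.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Beth\Local Settings\Temp\upd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {DEADBEEF-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/ctl.cab
"""

# Assumption: hosts from which O16 (Download Program Files) entries are not flagged.
TRUSTED_DPF_HOST_SUFFIXES = (".microsoft.com", ".windowsupdate.com")

# Assumption: path fragments that indicate a user-writable location on XP.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "info", "review" or "suspicious"
    reason: str
    line: str


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage_line(line: str):
    """Return a Finding for one HijackThis log line, or None if nothing stands out."""
    line = line.strip()
    m = re.match(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$", line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    lower = rest.lower()

    if section == "O2" and lower.endswith("(no file)"):
        # The DLL is gone; only the registry registration remains (typical after a cleanup).
        return Finding(section, "info",
                       "BHO registration whose DLL no longer exists; an orphan, not active code", line)

    if section == "O4":
        if any(marker in lower for marker in USER_WRITABLE_MARKERS):
            return Finding(section, "suspicious",
                           "autorun entry launching from a user-writable location", line)
        if "hkus\\s-1-5-18" in lower:
            return Finding(section, "review", "autorun registered under the SYSTEM hive", line)

    if section == "O10" and lower.startswith("unknown file in winsock lsp"):
        # "Unknown" means not on the tool's known-good list, not that the DLL is malicious.
        # LSPs sit in the socket path; removing the wrong one breaks TCP/IP entirely.
        return Finding(section, "review",
                       "Winsock LSP not on the tool's known list; identify the DLL before removing it", line)

    if section == "O16":
        for url in re.findall(r"https?://\S+", rest):
            host = _host_of(url)
            if not host.endswith(TRUSTED_DPF_HOST_SUFFIXES):
                return Finding(section, "review",
                               f"ActiveX control downloaded from unlisted host {host}", line)
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log and return the findings in log order."""
    findings = [triage_line(entry) for entry in log_text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.reason}\n    {f.line}")
```

The output is a worklist, not a verdict: an "info" orphan can simply be deleted, while a "review" item such as the O10 line needs the DLL identified (by vendor, signature or hash) before anything is removed, because breaking the LSP chain produces exactly the symptom this thread is about, a machine that can no longer reach the network.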



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 10 June 2009 - 03:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 mobyfan
  • Topic Starter

Posted 12 June 2009 - 04:22 PM

Here are the two text files created when I ran the DDS file (attach.txt and dds.txt respectively). I copied/pasted the contents below and attached/uploaded the files as well.

As of now I am still having the problem where all of the network adapters are broken. Also, there is a suspicious 'scan for virus' that runs on bootup, the bottom of which window says 'service provided by Partizan'. Other than that, I have run other scans which at this time are not finding any more malware.



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/22/2007 5:26:10 PM
System Uptime: 6/12/2009 3:26:32 PM (0 hours ago)

Motherboard: Dell Inc. | | 0FF049
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Microprocessor | 981/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 71.982 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&360A6DE&0&00E1
Manufacturer: Intel Corporation
Name: Intel® PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&360A6DE&0&00E1
Service: NETw4x32

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\21051141364FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\21051141364FC000
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (L2TP)
Device ID: ROOT\MS_L2TPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (L2TP)
PNP Device ID: ROOT\MS_L2TPMINIPORT\0000
Service: Rasl2tp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (IP)
Device ID: ROOT\MS_NDISWANIP\0000
Manufacturer: Microsoft
Name: WAN Miniport (IP)
PNP Device ID: ROOT\MS_NDISWANIP\0000
Service: NdisWan

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (PPPOE)
Device ID: ROOT\MS_PPPOEMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPPOE)
PNP Device ID: ROOT\MS_PPPOEMINIPORT\0000
Service: RasPppoe

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (PPTP)
Device ID: ROOT\MS_PPTPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPTP)
PNP Device ID: ROOT\MS_PPTPMINIPORT\0000
Service: PptpMiniport

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0000
Manufacturer: Microsoft
Name: WAN Miniport (IP) - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0000
Service: PSched

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0001
Manufacturer: Microsoft
Name: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0001
Service: PSched

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0002
Manufacturer: Microsoft
Name: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0002
Service: PSched

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0003
Manufacturer: Microsoft
Name: Motorola SURFboard SB5120 USB Cable Modem - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0003
Service: PSched

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Direct Parallel
Device ID: ROOT\MS_PTIMINIPORT\0000
Manufacturer: Microsoft
Name: Direct Parallel
PNP Device ID: ROOT\MS_PTIMINIPORT\0000
Service: Raspti

==== System Restore Points ===================

RP346: 2/25/2009 1:10:25 AM - System Checkpoint
RP347: 2/25/2009 2:53:13 AM - Installed Full Tilt Poker
RP348: 2/25/2009 3:00:06 AM - Removed Full Tilt Poker
RP349: 2/25/2009 3:00:26 AM - Software Distribution Service 3.0
RP350: 2/25/2009 3:03:28 PM - Installed Full Tilt Poker
RP351: 2/26/2009 3:00:18 AM - Software Distribution Service 3.0
RP352: 2/27/2009 11:37:08 AM - System Checkpoint
RP353: 3/1/2009 2:52:52 PM - System Checkpoint
RP354: 3/2/2009 4:43:47 PM - System Checkpoint
RP355: 3/5/2009 11:02:39 AM - System Checkpoint
RP356: 3/6/2009 11:55:50 AM - System Checkpoint
RP357: 3/7/2009 11:35:24 AM - Restore Operation
RP358: 3/10/2009 2:27:51 PM - System Checkpoint
RP359: 3/11/2009 7:49:09 AM - Software Distribution Service 3.0
RP360: 3/12/2009 11:22:36 AM - System Checkpoint
RP361: 3/13/2009 11:52:39 AM - System Checkpoint
RP362: 3/15/2009 6:30:46 PM - System Checkpoint
RP363: 3/16/2009 11:37:58 PM - System Checkpoint
RP364: 3/19/2009 12:53:44 PM - System Checkpoint
RP365: 3/20/2009 8:46:31 AM - Software Distribution Service 3.0
RP366: 3/21/2009 8:43:23 PM - System Checkpoint
RP367: 3/26/2009 2:16:03 AM - System Checkpoint
RP368: 3/26/2009 3:00:18 AM - Software Distribution Service 3.0
RP369: 3/26/2009 6:35:24 PM - Installed Windows XP WgaNotify.
RP370: 3/27/2009 1:10:19 AM - Removed Quicken 2009
RP371: 3/27/2009 1:11:57 AM - Installed Desktop Sidebar
RP372: 3/27/2009 1:55:39 AM - Removed Desktop Sidebar
RP373: 3/28/2009 2:33:04 AM - System Checkpoint
RP374: 4/2/2009 12:21:04 PM - System Checkpoint
RP375: 4/4/2009 1:32:59 AM - System Checkpoint
RP376: 4/5/2009 4:12:58 PM - System Checkpoint
RP377: 4/7/2009 12:19:22 AM - System Checkpoint
RP378: 4/8/2009 2:10:00 AM - System Checkpoint
RP379: 4/9/2009 3:16:40 AM - System Checkpoint
RP380: 4/11/2009 2:13:48 PM - System Checkpoint
RP381: 4/12/2009 4:11:18 PM - System Checkpoint
RP382: 4/13/2009 4:39:13 PM - System Checkpoint
RP383: 4/14/2009 5:14:26 PM - System Checkpoint
RP384: 4/16/2009 1:58:50 AM - System Checkpoint
RP385: 4/16/2009 3:00:17 AM - Software Distribution Service 3.0
RP386: 4/17/2009 11:48:21 AM - System Checkpoint
RP387: 4/18/2009 12:22:35 PM - Removed Full Tilt Poker
RP388: 4/18/2009 12:25:32 PM - Installed Full Tilt Poker
RP389: 4/19/2009 1:23:10 PM - System Checkpoint
RP390: 4/21/2009 9:56:52 AM - System Checkpoint
RP391: 4/23/2009 11:47:12 AM - System Checkpoint
RP392: 4/25/2009 1:21:18 PM - System Checkpoint
RP393: 4/26/2009 2:18:07 AM - Installed Java™ 6 Update 13
RP394: 4/27/2009 11:43:22 AM - System Checkpoint
RP395: 4/28/2009 12:13:16 PM - System Checkpoint
RP396: 4/30/2009 12:02:16 PM - System Checkpoint
RP397: 5/2/2009 3:27:24 AM - System Checkpoint
RP398: 5/3/2009 3:09:00 PM - System Checkpoint
RP399: 5/5/2009 12:07:54 PM - System Checkpoint
RP400: 5/6/2009 11:38:54 PM - System Checkpoint
RP401: 5/7/2009 11:39:47 PM - System Checkpoint
RP402: 5/10/2009 4:42:56 PM - System Checkpoint
RP403: 5/12/2009 1:00:44 AM - System Checkpoint
RP404: 5/14/2009 10:43:59 AM - Software Distribution Service 3.0
RP405: 5/15/2009 11:29:43 AM - System Checkpoint
RP406: 5/16/2009 8:29:28 PM - Removed Full Tilt Poker
RP407: 5/21/2009 11:00:10 PM - System Checkpoint
RP408: 5/22/2009 12:58:46 AM - Removed Broadcom 440x 10/100 Integrated Controller
RP409: 5/22/2009 12:59:53 AM - Installed Broadcom 440x 10/100 Integrated Controller
RP410: 5/22/2009 1:42:01 AM - Removed Broadcom 440x 10/100 Integrated Controller
RP411: 5/23/2009 12:32:00 PM - System Checkpoint
RP412: 5/23/2009 5:41:15 PM - Installed Broadcom 440x 10/100 Integrated Controller
RP413: 5/24/2009 9:17:30 PM - System Checkpoint
RP414: 5/24/2009 11:01:52 PM - Installed Symantec AntiVirus Client
RP415: 5/25/2009 3:42:10 PM - Removed Broadcom 440x 10/100 Integrated Controller
RP416: 5/25/2009 11:18:50 PM - RegRun Virus Scan
RP417: 5/26/2009 1:17:01 AM - Installed Broadcom 440x 10/100 Integrated Controller

==== Installed Programs ======================

7 Wonders
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Big Fish Games Client
Bonjour
Bricks of Atlantis
Broadcom 440x 10/100 Integrated Controller
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Conexant HDA D110 MDC V.92 Modem
CopyTrans Suite (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Dell Wireless WLAN Card
Elecard MPEG-2 Decoder&Streaming Plug-in for WMP
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Photosmart, Officejet and Deskjet 7.0.A
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
InterActual Player
iPhoneRingToneMaker 2.5.1
iPod for Windows 2006-03-23
iTunes
Java™ 6 Update 13
Java™ 6 Update 5
Java™ 6 Update 7
Jewel Quest (remove only)
Jewel Quest Solitaire
LiveUpdate 1.80 (Symantec Corporation)
Lottso! Deluxe
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
mPfMgr
mPfWiz
mProSafe
mSCfg
MSN
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
Norton Security Scan
Norton Security Scan (Symantec Corporation)
Operation Mania
Paradise Quest
PokerStars
QuickTime
RealPlayer
Rhapsody Player Engine
Safari
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SigmaTel Audio
Slingo Quest Hawaii
Star Defender 4
SUPERAntiSpyware Free Edition
Symantec AntiVirus Client
Tansee iPod Transfer v3.26
The Poppit! Show
The Rise of Atlantis
Tri Peaks 2 Quest For The Ruby Ring
UnHackMe 5.00 release
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC_MergeModuleToMSI
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
VZAccess Manager for RIM
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
Womens Murder Club
Word Riot Deluxe
World of Goo
XML Paper Specification Shared Components Pack 1.0
XPlay Photo Browser
Yahoo! Messenger
Zuma Deluxe 1.0

==== Event Viewer Messages From Past Week ========

6/12/2009 3:00:58 PM, error: DCOM [10001] - Unable to start a DCOM Server: {E367E1A1-E917-11D0-AF5F-00A02448799A} as /. The error: "%2" Happened while starting this command: C:\WINDOWS\system32\MDM.EXE -Embedding
6/12/2009 3:00:58 PM, error: DCOM [10001] - Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error: "%2" Happened while starting this command: C:\WINDOWS\system32\MDM.EXE -Embedding
6/12/2009 3:00:20 PM, error: Service Control Manager [7001] - The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error: The system cannot find the file specified.
6/12/2009 3:00:20 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error: The system cannot find the file specified.
6/12/2009 3:00:20 PM, error: Service Control Manager [7000] - The IPSEC driver service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 3:00:20 PM, error: Service Control Manager [7000] - The AFD service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 2:58:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD IPSec MRxSmb NetBIOS NetBT Tcpip
6/12/2009 2:58:10 PM, error: Service Control Manager [7024] - The Workstation service terminated with service-specific error 2250 (0x8CA).
6/12/2009 2:58:10 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7023] - The Server service terminated with the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Wireless Zero Configuration service depends on the NDIS Usermode I/O Protocol service which failed to start because of the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector service which failed to start because of the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Intel® PROSet/Wireless SSO Service service depends on the Intel® PROSet/Wireless Service service which failed to start because of the following error: The dependency service or group failed to start.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Intel® PROSet/Wireless Service service depends on the WLAN Transport service which failed to start because of the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service has returned a service-specific error code.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Canon Camera Access Library 8 service depends on the SSDP Discovery Service service which failed to start because of the following error: The operation completed successfully.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 2:58:10 PM, error: Service Control Manager [7000] - The WLAN Transport service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7000] - The WebDav Client Redirector service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7000] - The NDIS Usermode I/O Protocol service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 2:58:10 PM, error: Service Control Manager [7000] - The AEGIS Protocol (IEEE 802.1x) v3.7.5.0 service failed to start due to the following error: The system cannot find the file specified.
6/12/2009 2:58:05 PM, error: Workstation [5727] - Could not load RDR device driver.
6/12/2009 2:58:05 PM, error: Workstation [5727] - Could not load MRxSmb device driver.

==== End Of File ===========================




DDS (Ver_09-05-14.01) - NTFSx86
Run by Beth at 15:45:24.46 on Fri 06/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.145 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Beth\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
IE: &Search
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195771090656
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-21 24652]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030319.002\NAVENG.sys [2009-5-24 61732]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030319.002\NAVEX15.sys [2009-5-24 519333]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-5-25 34760]

=============== Created Last 30 ================

2009-05-26 01:27 <DIR> --d----- c:\docume~1\beth\applic~1\Intel
2009-05-26 01:22 21,361 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-26 01:22 21,361 a------- c:\windows\AegisP.sys
2009-05-26 01:22 13,984 a------- c:\windows\AegisP.inf
2009-05-26 01:22 10,640 a------- c:\windows\AegisP.cat
2009-05-26 01:20 2,777,088 a------- c:\windows\system32\NETw4r32.dll
2009-05-26 01:20 2,236,032 a------- c:\windows\system32\drivers\NETw4x32.sys
2009-05-26 01:20 745,472 a------- c:\windows\system32\NETw4c32.dll
2009-05-26 01:17 45,568 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-05-26 01:17 <DIR> --d----- c:\program files\Broadcom
2009-05-25 23:11 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-05-25 23:11 32,480 a------- c:\windows\system32\Partizan.exe
2009-05-25 23:11 2 a--shrot c:\windows\winstart.bat
2009-05-25 23:10 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-05-25 23:10 <DIR> --d----- c:\program files\UnHackMe
2009-05-25 14:04 <DIR> --d----- c:\windows\system32\msmq
2009-05-25 14:04 <DIR> --d----- C:\Inetpub
2009-05-25 12:43 <DIR> --d----- C:\HijackThis
2009-05-25 05:10 0 a------- c:\windows\vpc32.INI
2009-05-24 23:02 124,167 a------- c:\windows\system32\SYMEVNT.386
2009-05-24 23:02 83,208 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-24 23:02 73,496 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-24 23:02 <DIR> --d----- c:\program files\Symantec
2009-05-24 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-05-24 23:02 <DIR> --d----- c:\program files\Symantec_Client_Security
2009-05-24 20:29 <DIR> --ds---- C:\ComboFix
2009-05-24 20:22 <DIR> --dshr-- C:\cmdcons
2009-05-24 20:22 <DIR> --d----- c:\windows\setup.pss
2009-05-24 14:55 <DIR> --d----- C:\My Downloads
2009-05-24 14:32 161,792 a------- c:\windows\SWREG.exe
2009-05-24 14:32 139,776 a------- c:\windows\PEV.exe
2009-05-24 14:32 98,816 a------- c:\windows\sed.exe
2009-05-23 22:08 770,048 a------- c:\windows\system32\BCMLogon.dll
2009-05-23 22:08 33,664 a------- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-05-23 22:07 253,952 a------- c:\windows\system32\bcmwlu00.exe
2009-05-23 22:07 86,016 a------- c:\windows\system32\preflib.dll
2009-05-23 22:07 69,632 a------- c:\windows\system32\bcmwlpkt.dll
2009-05-23 22:07 44,032 a------- c:\windows\system32\wltrynt.dll
2009-05-23 22:07 3,395,584 a------- c:\windows\system32\BCMWLCPL.CPL
2009-05-23 22:07 1,392,640 a------- c:\windows\system32\WLTRAY.EXE
2009-05-23 22:07 1,253,376 a------- c:\windows\system32\BCMWLTRY.EXE
2009-05-23 22:07 20,480 a------- c:\windows\system32\WLTRYSVC.EXE
2009-05-23 22:07 2,129,920 a------- c:\windows\system32\WLBCGCBPRO731.DLL
2009-05-23 22:07 757,760 a------- c:\windows\system32\bcm1xsup.dll
2009-05-23 22:07 <DIR> --d----- c:\program files\Dell
2009-05-21 19:21 244 a---h--- C:\sqmnoopt19.sqm
2009-05-21 19:21 232 a---h--- C:\sqmdata19.sqm
2009-05-21 19:20 244 a---h--- C:\sqmnoopt18.sqm
2009-05-21 19:20 232 a---h--- C:\sqmdata18.sqm
2009-05-21 19:19 244 a---h--- C:\sqmnoopt17.sqm
2009-05-21 19:19 232 a---h--- C:\sqmdata17.sqm
2009-05-21 19:18 244 a---h--- C:\sqmnoopt16.sqm
2009-05-21 19:18 232 a---h--- C:\sqmdata16.sqm
2009-05-21 19:16 244 a---h--- C:\sqmnoopt15.sqm
2009-05-21 19:16 232 a---h--- C:\sqmdata15.sqm
2009-05-21 19:15 244 a---h--- C:\sqmnoopt14.sqm
2009-05-21 19:15 232 a---h--- C:\sqmdata14.sqm
2009-05-21 19:14 244 a---h--- C:\sqmnoopt13.sqm
2009-05-21 19:14 232 a---h--- C:\sqmdata13.sqm
2009-05-21 19:13 244 a---h--- C:\sqmnoopt12.sqm
2009-05-21 19:13 232 a---h--- C:\sqmdata12.sqm
2009-05-21 19:12 232 a---h--- C:\sqmdata11.sqm
2009-05-21 19:12 244 a---h--- C:\sqmnoopt11.sqm
2009-05-21 19:11 244 a---h--- C:\sqmnoopt10.sqm
2009-05-21 19:11 232 a---h--- C:\sqmdata10.sqm
2009-05-21 19:10 232 a---h--- C:\sqmdata09.sqm
2009-05-21 19:10 244 a---h--- C:\sqmnoopt09.sqm
2009-05-21 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-21 00:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-21 00:44 <DIR> --d----- c:\docume~1\beth\applic~1\SUPERAntiSpyware.com
2009-05-21 00:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-21 00:26 <DIR> --d----- c:\docume~1\beth\applic~1\Malwarebytes
2009-05-21 00:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 00:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 00:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-21 00:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 00:24 <DIR> --d----- c:\docume~1\beth\applic~1\Smith Micro
2009-05-21 00:22 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-05-21 00:22 <DIR> --d----- c:\program files\Verizon Wireless
2009-05-21 00:22 <DIR> --d----- c:\program files\common files\Research in Motion
2009-05-20 18:51 22,016 -------- c:\windows\system32\USERINIT.EXE
2009-05-19 22:31 2,967,800 a------- C:\mbam-setup.exe
2009-05-19 22:26 <DIR> --d----- c:\program files\malwarebytes
2009-05-19 22:21 16,078,104 a------- C:\VZAccess_6.7.3_2010e-RIM.exe
2009-05-17 19:09 <DIR> --d----- c:\program files\AVG
2009-05-17 18:42 147,456 a------- c:\windows\system32\vbzip10.dll
2009-05-17 18:40 212,224 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-17 18:40 17,408 -------- c:\windows\system32\UACbftduxvbbhsdgtj.dll
2009-05-17 18:40 19,968 -------- c:\windows\system32\UACqxobkmdywciwqyv.dll
2009-05-17 18:39 2 a------- C:\1352633492
2009-05-17 18:39 24,064 -------- c:\windows\system32\UACmwgnxveteepqdvp.dll
2009-05-17 17:12 <DIR> --d----- c:\program files\Star Defender 4
2009-05-17 17:09 <DIR> --d----- c:\program files\bfgclient
2009-05-17 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BigFishGamesCache

==================== Find3M ====================

2009-05-26 01:22 376,832 a------- c:\windows\system32\AegisI5Installer.exe
2009-05-17 18:39 14,336 a------- c:\windows\system32\svchost.exe
1998-12-08 23:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 23:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 23:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 23:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 23:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 23:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 15:46:06.51 ===============


#4 screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles
  • Local time:08:34 PM

Posted 14 June 2009 - 06:42 PM

Hello and welcome to BleepingComputer.

In the future, please avoid posting logs in colors; they're a bit hard on the eyes.


Please update MBAM, run a Quick Scan, and post its log.


After that, we'll use ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

#5 mobyfan

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:34 PM

Posted 14 June 2009 - 11:59 PM

Here are the three logs as requested: the MBAM quick scan, the HijackThis log, and the ComboFix log. ComboFix went through 47 stages and then deleted a file called partizan.exe (you'll notice I mentioned this file before as something I noticed that seemed odd or conspicuous). It then rebooted the computer and finished running and creating the log file after the boot-up. So without further ado, here are the logs.


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

6/14/2009 9:11:33 PM
mbam-log-2009-06-14 (21-11-33).txt

Scan type: Quick Scan
Objects scanned: 65666
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:20 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Beth\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Beth\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Beth\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195771090656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7166 bytes



ComboFix 09-06-14.02 - Beth 06/14/2009 22:59.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.356 [GMT -5:00]
Running from: c:\documents and settings\Beth\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\Partizan.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Partizan
-------\Service_Partizan


((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-15 04:18 . 2009-06-15 04:18 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-05-26 06:27 . 2009-05-26 06:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-05-26 06:27 . 2009-05-26 06:27 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-05-26 06:27 . 2009-05-26 06:27 -------- d-----w- c:\documents and settings\Beth\Application Data\Intel
2009-05-26 06:22 . 2009-05-26 06:22 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-26 06:22 . 2009-05-26 06:22 21361 ----a-w- c:\windows\AegisP.sys
2009-05-26 06:21 . 2009-05-26 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-05-26 06:20 . 2007-09-26 11:01 2236032 ----a-w- c:\windows\system32\drivers\NETw4x32.sys
2009-05-26 06:20 . 2007-08-27 16:12 2777088 ----a-w- c:\windows\system32\NETw4r32.dll
2009-05-26 06:20 . 2007-08-27 16:12 745472 ----a-w- c:\windows\system32\NETw4c32.dll
2009-05-26 06:17 . 2006-11-21 09:25 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2009-05-26 06:17 . 2009-05-26 06:17 -------- d-----w- c:\program files\Broadcom
2009-05-26 04:11 . 2009-05-26 04:11 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-05-26 04:11 . 2009-05-26 04:11 2 --shatr- c:\windows\winstart.bat
2009-05-26 04:10 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-05-26 04:10 . 2009-05-26 04:11 -------- d-----w- c:\program files\UnHackMe
2009-05-25 19:04 . 2009-05-25 19:04 -------- d-----w- c:\windows\system32\msmq
2009-05-25 19:04 . 2009-05-25 19:04 -------- d-----w- C:\Inetpub
2009-05-25 17:43 . 2009-05-25 17:43 -------- d-----w- C:\HijackThis
2009-05-25 04:02 . 2009-05-25 04:02 -------- d-----w- c:\documents and settings\Beth\Local Settings\Application Data\Symantec
2009-05-25 04:02 . 2009-05-25 04:00 83208 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-05-25 04:02 . 2009-05-25 04:00 73496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-25 04:02 . 2009-05-25 04:02 -------- d-----w- c:\program files\Symantec
2009-05-25 04:02 . 2009-05-25 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-25 04:02 . 2009-05-25 04:02 -------- d-----w- c:\program files\Symantec_Client_Security
2009-05-24 19:55 . 2009-05-24 19:55 -------- d-----w- C:\My Downloads
2009-05-24 03:08 . 2007-03-16 23:10 770048 ----a-w- c:\windows\system32\BCMLogon.dll
2009-05-24 03:08 . 2007-03-16 23:10 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-05-24 03:07 . 2007-03-16 23:10 86016 ----a-w- c:\windows\system32\preflib.dll
2009-05-24 03:07 . 2007-03-16 23:10 44032 ----a-w- c:\windows\system32\wltrynt.dll
2009-05-24 03:07 . 2007-03-16 23:10 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
2009-05-24 03:07 . 2007-03-16 23:10 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2009-05-24 03:07 . 2007-03-16 23:10 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE
2009-05-24 03:07 . 2007-03-16 23:10 20480 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2009-05-24 03:07 . 2007-03-16 23:10 1253376 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2009-05-24 03:07 . 2007-03-16 23:10 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2009-05-24 03:07 . 2007-03-16 23:10 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2009-05-24 03:07 . 2009-05-24 03:07 -------- d-----w- c:\program files\Dell
2009-05-22 00:15 . 2009-05-22 00:21 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-21 05:45 . 2009-06-15 04:19 117760 ----a-w- c:\documents and settings\Beth\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\documents and settings\Beth\Application Data\SUPERAntiSpyware.com
2009-05-21 05:43 . 2009-05-21 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-21 05:26 . 2009-05-21 05:26 -------- d-----w- c:\documents and settings\Beth\Application Data\Malwarebytes
2009-05-21 05:26 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 05:26 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 05:26 . 2009-05-21 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 05:25 . 2009-05-21 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 05:24 . 2009-05-21 05:24 -------- d-----w- c:\documents and settings\Beth\Application Data\Smith Micro
2009-05-21 05:22 . 2007-01-18 15:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-05-21 05:22 . 2009-05-21 05:22 -------- d-----w- c:\program files\Verizon Wireless
2009-05-21 05:22 . 2009-05-21 05:22 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-05-20 23:51 . 2003-07-16 16:43 22016 ------w- c:\windows\system32\USERINIT.EXE
2009-05-20 03:31 . 2009-05-19 20:23 2967800 ----a-w- C:\mbam-setup.exe
2009-05-20 03:26 . 2009-05-20 03:29 -------- d-----w- c:\program files\malwarebytes
2009-05-20 03:21 . 2008-03-29 01:27 16078104 ----a-w- C:\VZAccess_6.7.3_2010e-RIM.exe
2009-05-18 00:09 . 2009-05-18 00:09 -------- d-----w- c:\program files\AVG
2009-05-17 23:42 . 2009-05-17 23:42 147456 ----a-w- c:\windows\system32\vbzip10.dll
2009-05-17 23:40 . 2009-05-17 23:40 212224 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-17 23:40 . 2009-05-22 02:53 17408 ------w- c:\windows\system32\UACbftduxvbbhsdgtj.dll
2009-05-17 23:40 . 2009-05-22 02:53 19968 ------w- c:\windows\system32\UACqxobkmdywciwqyv.dll
2009-05-17 23:39 . 2009-05-22 02:53 24064 ------w- c:\windows\system32\UACmwgnxveteepqdvp.dll
2009-05-17 22:12 . 2009-05-17 23:14 -------- d-----w- c:\program files\Star Defender 4
2009-05-17 22:09 . 2009-05-17 22:09 -------- d-----w- c:\program files\bfgclient
2009-05-17 22:08 . 2009-05-17 22:09 2081496 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-05-17 22:08 . 2009-05-17 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-05-17 04:02 . 2009-05-17 04:02 390664 ----a-w- c:\documents and settings\Beth\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:00 . 2008-12-10 06:04 -------- d-----w- c:\program files\Norton Security Scan
2009-05-26 06:22 . 2007-11-22 22:36 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-05-26 06:20 . 2007-11-22 22:35 -------- d-----w- c:\program files\Intel
2009-05-26 04:10 . 2007-11-25 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-25 20:00 . 2008-12-10 06:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-24 03:07 . 2007-11-22 23:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-18 00:12 . 2007-11-23 21:50 -------- d-----w- c:\documents and settings\Beth\Application Data\LimeWire
2009-05-18 00:03 . 2007-11-23 21:49 -------- d-----w- c:\program files\LimeWire
2009-05-17 23:39 . 2004-08-04 10:00 14336 ----a-w- c:\windows\system32\svchost.exe
2009-05-17 04:54 . 2007-11-25 18:24 -------- d-----w- c:\program files\Oberon Media
2009-05-17 01:29 . 2007-11-23 04:44 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-17 01:29 . 2007-11-22 23:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-26 07:18 . 2007-11-23 14:06 -------- d-----w- c:\program files\Java
2009-04-26 07:16 . 2009-04-26 07:16 152576 ----a-w- c:\documents and settings\Beth\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-25 17:46 . 2009-04-25 17:45 -------- d-----w- c:\program files\iTunes
2009-04-25 17:46 . 2009-04-25 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-25 17:45 . 2007-11-23 00:42 -------- d-----w- c:\program files\iPod
2009-04-25 17:45 . 2007-11-23 01:10 -------- d-----w- c:\program files\Common Files\Apple
2009-04-25 17:38 . 2009-04-25 17:38 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-25 17:35 . 2009-04-25 17:35 -------- d-----w- c:\program files\Safari
2009-04-25 17:32 . 2009-04-25 17:29 -------- d-----w- c:\documents and settings\Beth\Application Data\iPhoneRingToneMaker
2009-04-25 17:29 . 2009-04-25 17:29 -------- d-----w- c:\program files\iPhoneRingToneMaker
2009-04-19 00:28 . 2007-11-23 00:48 -------- d-----w- c:\documents and settings\Beth\Application Data\Apple Computer
2009-04-18 16:14 . 2008-09-02 03:15 -------- d-----w- c:\program files\PokerStars
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
1998-12-09 04:53 . 1998-12-09 04:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 04:53 . 1998-12-09 04:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 04:53 . 1998-12-09 04:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 04:53 . 1998-12-09 04:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 04:53 . 1998-12-09 04:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 04:53 . 1998-12-09 04:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

------- Sigcheck -------

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2003-07-16 16:43 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\system32\USERINIT.EXE
.
((((((((((((((((((((((((((((( SnapShot@2009-05-25_01.37.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-25 01:37 . 2009-05-25 01:37 16384 c:\windows\Temp\Perflib_Perfdata_3dc.dat
+ 2009-06-15 04:16 . 2009-06-15 04:16 16384 c:\windows\temp\Perflib_Perfdata_3dc.dat
+ 2008-08-22 20:47 . 2008-04-14 00:12 39936 c:\windows\system32\wbem\snmpthrd.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 33280 c:\windows\system32\snmp.exe
+ 2006-08-29 18:59 . 2006-08-29 18:59 53248 c:\windows\system32\SMSUnins.dll
- 2006-08-29 19:59 . 2006-08-29 19:59 53248 c:\windows\system32\SMSUnins.dll
+ 2007-08-27 16:09 . 2007-08-27 16:09 14848 c:\windows\system32\s24NCfg.dll
- 2007-08-27 17:09 . 2007-08-27 17:09 14848 c:\windows\system32\s24NCfg.dll
+ 2003-01-10 16:39 . 2003-01-10 16:39 65590 c:\windows\system32\PDS.DLL
+ 2003-01-10 16:39 . 2003-01-10 16:39 77875 c:\windows\system32\NTS.DLL
+ 2003-05-21 06:19 . 2003-05-21 06:19 45056 c:\windows\system32\NavLogon.dll
+ 2003-01-10 16:39 . 2003-01-10 16:39 41017 c:\windows\system32\Msgsys.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 33792 c:\windows\system32\lmmib2.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 35328 c:\windows\system32\iprip.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 13312 c:\windows\system32\infoadmn.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 53248 c:\windows\system32\inetsrv\wamreg.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 76800 c:\windows\system32\inetsrv\wam.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 33792 c:\windows\system32\inetsrv\tools.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 46592 c:\windows\system32\inetsrv\svcext.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 46592 c:\windows\system32\inetsrv\sspifilt.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 45056 c:\windows\system32\inetsrv\ssinc.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 44544 c:\windows\system32\inetsrv\nsepm.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 85504 c:\windows\system32\inetsrv\metadata.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 37888 c:\windows\system32\inetsrv\md5filt.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 13312 c:\windows\system32\inetsrv\lonsint.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 26624 c:\windows\system32\inetsrv\iscomlog.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 68608 c:\windows\system32\inetsrv\isatq.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 15360 c:\windows\system32\inetsrv\inetinfo.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 30720 c:\windows\system32\inetsrv\iisrstas.exe
+ 2008-08-22 20:46 . 2008-04-14 00:11 79872 c:\windows\system32\inetsrv\iislog.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 25088 c:\windows\system32\inetsrv\iisadmin.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 61440 c:\windows\system32\inetsrv\httpodbc.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 32256 c:\windows\system32\inetsrv\gzip.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 42496 c:\windows\system32\inetsrv\davcdata.exe
+ 2008-08-22 20:46 . 2008-04-14 00:11 24064 c:\windows\system32\inetsrv\compfilt.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 46592 c:\windows\system32\inetsrv\coadmin.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 29696 c:\windows\system32\inetsrv\admexs.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 64512 c:\windows\system32\iismap.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 68608 c:\windows\system32\iisext.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 39936 c:\windows\system32\hostmib.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 14336 c:\windows\system32\exstrace.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 92160 c:\windows\system32\evntwin.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 24064 c:\windows\system32\evntcmd.exe
- 2009-05-23 22:41 . 2006-11-21 09:25 45568 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys
+ 2009-05-26 06:17 . 2006-11-21 09:25 45568 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys
+ 2009-05-26 06:17 . 2006-11-21 09:20 49507 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys
- 2009-05-23 22:41 . 2006-11-21 09:20 49507 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys
+ 2007-08-27 16:10 . 2007-08-27 16:10 12288 c:\windows\system32\drivers\s24trans.sys
- 2007-08-27 17:10 . 2007-08-27 17:10 12288 c:\windows\system32\drivers\s24trans.sys
+ 2008-08-22 20:48 . 2008-04-14 00:12 53248 c:\windows\system32\dllcache\wamreg51.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 76800 c:\windows\system32\dllcache\wam51.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 33792 c:\windows\system32\dllcache\tools.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 46592 c:\windows\system32\dllcache\svcext51.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 46592 c:\windows\system32\dllcache\sspifilt.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 45056 c:\windows\system32\dllcache\ssinc51.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 39936 c:\windows\system32\dllcache\snmpthrd.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 33280 c:\windows\system32\dllcache\snmp.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 10752 c:\windows\system32\dllcache\smtpapi.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 44544 c:\windows\system32\dllcache\nsepm.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 85504 c:\windows\system32\dllcache\metada51.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 37888 c:\windows\system32\dllcache\md5filt.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 13312 c:\windows\system32\dllcache\lonsint.dll
+ 2008-08-22 20:47 . 2008-04-14 00:11 33792 c:\windows\system32\dllcache\lmmib2.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 26624 c:\windows\system32\dllcache\iscomlog.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 68608 c:\windows\system32\dllcache\isatq.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 35328 c:\windows\system32\dllcache\iprip.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 13312 c:\windows\system32\dllcache\infoadmn.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\inetin51.exe
+ 2008-08-22 20:46 . 2008-04-14 00:11 79872 c:\windows\system32\dllcache\iislog51.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 25088 c:\windows\system32\dllcache\iisadmin.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 61440 c:\windows\system32\dllcache\httpod51.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 39936 c:\windows\system32\dllcache\hostmib.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 32256 c:\windows\system32\dllcache\gzip.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 14336 c:\windows\system32\dllcache\exstrace.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 92160 c:\windows\system32\dllcache\evntwin.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 24064 c:\windows\system32\dllcache\evntcmd.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 42496 c:\windows\system32\dllcache\davcdata.exe
+ 2008-08-22 20:46 . 2008-04-14 00:11 24064 c:\windows\system32\dllcache\compfilt.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 29696 c:\windows\system32\dllcache\admexs.dll
+ 2003-01-10 16:39 . 2003-01-10 16:39 28723 c:\windows\system32\CBA.DLL
+ 2008-08-22 20:46 . 2008-04-14 00:11 43520 c:\windows\system32\admwprox.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 8192 c:\windows\system32\staxmem.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 8704 c:\windows\system32\snmptrap.exe
+ 2008-08-22 20:47 . 2008-04-14 00:12 6144 c:\windows\system32\snmpmib.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 4096 c:\windows\system32\inetsrv\rpcref.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 7680 c:\windows\system32\inetsrv\pwsdata.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 7168 c:\windows\system32\inetsrv\iisfecnv.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 8192 c:\windows\system32\inetsrv\httpmib.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 6144 c:\windows\system32\inetsrv\ftpmib.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 8192 c:\windows\system32\dllcache\staxmem.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 8704 c:\windows\system32\dllcache\snmptrap.exe
+ 2008-08-22 20:47 . 2008-04-14 00:12 6144 c:\windows\system32\dllcache\snmpmib.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 9728 c:\windows\system32\dllcache\rwnh.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 4096 c:\windows\system32\dllcache\rpcref.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 7680 c:\windows\system32\dllcache\pwsdata.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 7168 c:\windows\system32\dllcache\iisfecnv.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 8192 c:\windows\system32\dllcache\httpmb51.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 6144 c:\windows\system32\dllcache\ftpmib.dll
+ 2009-05-26 06:17 . 2009-05-26 06:17 3262 c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe
- 2009-05-23 22:41 . 2009-05-23 22:41 3262 c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe
+ 2008-08-22 20:47 . 2008-04-14 00:12 188416 c:\windows\system32\wbem\snmpsmir.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 358400 c:\windows\system32\wbem\snmpincl.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 259072 c:\windows\system32\wbem\snmpcl.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 236544 c:\windows\system32\wbem\snmp\smi2smir.exe
- 2007-10-08 20:11 . 2007-10-08 20:11 208896 c:\windows\system32\NetProvCredMan.dll
+ 2007-10-08 19:11 . 2007-10-08 19:11 208896 c:\windows\system32\NetProvCredMan.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 364032 c:\windows\system32\inetsrv\w3svc.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 103424 c:\windows\system32\inetsrv\uihelper.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 456192 c:\windows\system32\inetsrv\smtpsvc.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 257024 c:\windows\system32\inetsrv\infocomm.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 829440 c:\windows\system32\inetsrv\inetmgr.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 145408 c:\windows\system32\inetsrv\iischema.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 268288 c:\windows\system32\inetsrv\httpext.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 125952 c:\windows\system32\inetsrv\ftpsvc2.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 369664 c:\windows\system32\inetsrv\asp.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 331264 c:\windows\system32\inetsrv\aqueue.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 108544 c:\windows\system32\inetsrv\AppConf.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 133632 c:\windows\system32\iisRtl.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 101888 c:\windows\system32\evntagnt.dll
- 2007-11-22 22:35 . 2007-02-12 18:40 557056 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2c32.dll
+ 2009-05-26 06:20 . 2007-02-12 17:40 557056 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2c32.dll
- 2007-11-22 22:35 . 2007-08-27 17:12 745472 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4c32.dll
+ 2009-05-26 06:20 . 2007-08-27 16:12 745472 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4c32.dll
+ 2009-05-26 06:20 . 2007-08-27 16:12 745472 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4c32.dll
- 2007-11-22 22:35 . 2007-08-27 17:12 745472 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4c32.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 364032 c:\windows\system32\dllcache\w3svc.dll
+ 2008-08-22 20:48 . 2008-04-14 00:12 103424 c:\windows\system32\dllcache\uihelper.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 188416 c:\windows\system32\dllcache\snmpsmir.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 358400 c:\windows\system32\dllcache\snmpincl.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 259072 c:\windows\system32\dllcache\snmpcl.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 456192 c:\windows\system32\dllcache\smtpsvc.dll
+ 2008-08-22 20:46 . 2008-04-14 00:12 189440 c:\windows\system32\dllcache\smtpadm.dll
+ 2008-08-22 20:47 . 2008-04-14 00:12 236544 c:\windows\system32\dllcache\smi2smir.exe
+ 2008-08-22 20:46 . 2008-04-14 00:12 221696 c:\windows\system32\dllcache\seo.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 257024 c:\windows\system32\dllcache\infocomm.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 829440 c:\windows\system32\dllcache\inetmgr.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 145408 c:\windows\system32\dllcache\iische51.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 268288 c:\windows\system32\dllcache\httpext.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 125952 c:\windows\system32\dllcache\ftpsv251.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 101888 c:\windows\system32\dllcache\evntagnt.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 369664 c:\windows\system32\dllcache\asp51.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 331264 c:\windows\system32\dllcache\aqueue.dll
+ 2008-08-22 20:46 . 2008-04-14 00:11 108544 c:\windows\system32\dllcache\appconf.dll
+ 2009-06-15 03:56 . 2009-06-15 03:56 389120 c:\windows\system32\CF15751.exe
+ 2008-08-22 20:46 . 2008-04-14 00:11 290816 c:\windows\system32\adsiis.dll
- 2007-11-22 22:35 . 2007-09-11 15:54 600328 c:\windows\Installer\iProInst.exe
+ 2009-05-26 06:20 . 2007-09-11 15:54 600328 c:\windows\Installer\iProInst.exe
+ 2009-05-26 06:20 . 2007-10-08 14:10 802816 c:\windows\Installer\iProData\iconvrtr.exe
- 2009-05-24 04:05 . 2007-10-08 14:10 802816 c:\windows\Installer\iProData\iconvrtr.exe
+ 2009-05-26 06:20 . 2007-07-25 22:44 2210048 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n51.sys
- 2007-11-22 22:35 . 2007-07-25 23:44 2210048 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n51.sys
- 2007-11-22 22:35 . 2007-07-25 23:45 2206464 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n50.sys
+ 2009-05-26 06:20 . 2007-07-25 22:45 2206464 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n50.sys
- 2007-11-22 22:35 . 2007-02-12 18:41 2732032 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2r32.dll
+ 2009-05-26 06:20 . 2007-02-12 17:41 2732032 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2r32.dll
- 2007-11-22 22:35 . 2007-09-26 12:01 2236032 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4x32.sys
+ 2009-05-26 06:20 . 2007-09-26 11:01 2236032 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4x32.sys
+ 2009-05-26 06:20 . 2007-08-27 16:12 2777088 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4r32.dll
- 2007-11-22 22:35 . 2007-08-27 17:12 2777088 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4r32.dll
- 2007-11-22 22:35 . 2007-08-27 17:12 2777088 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4r32.dll
+ 2009-05-26 06:20 . 2007-08-27 16:12 2777088 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4r32.dll
- 2007-11-22 22:35 . 2007-09-26 11:59 2230912 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4k32.sys
+ 2009-05-26 06:20 . 2007-09-26 10:59 2230912 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4k32.sys
+ 2008-08-22 20:46 . 2008-04-14 00:12 2134528 c:\windows\system32\dllcache\smtpsnap.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/25/2009 11:11 PM 34760]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2007 1:23 AM 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-06-12 c:\windows\Tasks\Norton Security Scan for Beth.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 23:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(308)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CF15751.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-15 23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 04:24
ComboFix2.txt 2009-05-25 01:42

Pre-Run: 77,984,944,128 bytes free
Post-Run: 77,968,674,816 bytes free

405 --- E O F --- 2009-05-14 16:26

#6 screen317

  • Malware Response Team
  • 236 posts
  • Gender:Male
  • Location:Los Angeles
  • Local time:08:34 PM

Posted 17 June 2009 - 02:24 AM

Hello,

Before we continue, please go to VirusTotal and upload the following files for analysis:
c:\windows\system32\drivers\Partizan.sys
c:\windows\system32\Partizan.exe
c:\windows\system32\USERINIT.EXE


Post the results in your reply.
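The log's Sigcheck block shows three copies of userinit.exe: the two backup copies under $NtServicePackUninstall$ and ServicePackFiles are marked [7], while the live copy in system32 is marked [-], carries a 2003 date, is smaller (22016 bytes) and has a different MD5. The following is an added example, not part of the original post and not ComboFix's own code: a small Python helper that reads a Sigcheck block, pairs every unverified file with the newest verified copy of the same name, reports the ones whose hashes differ, and computes the MD5/SHA-1/SHA-256 a practitioner needs to search VirusTotal by hash before uploading anything. It assumes that a leading "[-]" means ComboFix could not verify the file's signature and any other flag means it could, that the newest verified copy of a file name (on XP SP3, the ServicePackFiles copy) is the right reference, and that VirusTotal's current web UI serves a file report at https://www.virustotal.com/gui/file/<sha256>. The sample input is the three Sigcheck lines copied from the log above.

```python
"""Triage a ComboFix 'Sigcheck' block (added example, not part of the original
post): flag files ComboFix could not verify that also differ from a verified
copy of the same file elsewhere on disk, and compute the hashes needed to look
a file up on VirusTotal before uploading it."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the three Sigcheck lines from the log above.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2003-07-16 16:43 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\system32\USERINIT.EXE
.
"""

# One Sigcheck line: "[flag] date time size MD5 path". Assumption: "[-]" means
# ComboFix could not verify the file's signature; any other flag means it could.
_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    verified: bool
    date: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        # Windows file names are case-insensitive: USERINIT.EXE == userinit.exe
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Return one SigEntry per well-formed Sigcheck line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(SigEntry(
                verified=m["flag"] != "-",
                date=m["date"],
                size=int(m["size"]),
                md5=m["md5"].upper(),
                path=m["path"],
            ))
    return entries


def find_suspects(entries: List[SigEntry]) -> List[Tuple[SigEntry, SigEntry]]:
    """Pair each unverified file with the newest verified copy of the same name
    (assumption: on XP that is the ServicePackFiles copy) when their MD5s differ.
    A live system32 file that fails verification AND does not match the service
    pack copy is the one worth hashing and submitting for analysis."""
    by_name: Dict[str, List[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    suspects = []
    for group in by_name.values():
        good = [e for e in group if e.verified]
        if not good:
            continue  # nothing trustworthy to compare against
        reference = max(good, key=lambda e: e.date)  # ISO dates sort lexically
        for e in group:
            if not e.verified and e.md5 != reference.md5:
                suspects.append((e, reference))
    return suspects


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory blob (MD5 matches what Sigcheck prints)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_hashes(path: str) -> Dict[str, str]:
    """Stream a file through MD5/SHA-1/SHA-256 without loading it whole."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def vt_url(sha256: str) -> str:
    # Assumption: current VirusTotal web UI path for a file report looked up by hash.
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


if __name__ == "__main__":
    for bad, ref in find_suspects(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"UNVERIFIED {bad.path} ({bad.size} bytes, {bad.date}, MD5 {bad.md5})")
        print(f"  differs from verified {ref.path} ({ref.size} bytes, {ref.date}, MD5 {ref.md5})")
```

Run from a clean boot environment (the BartPE disc mentioned in the first post) and call file_hashes() on the copy of USERINIT.EXE, Partizan.sys and Partizan.exe before searching VirusTotal by SHA-256; if the hash is already known there is no need to upload. A failed signature check on its own is not proof of tampering (OEM-patched or hotfixed binaries can fail a catalog check), which is why the helper only reports an unverified file when it also disagrees with a verified copy, and why the hash, not the flag, is what gets submitted.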