
Malware Doctor, Virut infection


  • This topic is locked
25 replies to this topic

#1 atazk


  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 11 June 2009 - 10:04 AM

Hi, I have been infected with Malware Doctor and Virut and need some help removing them. I followed the preparation guide, but I could not get DDS to run. I was getting this error:
[screenshot of the DDS error, image not available]

Since then I was told to download RSIT; here is the log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-06-11 13:53:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (28%) free of 40 GB
Total RAM: 1535 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:13 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\VistaDrive.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\RSIT.exe
C:\Program Files\trend micro\Admin.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS.0\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS.0\VistaDrive.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] "C:\Program Files\AGEIA Technologies\TrayIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [ares destiny] "C:\Documents and Settings\Admin\Desktop\Ares.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Highlight - C:\WINDOWS.0\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS.0\WEB\urllist.htm
O8 - Extra context menu item: &U使用纳米机器人下载并收藏 - D:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS.0\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS.0\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS.0\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS.0\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS.0\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{078F4114-CBF7-41FD-8EFF-154CCF847943}: NameServer = 208.92.72.118,209.42.47.149
O17 - HKLM\System\CS2\Services\Tcpip\..\{078F4114-CBF7-41FD-8EFF-154CCF847943}: NameServer = 208.92.72.118,209.42.47.149
O17 - HKLM\System\CS3\Services\Tcpip\..\{078F4114-CBF7-41FD-8EFF-154CCF847943}: NameServer = 208.92.72.118,209.42.47.149
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: eaeaeebbacc - C:\WINDOWS.0\
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS.0\System32\avast!Antivirus.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS.0\System32\avast!AVSControlService.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS.0\
O23 - Service: FCI - Unknown owner - C:\WINDOWS.0\system32\svchost.exe:ext.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS.0\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: Uniblue DiskRescue (uniblue diskrescue) - Uniblue - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS.0\

--
End of file - 7908 bytes

======Scheduled tasks folder======

C:\WINDOWS.0\tasks\1-Click Maintenance.job
C:\WINDOWS.0\tasks\PCConfidential.job
C:\WINDOWS.0\tasks\Uniblue DiskRescue 2009.job
C:\WINDOWS.0\tasks\Uniblue SpyEraser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS.0\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 169984]
"NvCplDaemon"=C:\WINDOWS.0\system32\NvCpl.dll [2006-10-22 7700480]
"SoundMan"=C:\WINDOWS.0\SOUNDMAN.EXE [2007-04-16 577536]
"VistaDrive"=C:\WINDOWS.0\VistaDrive.exe [2007-10-11 1596230]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"AGEIA PhysX SysTray"=C:\Program Files\AGEIA Technologies\TrayIcon.exe [2006-06-12 335872]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2007-12-04 79224]
"NvMediaCenter"=C:\WINDOWS.0\system32\NvMcTray.dll [2006-10-22 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS.0\system32\ctfmon.exe [2008-04-14 15360]
"Uniblue RegistryBooster 2"=C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe [2007-09-06 1910040]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-05-26 1830128]
"Uniblue SpeedUpMyPC"=C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-07-05 9495832]
"Uniblue SpyEraser"=C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-12-10 1260296]
"ares destiny"=C:\Documents and Settings\Admin\Desktop\Ares.exe [2007-08-27 2973184]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-12-02 3882312]
"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12cfg515-k641-55sf-n66p]
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12zfg94-f641-2sf-k31p-5n1er6h6l2]
C:\RECYCLER\S-1-5-21-3327058181-8403345233-839497400-2427\service.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a00f6776465.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares destiny]
C:\Documents and Settings\Admin\Desktop\Ares.exe [2007-08-27 2973184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS.0\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]
C:\Program Files\Desktop Maestro\deskmech.exe [2007-11-02 2918288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS.0\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\malware doctor]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS.0\system32\NvCpl.dll [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzdflkioezncfiunfindiuchiuenfcdc]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\programchecker]
C:\Program Files\Zenturi\ProgramChecker\pcheckp.exe [2006-02-15 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reader_s]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe [2007-09-06 1910040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows system recover!]
C:\DOCUME~1\Admin\LOCALS~1\Temp\smss.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^asgupd32.exe]
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\asgupd32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^admin^start menu^programs^startup^fmnupd32.exe]
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\fmnupd32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Tierras del Sur.lnk]
D:\PROGRA~1\TIERRA~1\main.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2
"o&o defrag"=2
"dhcpsrv"=2
"Bonjour Service"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eaeaeebbacc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\wpdshserviceobj.dll [2007-01-17 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Admin\Desktop\Ares.exe"="C:\Documents and Settings\Admin\Desktop\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7766f6ac-e32f-11dd-b2b8-0016ec3fd9d8}]
shell\autorun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7766f6ad-e32f-11dd-b2b8-0016ec3fd9d8}]
shell\autorun\command - C:\WINDOWS.0\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s


======List of files/folders created in the last 1 months======

2009-06-11 13:53:51 ----D---- C:\rsit
2009-06-09 18:15:37 ----A---- C:\WINDOWS.0\system32\avast!Antivirus.exe
2009-06-09 01:25:46 ----D---- C:\WINDOWS.0\system32\NtmsData
2009-06-07 15:29:38 ----A---- C:\WINDOWS.0\system32\kusers.dll
2009-06-07 15:29:35 ----A---- C:\WINDOWS.0\system32\aa09f0f9674ef630d206768b60e6bf0c.exe
2009-06-07 14:25:20 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\SUPERAntiSpyware.com
2009-06-07 14:25:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-06-07 14:25:13 ----D---- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2009-06-07 14:23:07 ----A---- C:\WINDOWS.0\system32\E3TL.DLL
2009-06-07 14:22:56 ----D---- C:\Program Files\Zenturi
2009-06-07 14:22:56 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Zenturi
2009-06-06 10:46:05 ----RHD---- C:\$VAULT$.AVG
2009-06-06 03:37:25 ----D---- C:\Program Files\Registry Mechanic
2009-06-06 03:36:59 ----D---- C:\Program Files\Grisoft
2009-06-05 23:34:53 ----D---- C:\Program Files\FinalBurner
2009-06-05 23:27:59 ----D---- C:\Program Files\My Company Name
2009-06-05 23:27:34 ----D---- C:\Program Files\Notepad2
2009-06-05 23:27:30 ----D---- C:\Program Files\Innovative Solutions
2009-06-05 23:05:56 ----D---- C:\Program Files\Mozilla Thunderbird
2009-06-05 23:05:16 ----D---- C:\Program Files\Common Files\SecureAction Shared
2009-06-05 22:55:31 ----D---- C:\Program Files\Alky for Applications
2009-06-05 22:55:00 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-06-05 22:53:01 ----D---- C:\Program Files\DAMN NFO Viewer
2009-06-05 22:44:06 ----D---- C:\Program Files\VistaExperience.org
2009-06-05 22:39:31 ----D---- C:\Program Files\Driver-Soft
2009-06-05 17:39:04 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\RFA_Backups
2009-06-05 17:37:57 ----D---- C:\Win XP Prof EN
2009-06-05 17:12:28 ----SHD---- C:\WINDOWS.0\CSC
2009-06-05 16:27:13 ----D---- C:\Program Files\OO Software
2009-06-05 16:25:07 ----A---- C:\WINDOWS.0\system32\STKIT432.DLL
2009-06-05 16:25:00 ----D---- C:\Program Files\Desktop Maestro
2009-06-05 16:20:35 ----A---- C:\Program Files\invsecr.exe
2009-06-05 16:20:31 ----D---- C:\Program Files\Invisible Secrets 4
2009-06-05 14:58:57 ----D---- C:\WINDOWS.1
2009-06-05 14:23:30 ----AD---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\TEMP
2009-06-05 14:22:58 ----HDC---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-06-05 12:37:37 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\NVIDIA
2009-06-05 00:07:14 ----A---- C:\WINDOWS.0\ntbtlog.txt
2009-06-04 21:55:54 ----D---- C:\Program Files\Trend Micro
2009-06-04 21:38:03 ----HDC---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\{F7498CBA-F30B-4739-8CF3-167AF0872B2E}
2009-06-04 19:45:25 ----DC---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-04 18:32:59 ----A---- C:\WINDOWS.0\9129837.exe
2009-06-04 18:32:22 ----A---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\91543586.ini
2009-06-04 18:32:21 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\91543586
2009-06-04 18:32:21 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\11533594
2009-06-04 17:22:48 ----HD---- C:\WINDOWS.0\system32\GroupPolicy
2009-06-04 15:10:31 ----D---- C:\WINDOWS.0\dhcp
2009-05-26 14:39:46 ----A---- C:\DragonSky_setup_2009-05-21.exe

======List of files/folders modified in the last 1 months======

2009-06-11 13:53:51 ----D---- C:\WINDOWS.0\Prefetch
2009-06-11 12:25:50 ----D---- C:\WINDOWS.0\Temp
2009-06-10 01:13:06 ----D---- C:\Program Files\Internet Explorer
2009-06-09 23:23:21 ----SHD---- C:\WINDOWS.0\Installer
2009-06-09 23:23:21 ----SHD---- C:\Config.Msi
2009-06-09 23:23:14 ----RD---- C:\Program Files
2009-06-09 23:23:14 ----D---- C:\Program Files\Common Files
2009-06-09 23:23:13 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Skype
2009-06-09 23:20:46 ----D---- C:\WINDOWS.0\system32
2009-06-09 23:20:29 ----SD---- C:\WINDOWS.0\Tasks
2009-06-09 23:18:41 ----HD---- C:\WINDOWS.0\inf
2009-06-09 23:18:41 ----DC---- C:\WINDOWS.0\system32\DRVSTORE
2009-06-09 23:18:39 ----D---- C:\WINDOWS.0\system32\CatRoot2
2009-06-09 23:18:33 ----D---- C:\Program Files\Common Files\Apple
2009-06-09 23:12:40 ----SH---- C:\boot.ini
2009-06-09 23:12:40 ----A---- C:\WINDOWS.0\win.ini
2009-06-09 23:12:40 ----A---- C:\WINDOWS.0\system.ini
2009-06-09 15:09:48 ----A---- C:\WINDOWS.0\SchedLgU.Txt
2009-06-09 14:57:31 ----D---- C:\WINDOWS.0\system32\drivers
2009-06-09 14:53:13 ----D---- C:\WINDOWS.0
2009-06-09 01:31:14 ----D---- C:\Documents and Settings\Admin\Application Data\skypePM
2009-06-09 01:26:10 ----SD---- C:\Documents and Settings\Admin\Application Data\Microsoft
2009-06-09 01:19:36 ----D---- C:\WINDOWS.0\Registration
2009-06-08 18:51:23 ----D---- C:\Documents and Settings\Admin\Application Data\U3
2009-06-08 16:32:48 ----D---- C:\WINDOWS
2009-06-07 20:37:57 ----D---- C:\Documents and Settings\Admin\Application Data\Uniblue
2009-06-07 19:49:49 ----D---- C:\Program Files\Mozilla Firefox
2009-06-07 18:54:26 ----SHD---- C:\System Volume Information
2009-06-07 18:54:26 ----D---- C:\WINDOWS.0\system32\Restore
2009-06-07 14:24:21 ----SD---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft
2009-06-07 14:22:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-06 05:11:56 ----D---- C:\WINDOWS.0\Minidump
2009-06-06 05:11:56 ----D---- C:\Reflective Icons
2009-06-06 05:11:56 ----D---- C:\Program Files\Windows Media Connect 2
2009-06-06 04:57:47 ----SHD---- C:\RECYCLER
2009-06-06 03:37:30 ----A---- C:\WPI_Log.txt
2009-06-06 03:37:22 ----D---- C:\Program Files\Google
2009-06-05 23:27:24 ----D---- C:\Program Files\WinRAR
2009-06-05 23:19:26 ----D---- C:\Program Files\Common Files\Adobe
2009-06-05 23:19:26 ----D---- C:\Program Files\Adobe
2009-06-05 23:18:21 ----D---- C:\Program Files\OpenOffice.org 2.3
2009-06-05 23:06:03 ----D---- C:\Program Files\Uniblue
2009-06-05 23:06:01 ----D---- C:\Program Files\Tiger System Preferences v2
2009-06-05 23:05:16 ----D---- C:\Program Files\AEP2008 Pro
2009-06-05 22:58:54 ----D---- C:\Documents and Settings
2009-06-05 22:54:26 ----D---- C:\Program Files\TuneUp Utilities 2008
2009-06-05 22:53:50 ----D---- C:\Program Files\Opera
2009-06-05 22:53:39 ----D---- C:\Program Files\K-Lite Codec Pack
2009-06-05 22:53:02 ----D---- C:\Program Files\BackupFox
2009-06-05 22:49:31 ----D---- C:\Program Files\Windows Media Player
2009-06-05 22:49:30 ----D---- C:\Program Files\NetMeeting
2009-06-05 22:49:29 ----D---- C:\Program Files\Common Files\Services
2009-06-05 22:49:26 ----D---- C:\Program Files\Outlook Express
2009-06-05 22:49:12 ----D---- C:\Program Files\Movie Maker
2009-06-05 22:48:55 ----D---- C:\Program Files\Common Files\System
2009-06-05 22:46:57 ----D---- C:\Program Files\Windows Sidebar
2009-06-05 22:38:41 ----D---- C:\Program Files\Messenger
2009-06-05 22:38:25 ----D---- C:\Program Files\Windows NT
2009-06-05 18:12:19 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-05 18:08:34 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-06-05 16:20:55 ----A---- C:\WINDOWS.0\NeroDigital.ini
2009-06-05 00:23:32 ----D---- C:\WINDOWS.0\system32\dllcache
2009-06-04 21:38:15 ----D---- C:\WINDOWS.0\system32\config
2009-06-04 17:51:46 ----D---- C:\WINDOWS.0\security
2009-06-04 16:50:14 ----A---- C:\WINDOWS.0\avisplitter.INI
2009-06-04 16:41:57 ----A---- C:\WINDOWS.0\system32\svchost.exe
2009-06-04 15:43:36 ----D---- C:\Download
2009-06-04 15:09:05 ----D---- C:\WINDOWS.0\pss
2009-05-16 19:05:49 ----D---- C:\Downloads

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS.0\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS.0\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS.0\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 intelppm;Intel Processor Driver; C:\WINDOWS.0\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 sasdifsv;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 saskutil;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS.0\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 atksgt;atksgt; C:\WINDOWS.0\system32\DRIVERS\atksgt.sys [2009-01-15 271360]
R2 lirsgt;lirsgt; C:\WINDOWS.0\system32\DRIVERS\lirsgt.sys [2009-01-15 18048]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS.0\system32\DRIVERS\rspndr.sys [2007-12-28 62336]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS.0\system32\drivers\ALCXWDM.SYS [2007-10-26 4124352]
R3 aswRdr;aswRdr; C:\WINDOWS.0\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS.0\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS.0\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS.0\system32\DRIVERS\mouhid.sys [2007-12-28 12160]
R3 nv;nv; C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS.0\nvoclock.sys []
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS.0\system32\DRIVERS\RT2500.sys [2006-08-15 211072]
R3 sasenum;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS.0\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS.0\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S1 334da089;334da089; C:\WINDOWS.0\System32\drivers\334da089.sys []
S1 5d99c4a1;5d99c4a1; C:\WINDOWS.0\System32\drivers\5d99c4a1.sys []
S1 911b6f82;911b6f82; C:\WINDOWS.0\System32\drivers\911b6f82.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS.0\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 ENTECH;ENTECH; \??\C:\WINDOWS.0\system32\DRIVERS\ENTECH.sys []
S3 nm;Network Monitor Driver; C:\WINDOWS.0\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS.0\system32\drivers\npf.sys [2007-11-06 34064]
S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS.0\system32\DRIVERS\sisnicxp.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.0\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS.0\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 vtayn;vtayn; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\vtayn.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS.0\system32\DRIVERS\WudfPf.sys [2007-01-17 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.0\system32\DRIVERS\wudfrd.sys [2007-01-17 82944]
S3 XDva269;XDva269; \??\C:\WINDOWS.0\system32\XDva269.sys []
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2007-12-04 17272]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2007-12-04 140664]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS.0\system32\nvsvc32.exe [2006-10-22 159810]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS.0\System32\svchost.exe [2009-06-04 14336]
S2 avast!antivirus;avast!antivirus; C:\WINDOWS.0\System32\avast!Antivirus.exe [2009-06-10 36864]
S2 avast!avscontrolservice;avast!avscontrolservice; C:\WINDOWS.0\System32\avast!AVSControlService.exe -k netsvcs []
S2 FCI;FCI; C:\WINDOWS.0\system32\svchost.exe [2009-06-04 14336]
S2 ias;Ias; C:\WINDOWS.0\System32\svchost.exe [2009-06-04 14336]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
S2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-09-04 131072]
S2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS.0\system32\PSIService.exe [2006-11-02 174656]
S2 uniblue diskrescue;Uniblue DiskRescue; C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [2008-09-10 229648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2007-12-04 247160]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2007-12-04 345464]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS.0\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-09-20 382248]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS.0\system32\GameMon.des [2009-02-24 3117818]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini []
S3 sassvc;ProgramCheckerPro; C:\Program Files\Zenturi\ProgramChecker\sassvc.exe [2006-02-15 122880]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS.0\System32\TuneUpDefragService.exe [2008-12-15 306432]
S3 usprserv;User Privilege Service; C:\WINDOWS.0\System32\svchost.exe [2009-06-04 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-19 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.0\system32\svchost.exe [2009-06-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:46 PM

Posted 11 June 2009 - 10:28 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Let me tell you up front that if you are actually infected with virut, it is unlikely that we'll be able to completely rid your computer of the infection without having to format completely and reinstall. It's not impossible, but in most cases a format is the best option. You may want to backup any vital media files that you don't want to lose. Don't backup any .exe files as they may be infected.




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 11 June 2009 - 11:26 AM

While running combofix, my computer automatically restarted two times, and the second restart combofix was preparing the log but did not finish. After the restarts I ran it again and it worked fine. Here is the log:

ComboFix 09-06-10.02 - Admin 06/11/2009 15:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1145 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1335 [VPS 090610-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 17:53 . 2009-06-11 17:54 -------- d-----w- C:\rsit
2009-06-10 03:21 . 2009-06-11 19:12 -------- d-----w- c:\documents and settings\Admin\Tracing
2009-06-09 05:25 . 2009-06-09 05:26 -------- d-----w- c:\windows.0\system32\NtmsData
2009-06-07 19:29 . 2009-06-07 19:29 205840 ----a-w- c:\windows.0\system32\kusers.dll
2009-06-07 19:29 . 2009-06-07 19:29 262160 ----a-w- c:\windows.0\system32\aa09f0f9674ef630d206768b60e6bf0c.exe
2009-06-07 18:26 . 2009-06-11 19:12 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\SUPERAntiSpyware.com
2009-06-07 18:25 . 2009-06-07 22:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2009-06-07 18:23 . 2009-06-07 18:23 26000 ----a-w- c:\windows.0\system32\E3TL.DLL
2009-06-07 18:23 . 2009-06-07 18:23 29696 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{FE047432-CD76-41F9-88FA-1AD225604FFB}\IconA6E9E0334.exe
2009-06-07 18:22 . 2009-06-07 18:22 -------- d-----w- c:\program files\Zenturi
2009-06-07 18:22 . 2009-06-07 18:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Zenturi
2009-06-07 00:01 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Admin.PAL\Application Data\U3\temp\cleanup.exe
2009-06-06 21:43 . 2009-06-06 21:43 664 ----a-w- c:\windows.0\system32\d3d9caps.dat
2009-06-06 18:26 . 2009-06-07 00:01 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\U3
2009-06-06 14:46 . 2009-06-06 18:14 -------- d--h--r- C:\$VAULT$.AVG
2009-06-06 09:05 . 2009-06-06 11:26 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\Uniblue
2009-06-06 07:49 . 2009-06-06 07:49 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Mozilla
2009-06-06 07:37 . 2009-06-06 15:00 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\AVG7
2009-06-06 07:37 . 2009-06-06 07:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\AVG7
2009-06-06 03:37 . 2009-06-06 03:37 552312 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-06 03:34 . 2009-06-06 03:35 -------- d-----w- c:\program files\FinalBurner
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\My Company Name
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\Notepad2
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\Notepad2
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\Innovative Solutions
2009-06-06 03:21 . 2009-06-06 03:21 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Microsoft Help
2009-06-06 03:19 . 2009-06-06 03:19 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Adobe
2009-06-06 03:05 . 2009-06-06 09:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-06 03:05 . 2009-06-06 03:05 -------- d-----w- c:\program files\Common Files\SecureAction Shared
2009-06-06 03:02 . 2009-06-06 07:38 71976 ----a-w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 02:55 . 2009-06-06 02:55 -------- d-----w- c:\program files\Alky for Applications
2009-06-06 02:55 . 2009-06-06 02:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Local Settings\Application Data\Real
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\7zS1FD1.tmp
2009-06-06 02:51 . 2009-06-06 02:51 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.1\DRM
2009-06-06 02:44 . 2009-06-06 02:44 -------- d-----w- c:\program files\VistaExperience.org
2009-06-06 02:39 . 2009-06-06 02:52 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Local Settings\Application Data\Microsoft
2009-06-06 02:39 . 2009-06-06 02:39 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Application Data\uTorrent
2009-06-06 02:39 . 2009-06-06 02:39 -------- d-----w- c:\program files\Driver-Soft
2009-06-05 22:00 . 2009-06-05 22:00 -------- d-----w- c:\documents and settings\user\Application Data\TuneUp Software
2009-06-05 21:39 . 2009-06-05 21:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\RFA_Backups
2009-06-05 21:37 . 2009-06-05 21:37 -------- d-----w- C:\Win XP Prof EN
2009-06-05 20:27 . 2009-06-05 20:27 -------- d-----w- c:\program files\OO Software
2009-06-05 20:25 . 2009-06-05 21:18 -------- d-----w- c:\program files\Desktop Maestro
2009-06-05 20:20 . 2007-04-26 18:37 2168069 ----a-w- c:\program files\invsecr.exe
2009-06-05 20:20 . 2009-06-05 21:46 -------- d-----w- c:\program files\Invisible Secrets 4
2009-06-05 19:28 . 2009-06-06 02:55 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.1
2009-06-05 19:28 . 2009-06-06 02:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1
2009-06-05 18:58 . 2009-06-07 22:41 -------- d-----w- C:\WINDOWS.1
2009-06-05 18:23 . 2009-06-05 21:43 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-06-05 18:23 . 2008-12-22 08:11 2644133 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\Uniblue DiskRescue.exe
2009-06-05 18:23 . 2008-09-10 15:22 836880 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\B4B74A3\3826204\UBDefrag.DLL
2009-06-05 18:23 . 2008-09-10 15:22 419088 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\F02A138C\3826204\update.dll
2009-06-05 18:23 . 2008-09-10 15:22 3211536 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\1FDE702B\3826204\UBDiskRescue.exe
2009-06-05 18:23 . 2008-09-10 15:22 229648 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\C_\build\AutoBuilds\DR\Installer\Raw\UBDiskRescueSrv.exe
2009-06-05 18:23 . 2008-09-10 15:22 229648 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\49994FF1\3826204\UBDiskRescueSrv.exe
2009-06-05 18:23 . 2008-09-10 15:22 1996048 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\9C335CDE\3826204\UBResdll.dll
2009-06-05 18:22 . 2009-06-05 18:23 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-06-05 16:37 . 2009-06-05 16:37 72760 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-05 16:37 . 2009-06-05 16:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\NVIDIA
2009-06-05 01:55 . 2009-06-11 17:54 -------- d-----w- c:\program files\Trend Micro
2009-06-05 01:38 . 2009-06-05 01:38 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{F7498CBA-F30B-4739-8CF3-167AF0872B2E}
2009-06-05 01:38 . 2008-07-22 11:59 2638950 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{F7498CBA-F30B-4739-8CF3-167AF0872B2E}\DriverScanner_Setup.exe
2009-06-05 00:29 . 2009-06-11 19:19 99422 ----a-w- c:\windows.0\system32\drivers\3a5b519b.sys
2009-06-05 00:25 . 2008-04-14 02:04 12127 ----a-w- c:\windows.0\system32\dllcache\wadv02nt.sys
2009-06-05 00:24 . 2001-08-17 16:13 17129 ----a-w- c:\windows.0\system32\dllcache\tdkcd31.sys
2009-06-05 00:23 . 2001-08-17 16:12 94698 ----a-w- c:\windows.0\system32\dllcache\sk98xwin.sys
2009-06-05 00:22 . 2001-08-18 02:36 41472 ----a-w- c:\windows.0\system32\dllcache\qvusd.dll
2009-06-05 00:21 . 2001-08-17 18:05 28032 ----a-w- c:\windows.0\system32\dllcache\ovcd.sys
2009-06-05 00:20 . 2001-08-17 18:00 2944 ----a-w- c:\windows.0\system32\dllcache\msmpu401.sys
2009-06-05 00:19 . 2006-02-28 12:00 5632 ----a-w- c:\windows.0\system32\dllcache\kbdusa.dll
2009-06-05 00:18 . 2001-08-18 02:36 372824 ----a-w- c:\windows.0\system32\dllcache\iconf32.dll
2009-06-05 00:17 . 2008-04-14 04:15 59136 ----a-w- c:\windows.0\system32\dllcache\gckernel.sys
2009-06-05 00:16 . 2001-08-17 16:11 455199 ----a-w- c:\windows.0\system32\dllcache\el985n51.sys
2009-06-05 00:15 . 2001-08-17 16:12 63208 ----a-w- c:\windows.0\system32\dllcache\dc21x4.sys
2009-06-05 00:07 . 2006-02-28 12:00 14336 ----a-w- c:\windows.0\system32\dllcache\chgusr.exe
2009-06-05 00:06 . 2008-04-14 04:16 11776 ----a-w- c:\windows.0\system32\dllcache\bdasup.sys
2009-06-05 00:05 . 2001-08-18 02:36 5632 ----a-w- c:\windows.0\system32\dllcache\EXCH_adsiisex.dll
2009-06-04 23:45 . 2009-06-04 23:45 -------- dc----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-04 22:32 . 2009-06-07 22:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\91543586
2009-06-04 22:31 . 2009-06-11 19:19 99422 ----a-w- c:\windows.0\system32\drivers\db3a6068.sys
2009-06-04 21:22 . 2009-06-04 21:22 -------- d--h--w- c:\windows.0\system32\GroupPolicy
2009-06-04 20:42 . 2009-06-10 06:59 0 ----a-w- c:\windows.0\system32\drivers\5d99c4a1.sys
2009-06-04 20:10 . 2009-06-09 18:52 0 ----a-w- c:\windows.0\system32\drivers\911b6f82.sys
2009-06-04 19:34 . 2009-06-04 19:34 -------- d-----w- c:\documents and settings\user\Application Data\Uniblue
2009-06-04 19:10 . 2009-06-07 22:29 -------- d-----w- c:\windows.0\dhcp
2009-06-04 19:08 . 2009-06-11 19:19 99422 ----a-w- c:\windows.0\system32\drivers\290fcb74.sys
2009-06-04 17:36 . 2009-06-04 18:53 0 ----a-w- c:\windows.0\system32\drivers\334da089.sys
2009-05-26 19:23 . 2008-07-19 20:47 86016 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\gb9kvent.default\extensions\{6f7ae34f-ec7d-4ecd-871f-6efe8bf131df}\RobotWrapper.exe
2009-05-26 18:39 . 2009-05-26 20:38 1065803877 ----a-w- C:\DragonSky_setup_2009-05-21.exe
2009-05-19 01:44 . 2008-04-14 04:09 14592 ----a-w- c:\windows.0\system32\drivers\kbdhid.sys
2009-05-19 01:44 . 2008-04-14 04:09 14592 ----a-w- c:\windows.0\system32\dllcache\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:03 . 2004-08-03 12:00 182656 ----a-w- c:\windows.0\system32\drivers\ndis.sys
2009-06-11 18:54 . 2009-01-15 18:08 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2009-06-10 03:23 . 2009-05-04 22:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Skype
2009-06-10 03:18 . 2009-02-13 22:57 -------- d-----w- c:\program files\Common Files\Apple
2009-06-09 05:31 . 2009-05-04 22:27 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-06-08 00:37 . 2008-12-18 08:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Uniblue
2009-06-07 18:22 . 2008-03-06 22:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-06 09:11 . 2008-12-16 03:17 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-06 07:37 . 2009-02-21 20:47 -------- d-----w- c:\program files\Google
2009-06-06 03:19 . 2007-03-07 20:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-06 03:18 . 2009-02-18 20:29 -------- d-----w- c:\program files\OpenOffice.org 2.3
2009-06-06 03:06 . 2008-12-16 06:17 -------- d-----w- c:\program files\Uniblue
2009-06-06 03:06 . 2008-12-16 06:17 -------- d-----w- c:\program files\Tiger System Preferences v2
2009-06-06 03:05 . 2008-12-16 06:16 -------- d-----w- c:\program files\AEP2008 Pro
2009-06-06 02:54 . 2008-12-16 03:31 -------- d-----w- c:\program files\TuneUp Utilities 2008
2009-06-06 02:53 . 2008-12-16 03:31 -------- d-----w- c:\program files\Opera
2009-06-06 02:53 . 2008-12-16 03:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-06 02:53 . 2008-12-16 03:30 -------- d-----w- c:\program files\BackupFox
2009-06-06 02:46 . 2008-12-16 03:18 -------- d-----w- c:\program files\Windows Sidebar
2009-06-06 02:39 . 2009-06-06 02:58 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\uTorrent
2009-06-05 22:12 . 2006-02-21 06:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 21:46 . 2006-12-08 00:00 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-06-05 21:46 . 2008-12-07 03:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-06-04 20:41 . 2004-08-03 12:00 14336 ----a-w- c:\windows.0\system32\svchost.exe
2009-06-04 19:35 . 2007-02-08 09:45 -------- d-----w- c:\documents and settings\user\Application Data\U3
2009-05-05 23:03 . 2006-02-22 09:41 -------- d-----w- c:\program files\Java
2009-05-05 23:02 . 2009-05-05 23:02 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-04 22:27 . 2009-05-04 22:27 56 ---ha-w- c:\windows.0\system32\ezsidmv.dat
2009-04-18 17:52 . 2009-04-18 17:52 -------- d-----w- c:\program files\Blender Foundation
2009-04-15 02:42 . 2009-04-15 02:42 2134016 ----a-w- c:\windows.0\system32\python26.dll
2009-04-10 06:53 . 2008-12-23 18:05 34 ----a-w- c:\documents and settings\Admin\jagex_runescape_preferences.dat
2007-11-28 19:12 . 2009-06-06 02:53 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 . 2009-06-06 02:53 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 . 2009-06-06 02:53 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 . 2009-06-06 02:53 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 . 2009-06-06 02:53 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-09-06 1910040]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 9495832]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-10 1260296]
"ares destiny"="c:\documents and settings\Admin\Desktop\Ares.exe" [2007-08-27 2973184]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows.0\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2006-10-22 7700480]
"VistaDrive"="c:\windows.0\VistaDrive.exe" [2007-10-12 1596230]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-06-12 335872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows.0\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows.0\system32\advpack.dll [2008-04-14 99840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eaeaeebbacc]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^asgupd32.exe]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\asgupd32.exe
backup=c:\windows.0\pss\asgupd32.exeStartup

[HKLM\~\startupfolder\c:^documents and settings^admin^start menu^programs^startup^fmnupd32.exe]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\fmnupd32.exe
backup=c:\windows.0\pss\fmnupd32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Tierras del Sur.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\Tierras del Sur.lnk
backup=c:\windows.0\pss\Tierras del Sur.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\malware doctor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzdflkioezncfiunfindiuchiuenfcdc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reader_s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a00f6776465.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)
"o&o defrag"=2 (0x2)
"dhcpsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\Ares.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2/23/2009 1:26 AM 114768]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2/23/2009 1:26 AM 20560]
R2 uniblue diskrescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 11:22 AM 229648]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 334da089;334da089;c:\windows.0\system32\drivers\334da089.sys [6/4/2009 1:36 PM 0]
S1 5d99c4a1;5d99c4a1;c:\windows.0\system32\drivers\5d99c4a1.sys [6/4/2009 4:42 PM 0]
S1 911b6f82;911b6f82;c:\windows.0\system32\drivers\911b6f82.sys [6/4/2009 4:10 PM 0]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows.0\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows.0\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows.0\system32\GameMon.des -service --> c:\windows.0\system32\GameMon.des -service [?]
S3 sassvc;ProgramCheckerPro;c:\program files\Zenturi\ProgramChecker\sassvc.exe [2/15/2006 4:17 PM 122880]
S3 vtayn;vtayn;\??\c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys [?]
S3 XDva269;XDva269;\??\c:\windows.0\system32\XDva269.sys --> c:\windows.0\system32\XDva269.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows.0\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]

2009-03-14 c:\windows.0\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-12-16 19:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: &Highlight - c:\windows.0\WEB\highlight.htm
IE: &Links List - c:\windows.0\WEB\urllist.htm
IE: &U使用纳米机器人下载并收藏 - d:\program files\NamiRobot\Data\du.html
IE: &U???????????? - d:\program files\NamiRobot\Data\du.html
IE: &Web Search - c:\windows.0\WEB\selsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: I&mages List - c:\windows.0\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows.0\WEB\frm2new.htm
IE: Zoom &In - c:\windows.0\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows.0\WEB\zoomout.htm
TCP: {078F4114-CBF7-41FD-8EFF-154CCF847943} = 208.92.72.118,209.42.47.149
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 15:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows.0\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\290fcb74]
"ImagePath"="\SystemRoot\System32\drivers\290fcb74.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\3a5b519b]
"ImagePath"="\SystemRoot\System32\drivers\3a5b519b.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\db3a6068]
"ImagePath"="\SystemRoot\System32\drivers\db3a6068.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
.
Completion time: 2009-06-11 15:21
ComboFix-quarantined-files.txt 2009-06-11 19:21
ComboFix2.txt 2009-06-11 19:10

Pre-Run: 11,916,017,664 bytes free
Post-Run: 11,904,868,352 bytes free

275
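As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage over the R/S driver/service lines in the ComboFix log above. It flags the kinds of entries the helper goes on to target in the CFScript reply: services whose file ComboFix marks `[?]`, 0-byte drivers with random 8-hex-digit names, a driver loaded from a Temp folder, and an "avast!" service that does not live under Alwil Software like the real avast! 4 services in this log. The sample lines and the heuristics are constructed from this log only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few R/S service lines in the format ComboFix uses,
# copied from the log posted above. Not a complete log.
SAMPLE_LINES = r"""
R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2/23/2009 1:26 AM 114768]
R2 uniblue diskrescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 11:22 AM 229648]
S1 334da089;334da089;c:\windows.0\system32\drivers\334da089.sys [6/4/2009 1:36 PM 0]
S1 5d99c4a1;5d99c4a1;c:\windows.0\system32\drivers\5d99c4a1.sys [6/4/2009 4:42 PM 0]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows.0\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows.0\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 vtayn;vtayn;\??\c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys [?]
S3 sassvc;ProgramCheckerPro;c:\program files\Zenturi\ProgramChecker\sassvc.exe [2/15/2006 4:17 PM 122880]
"""

# ComboFix service line: "<R|S><n> <name>;<display>;<image path> [<timestamp> <size>]"
# or, when the image file cannot be found, "<path> --> <path> [?]".
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{8}$")


@dataclass
class ServiceEntry:
    state: str           # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str            # image path (right-hand side if ComboFix printed "-->")
    size: Optional[int]  # file size in bytes, None when ComboFix printed [?]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix R/S line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "-->" in rest:
        rest = rest.split("-->", 1)[1].strip()
    meta = m.group("meta").strip()
    size = None
    if meta != "?":
        last = meta.split()[-1]
        if last.isdigit():
            size = int(last)
    return ServiceEntry(m.group("state"), m.group("name").strip(),
                        m.group("display").strip(), rest, size)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an entry resembles the leftovers seen in this log."""
    low_path = entry.path.lower()
    if entry.size is None:
        # ComboFix prints [?] when the service points at a file it cannot find.
        entry.reasons.append("missing-file")
    elif entry.size == 0:
        # A 0-byte .sys cannot be a working driver.
        entry.reasons.append("zero-byte")
    if RANDOM_HEX_RE.match(entry.name):
        # Service named with 8 random hex digits, e.g. 334da089, 5d99c4a1.
        entry.reasons.append("random-hex-name")
    if "\\temp\\" in low_path:
        entry.reasons.append("temp-path")
    if "avast" in entry.name.lower() and "alwil software" not in low_path:
        # The genuine avast! 4 services in this log all live under
        # Program Files\Alwil Software; a lookalike in System32 does not.
        entry.reasons.append("vendor-name-outside-vendor-dir")
    return entry


def triage(text: str) -> List[ServiceEntry]:
    """Parse every service line in text and assess each one, in log order."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(assess(entry))
    return entries


def flagged_names(text: str) -> List[str]:
    """Names of the entries that collected at least one reason."""
    return [e.name for e in triage(text) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        marker = "!!" if e.suspicious else "  "
        print(f"{marker} {e.state} {e.name:28} size={e.size!s:>7} {', '.join(e.reasons)}")
```

The flags are review aids only; whether a flagged service is actually malicious is still the helper's judgement against the full log.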

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:46 PM

Posted 11 June 2009 - 04:25 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
vtayn
avast!avscontrolservice
911b6f82
5d99c4a1
334da089

File::
c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys
c:\windows.0\System32\avast!AVSControlService.exe
c:\windows.0\system32\drivers\911b6f82.sys
c:\windows.0\system32\drivers\334da089.sys
c:\windows.0\system32\drivers\5d99c4a1.sys
c:\windows.0\pss\fmnupd32.exe
c:\windows.0\pss\asgupd32.exe
c:\windows.0\VistaDrive.exe
c:\windows.0\system32\kusers.dll
c:\windows.0\system32\aa09f0f9674ef630d206768b60e6bf0c.exe

Folder::
c:\windows.0\dhcp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a00f6776465.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\malware doctor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzdflkioezncfiunfindiuchiuenfcdc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reader_s]
[-HKLM\~\startupfolder\c:^documents and settings^admin^start menu^programs^startup^fmnupd32.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^asgupd32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eaeaeebbacc]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply along with the log from Combofix.


========================================================

#5 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 11 June 2009 - 06:53 PM

I ran combofix several times, once it caused the computer to automatically restart again, and I also got the error below this. I can't seem to download Dr.Web CureIt.
Posted Image


Here is the new combofix log:

ComboFix 09-06-11.05 - Admin 06/11/2009 22:31.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1145 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1335 [VPS 090610-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\docume~1\Admin\LOCALS~1\Temp\vtayn.sys"
"c:\windows.0\pss\asgupd32.exe"
"c:\windows.0\pss\fmnupd32.exe"
"c:\windows.0\system32\aa09f0f9674ef630d206768b60e6bf0c.exe"
"c:\windows.0\System32\avast!AVSControlService.exe"
"c:\windows.0\system32\drivers\334da089.sys"
"c:\windows.0\system32\drivers\5d99c4a1.sys"
"c:\windows.0\system32\drivers\911b6f82.sys"
"c:\windows.0\system32\kusers.dll"
"c:\windows.0\VistaDrive.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!avscontrolservice
-------\Legacy_VTAYN
-------\Service_334da089
-------\Service_5d99c4a1
-------\Service_911b6f82
-------\Service_avast!avscontrolservice
-------\Service_vtayn
-------\Service_290fcb74
-------\Service_3a5b519b
-------\Service_db3a6068


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-11 17:53 . 2009-06-11 17:54 -------- d-----w- C:\rsit
2009-06-10 03:21 . 2009-06-12 02:18 -------- d-----w- c:\documents and settings\Admin\Tracing
2009-06-09 05:25 . 2009-06-09 05:26 -------- d-----w- c:\windows.0\system32\NtmsData
2009-06-07 18:26 . 2009-06-12 02:18 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\SUPERAntiSpyware.com
2009-06-07 18:25 . 2009-06-07 22:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2009-06-07 18:23 . 2009-06-07 18:23 26000 ----a-w- c:\windows.0\system32\E3TL.DLL
2009-06-07 18:23 . 2009-06-07 18:23 29696 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{FE047432-CD76-41F9-88FA-1AD225604FFB}\IconA6E9E0334.exe
2009-06-07 18:22 . 2009-06-07 18:22 -------- d-----w- c:\program files\Zenturi
2009-06-07 18:22 . 2009-06-07 18:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Zenturi
2009-06-07 00:01 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Admin.PAL\Application Data\U3\temp\cleanup.exe
2009-06-06 21:43 . 2009-06-06 21:43 664 ----a-w- c:\windows.0\system32\d3d9caps.dat
2009-06-06 18:26 . 2009-06-07 00:01 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\U3
2009-06-06 14:46 . 2009-06-06 18:14 -------- d--h--r- C:\$VAULT$.AVG
2009-06-06 09:05 . 2009-06-06 11:26 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\Uniblue
2009-06-06 07:49 . 2009-06-06 07:49 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Mozilla
2009-06-06 07:37 . 2009-06-06 15:00 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\AVG7
2009-06-06 07:37 . 2009-06-06 07:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\AVG7
2009-06-06 03:37 . 2009-06-06 03:37 552312 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-06 03:34 . 2009-06-06 03:35 -------- d-----w- c:\program files\FinalBurner
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\My Company Name
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\Notepad2
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\Notepad2
2009-06-06 03:27 . 2009-06-06 03:27 -------- d-----w- c:\program files\Innovative Solutions
2009-06-06 03:21 . 2009-06-06 03:21 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Microsoft Help
2009-06-06 03:19 . 2009-06-06 03:19 -------- d-----w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\Adobe
2009-06-06 03:05 . 2009-06-06 09:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-06 03:05 . 2009-06-06 03:05 -------- d-----w- c:\program files\Common Files\SecureAction Shared
2009-06-06 03:02 . 2009-06-06 07:38 71976 ----a-w- c:\documents and settings\Admin.PAL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 02:55 . 2009-06-06 02:55 -------- d-----w- c:\program files\Alky for Applications
2009-06-06 02:55 . 2009-06-06 02:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Local Settings\Application Data\Real
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-06-06 02:53 . 2009-06-06 02:53 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\7zS1FD1.tmp
2009-06-06 02:51 . 2009-06-06 02:51 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.1\DRM
2009-06-06 02:44 . 2009-06-06 02:44 -------- d-----w- c:\program files\VistaExperience.org
2009-06-06 02:39 . 2009-06-06 02:52 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Local Settings\Application Data\Microsoft
2009-06-06 02:39 . 2009-06-06 02:39 -------- d-----w- c:\documents and settings\Default User.WINDOWS.1\Application Data\uTorrent
2009-06-06 02:39 . 2009-06-06 02:39 -------- d-----w- c:\program files\Driver-Soft
2009-06-05 22:00 . 2009-06-05 22:00 -------- d-----w- c:\documents and settings\user\Application Data\TuneUp Software
2009-06-05 21:39 . 2009-06-05 21:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\RFA_Backups
2009-06-05 21:37 . 2009-06-05 21:37 -------- d-----w- C:\Win XP Prof EN
2009-06-05 20:27 . 2009-06-05 20:27 -------- d-----w- c:\program files\OO Software
2009-06-05 20:25 . 2009-06-05 21:18 -------- d-----w- c:\program files\Desktop Maestro
2009-06-05 20:20 . 2007-04-26 18:37 2168069 ----a-w- c:\program files\invsecr.exe
2009-06-05 20:20 . 2009-06-05 21:46 -------- d-----w- c:\program files\Invisible Secrets 4
2009-06-05 19:28 . 2009-06-06 02:55 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.1
2009-06-05 19:28 . 2009-06-06 02:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1
2009-06-05 18:58 . 2009-06-07 22:41 -------- d-----w- C:\WINDOWS.1
2009-06-05 18:23 . 2009-06-05 21:43 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-06-05 18:23 . 2008-12-22 08:11 2644133 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\Uniblue DiskRescue.exe
2009-06-05 18:23 . 2008-09-10 15:22 836880 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\B4B74A3\3826204\UBDefrag.DLL
2009-06-05 18:23 . 2008-09-10 15:22 419088 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\F02A138C\3826204\update.dll
2009-06-05 18:23 . 2008-09-10 15:22 3211536 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\1FDE702B\3826204\UBDiskRescue.exe
2009-06-05 18:23 . 2008-09-10 15:22 229648 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\C_\build\AutoBuilds\DR\Installer\Raw\UBDiskRescueSrv.exe
2009-06-05 18:23 . 2008-09-10 15:22 229648 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\49994FF1\3826204\UBDiskRescueSrv.exe
2009-06-05 18:23 . 2008-09-10 15:22 1996048 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\UniblueDiskRescue\9C335CDE\3826204\UBResdll.dll
2009-06-05 18:22 . 2009-06-05 18:23 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-06-05 16:37 . 2009-06-05 16:37 72760 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-05 16:37 . 2009-06-05 16:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\NVIDIA
2009-06-05 01:55 . 2009-06-11 17:54 -------- d-----w- c:\program files\Trend Micro
2009-06-05 01:38 . 2009-06-05 01:38 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{F7498CBA-F30B-4739-8CF3-167AF0872B2E}
2009-06-05 01:38 . 2008-07-22 11:59 2638950 -c--a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{F7498CBA-F30B-4739-8CF3-167AF0872B2E}\DriverScanner_Setup.exe
2009-06-05 00:25 . 2008-04-14 02:04 12127 ----a-w- c:\windows.0\system32\dllcache\wadv02nt.sys
2009-06-05 00:24 . 2001-08-17 16:13 17129 ----a-w- c:\windows.0\system32\dllcache\tdkcd31.sys
2009-06-05 00:23 . 2001-08-17 16:12 94698 ----a-w- c:\windows.0\system32\dllcache\sk98xwin.sys
2009-06-05 00:22 . 2001-08-18 02:36 41472 ----a-w- c:\windows.0\system32\dllcache\qvusd.dll
2009-06-05 00:21 . 2001-08-17 18:05 28032 ----a-w- c:\windows.0\system32\dllcache\ovcd.sys
2009-06-05 00:20 . 2001-08-17 18:00 2944 ----a-w- c:\windows.0\system32\dllcache\msmpu401.sys
2009-06-05 00:19 . 2006-02-28 12:00 5632 ----a-w- c:\windows.0\system32\dllcache\kbdusa.dll
2009-06-05 00:18 . 2001-08-18 02:36 372824 ----a-w- c:\windows.0\system32\dllcache\iconf32.dll
2009-06-05 00:17 . 2008-04-14 04:15 59136 ----a-w- c:\windows.0\system32\dllcache\gckernel.sys
2009-06-05 00:16 . 2001-08-17 16:11 455199 ----a-w- c:\windows.0\system32\dllcache\el985n51.sys
2009-06-05 00:15 . 2001-08-17 16:12 63208 ----a-w- c:\windows.0\system32\dllcache\dc21x4.sys
2009-06-05 00:07 . 2006-02-28 12:00 14336 ----a-w- c:\windows.0\system32\dllcache\chgusr.exe
2009-06-05 00:06 . 2008-04-14 04:16 11776 ----a-w- c:\windows.0\system32\dllcache\bdasup.sys
2009-06-05 00:05 . 2001-08-18 02:36 5632 ----a-w- c:\windows.0\system32\dllcache\EXCH_adsiisex.dll
2009-06-04 23:45 . 2009-06-04 23:45 -------- dc----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-04 22:32 . 2009-06-07 22:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\91543586
2009-06-04 21:22 . 2009-06-04 21:22 -------- d--h--w- c:\windows.0\system32\GroupPolicy
2009-06-04 19:34 . 2009-06-04 19:34 -------- d-----w- c:\documents and settings\user\Application Data\Uniblue
2009-05-26 19:23 . 2008-07-19 20:47 86016 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\gb9kvent.default\extensions\{6f7ae34f-ec7d-4ecd-871f-6efe8bf131df}\RobotWrapper.exe
2009-05-26 18:39 . 2009-05-26 20:38 1065803877 ----a-w- C:\DragonSky_setup_2009-05-21.exe
2009-05-19 01:44 . 2008-04-14 04:09 14592 ----a-w- c:\windows.0\system32\drivers\kbdhid.sys
2009-05-19 01:44 . 2008-04-14 04:09 14592 ----a-w- c:\windows.0\system32\dllcache\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:03 . 2004-08-03 12:00 182656 ----a-w- c:\windows.0\system32\drivers\ndis.sys
2009-06-11 18:54 . 2009-01-15 18:08 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2009-06-10 03:23 . 2009-05-04 22:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Skype
2009-06-10 03:18 . 2009-02-13 22:57 -------- d-----w- c:\program files\Common Files\Apple
2009-06-09 05:31 . 2009-05-04 22:27 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-06-08 00:37 . 2008-12-18 08:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Uniblue
2009-06-07 18:22 . 2008-03-06 22:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-06 09:11 . 2008-12-16 03:17 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-06 07:37 . 2009-02-21 20:47 -------- d-----w- c:\program files\Google
2009-06-06 03:19 . 2007-03-07 20:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-06 03:18 . 2009-02-18 20:29 -------- d-----w- c:\program files\OpenOffice.org 2.3
2009-06-06 03:06 . 2008-12-16 06:17 -------- d-----w- c:\program files\Uniblue
2009-06-06 03:06 . 2008-12-16 06:17 -------- d-----w- c:\program files\Tiger System Preferences v2
2009-06-06 03:05 . 2008-12-16 06:16 -------- d-----w- c:\program files\AEP2008 Pro
2009-06-06 02:54 . 2008-12-16 03:31 -------- d-----w- c:\program files\TuneUp Utilities 2008
2009-06-06 02:53 . 2008-12-16 03:31 -------- d-----w- c:\program files\Opera
2009-06-06 02:53 . 2008-12-16 03:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-06 02:53 . 2008-12-16 03:30 -------- d-----w- c:\program files\BackupFox
2009-06-06 02:46 . 2008-12-16 03:18 -------- d-----w- c:\program files\Windows Sidebar
2009-06-06 02:39 . 2009-06-06 02:58 -------- d-----w- c:\documents and settings\Admin.PAL\Application Data\uTorrent
2009-06-05 22:12 . 2006-02-21 06:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 21:46 . 2006-12-08 00:00 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-06-05 21:46 . 2008-12-07 03:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-06-04 20:41 . 2004-08-03 12:00 14336 ----a-w- c:\windows.0\system32\svchost.exe
2009-06-04 19:35 . 2007-02-08 09:45 -------- d-----w- c:\documents and settings\user\Application Data\U3
2009-05-05 23:03 . 2006-02-22 09:41 -------- d-----w- c:\program files\Java
2009-05-05 23:02 . 2009-05-05 23:02 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-04 22:27 . 2009-05-04 22:27 56 ---ha-w- c:\windows.0\system32\ezsidmv.dat
2009-04-18 17:52 . 2009-04-18 17:52 -------- d-----w- c:\program files\Blender Foundation
2009-04-15 02:42 . 2009-04-15 02:42 2134016 ----a-w- c:\windows.0\system32\python26.dll
2009-04-10 06:53 . 2008-12-23 18:05 34 ----a-w- c:\documents and settings\Admin\jagex_runescape_preferences.dat
2007-11-28 19:12 . 2009-06-06 02:53 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 . 2009-06-06 02:53 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 . 2009-06-06 02:53 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 . 2009-06-06 02:53 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 . 2009-06-06 02:53 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-11_19.19.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 02:17 . 2009-06-12 02:17 16384 c:\windows.0\Temp\Perflib_Perfdata_700.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-09-06 1910040]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 9495832]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-10 1260296]
"ares destiny"="c:\documents and settings\Admin\Desktop\Ares.exe" [2007-08-27 2973184]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows.0\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-06-12 335872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows.0\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows.0\system32\advpack.dll [2008-04-14 99840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Tierras del Sur.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\Tierras del Sur.lnk
backup=c:\windows.0\pss\Tierras del Sur.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)
"o&o defrag"=2 (0x2)
"dhcpsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Admin\\Desktop\\Ares.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2/23/2009 1:26 AM 114768]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2/23/2009 1:26 AM 20560]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 uniblue diskrescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 11:22 AM 229648]
S3 npggsvc;nProtect GameGuard Service;c:\windows.0\system32\GameMon.des -service --> c:\windows.0\system32\GameMon.des -service [?]
S3 sassvc;ProgramCheckerPro;c:\program files\Zenturi\ProgramChecker\sassvc.exe [2/15/2006 4:17 PM 122880]
S3 XDva269;XDva269;\??\c:\windows.0\system32\XDva269.sys --> c:\windows.0\system32\XDva269.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows.0\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]

2009-03-14 c:\windows.0\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-12-16 19:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: &Highlight - c:\windows.0\WEB\highlight.htm
IE: &Links List - c:\windows.0\WEB\urllist.htm
IE: &U使用纳米机器人下载并收藏 ("Use NamiRobot to download and bookmark") - d:\program files\NamiRobot\Data\du.html
IE: &U???????????? - d:\program files\NamiRobot\Data\du.html
IE: &Web Search - c:\windows.0\WEB\selsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: I&mages List - c:\windows.0\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows.0\WEB\frm2new.htm
IE: Zoom &In - c:\windows.0\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows.0\WEB\zoomout.htm
TCP: {078F4114-CBF7-41FD-8EFF-154CCF847943} = 208.92.72.118,209.42.47.149
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows.0\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
Completion time: 2009-06-12 22:37
ComboFix-quarantined-files.txt 2009-06-12 02:37
ComboFix2.txt 2009-06-11 19:21
ComboFix3.txt 2009-06-11 19:10

Pre-Run: 11,916,873,728 bytes free
Post-Run: 11,905,495,040 bytes free


#6 atazk


Posted 12 June 2009 - 08:56 AM

I had trouble downloading it at first, but I was able to get it. Here is the Dr.Web log:

autorun.inf;g:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
Copy of ge.exe;D:\Program Files\Granado Espada\release;Probably DLOADER.Trojan;Incurable.Deleted.;
ge.exe;D:\Program Files\Granado Espada\release;Probably DLOADER.Trojan;;
A1522119.exe;D:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP685;Probably DLOADER.Trojan;;
A1522122.dll;D:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP685;Probably DLOADER.Trojan;;
A1539553.dll;D:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP715;Probably DLOADER.Trojan;;
Adware.shopper.v_08_06_2009_16_32_47.asq292;C:\Documents and Settings\Admin\Application Data\Uniblue\SpyEraser\Quarantine;Adware.Shoper;;
ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\Admin\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
data002;C:\Documents and Settings\Admin\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Admin\Desktop;Container contains infected objects;Moved.;
All.Fengtao.Software.Universal.Patch.1.01-ICU.exe;C:\Documents and Settings\All Users\Desktop\keys\DDVDFabPlat3200Reg.ICU\All.Fengtao.Software.Universal.Patch.1.01-ICU;Trojan.PWS.Qqpass.2454;Deleted.;
invsecr.exe;C:\Program Files;Probably BACKDOOR.Trojan;;
JSCRIPT5.CHM\htm/jstextwriteln.htm;C:\Program Files\Microsoft Office\OFFICE11\3082\JSCRIPT5.CHM;Modification of VBS.Generic.94;;
JSCRIPT5.CHM;C:\Program Files\Microsoft Office\OFFICE11\3082;Container contains infected objects;Moved.;
setupapi.dll;C:\Program Files\Opera;Trojan.DownLoad.33781;Deleted.;
11533594.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS.0\Application Data\11533594;Trojan.Fakealert.4362;Deleted.;
1301700638.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\LocalService.NT AUTHORITY\Application Data;Trojan.Chrome.50;Deleted.;
1361538659.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\LocalService.NT AUTHORITY\Application Data;Trojan.Fakealert.4335;Deleted.;
755020800.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\LocalService.NT AUTHORITY\Application Data;Trojan.Spambot.4117;Incurable.Moved.;
setupapi.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Internet Explorer;Trojan.DownLoad.33781;Deleted.;
setupapi.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox;Trojan.DownLoad.33781;Deleted.;
9129837.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS.0;Trojan.Sniff.99;Deleted.;
avast!Antivirus.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS.0\system32;Trojan.DownLoad.37569;Deleted.;
sys0_32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS.0\system32;Win32.HLLM.Beagle.249;Deleted.;
00775984.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS.0\Temp;Trojan.MulDrop.31860;Deleted.;
A1550453.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.MulDrop.31860;Deleted.;
A1550465.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.DownLoad.38346;Deleted.;
A1550469.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.DownLoad.29459;Deleted.;
A1550470.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.DownLoad.33658;Deleted.;
A1550471.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.DownLoad.33658;Deleted.;
A1550472.exe;C:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP717;Trojan.DownLoad.33658;Deleted.;
A0008220.dll;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.DownLoad.33781;Deleted.;
A0008221.dll;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.DownLoad.33781;Deleted.;
A0008222.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.Sniff.99;Deleted.;
A0008223.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.DownLoad.37569;Deleted.;
A0008224.dll;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Win32.HLLM.Beagle.249;Deleted.;
A0008228.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.Fakealert.4362;Deleted.;
A0008229.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.Chrome.50;Deleted.;
A0008230.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.Fakealert.4335;Deleted.;
A0008232.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.Spambot.4117;Incurable.Moved.;
A0008242.sys;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.NtRootKit.2912;Deleted.;
A0008243.sys;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.NtRootKit.2912;Deleted.;
A0009332.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009409.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009467.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009578.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009653.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009721.bat;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Probably BATCH.Virus;;
A0009748.exe;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.PWS.Qqpass.2454;Deleted.;
A0009753.dll;C:\System Volume Information\_restore{D7F8F038-85EA-42DA-ABDE-0283E5E038D9}\RP8;Trojan.DownLoad.33781;Deleted.;
Process.exe;C:\WINDOWS.0\icon_TMP;Tool.Prockill;;
asgupd32.exeStartup;C:\WINDOWS.0\pss;Trojan.Botnetlog.11;Deleted.;
fmnupd32.exeStartup;C:\WINDOWS.0\pss;Trojan.Botnetlog.11;Deleted.;
psfile.exe;C:\WINDOWS.0\system32;Program.PsFile.origin;;
psgetsid.exe;C:\WINDOWS.0\system32;Program.PsSid.142;;
pskill.exe;C:\WINDOWS.0\system32;Tool.Prockill;;
pssuspend.exe;C:\WINDOWS.0\system32;Program.PsSuspend.105;;
wm0dap32.exe;C:\WINDOWS.0\system32;Trojan.MulDrop.28461;Deleted.;
Process.exe;C:\WINDOWS.1\icon_TMP;Tool.Prockill;Incurable.Deleted.;
psfile.exe;C:\WINDOWS.1\system32;Program.PsFile.origin;;
psgetsid.exe;C:\WINDOWS.1\system32;Program.PsSid.142;;
pskill.exe;C:\WINDOWS.1\system32;Tool.Prockill;;
pssuspend.exe;C:\WINDOWS.1\system32;Program.PsSuspend.105;;
Iasass.exe;G:\RECYCLER;Win32.HLLW.Autoruner.4013;Deleted.;

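As an added example (not part of the original thread, and not the helper's own method), here is a small Python triage script for the DrWeb.csv report above. It parses the semicolon-separated records, counts what CureIt actually did, and separates the untouched objects that still live on disk from those already sitting in a System Restore point or ComboFix's Qoobox quarantine and from admin tools flagged by name. The bucket names and the riskware/containment rules are this example's own assumptions; the sample records are a subset copied from the report in this post.

```python
"""Triage of a Dr.Web CureIt report (DrWeb.csv).

Each record in the report is one line of semicolon-separated fields:
    <object>;<directory>;<verdict>;<action>;
The action field is empty when CureIt only reported the object and took no
action on it, which is exactly the set of items a helper has to decide about.
"""
from collections import Counter
from dataclasses import dataclass

# Sample records copied from the report posted above (a subset, enough to
# exercise every branch of the triage below).
SAMPLE = r"""
autorun.inf;g:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
ge.exe;D:\Program Files\Granado Espada\release;Probably DLOADER.Trojan;;
A1522119.exe;D:\System Volume Information\_restore{54BDB0DF-168E-4068-934E-ECADF875EBF5}\RP685;Probably DLOADER.Trojan;;
ComboFix.exe;C:\Documents and Settings\Admin\Desktop;Container contains infected objects;Moved.;
invsecr.exe;C:\Program Files;Probably BACKDOOR.Trojan;;
setupapi.dll;C:\Program Files\Opera;Trojan.DownLoad.33781;Deleted.;
755020800.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\LocalService.NT AUTHORITY\Application Data;Trojan.Spambot.4117;Incurable.Moved.;
pskill.exe;C:\WINDOWS.0\system32;Tool.Prockill;;
Iasass.exe;G:\RECYCLER;Win32.HLLW.Autoruner.4013;Deleted.;
"""


@dataclass(frozen=True)
class Detection:
    obj: str        # file name, or archive member as "archive/member"
    directory: str  # folder the object lives in
    verdict: str    # Dr.Web detection name
    action: str     # "Deleted.", "Moved.", ... or "" when nothing was done

    @property
    def heuristic(self) -> bool:
        """Dr.Web prefixes heuristic (non-signature) verdicts with 'Probably'."""
        return self.verdict.startswith("Probably ")

    @property
    def riskware(self) -> bool:
        """'Tool.' / 'Program.' verdicts are legitimate utilities (PsKill etc.), not malware.
        Assumption of this example: treat them as riskware, not as an infection."""
        return self.verdict.startswith(("Tool.", "Program."))

    @property
    def already_contained(self) -> bool:
        """Objects inside System Restore points or ComboFix's Qoobox quarantine are already inert."""
        d = self.directory.lower()
        return "\\system volume information\\" in d or "\\qoobox\\quarantine" in d


def parse_drweb_csv(text: str) -> list:
    """Parse report text into Detection records; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue
        records.append(Detection(fields[0], fields[1], fields[2], fields[3]))
    return records


def summarize(records: list) -> Counter:
    """Count records per action taken; untouched objects are reported as 'No action'."""
    return Counter(rec.action or "No action" for rec in records)


def triage(records: list) -> dict:
    """Bucket objects by what the helper still has to do about them.

    handled            -> CureIt deleted/moved it already
    already_contained  -> untouched, but sitting in a restore point or quarantine
    riskware           -> untouched admin tool flagged by name, not malicious on its own
    review             -> untouched, live on disk, needs a decision (delete, submit, or whitelist)
    """
    buckets = {"handled": [], "already_contained": [], "riskware": [], "review": []}
    for rec in records:
        if rec.action:
            buckets["handled"].append(rec.obj)
        elif rec.already_contained:
            buckets["already_contained"].append(rec.obj)
        elif rec.riskware:
            buckets["riskware"].append(rec.obj)
        else:
            buckets["review"].append(rec.obj)
    return buckets


def heuristic_only(records: list) -> list:
    """Live, untouched objects whose verdict is heuristic: get a second opinion before deleting."""
    return [rec.obj for rec in records
            if rec.heuristic and not rec.action and not rec.already_contained and not rec.riskware]


if __name__ == "__main__":
    recs = parse_drweb_csv(SAMPLE)
    print(dict(summarize(recs)))
    for bucket, names in triage(recs).items():
        print(f"{bucket:18s} {names}")
    print("second opinion:", heuristic_only(recs))
```

Run it as-is to see the buckets for the sample, or feed the real file through parse_drweb_csv(open("DrWeb.csv").read()). "Probably ..." verdicts are heuristic rather than signature matches, so anything in the review bucket with such a verdict deserves a second opinion (hash lookup, vendor sample submission) before it is deleted.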
#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:46 PM

Posted 12 June 2009 - 10:35 AM

The good news is that I don't see any evidence of an actual Virut infection.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Let me know how your computer is behaving now.


========================================================

#8 atazk


Posted 12 June 2009 - 12:34 PM

Edit: So far the computer is OK; however, most Microsoft services are stopped, and my internet connection is not as stable as it should be.
Also, I have two other computers with a similar infection; is it possible for you to help me with them as well?

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.37
Database version: 2266
Windows 5.1.2600 Service Pack 3

6/12/2009 4:20:42 PM
mbam-log-2009-06-12 (16-20-42).txt

Scan type: Quick Scan
Objects scanned: 142931
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by atazk, 12 June 2009 - 12:34 PM.


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 June 2009 - 10:25 AM

however most microsoft services are stopped, and my internet connection is not all that stable as it should be.

Many services do not need to be running all the time, so unless they are necessary services for your computer this does not really indicate a problem.

What type of connection are you using?


I can help you with your other computers, but we need to stay on just one at a time. When you are ready to push on with the next one run Combofix and post the resulting log.


========================================================

#10 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts

Posted 13 June 2009 - 11:42 AM

It's a wireless connection, and it works OK, but many times pages fail to load and the browser shows that there was a connection error to the site; many times this happens randomly while refreshing. I suspect this was due to the infection and the services which were not running. Originally, when the network connection was not working at all, it was due to the Windows services that were stopped, at least I'm pretty sure of this. I restarted several services related to internet connections to see if it solved the problem, and I suppose it did for the most part.

Also does it mean this computer is clean finally?

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 June 2009 - 12:33 PM

From what I can see in your logs it does look clean to me. Now if you start to notice the same type of symptoms you had before then we'll have to revisit it. But for now I think we can move on to the next computer.


========================================================

#12 atazk

atazk
  • Topic Starter

  • Members
  • 59 posts

Posted 13 June 2009 - 12:38 PM

That's good news, so there is no problem with network connections then?

Here is the RSIT log for the other infected computer:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Leslie at 2009-06-13 10:53:00
Microsoft Windows XP Professional Service Pack 2
System drive C: has 17 GB (46%) free of 38 GB
Total RAM: 1271 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:08 AM, on 06/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Leslie\Desktop\RSIT.exe
C:\Program Files\trend micro\Leslie.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Bold Mapi] C:\DOCUME~1\Leslie\APPLIC~1\IDOLGR~1\Byte Jump.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\progra~1\MicPhone\antit.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5099 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\A64E6E689065EB8C.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE []
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-12-08 32768]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe []
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2003-09-23 88363]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=F:\Uniblue\RegistryBooster 2\RegistryBooster.exe /S []
"Bold Mapi"=C:\DOCUME~1\Leslie\APPLIC~1\IDOLGR~1\Byte Jump.exe [2009-05-03 524288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\copy bin slow 16]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
[]

C:\Documents and Settings\Leslie\Start Menu\Programs\Startup
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\progra~1\MicPhone\antit.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"D:\2007\CL Applications\bin\jre1.5\bin\javaw.exe"="D:\2007\CL Applications\bin\jre1.5\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Disabled:Framework Service"
"C:\Program Files\Java\jre1.5.0_08\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_08\bin\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\Documents and Settings\Guest\Local Settings\Application Data\Skype\Phone\Skype.exe"="C:\Documents and Settings\Guest\Local Settings\Application Data\Skype\Phone\Skype.exe:*:Disabled:Skype"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62d18f55-df48-11dc-9597-001217996920}]
shell\autorun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62d18f56-df48-11dc-9597-001217996920}]
shell\autorun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f18ac88-2ecf-11de-9725-001217996920}]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a080033-524a-11de-975f-001217996920}]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a080034-524a-11de-975f-001217996920}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad1b085e-3261-11dc-9544-001217996920}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-06-13 10:53:01 ----D---- C:\Program Files\trend micro
2009-06-13 10:53:00 ----D---- C:\rsit
2009-06-11 02:23:25 ----A---- C:\WINDOWS\system32\jbnmcd.dll
2009-06-10 15:31:59 ----A---- C:\WINDOWS\system32\avast!AVSControlService.exe
2009-06-10 02:57:51 ----A---- C:\WINDOWS\system32\avast!Antivirus.exe
2009-06-08 15:53:22 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 15:51:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-06-08 15:51:13 ----D---- C:\Documents and Settings\Leslie\Application Data\SUPERAntiSpyware.com
2009-06-08 15:50:52 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-07 19:54:32 ----D---- C:\WINDOWS\pss
2009-06-07 16:08:53 ----A---- C:\WINDOWS\ntbtlog.txt
2009-06-07 15:10:38 ----D---- C:\Malwarebytes' Anti-Malware
2009-06-07 14:53:29 ----D---- C:\Avenger
2009-06-07 14:53:28 ----A---- C:\avenger.txt
2009-06-06 15:17:26 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-06-06 11:29:06 ----D---- C:\WINDOWS\system32\3361
2009-06-06 11:20:06 ----A---- C:\WINDOWS\irc.txt
2009-06-06 11:19:40 ----D---- C:\Documents and Settings\Leslie\Application Data\Malwarebytes
2009-06-06 11:19:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-06 11:19:02 ----D---- C:\WINDOWS\dhcp
2009-06-06 11:18:08 ----A---- C:\undlh.exe
2009-06-05 15:50:25 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-06-05 14:22:45 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2009-05-30 15:32:53 ----SHD---- C:\WINDOWS\CSC
2009-05-25 19:22:55 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-25 19:20:34 ----D---- C:\Documents and Settings\Leslie\Application Data\PC Tools
2009-05-25 18:55:14 ----D---- C:\WINDOWS\system32\sysloc
2009-05-25 18:15:10 ----D---- C:\Documents and Settings\Leslie\Application Data\WinRAR
2009-05-25 18:15:04 ----D---- C:\Program Files\WinRAR
2009-05-14 10:21:21 ----A---- C:\WINDOWS\system32\MRT.INI

======List of files/folders modified in the last 1 months======

2009-06-13 10:53:01 ----RD---- C:\Program Files
2009-06-13 10:51:45 ----D---- C:\Program Files\Mozilla Firefox
2009-06-13 10:51:38 ----D---- C:\WINDOWS\Temp
2009-06-13 10:50:54 ----D---- C:\WINDOWS\system32
2009-06-12 07:28:13 ----D---- C:\WINDOWS\Prefetch
2009-06-11 01:23:39 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-11 01:23:35 ----D---- C:\WINDOWS\system32\drivers
2009-06-11 01:23:35 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-10 15:43:29 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-10 15:36:03 ----D---- C:\Program Files\Internet Explorer
2009-06-08 21:15:43 ----D---- C:\WINDOWS
2009-06-08 21:15:42 ----A---- C:\WINDOWS\NeroDigital.ini
2009-06-08 21:15:38 ----RD---- C:\My Downloads
2009-06-08 15:53:26 ----D---- C:\Documents and Settings\Leslie\Application Data\U3
2009-06-08 15:51:16 ----SHD---- C:\WINDOWS\Installer
2009-06-08 15:50:52 ----D---- C:\Program Files\Common Files
2009-06-07 20:16:47 ----SH---- C:\boot.ini
2009-06-07 20:16:47 ----A---- C:\WINDOWS\win.ini
2009-06-07 20:16:47 ----A---- C:\WINDOWS\system.ini
2009-05-30 15:36:21 ----SD---- C:\WINDOWS\Tasks
2009-05-25 19:22:19 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-25 18:53:23 ----SHD---- C:\RECYCLER
2009-05-25 18:46:24 ----A---- C:\WINDOWS\system32\userinit.exe
2009-05-17 13:01:36 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-17 13:01:17 ----HD---- C:\WINDOWS\inf
2009-05-17 12:48:49 ----AC---- C:\WINDOWS\M3JPEG.INI
2009-05-17 00:19:25 ----D---- C:\Program Files\LimeWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-11-26 44032]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 RT2500;Linksys Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2004-03-27 120448]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 30c66ca8;30c66ca8; C:\WINDOWS\System32\drivers\30c66ca8.sys []
S1 d59dac20;d59dac20; C:\WINDOWS\System32\drivers\d59dac20.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
S1 sasdifsv;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 saskutil;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-03-13 112288]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-03-13 78496]
S3 ac97intc;Intel® 82801DB/DBM Audio Driver Service (WDM); C:\WINDOWS\system32\drivers\ac97ich4.sys [2002-04-15 107776]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-03-04 1066278]
S3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-03-13 90395]
S3 sasenum;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-09-04 30336]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-04 110592]
S2 avast!Antivirus;avast!Antivirus; C:\WINDOWS\System32\avast!Antivirus.exe [2009-06-13 36864]
S2 avast!AVSControlService;avast!AVSControlService; C:\WINDOWS\System32\avast!AVSControlService.exe [2009-06-10 124416]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-09-22 53248]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
S2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-05 503608]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------



And here is the combofix log:

ComboFix 09-06-12.04 - Leslie 06/13/2009 12:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1271.980 [GMT -5:00]
Running from: c:\documents and settings\Leslie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_avast!antivirus
-------\Legacy_dhcpsrv
-------\Legacy_win32x
-------\Service_avast!Antivirus
-------\Service_kungsfstipxdoe
-------\Legacy_avast!AVSControlService
-------\Service_avast!AVSControlService


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 15:53 . 2009-06-13 15:53 -------- d-----w- c:\program files\trend micro
2009-06-13 15:53 . 2009-06-13 15:53 -------- d-----w- C:\rsit
2009-06-08 20:54 . 2009-06-13 15:51 117760 ----a-w- c:\documents and settings\Leslie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 20:53 . 2009-06-08 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 20:51 . 2009-06-08 21:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 20:51 . 2009-06-08 20:51 -------- d-----w- c:\documents and settings\Leslie\Application Data\SUPERAntiSpyware.com
2009-06-08 20:50 . 2009-06-08 20:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-07 20:10 . 2009-06-07 20:10 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-06-06 16:19 . 2009-06-06 16:19 -------- d-----w- c:\documents and settings\Leslie\Application Data\Malwarebytes
2009-06-06 16:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 16:19 . 2009-06-06 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-06 16:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-06 16:19 . 2009-06-07 19:50 -------- d-----w- c:\windows\dhcp
2009-06-06 16:18 . 2009-06-06 16:18 9728 ----a-w- C:\undlh.exe
2009-06-05 20:50 . 2009-06-05 20:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-05 19:29 . 2009-06-05 19:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-06-05 19:22 . 2009-06-05 19:22 2308 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1AEB016867DF043438629764DD2CEEB7.dll
2009-06-05 19:22 . 2009-06-05 19:22 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
2009-06-05 19:22 . 2009-06-05 19:22 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2009-06-05 19:22 . 2009-06-05 19:22 423 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109020090400000000000F01FEC.dll
2009-06-05 19:22 . 2009-06-05 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-04 18:47 . 2009-06-04 19:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Uniblue
2009-05-30 20:36 . 2009-06-05 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-05-30 20:30 . 2009-05-30 20:30 0 ----a-w- c:\windows\system32\drivers\d59dac20.sys
2009-05-30 20:21 . 2009-05-30 20:21 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-26 00:22 . 2009-06-05 20:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 00:20 . 2009-05-26 00:20 -------- d-----w- c:\documents and settings\Leslie\Application Data\PC Tools
2009-05-25 23:46 . 2009-05-26 00:46 0 ----a-w- c:\windows\system32\drivers\30c66ca8.sys
2009-05-14 18:33 . 2009-05-14 18:33 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 17:30 . 2009-05-04 04:21 786432 ----a-w- c:\documents and settings\All Users\Application Data\Send acid copy bin\love hide.exe
2009-06-13 16:39 . 2004-08-04 06:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-08 20:53 . 2007-07-14 23:28 -------- d-----w- c:\documents and settings\Leslie\Application Data\U3
2009-06-06 16:15 . 2009-04-21 23:52 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2009-06-05 19:31 . 2009-01-22 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-05-17 05:19 . 2006-11-30 20:32 -------- d-----w- c:\program files\LimeWire
2009-05-14 22:18 . 2009-01-29 01:42 -------- d-----w- c:\documents and settings\Guest\Application Data\Skype
2009-05-13 18:25 . 2009-01-29 01:45 -------- d-----w- c:\documents and settings\Guest\Application Data\skypePM
2009-05-04 04:22 . 2009-05-04 04:22 262144 ----a-w- c:\documents and settings\Leslie\Application Data\idol grim ooze\Dog mode pop.exe
2009-05-04 04:22 . 2007-02-18 03:22 -------- d-----w- c:\documents and settings\Leslie\Application Data\idol grim ooze
2009-05-04 04:22 . 2007-02-18 03:23 315392 ----a-w- c:\documents and settings\Leslie\Application Data\idol grim ooze\Platformmeetcashdeaf.exe
2009-05-04 04:21 . 2009-05-04 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Send acid copy bin
2009-05-04 04:21 . 2009-05-04 04:21 782336 ----a-w- c:\documents and settings\Leslie\Application Data\idol grim ooze\qrrbxmtn.exe
2009-05-04 04:21 . 2009-02-08 08:37 524288 ----a-w- c:\documents and settings\Leslie\Application Data\idol grim ooze\Byte Jump.exe
2009-04-26 22:53 . 2007-02-18 03:21 -------- d-----w- c:\program files\Messenger Plus! Live
2009-03-20 02:41 . 2009-03-20 02:41 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bold Mapi"="c:\docume~1\Leslie\APPLIC~1\IDOLGR~1\Byte Jump.exe" [2009-05-04 524288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-09-23 88363]

c:\documents and settings\Leslie\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 327680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\copy bin slow 16
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Guest\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/26/2009 10:05 AM 72944]
S1 30c66ca8;30c66ca8;c:\windows\system32\drivers\30c66ca8.sys [05/25/2009 06:46 PM 0]
S1 d59dac20;d59dac20;c:\windows\system32\drivers\d59dac20.sys [05/30/2009 03:30 PM 0]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\A64E6E689065EB8C.job
- c:\docume~1\leslie\applic~1\idolgr~1\Dog mode pop.exe [2009-05-04 04:22]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 22:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - f:\uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-ShStatEXE - c:\program files\Network Associates\VirusScan\SHSTAT.EXE
HKLM-Run-Network Associates Error Reporting Service - c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 12:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 12:36
ComboFix-quarantined-files.txt 2009-06-13 17:36

Pre-Run: 18,495,721,472 bytes free
Post-Run: 18,486,460,416 bytes free

160 --- E O F --- 2009-05-14 15:21


Thank you for your help.

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 June 2009 - 12:57 PM

I'm not much of a networking guy I'm afraid, so I can't really tell you that there's not a problem. I can tell you that there's no evidence in your latest logs that malware is causing those issues for you.


Please uninstall Messenger Plus.
It bundles malware with it, and that's part of the infection that you have on this computer.



Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
30c66ca8
d59dac20

File::
c:\windows\Tasks\A64E6E689065EB8C.job
c:\windows\system32\drivers\30c66ca8.sys
c:\windows\system32\drivers\d59dac20.sys
C:\undlh.exe

Folder::
c:\documents and settings\Leslie\Application Data\idol grim ooze
c:\documents and settings\All Users\Application Data\Send acid copy bin
c:\windows\dhcp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\copy bin slow 16]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bold Mapi"=-
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
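As an added example (not part of this thread, and not code from ComboFix, Malwarebytes or any other tool mentioned here), the following Python triage pass reads a constructed excerpt of the ComboFix log posted above and surfaces the same entries the CFScript targets. The heuristics are assumptions of this example, not ComboFix's own rules: zero-byte or hex-named boot-start drivers, a hex-named scheduled task, autostarts launching from a user's Application Data folder, Security Center overrides and a disabled Windows Firewall.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the ComboFix log posted earlier in this
# thread: the same entries, trimmed to the sections this triage examines.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bold Mapi"="c:\docume~1\Leslie\APPLIC~1\IDOLGR~1\Byte Jump.exe" [2009-05-04 524288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-09-23 88363]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/26/2009 10:05 AM 9968]
S1 30c66ca8;30c66ca8;c:\windows\system32\drivers\30c66ca8.sys [05/25/2009 06:46 PM 0]
S1 d59dac20;d59dac20;c:\windows\system32\drivers\d59dac20.sys [05/30/2009 03:30 PM 0]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\A64E6E689065EB8C.job
- c:\docume~1\leslie\applic~1\idolgr~1\Dog mode pop.exe [2009-05-04 04:22]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 22:57]
"""

# Driver/service line: "<R|S><start> <name>;<display>;<path> [<timestamp> <size>]"
SERVICE_RE = re.compile(r"^[RS]\d+ ([^;]+);[^;]*;(.+?) \[.* (\d+)\]$")
# Run value: "Name"="path" [..]  or  "Name"="file" - resolved path [..]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?: - (.+?))? \[')
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} .*\\Tasks\\([^\\]+)\.job$")
TASK_TARGET_RE = re.compile(r"^- (.+?) \[")
# Assumed heuristics: 8-hex-char driver names and 16-hex-char job names are
# machine-generated names like those in this log, not names a vendor ships.
HEX8_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
HEX16_RE = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
# Per-user data folders (8.3 short and long forms); legitimate autostarts
# and scheduled tasks rarely launch executables from here.
USER_DATA_RE = re.compile(r"applic~1|application data|local settings", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for a ComboFix-style log excerpt."""
    findings: List[Tuple[str, str]] = []
    section = ""  # most recent "[...]" registry key header, lowercased
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("["):
            section = line.lower()
            continue
        if "security center" in section and (m := OVERRIDE_RE.match(line)):
            findings.append(("security-center", f"{m.group(1)} = 1 (Security Center alerting suppressed)"))
        elif "firewallpolicy" in section and FIREWALL_OFF_RE.match(line):
            findings.append(("firewall", "EnableFirewall = 0 (Windows Firewall disabled)"))
        elif section.endswith("currentversion\\run]") and (m := RUN_VALUE_RE.match(line)):
            name, target = m.group(1), m.group(3) or m.group(2)
            if USER_DATA_RE.search(target):
                findings.append(("autostart", f'Run value "{name}" launches {target} from a user data folder'))
        elif m := SERVICE_RE.match(line):
            name, path, size = m.group(1), m.group(2), int(m.group(3))
            reasons = []
            if size == 0:
                reasons.append("0-byte driver file")  # a real driver image cannot be empty
            if HEX8_RE.match(name):
                reasons.append("random hex service name")
            if reasons:
                findings.append(("driver", f"{name} ({path}): " + ", ".join(reasons)))
        elif m := TASK_RE.match(line):
            job = m.group(1)  # the target path is on the following "- ..." line
            nxt = TASK_TARGET_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            target = nxt.group(1) if nxt else ""
            reasons = []
            if HEX16_RE.match(job):
                reasons.append("random hex job name")
            if USER_DATA_RE.search(target):
                reasons.append("runs from a user data folder")
            if reasons:
                findings.append(("task", f"{job}.job -> {target}: " + ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample, it reports the "Bold Mapi" autostart, both Security Center overrides, the disabled firewall, the two zero-byte hex-named drivers and the hex-named task, while leaving the SUPERAntiSpyware drivers, the Java and modem autostarts and the Apple task alone.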

#14 atazk
  • Topic Starter
  • Members
  • 59 posts

Posted 13 June 2009 - 04:19 PM

Here is the ComboFix log:

ComboFix 09-06-13.02 - Leslie 06/13/2009 14:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1271.924 [GMT -5:00]
Running from: c:\documents and settings\Leslie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Leslie\Desktop\CFScript.txt

FILE ::
"C:\undlh.exe"
"c:\windows\system32\drivers\30c66ca8.sys"
"c:\windows\system32\drivers\d59dac20.sys"
"c:\windows\Tasks\A64E6E689065EB8C.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_30c66ca8
-------\Service_d59dac20


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 15:53 . 2009-06-13 15:53 -------- d-----w- c:\program files\trend micro
2009-06-13 15:53 . 2009-06-13 15:53 -------- d-----w- C:\rsit
2009-06-08 20:54 . 2009-06-13 15:51 117760 ----a-w- c:\documents and settings\Leslie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 20:53 . 2009-06-08 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 20:51 . 2009-06-08 21:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 20:51 . 2009-06-08 20:51 -------- d-----w- c:\documents and settings\Leslie\Application Data\SUPERAntiSpyware.com
2009-06-08 20:50 . 2009-06-08 20:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-07 20:10 . 2009-06-07 20:10 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-06-06 16:19 . 2009-06-06 16:19 -------- d-----w- c:\documents and settings\Leslie\Application Data\Malwarebytes
2009-06-06 16:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 16:19 . 2009-06-06 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-06 16:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 20:50 . 2009-06-05 20:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-05 19:29 . 2009-06-05 19:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-06-05 19:22 . 2009-06-05 19:22 2308 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1AEB016867DF043438629764DD2CEEB7.dll
2009-06-05 19:22 . 2009-06-05 19:22 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
2009-06-05 19:22 . 2009-06-05 19:22 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2009-06-05 19:22 . 2009-06-05 19:22 423 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109020090400000000000F01FEC.dll
2009-06-05 19:22 . 2009-06-05 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-04 18:47 . 2009-06-04 19:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Uniblue
2009-05-30 20:36 . 2009-06-05 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-05-30 20:21 . 2009-05-30 20:21 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-26 00:22 . 2009-06-05 20:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 00:20 . 2009-05-26 00:20 -------- d-----w- c:\documents and settings\Leslie\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 16:39 . 2004-08-04 06:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-08 20:53 . 2007-07-14 23:28 -------- d-----w- c:\documents and settings\Leslie\Application Data\U3
2009-06-06 16:15 . 2009-04-21 23:52 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2009-06-05 19:31 . 2009-01-22 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-05-17 05:19 . 2006-11-30 20:32 -------- d-----w- c:\program files\LimeWire
2009-05-14 22:18 . 2009-01-29 01:42 -------- d-----w- c:\documents and settings\Guest\Application Data\Skype
2009-05-13 18:25 . 2009-01-29 01:45 -------- d-----w- c:\documents and settings\Guest\Application Data\skypePM
2009-03-20 02:41 . 2009-03-20 02:41 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-09-23 88363]

c:\documents and settings\Leslie\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 327680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Guest\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/26/2009 10:05 AM 72944]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 14:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 15:00
ComboFix-quarantined-files.txt 2009-06-13 20:00
ComboFix2.txt 2009-06-13 17:36

Pre-Run: 18,470,113,280 bytes free
Post-Run: 18,460,422,144 bytes free

134 --- E O F --- 2009-05-14 15:21




Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 2

06/13/2009 05:15:29 PM
mbam-log-2009-06-13 (17-15-29).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 153142
Time elapsed: 40 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 58

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\localservice\application data\1005001059.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\localservice\application data\1361538659.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\localservice\application data\1458931097.exe.vir (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\avast!AVSControlService.exe.vir (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\dncyool32.sys.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\userinit.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\716ac762.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\76a27460.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0412735.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0413735.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0416734.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0417734.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0418734.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0418735.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0418736.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419735.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419736.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419737.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419743.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419744.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP649\A0419745.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0420749.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0420750.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0420751.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0421749.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0421750.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0421751.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0422749.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0422750.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP650\A0422751.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP653\A0429964.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP653\A0429966.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP653\A0429968.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0430975.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0430976.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0430977.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0431975.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0431976.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0431977.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0432974.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0432975.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0433988.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP654\A0433989.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP655\A0433993.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP655\A0433994.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP655\A0433995.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP656\A0434001.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0434007.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435004.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435039.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435040.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435043.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435044.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435045.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0434995.old (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435144.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435145.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6422afe9-2f70-46a6-97cd-3a1928cb95ac}\RP657\A0435146.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 June 2009 - 07:54 PM

Flush your System Restore; this will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.


How is your computer behaving now?