
Virus Shield 2009 Infection. Removal help needed


  • This topic is locked
17 replies to this topic

#1 Probedude
  • Members
  • 13 posts

Posted 18 June 2009 - 12:44 AM

I WinVNC'd to my PC from work to check on an auction and found some windows had come up about my PC being infected and that I can update my antivirus if I click on the link. I didn't since it did not come from AVG so I figured it was a spoof. Still it whacked my machine somehow. At the time I could not open a dos prompt, run Add Remove programs, Task Manager, desktop properties, network properties, and my AVG antivirus was disabled. I was getting redirected on my web searches on how to solve this.

I came across some other website with people with sort of similar problems, so I headed down that path first. Ran MBam which fixed some issues (command prompt, add/remove programs, my web redirects) but I still have issues where I cannot install AVG. Tried to install AVAST but it won't enable. Still don't have task manager, cannot 'netstat' from the command prompt, still cannot install AVG.

Came across this website and followed the steps.
Ran dds.scr.

Then searched the forums and found the post "Virus Shield 2009_ Vundo Malware" so I started following that.

ran comedian,
then Norman,
then RSIT,
then GMER


Here are all the logs in order of what I did once I found your website.

dds.

Here's the Norman log

Rsit info.txt and log.txt

and gmer results



I'm quite amazed at all the stuff that got disabled and what still doesn't work.
Every time I try to install AVG it says that there is already an antivirus installed.

Thanks for your help.

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 18 June 2009 - 08:19 PM.



#2 syler
  • Malware Response Team
  • 8,150 posts

Posted 23 June 2009 - 06:25 PM

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. If you no longer require any help, could you let me know please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply; do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log since a lot could have changed since your original post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks



#3 Probedude
  • Topic Starter
  • Members
  • 13 posts

Posted 23 June 2009 - 10:32 PM

Yes, a lot has changed.

I ran RSIT again but it only generated a log.txt file. Don't know why. I re-downloaded it and still it only gave me a log.txt file.

See attached.

Attached Files

  • Attached File  log.txt   26.04KB   4 downloads

Edited by Orange Blossom, 28 June 2009 - 12:41 PM.
Removed unnecessary quote. ~ OB


#4 syler
  • Malware Response Team
  • 8,150 posts

Posted 23 June 2009 - 10:44 PM

Yes, a lot has changed.


Like what? Can you tell me what malware related problems you are having at the moment?



#5 Probedude
  • Topic Starter
  • Members
  • 13 posts

Posted 23 June 2009 - 11:01 PM

Yes, a lot has changed.


Like what? can you tell me what malware related problems you are having at the moment?


Right now the biggest deal is that when I run dds.scr it keeps showing that Virus Shield 2009 is my AV program.
I can't find it anywhere.

I've run MalwareBytes just before I made my first post and I got some stuff back like command prompt, add/remove programs, etc, but things like Task Manager, Netstat still didn't work and I couldn't get any antivirus programs to install and work. No matter what I ran it was coming up clean yet things didn't work - even in safe mode.

Last night I ran MalwareBytes again, checked for updates then did a quick scan. It found I think ~200 problems - mostly all were disabled programs. After fixing that I got back Task Manager and Netstat. Now I could install Avast and get it to run.

But still no matter what when I run dds.scr it shows Virus Shield 2009 is there.

I'm worried that it's still taking over my system and will again lock stuff out after a while.

I just ran dds.scr and here's the dds.txt display. Note it says my AV is Virus Shield 2009 though I never installed it as far as I know.


DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 20:58:09.51 on Tue 06/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1572 [GMT -7:00]

AV: Virus Shield 2009 *On-access scanning enabled* (Updated) {4D1CCD69-9BC4-49D4-BA7F-4EFC975D11EC}
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Virus Shield 2009 *enabled* {7E2A10B0-CD65-4BC8-B778-D508A6330570}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\User\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [SansaDispatch] c:\documents and settings\user\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to MVP Favorite Radio Stations - c:\program files\hauppauge mediamvp\mvp.htm
IE: {5CC5AADB-AD8E-433a-A5DE-46F33901281A} - c:\program files\pc techzone\merlin auctionmagic\ie toolbar\iebutton.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxps://etimecvs.flir.com/wfcstatic/plugins/jre-1_5_0_09-windows-i586-p.exe
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://calient.webex.com/client/T26L/webex/ieatgpc.cab
TCP: {6FA1E0BF-2593-4557-812A-BCE644EB5881} = 192.168.78.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bhzahdrp.default\
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-22 114768]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-22 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-22 352920]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2008-9-27 34639]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\drivers\hcwPVRP2.sys [2008-9-28 796064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-10-2 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-10-2 17700]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
S2 UDNT;UDNT; [x]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-10-2 10880]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 MVPMedia;MVPMedia;c:\progra~1\hauppa~1\MVPStart.exe [2008-10-4 65536]
S4 MVPMediaSvc;MVPMediaSvc;c:\progra~1\hauppa~1\hardware\DglSvcMain.exe [2008-10-4 57344]
S4 SageTV;SageTV;c:\program files\frey technologies\sagetv\SageTVService.exe [2005-4-4 622592]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]

=============== Created Last 30 ================

2009-06-22 21:11 1,270 a------- c:\windows\system32\tmp.reg
2009-06-15 23:43 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-15 23:32 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-15 23:27 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-15 23:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 23:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 23:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-15 23:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-15 23:02 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-06-15 23:02 <DIR> --d----- c:\program files\CCleaner
2009-06-15 22:32 <DIR> --d----- C:\VundoFix Backups
2009-06-15 22:24 <DIR> --d----- c:\program files\Lavasoft
2009-06-13 18:44 <DIR> --d----- c:\program files\Digi
2009-06-02 21:45 <DIR> --d----- c:\windows\system\drivers
2009-06-02 21:45 <DIR> --d----- c:\program files\LogicPort
2009-05-26 22:24 <DIR> --d----- c:\program files\TomTom International B.V

==================== Find3M ====================

2009-06-15 07:48 87,608 a------- c:\docume~1\user\applic~1\inst.exe
2009-06-15 07:48 47,360 a------- c:\docume~1\user\applic~1\pcouffin.sys
2009-05-24 16:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 21:52 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 20:58:23.17 ===============

#6 syler
  • Malware Response Team
  • 8,150 posts

Posted 23 June 2009 - 11:06 PM

Ok please give me some time to look over your log, can you post the last scan you did with MBAM please.



#7 Probedude
  • Topic Starter
  • Members
  • 13 posts

Posted 23 June 2009 - 11:24 PM

Ok please give me some time to look over your log, can you post the last scan you did with MBAM please.


Here are 2 log files from last night. One has the 200+ problems, the other shows a clean bill of health after taking care of the problems.
Still afterwards I show that "virus shield 2009" is my AV program.

Attached Files



#8 syler
  • Malware Response Team
  • 8,150 posts

Posted 24 June 2009 - 04:48 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#9 Probedude
  • Topic Starter
  • Members
  • 13 posts

Posted 24 June 2009 - 09:09 PM

Done.

Note that I could not disable Virus Shield 2009 before running this (of course)

See attached log file from ComboFix.

Attached Files



#10 syler
  • Malware Response Team
  • 8,150 posts

Posted 25 June 2009 - 02:36 PM

Hi Probedude, I'm not seeing too much wrong here; let's try and get rid of that Virus Shield. When you reply with any logs, can you please copy and paste them rather than attaching them? Thanks.

Install MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources and may even speed up the loading of web pages. You can download it and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
{4D1CCD69-9BC4-49D4-BA7F-4EFC975D11EC}
{7E2A10B0-CD65-4BC8-B778-D508A6330570}

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Please run a BitDefender Online Scan
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Then please post back here with Combofix.txt and the Bitdefender results.
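
The DDS log in post #5 and the SecCenter:: script in this post are two halves of the same finding: DDS takes its AV:/FW: lines from the Windows Security Center's WMI store, so a product that is listed there but has no process or service anywhere on the box is a registration with nothing behind it, which is also what makes an installer refuse with "there is already an antivirus installed". The script below is an added example written for this thread (not code from DDS, ComboFix or the BleepingComputer helpers). It parses the DDS sections shown in post #5, reports the registrations that no running process or service backs, lists services whose binary DDS marked [x] or [?], and renders the orphaned GUIDs in the same SecCenter:: form syler uses above. SAMPLE_DDS is constructed from the shape of the post #5 output (the GUIDs are the ones on the page); the line formats and the first-word matching heuristic are assumptions, not a DDS specification.

```python
"""Triage a DDS log: which Security Center AV/FW registrations have a process
or service behind them, and which services point at missing binaries.

Added example written for this thread, not code from DDS, ComboFix or the
BleepingComputer helpers. SAMPLE_DDS is constructed from the shape of the
DDS output in post #5 (same GUIDs); the line formats are assumed from that
sample rather than taken from a DDS specification."""
import re
from collections import namedtuple

SecProduct = namedtuple("SecProduct", "kind name guid")
Service = namedtuple("Service", "state name display path")

SAMPLE_DDS = r"""DDS (Ver_09-05-14.01) - NTFSx86

AV: Virus Shield 2009 *On-access scanning enabled* (Updated) {4D1CCD69-9BC4-49D4-BA7F-4EFC975D11EC}
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Virus Shield 2009 *enabled* {7E2A10B0-CD65-4BC8-B778-D508A6330570}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-22 114768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-22 138680]
S2 UDNT;UDNT; [x]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

============= FINISH: 20:58:23.17 ===============
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")          # "===== Running Processes ====="
PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*.*\{([0-9A-Fa-f-]{36})\}$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]*);([^;]*);(.*)$")  # state name;display;path [date size]


def parse_dds(text):
    """Split a DDS log into (products, running processes, services)."""
    products, processes, services = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "header":
            m = PRODUCT_RE.match(line)
            if m:
                products.append(SecProduct(m.group(1), m.group(2), m.group(3).upper()))
        elif section == "running processes":
            processes.append(line)
        elif section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                services.append(Service(m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return products, processes, services


def product_is_backed(product, processes, services):
    """Heuristic (assumption): the product's first word ('avast', 'virus') must
    occur at a word start in some process path or service name/display/path.
    A product whose first word is generic would need a hand-kept vendor map."""
    token = re.sub(r"[^a-z0-9]", "", product.name.split()[0].lower())
    if not token:
        return False
    pat = re.compile(r"\b" + re.escape(token), re.IGNORECASE)
    haystack = list(processes)
    for s in services:
        haystack += [s.name, s.display, s.path]
    return any(pat.search(h) for h in haystack)


def orphaned_registrations(text):
    """AV/FW registrations with nothing running or installed behind them."""
    products, processes, services = parse_dds(text)
    return [p for p in products if not product_is_backed(p, processes, services)]


def services_with_missing_binaries(text):
    """Service names whose image DDS could not find ([x]) or stat ([?])."""
    return [s.name for s in parse_dds(text)[2]
            if s.path.endswith("[x]") or s.path.endswith("[?]")]


def seccenter_script(products):
    """Render GUIDs in the SecCenter:: form used by the CFScript in post #10."""
    return "SecCenter::\n" + "".join("{%s}\n" % p.guid for p in products)


if __name__ == "__main__":
    orphans = orphaned_registrations(SAMPLE_DDS)
    for p in orphans:
        print("%s registration with no backing: %s %s" % (p.kind, p.name, p.guid))
    print("services with missing binaries:", services_with_missing_binaries(SAMPLE_DDS))
    print(seccenter_script(orphans))
```

On the sample this reports both Virus Shield 2009 entries as orphaned and produces exactly the two-GUID SecCenter:: block from this post, while avast! is backed by its services. The [x]/[?] list is a pointer for manual review, not a verdict: in the post #5 log that marker also sits on Lbd.sys, which is Lavasoft Ad-Aware's own driver.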



#11 Probedude
  • Topic Starter
  • Members
  • 13 posts

Posted 25 June 2009 - 09:30 PM

Here are the ComboFix and BitDefender logs
(BitDefender would only export an html file)


ComboFix 09-06-23.01 - User 06/25/2009 18:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1640 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\malware\Bleeping\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\malware\Bleeping\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090625-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Virus Shield 2009 *On-access scanning enabled* (Updated) {4D1CCD69-9BC4-49D4-BA7F-4EFC975D11EC}
FW: Virus Shield 2009 *enabled* {7E2A10B0-CD65-4BC8-B778-D508A6330570}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-25 02:06 . 2009-06-25 02:06 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 05:20 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-23 05:20 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-23 05:20 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-23 05:20 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-23 05:20 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-23 05:20 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-23 05:20 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-23 05:20 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-23 05:20 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-23 05:20 . 2009-06-23 05:20 -------- d-----w- c:\program files\Alwil Software
2009-06-23 04:18 . 2009-06-23 04:18 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 04:57 . 2009-06-24 03:29 -------- d-----w- C:\rsit
2009-06-18 04:11 . 2009-06-18 04:11 -------- d-----w- c:\program files\ERUNT
2009-06-17 12:51 . 2009-06-17 12:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-17 12:51 . 2009-06-17 12:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-17 05:20 . 2009-06-17 05:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-17 02:22 . 2009-06-17 03:30 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-16 06:43 . 2009-06-16 06:42 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-16 06:32 . 2009-06-16 06:32 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-16 06:27 . 2009-06-16 06:27 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-16 06:27 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 06:27 . 2009-06-16 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-16 06:27 . 2009-06-23 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-16 06:27 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 06:02 . 2009-06-26 01:29 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 06:02 . 2009-06-16 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-16 06:02 . 2009-06-24 03:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 06:02 . 2009-06-16 06:02 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-06-16 06:02 . 2009-06-16 06:02 -------- d-----w- c:\program files\CCleaner
2009-06-16 05:46 . 2009-06-16 05:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\TextPad
2009-06-16 05:32 . 2009-06-16 05:32 -------- d-----w- C:\VundoFix Backups
2009-06-16 05:27 . 2009-06-16 05:27 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-16 05:24 . 2009-06-16 05:24 -------- d-----w- c:\program files\Lavasoft
2009-06-16 05:24 . 2009-06-16 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-16 04:09 . 2009-06-17 05:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-14 01:44 . 2009-06-14 01:44 -------- d-----w- c:\program files\Digi
2009-06-12 03:52 . 2009-06-12 03:52 0 ----a-w- c:\windows\nsreg.dat
2009-06-12 03:51 . 2009-06-12 03:51 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-06-03 04:45 . 2009-06-05 05:00 -------- d-----w- c:\program files\LogicPort
2009-06-03 04:45 . 2009-06-03 04:45 -------- d-----w- c:\windows\system\drivers
2009-05-27 05:24 . 2009-05-27 05:24 -------- d-----w- c:\program files\TomTom International B.V

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 04:41 . 2008-10-05 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-21 04:53 . 2008-05-10 06:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 04:23 . 2008-05-10 07:02 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-06-16 06:02 . 2008-09-29 03:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-16 05:52 . 2009-01-11 00:26 -------- d--h--r- c:\documents and settings\User\Application Data\Microchip
2009-06-16 04:43 . 2008-09-29 03:27 -------- d-----w- c:\program files\Java
2009-06-16 03:45 . 2009-03-24 03:07 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-06-16 02:45 . 2009-03-24 03:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-06-16 02:44 . 2008-10-05 02:31 -------- d-----w- c:\program files\Hauppauge MediaMVP
2009-06-15 14:48 . 2008-10-05 02:33 47360 ----a-w- c:\documents and settings\User\Application Data\pcouffin.sys
2009-06-15 14:48 . 2008-10-05 02:33 47360 ----a-w- c:\documents and settings\User\Application Data\pcouffin.sys
2009-06-14 21:57 . 2009-05-24 23:49 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-27 05:23 . 2009-02-08 06:32 -------- d-----w- c:\program files\TomTom HOME 2
2009-05-25 03:20 . 2008-05-11 05:47 16504 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:49 . 2009-05-24 23:49 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org
2009-05-24 23:12 . 2009-05-24 23:12 -------- d-----w- c:\program files\JRE
2009-05-24 23:12 . 2009-05-24 23:12 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-24 23:12 . 2009-05-24 23:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-17 23:03 . 2008-05-10 07:07 -------- d-----w- c:\program files\WS_FTP
2009-05-07 15:44 . 2004-08-04 04:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 04:56 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 04:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 03:17 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 04:56 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-25_02.06.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-26 01:29 . 2009-06-26 01:29 16384 c:\windows\Temp\Perflib_Perfdata_560.dat
- 2009-06-25 02:00 . 2009-06-25 02:00 16384 c:\windows\Temp\Perflib_Perfdata_560.dat
+ 2009-06-25 02:06 . 2008-10-16 22:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 02:06 . 2004-08-04 04:56 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 02:06 . 2004-08-04 04:56 24576 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 02:06 . 2004-08-04 04:56 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 02:06 . 2005-06-10 23:53 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 02:06 . 2004-08-04 04:56 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 02:06 . 2004-08-04 04:56 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 02:06 . 2004-08-04 02:58 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 02:06 . 2004-08-04 03:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 02:06 . 2004-08-04 04:56 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 02:06 . 2004-08-04 04:56 502272 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 02:06 . 2009-04-29 04:52 659456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 02:06 . 2007-03-08 15:36 577536 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 02:06 . 2004-08-04 04:56 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 02:06 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 02:06 . 2009-02-06 17:14 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 02:06 . 2004-08-04 03:14 182912 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 02:06 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 02:06 . 2004-08-04 04:56 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 02:06 . 2004-08-04 04:56 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-26 01:29 . 2009-06-26 01:29 204800 c:\windows\ERDNT\AutoBackup\6-25-2009\Users\00000002\UsrClass.dat
+ 2009-06-26 01:29 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\6-25-2009\ERDNT.EXE
+ 2009-06-25 02:06 . 2004-08-04 04:56 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 02:06 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 02:06 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 02:06 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe
+ 2009-06-26 01:29 . 2009-06-26 01:29 3293184 c:\windows\ERDNT\AutoBackup\6-25-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\User\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-11 79872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-24 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-16 518488]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^CIT200.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\CIT200.lnk
backup=c:\windows\pss\CIT200.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=c:\windows\pss\UMAX VistaAccess.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"stisvc"=2 (0x2)
"MVPMediaSvc"=2 (0x2)
"MVPMedia"=2 (0x2)
"mnmsrvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"CVPND"=2 (0x2)
"CryptSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"avg8wd"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Airlink101\\IPView Pro\\IPView Pro.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Documents and Settings\\User\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Digi\\XCTU\\X-CTU.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5904:TCP"= 5904:TCP:WinVNC

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2009 10:20 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2009 10:20 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [9/27/2008 1:18 AM 34639]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [10/2/2008 9:13 PM 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [10/2/2008 9:13 PM 17700]
S2 UDNT;UDNT; [x]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [10/2/2008 9:16 PM 10880]
S4 MVPMedia;MVPMedia;c:\progra~1\HAUPPA~1\MVPStart.exe [10/4/2008 7:31 PM 65536]
S4 MVPMediaSvc;MVPMediaSvc;c:\progra~1\HAUPPA~1\Hardware\DglSvcMain.exe [10/4/2008 7:31 PM 57344]
S4 SageTV;SageTV;c:\program files\Frey Technologies\SageTV\SageTVService.exe [4/4/2005 9:46 AM 622592]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 3:38 AM 92008]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 05:26]

2009-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1844237615-839522115-1003.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-29 02:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to MVP Favorite Radio Stations - c:\program files\Hauppauge MediaMVP\mvp.htm
IE: {{5CC5AADB-AD8E-433a-A5DE-46F33901281A} - c:\program files\PC TechZone\Merlin AuctionMagic\IE Toolbar\iebutton.htm
TCP: {6FA1E0BF-2593-4557-812A-BCE644EB5881} = 192.168.78.1
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\User\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?20Installer%26platform%3d%26is-debug%3d%26rom-version%3d%26part-number%3d%26product-name

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-26 18:41
ComboFix-quarantined-files.txt 2009-06-26 01:41
ComboFix2.txt 2009-06-25 02:07

Pre-Run: 40,636,411,904 bytes free
Post-Run: 40,625,577,984 bytes free

237 --- E O F --- 2009-06-16 01:45

BitDefender Online Scanner - Scan Report

Scan report generated at: Thu, Jun 25, 2009 - 19:14:20

Scan path: C:\Documents and Settings\User\My Documents;C:\Documents and Settings\All Users\Documents;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
Time                 00:22:52
Files                184284
Folders              4781
Boot Sectors         0
Archives             2733
Packed Files         7897

Results
Identified Viruses   1
Infected Files       5
Suspect Files        0
Warnings             0
Disinfected          0
Deleted Files        5

Engines Info
Virus Definitions    3566084
Engine build         AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins         17
Archive plugins      44
Unpack plugins       7
E-mail plugins       6
System plugins       4

Scan Settings
First Action         Disinfect
Second Action        Delete
Heuristics           Yes
Enable Warnings      Yes
Scanned Extensions   *;
Exclude Extensions   (none)
Scan Emails          Yes
Scan Archives        Yes
Scan Packed          Yes
Scan Files           Yes
Scan Boot            Yes

Scanned File / Status
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\SKYNEToyktfnm0.sys
    Infected with: Gen:Rootkit.Heur.4018E7A6A6
    Disinfection failed
    Deleted
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\skynetoyktfnmx.sys
    Infected with: Gen:Rootkit.Heur.4018E7A6A6
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{3AE93700-77DC-48FF-BA7F-57162E4A0386}\RP407\A0015883.sys
    Infected with: Gen:Rootkit.Heur.4018E7A6A6
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{3AE93700-77DC-48FF-BA7F-57162E4A0386}\RP413\A0016551.sys
    Infected with: Gen:Rootkit.Heur.4018E7A6A6
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{3AE93700-77DC-48FF-BA7F-57162E4A0386}\RP413\A0016552.sys
    Infected with: Gen:Rootkit.Heur.4018E7A6A6
    Disinfection failed
    Deleted

#12 Probedude

Probedude
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 25 June 2009 - 10:26 PM

Just a heads up. My system looks clean now!
I ran dds.scr and don't see Virus Shield 2009 anymore.

THANK YOU!

Question: How does ComboFix use the data you put in the text file? How does it find the bad files?

Dave

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:53 AM

Posted 26 June 2009 - 12:22 AM

Question: How does ComboFix use the data you put in the text file? How does it find the bad files?


I cannot discuss the workings of ComboFix; this information is kept private for a good reason and the author does not
permit it to be discussed outside of private areas.


You don't have the latest service pack for Windows. The service packs patch security vulnerabilities found in Windows. You should
keep these up to date to keep you protected against malware that can take advantage of these security vulnerabilities to attack
your system. The latest service pack is SP3. Click on Start >> All programs >> Windows update, then select Express
and allow it to install all updates including SP3.
Note: If it prompts you to install an ActiveX control allow it to install it.

Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Then please post back with a new DDS log.

Thanks

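The two checks behind the instructions above (service pack level, and stale or duplicate Java Runtime Environments left in Add/Remove Programs), as an added PowerShell example that is not part of syler's post or of any BleepingComputer tool. It only reads the machine's state; removal is still done through Add/Remove Programs as described. It assumes that JRE 6 Update 14 registers a DisplayVersion of 6.0.140 and that SP3 is the target service pack; both are assumptions marked in the code.

```powershell
# Added example, not from the forum post. Read-only: reports the Windows
# service pack level and every Java Runtime Environment registered in the
# Uninstall keys, flagging versions older than the one the post asks for.
# Assumptions (not from the page): JRE 6u14 reports DisplayVersion 6.0.140,
# and SP3 is the required service pack for this Windows XP machine.

$RequiredJava        = [Version]'6.0.140'   # assumption: how JRE 6 Update 14 reports itself
$RequiredServicePack = 3                    # SP3, as the post states

# Standard Uninstall hives; the Wow6432Node path only exists on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ServicePackStatus {
    # Win32_OperatingSystem exposes the installed service pack directly.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Caption     = $os.Caption
        ServicePack = $os.CSDVersion
        UpToDate    = ($os.ServicePackMajorVersion -ge $RequiredServicePack)
    }
}

function Get-JavaInstalls {
    # Every JRE/J2SE install shows up as its own Uninstall entry, which is why
    # the post has the user remove them one by one in Add/Remove Programs.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE)' -and
                       $_.DisplayName -notmatch 'Updater' } |
        ForEach-Object {
            $ver = $null
            try { $ver = [Version]$_.DisplayVersion } catch { }   # non-numeric versions stay unflagged
            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Outdated        = ($ver -ne $null -and $ver -lt $RequiredJava)
                UninstallString = $_.UninstallString   # what Add/Remove Programs would run; not executed here
            }
        }
}

# Report
Get-ServicePackStatus | Format-List Caption, ServicePack, UpToDate

$java = @(Get-JavaInstalls)
$java | Sort-Object Version | Format-Table Name, Version, Outdated -AutoSize

if ($java.Count -gt 1) {
    Write-Warning "More than one JRE is installed; the post asks for every version but the current one to be removed."
}
$java | Where-Object { $_.Outdated } | ForEach-Object {
    Write-Warning ("Outdated Java still installed: {0} ({1})" -f $_.Name, $_.Version)
}
```

Run it before and after following the steps: the first run should list the old entries (including a leftover such as Update 13) and the second should show a single, non-outdated JRE and SP3 reported as installed.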


#14 Probedude

Probedude
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 27 June 2009 - 12:06 AM

Working on it. Just installed SP3 (took forever).
Uninstalled all the Javas but couldn't uninstall Java 6 Update 13. It gives me a "Fatal error during installation".

Downloaded latest version of Java.

Will install, clean up some other stuff and then post a dds log.

Dave

#15 Probedude

Probedude
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 27 June 2009 - 12:19 AM

Okay, cannot load the new version of Java. It looks like it's working but then throws up the error
"Installation Failed: The wizard was interrupted before Java ™ 6 update 14 could be completely installed. To complete installation another time, please run setup again.
Click OK to exit the wizard."

Clicking on it again just brings up the same error.

EDIT: I downloaded Microsoft's "Install cleanup" software and uninstalled Java 6 update 13. After this I was able to install Java 6 update 14.


Here's my latest dds log after SP3 and newest Java

DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 22:29:51.57 on Fri 06/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1579 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090626-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC TechZone\Merlin AuctionMagic\AuctionMagic.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\User\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Merlin AuctionMagic] "c:\program files\pc techzone\merlin auctionmagic\AuctionMagic.exe" automatic
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to MVP Favorite Radio Stations - c:\program files\hauppauge mediamvp\mvp.htm
IE: {5CC5AADB-AD8E-433a-A5DE-46F33901281A} - c:\program files\pc techzone\merlin auctionmagic\ie toolbar\iebutton.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://calient.webex.com/client/T26L/webex/ieatgpc.cab
TCP: {6FA1E0BF-2593-4557-812A-BCE644EB5881} = 192.168.78.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bhzahdrp.default\
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-22 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-22 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-22 352920]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2008-9-27 34639]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\drivers\hcwPVRP2.sys [2008-9-28 796064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-10-2 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-10-2 17700]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 UDNT;UDNT; [x]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-10-2 11520]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 MVPMedia;MVPMedia;c:\progra~1\hauppa~1\MVPStart.exe [2008-10-4 65536]
S4 MVPMediaSvc;MVPMediaSvc;c:\progra~1\hauppa~1\hardware\DglSvcMain.exe [2008-10-4 57344]
S4 SageTV;SageTV;c:\program files\frey technologies\sagetv\SageTVService.exe [2005-4-4 622592]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]

=============== Created Last 30 ================

2009-06-26 22:28 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-26 22:27 <DIR> --d----- c:\program files\MSECACHE
2009-06-26 21:59 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-26 21:35 <DIR> --d----- c:\windows\LastGood.Tmp
2009-06-26 21:32 <DIR> --d----- c:\windows\system32\scripting
2009-06-26 21:32 32,866 -------- c:\windows\slrundll.exe
2009-06-26 21:32 <DIR> --d----- c:\windows\system32\en
2009-06-26 21:32 <DIR> --d----- c:\windows\system32\bits
2009-06-26 21:32 <DIR> --d----- c:\windows\l2schemas
2009-06-26 21:31 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-26 21:30 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
2009-06-26 21:27 19,569 a------- c:\windows\003069_.tmp
2009-06-26 19:11 0 a------- c:\windows\system32\REN16.tmp
2009-06-26 19:11 0 a------- c:\windows\system32\REN15.tmp
2009-06-26 19:11 0 a------- c:\windows\system32\REN14.tmp
2009-06-26 19:10 0 a------- c:\windows\system32\RENA.tmp
2009-06-26 19:10 0 a------- c:\windows\system32\REN9.tmp
2009-06-24 19:06 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 19:03 161,792 a------- c:\windows\SWREG.exe
2009-06-24 19:03 155,136 a------- c:\windows\PEV.exe
2009-06-24 19:03 98,816 a------- c:\windows\sed.exe
2009-06-15 23:43 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-15 23:32 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-15 23:27 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-15 23:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 23:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 23:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-15 23:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-15 23:02 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-06-15 23:02 <DIR> --d----- c:\program files\CCleaner
2009-06-15 22:32 <DIR> --d----- C:\VundoFix Backups
2009-06-15 22:24 <DIR> --d----- c:\program files\Lavasoft
2009-06-13 18:44 <DIR> --d----- c:\program files\Digi
2009-06-02 21:45 <DIR> --d----- c:\windows\system\drivers
2009-06-02 21:45 <DIR> --d----- c:\program files\LogicPort

==================== Find3M ====================

2009-06-26 22:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 21:34 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-15 07:48 47,360 a------- c:\docume~1\user\applic~1\pcouffin.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:29:59.79 ===============

Edited by Probedude, 27 June 2009 - 12:32 AM.
