cannot connect to internet.."Win32/Agent.PAX trojan"


This topic is locked
21 replies to this topic

#1 huntforfood

  • Members
  • 13 posts

Posted 21 June 2009 - 02:40 PM

First of all, computers are not my thing, so if I have provided too much or too little info, I apologize.

Here is the basic profile.

Toshiba laptop

Dual core Intel T2050 1.6 GHz 2GB ram.

Win XP, Media center Edition, SP2.

ESET NOD32 Antivirus

I clicked a link by accident on some website about a week ago and I think that's what did it.

Right now ESET antivirus keeps telling me at startup that it found a variant of the "Win32/Agent.PAX trojan"

And the name of the object is "C:\WINDOWS\win32k.sys:2", they are in quarantine, total of 4.

Everything seems to be ok, other than that I cannot connect to the internet.

I can get on the internet on a second computer and transfer any programs or what not to the infected computer through a USB drive.

When I say I cannot connect to the internet, what is happening is it won't load any pages. I tried different browsers, but if I try to download anything using a download client like "BitLord", I seem to be able to download.

Also I am getting a "runtime error 53" at bootup.

This is what I have done so far:

1. f-vmonde...F-secure corp.
2. ccsetup209
3. combofix
4. cwsheredder
5. FixVundo....Symantec Corp.
6. SDFix
7. VundoFix...Atribune.org
8. Hijackthis

Don't know if I ran any of those correctly, but I ran all of those in both normal and safe mode and deleted/fixed whatever I thought was a trojan or virus.




DDS (Ver_09-05-14.01) - NTFSx86
Run by ... at 13:43:49.12 on Sun 06/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1561 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D9634C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\killad\killad.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
K:\Software\Program Files\hijack this\HijackThis.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
uInternet Settings,ProxyOverride = <local>
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\ash\startm~1\programs\startup\killad.lnk - c:\program files\killad\killad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thepro~1.lnk - c:\program files\proxomitron naoko-4\Proxomitron.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bananarepublic.com\www
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\manson\liser.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqPgGwX

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2006-2-15 14336]
R2 windefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 dhcpsrv;Dhcp server;c:\windows\dll\rundll32.exe --> c:\windows\dll\RUNDLL32.exe [?]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe --> c:\windows\system32\sopidkc.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-6-13 42112]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-24 114464]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-06-21 11:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-19 12:02 <DIR> --d----- c:\windows\LastGood.Tmp
2009-06-19 11:25 <DIR> --d----- c:\program files\Exterminate It!
2009-06-18 02:33 428,032 a------- c:\windows\system32\swreg.exe
2009-06-18 02:33 212,480 a------- c:\windows\system32\swxcacls.exe
2009-06-17 15:01 <DIR> --d----- C:\Swsetup
2009-06-16 01:32 <DIR> --d----- c:\program files\QUAD Utilities
2009-06-14 11:45 7 a------- c:\windows\system32\comsa32.sys
2009-06-14 09:55 <DIR> --d----- c:\windows\DLL
2009-06-14 09:55 <DIR> --d----- c:\windows\system32\3361
2009-06-14 09:55 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-06-14 09:54 <DIR> --dshr-- c:\program files\Manson
2009-06-14 09:54 100,684 a------- c:\windows\system32\drivers\26945a9.sys

==================== Find3M ====================


============= FINISH: 13:44:03.09 ===============

Attached Files
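The DDS log above is what the helpers read. As an added example (not from this post and not a BleepingComputer or DDS tool), the script below scans a few lines copied from that log for the entries a responder would check first: a browser proxy forced to localhost:8080 (one plausible reason pages fail in every browser while a download client still works), a non-empty AppInit_DLLs, an extra LSA authentication package, and services whose image file DDS marks with [?]. It assumes only the Python standard library; the sample lines are constructed from the log.

```python
import re

# Constructed sample: lines copied from the "Pseudo HJT Report" and "SERVICES / DRIVERS"
# sections of the first DDS log in this thread, plus two benign lines for contrast.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
uInternet Settings,ProxyOverride = <local>
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
AppInit_DLLs: c:\progra~1\manson\liser.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqPgGwX
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
S2 dhcpsrv;Dhcp server;c:\windows\dll\rundll32.exe --> c:\windows\dll\RUNDLL32.exe [?]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe --> c:\windows\system32\sopidkc.exe [?]
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# DDS service line: "<state> <name>;<display name>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[(.*)\]$")


def parse_proxy(value):
    """Turn 'http=localhost:8080;https=localhost:8080' into {'http': ('localhost', 8080), ...}.

    A bare 'host:port' (no scheme) applies to every protocol and is stored under '*'.
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        proxies[scheme.strip().lower()] = (host.strip().lower(), int(port) if port.isdigit() else None)
    return proxies


def triage(log_text):
    """Return (severity, reason, line) for the DDS lines a responder would check first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            value = line.split("=", 1)[1].strip()
            local = [s for s, (host, _) in parse_proxy(value).items() if host in LOCAL_HOSTS]
            if local:
                findings.append(("high",
                                 "browser proxy for %s points at the local machine; pages fail if no "
                                 "trusted proxy listens there, while non-proxied apps still work"
                                 % ", ".join(local), line))
        elif line.startswith("AppInit_DLLs:"):
            dll = line.split(":", 1)[1].strip()
            if dll:
                findings.append(("high", "AppInit_DLLs loads %s into every process that links user32.dll" % dll, line))
        elif line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                findings.append(("high", "extra LSA authentication package(s): %s" % ", ".join(extra), line))
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            name, image, detail = m.group(2), m.group(4), m.group(5).strip()
            image_path = image.split(" --> ")[0].strip().lower()
            if detail == "?":
                findings.append(("medium", "service %s: DDS could not verify its image file on disk" % name, line))
            if image_path.endswith("rundll32.exe") and not image_path.startswith(r"c:\windows\system32"):
                findings.append(("high", "service %s runs rundll32.exe from a non-standard directory" % name, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), reason, line))
```

The same log also lists Proxomitron, a local HTTP filtering proxy, in the startup folder, so the proxy finding needs correlating with what actually listens on that port before anything is changed.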




#2 DocSatan

  • Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 26 June 2009 - 06:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 huntforfood

  • Topic Starter
  • Members
  • 13 posts

Posted 28 June 2009 - 10:40 AM

No need to apologize; I understand that this is done on a volunteer basis and, I am sure, you have a lot more demand than you have help. This is an excellent service that you guys provide free of charge, and I highly appreciate the work that you do and all the help you provide.

The problem is not solved as of yet.
Below is the new log and the attachment as well.
Thanks again.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Ash at 10:31:08.10 on Sun 06/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1607 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\killad\killad.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
uInternet Settings,ProxyOverride = <local>
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\ash\startm~1\programs\startup\killad.lnk - c:\program files\killad\killad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thepro~1.lnk - c:\program files\proxomitron naoko-4\Proxomitron.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bananarepublic.com\www
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqPgGwX

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 26945a9;26945a9;c:\windows\system32\drivers\26945a9.sys --> c:\windows\system32\drivers\26945a9.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-6-13 42112]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-24 114464]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-06-27 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 12:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 12:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-27 10:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\ash\applic~1\SUPERAntiSpyware.com
2009-06-26 12:51 1,845,632 a------- c:\windows\system32\win32k.sys
2009-06-25 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 11:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-25 11:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 11:41 <DIR> --d----- c:\program files\Lavasoft
2009-06-24 14:01 2,426 a------- c:\windows\system32\tmp.reg
2009-06-24 14:00 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-06-24 14:00 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-06-24 14:00 87,552 a------- c:\windows\system32\VACFix.exe
2009-06-24 14:00 82,944 a------- c:\windows\system32\IEDFix.exe
2009-06-24 14:00 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-06-24 14:00 80,384 a------- c:\windows\system32\o4Patch.exe
2009-06-24 14:00 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-06-24 14:00 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-06-24 14:00 53,248 a------- c:\windows\system32\Process.exe
2009-06-24 14:00 51,200 a------- c:\windows\system32\dumphive.exe
2009-06-24 11:51 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-06-24 11:51 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-22 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-21 11:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-19 11:25 <DIR> --d----- c:\program files\Exterminate It!
2009-06-18 02:33 428,032 a------- c:\windows\system32\swreg.exe
2009-06-18 02:33 212,480 a------- c:\windows\system32\swxcacls.exe
2009-06-17 15:01 <DIR> --d----- C:\Swsetup
2009-06-16 01:32 <DIR> --d----- c:\program files\QUAD Utilities
2009-06-14 09:55 <DIR> --d----- c:\windows\DLL
2009-06-14 09:55 108,336 a------- c:\windows\system32\MSWINSCK.OCX

==================== Find3M ====================


============= FINISH: 10:31:24.15 ===============

Attached Files



#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 June 2009 - 01:27 PM

Hello.

Please run Combofix.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots of the prompts]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#5 huntforfood

  • Topic Starter
  • Members
  • 13 posts

Posted 29 June 2009 - 02:16 PM

Here is the combofix log.


"Ash" - 2009-06-29 14:08:39 - ComboFix 07-07-04.4 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))


2009-06-29 10:01 <DIR> d-------- C:\DOCUME~1\Ash\APPLIC~1\WinRAR
2009-06-27 12:12 38,160 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-06-27 12:12 19,096 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-06-27 12:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-27 10:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2009-06-27 10:59 <DIR> d-------- C:\DOCUME~1\Ash\APPLIC~1\SUPERAntiSpyware.com
2009-06-27 10:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-26 12:51 1,845,632 --a------ C:\WINDOWS\system32\win32k.sys
2009-06-25 13:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-06-25 11:56 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe
2009-06-25 11:42 <DIR> d--h-c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 11:41 <DIR> d-------- C:\Program Files\Lavasoft
2009-06-24 14:01 2,426 --a------ C:\WINDOWS\system32\tmp.reg
2009-06-24 14:00 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2009-06-24 14:00 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2009-06-24 14:00 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2009-06-24 14:00 80,384 --a------ C:\WINDOWS\system32\o4Patch.exe
2009-06-24 14:00 78,336 --a------ C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-06-24 14:00 75,776 --a------ C:\WINDOWS\system32\WS2Fix.exe
2009-06-24 14:00 53,248 --a------ C:\WINDOWS\system32\Process.exe
2009-06-24 14:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2009-06-24 14:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2009-06-24 14:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2009-06-24 11:51 39,424 --a------ C:\WINDOWS\system32\grpconv.exe
2009-06-22 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2009-06-21 11:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-21 10:21 262,144 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2009-06-19 11:25 <DIR> d-------- C:\Program Files\Exterminate It!
2009-06-17 15:01 <DIR> d-------- C:\Swsetup
2009-06-16 01:32 <DIR> d-------- C:\Program Files\QUAD Utilities
2009-06-14 09:55 <DIR> d-------- C:\WINDOWS\DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-06-24 21:35:09 -------- d-----w C:\Program Files\Proxomitron Naoko-4
2009-06-20 19:59:00 -------- d-----w C:\DOCUME~1\Ash\APPLIC~1\vlc
2009-06-19 20:06:16 -------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2009-06-18 07:20:45 -------- d-----w C:\Program Files\Google
2009-06-17 20:16:41 -------- d--h--w C:\Program Files\InstallShield Installation Information


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 17:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 03:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 03:32]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 18:23 C:\WINDOWS\StartupMonitor.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 07:00 C:\WINDOWS\system32\bthprops.cpl]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 09:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 11:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoClose"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\urqPgGwX

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ash^start menu^programs^startup^fmnupd32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ash^start menu^programs^startup^zqosys32.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
"C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
msncache


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58604e40-f674-11db-a24e-0018de064356}]
AutoRun\command- L:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2009-06-25 16:42:33 C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
2006-10-05 03:20:02 C:\WINDOWS\tasks\Registration reminder 1.job
2006-10-05 23:50:00 C:\WINDOWS\tasks\Registration reminder 2.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 14:10:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2009-06-29 14:10:17
C:\ComboFix-quarantined-files.txt ... 2009-06-29 14:10
C:\ComboFix2.txt ... 2009-06-20 12:00
C:\ComboFix3.txt ... 2009-06-18 02:34

--- E O F ---

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 June 2009 - 06:46 PM

Hello.

Please make sure the Combofix you downloaded is from one of those 3 links.

Please delete Combofix and re-download it.

Then, run it again and post back with the log.

With regards,
Extremeboy

#7 huntforfood

  • Topic Starter
  • Members
  • 13 posts

Posted 29 June 2009 - 07:23 PM

Downloaded from the 3rd link; this time it did a few things it did not do the first time around.

Here is the log.

Thanks again.

ComboFix 09-06-29.02 - Ash 06/29/2009 19:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1539 [GMT -5:00]
Running from: c:\documents and settings\Ash\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\skinboxer43.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\X1
c:\windows\system32\X2
c:\windows\system32\X3
c:\windows\system32\X5
c:\windows\system32\X9

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP71\A0010749.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dhcpsrv


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 00:13 . 2004-08-10 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-30 00:13 . 2004-08-10 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-29 14:53 . 2009-06-29 14:53 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-06-27 17:12 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 17:12 . 2009-06-27 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 17:12 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 16:00 . 2009-06-30 00:16 117760 ----a-w- c:\documents and settings\Ash\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 15:59 . 2009-06-27 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 15:59 . 2009-06-27 15:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 15:59 . 2009-06-27 15:59 -------- d-----w- c:\documents and settings\Ash\Application Data\SUPERAntiSpyware.com
2009-06-26 17:51 . 2008-04-14 06:00 1845632 ----a-w- c:\windows\system32\win32k.sys
2009-06-25 18:09 . 2009-06-25 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 16:56 . 2009-03-09 19:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 16:42 . 2009-06-25 16:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 16:42 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-25 16:41 . 2009-06-25 16:41 -------- d-----w- c:\program files\Lavasoft
2009-06-24 16:51 . 2004-08-10 12:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-24 16:51 . 2004-08-10 12:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-22 16:47 . 2009-06-23 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-21 16:14 . 2009-06-27 15:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-19 16:25 . 2009-06-19 16:36 -------- d-----w- c:\program files\Exterminate It!
2009-06-17 20:01 . 2009-06-17 20:01 -------- d-----w- C:\Swsetup
2009-06-14 14:55 . 2009-06-14 18:43 -------- d-----w- c:\windows\DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 14:01 . 2006-02-16 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-25 16:41 . 2008-07-02 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-24 21:35 . 2006-11-23 20:48 -------- d-----w- c:\program files\Proxomitron Naoko-4
2009-06-20 19:59 . 2009-05-15 16:44 -------- d-----w- c:\documents and settings\Ash\Application Data\vlc
2009-06-19 20:06 . 2008-07-01 20:13 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-06-18 07:20 . 2006-02-18 15:56 -------- d-----w- c:\program files\Google
2009-06-17 20:16 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"Run StartupMonitor"="StartupMonitor.exe" - c:\windows\StartupMonitor.exe [2000-05-20 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-10 110592]

c:\documents and settings\Ash\Start Menu\Programs\Startup\
killad.lnk - c:\program files\killad\killad.exe [2007-7-5 30720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-11-16 221247]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
The Proxomitron.lnk - c:\program files\Proxomitron Naoko-4\Proxomitron.exe [2006-11-23 295424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\c:^documents and settings^ash^start menu^programs^startup^fmnupd32.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\c:^documents and settings^ash^start menu^programs^startup^zqosys32.exe]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Swupdtmr"=2 (0x2)

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [8/8/2007 11:15 AM 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 26945a9;26945a9;c:\windows\system32\drivers\26945a9.sys --> c:\windows\system32\drivers\26945a9.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/13/2007 1:57 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/13/2007 1:57 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [6/13/2007 1:57 PM 42112]
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2006-10-05 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 12:00]

2006-10-05 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bananarepublic.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(844)
c:\program files\killad\KILLDLL.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-06-30 19:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 00:18

Pre-Run: 15,317,671,936 bytes free
Post-Run: 15,332,331,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect


#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 June 2009 - 08:54 AM

Hello.

Please do the following.

Download and Run OTMoveIT
  • Please download OTM by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTM.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    26945a9
    :files
    c:\windows\system32\drivers\26945a9.sys 
    :commands
    [emptytemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Take a new DDS run and post the log afterwards.

Thanks.

With Regards,
Extremeboy

#9 huntforfood
  • Topic Starter
  • Members
  • 13 posts

Posted 30 June 2009 - 11:59 AM

This reply contains:

OTmoveIt log.
Malwarebytes log.
DDS log.

Thanks for your help.



All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver 26945a9 deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\drivers\26945a9.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Ash
->Temp folder emptied: 200128 bytes
->Temporary Internet Files folder emptied: 9831900 bytes
->Java cache emptied: 12 bytes
->Opera cache emptied: 1007814 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.63 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06302009_113500

Files moved on Reboot...

Registry entries deleted on Reboot...

=================================================

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/30/2009 11:47:17 AM
mbam-log-2009-06-30 (11-47-17).txt

Scan type: Quick Scan
Objects scanned: 94573
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Ash\Start Menu\Programs\Startup\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Ash\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.


==========================================





DDS (Ver_09-05-14.01) - NTFSx86
Run by Ash at 11:50:22.56 on Tue 06/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1520 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\killad\killad.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Ash\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\ash\startm~1\programs\startup\killad.lnk - c:\program files\killad\killad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thepro~1.lnk - c:\program files\proxomitron naoko-4\Proxomitron.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bananarepublic.com\www
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-6-13 42112]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-24 114464]

=============== Created Last 30 ================

2009-06-30 11:35 <DIR> --d----- C:\_OTM
2009-06-30 07:57 93,056 a------- c:\windows\system32\drivers\c25a0d6c.sys
2009-06-29 19:18 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-29 19:13 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-06-29 19:13 50,176 a------- c:\windows\system32\proquota.exe
2009-06-29 19:10 <DIR> a-dshr-- C:\cmdcons
2009-06-29 19:08 161,792 a------- c:\windows\SWREG.exe
2009-06-29 19:08 155,136 a------- c:\windows\PEV.exe
2009-06-29 19:08 98,816 a------- c:\windows\sed.exe
2009-06-29 09:53 577,024 ac------ c:\windows\system32\dllcache\user32.dll
2009-06-27 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 12:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 12:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-27 10:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\ash\applic~1\SUPERAntiSpyware.com
2009-06-26 12:51 1,845,632 a------- c:\windows\system32\win32k.sys
2009-06-25 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 11:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-25 11:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 11:41 <DIR> --d----- c:\program files\Lavasoft
2009-06-24 11:51 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-06-24 11:51 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-22 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-21 11:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-19 11:25 <DIR> --d----- c:\program files\Exterminate It!
2009-06-17 15:01 10,843 a--s---- c:\windows\system32\oem47.CAT
2009-06-17 15:01 <DIR> --d----- C:\Swsetup
2009-06-14 09:55 <DIR> --d----- c:\windows\DLL
2009-06-14 09:55 108,336 a------- c:\windows\system32\MSWINSCK.OCX

==================== Find3M ====================


============= FINISH: 11:50:52.64 ===============
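
As an added triage example (not from this thread, and not part of the DDS tool), the script below parses `SERVICES / DRIVERS` and `Created Last 30` lines of the kind pasted above and flags service or driver names made only of hex digits, plus drivers whose file DDS could not locate on disk (the `--> ... [?]` form). The sample lines are copied from the logs in this thread; the hex-name rule is a heuristic for review, so a legitimate driver with a missing file such as Lavasoft's `Lbd` is surfaced too and still needs a human to confirm.

```python
import re
from dataclasses import dataclass
from typing import List

# A DDS "SERVICES / DRIVERS" line looks like one of these:
#   R1 name;display name;c:\path\file.sys [2007-8-8 241664]
#   S1 name;display name;c:\path\file.sys --> c:\path\file.sys [?]
# The "--> ... [?]" form means DDS could not find the driver file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# A DDS "Created Last 30" line looks like:
#   2009-06-30 07:57 93,056 a------- c:\windows\system32\drivers\c25a0d6c.sys
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Heuristic: a name that is nothing but six or more hex digits carries no
# vendor naming at all. Real drivers almost never look like that; malware
# that drops a freshly named driver on each run frequently does.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "service" or "created"
    name: str    # service name or file base name
    path: str    # file path as reported by DDS
    reason: str  # why it was flagged


def _base_name(path: str) -> str:
    """Return the file name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_services(lines: List[str]) -> List[Finding]:
    """Flag suspicious entries in the SERVICES / DRIVERS section."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest")
        # The path is everything before the "-->" note or the "[...]" stamp.
        path = rest.split(" --> ")[0].split(" [")[0].strip()
        reasons = []
        if HEX_NAME_RE.match(name):
            reasons.append("service name is only hex digits")
        if rest.rstrip().endswith("[?]"):
            reasons.append("driver file not found on disk")
        if reasons:
            findings.append(Finding("service", name, path, "; ".join(reasons)))
    return findings


def triage_created(lines: List[str]) -> List[Finding]:
    """Flag newly created drivers with hex-only names in Created Last 30."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        is_driver = low.endswith(".sys") and "\\drivers\\" in low
        if is_driver and HEX_NAME_RE.match(_base_name(path)):
            findings.append(Finding("created", _base_name(path), path,
                                    "new driver with hex-only name"))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run both checks over a pasted DDS log (or any excerpt of it)."""
    lines = text.splitlines()
    return triage_services(lines) + triage_created(lines)


# Sample input: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 26945a9;26945a9;c:\windows\system32\drivers\26945a9.sys --> c:\windows\system32\drivers\26945a9.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
2009-06-30 11:35 <DIR> --d----- C:\_OTM
2009-06-30 07:57 93,056 a------- c:\windows\system32\drivers\c25a0d6c.sys
2009-06-27 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 12:51 1,845,632 a------- c:\windows\system32\win32k.sys
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.reason} ({f.path})")
```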

#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 June 2009 - 12:31 PM

Hello.

Please update java and run an online scan.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Take a new DDS run and post back with both logs as well.

~EB

#11 huntforfood
  • Topic Starter
  • Members
  • 13 posts

Posted 30 June 2009 - 02:45 PM

Was unable to do the Kaspersky scan, since I was not able to connect to the internet after going through the Java uninstall and install process, even though it connected to the internet when I was downloading Java. I have tried rebooting a few times and disabled all the virus protection and spyware programs; still no go.

DDS log is below. I will wait for instructions. Thanks again.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Ash at 14:38:25.51 on Tue 06/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1605 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\killad\killad.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\BitLord\BitLord.exe
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ash\startm~1\programs\startup\killad.lnk - c:\program files\killad\killad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thepro~1.lnk - c:\program files\proxomitron naoko-4\Proxomitron.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bananarepublic.com\www
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-6-13 42112]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-24 114464]

=============== Created Last 30 ================

2009-06-30 14:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-30 14:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-30 11:35 <DIR> --d----- C:\_OTM
2009-06-30 07:57 93,056 a------- c:\windows\system32\drivers\c25a0d6c.sys
2009-06-29 19:18 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-29 19:13 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-06-29 19:13 50,176 a------- c:\windows\system32\proquota.exe
2009-06-29 19:10 <DIR> a-dshr-- C:\cmdcons
2009-06-29 19:08 161,792 a------- c:\windows\SWREG.exe
2009-06-29 19:08 155,136 a------- c:\windows\PEV.exe
2009-06-29 19:08 98,816 a------- c:\windows\sed.exe
2009-06-29 09:53 577,024 ac------ c:\windows\system32\dllcache\user32.dll
2009-06-27 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 12:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 12:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-27 10:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\ash\applic~1\SUPERAntiSpyware.com
2009-06-26 12:51 1,845,632 a------- c:\windows\system32\win32k.sys
2009-06-25 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-24 11:51 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-06-24 11:51 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-22 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-21 11:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-19 11:25 <DIR> --d----- c:\program files\Exterminate It!
2009-06-17 15:01 10,843 a--s---- c:\windows\system32\oem47.CAT
2009-06-17 15:01 <DIR> --d----- C:\Swsetup
2009-06-14 09:55 <DIR> --d----- c:\windows\DLL
2009-06-14 09:55 108,336 a------- c:\windows\system32\MSWINSCK.OCX

==================== Find3M ====================


============= FINISH: 14:38:43.48 ===============
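An added example (not part of this thread, and not code from DDS or BleepingComputer): a small Python script that parses the text sections of a DDS log like the one above and pulls out the items a malware responder would check first. Two things in this log stand out. The Pseudo HJT Report line `uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080` routes the browser's HTTP and HTTPS traffic through a proxy on the local machine, which would explain browsers failing while a download client that does not honour the WinINET proxy setting keeps working. The Created Last 30 section lists a driver with an eight-hex-character name (c:\windows\system32\drivers\c25a0d6c.sys) and a recently written win32k.sys, the same file ESET reported on. Proxomitron, present in the All Users startup folder, is a local filtering proxy that listens on localhost port 8080 by default, so the proxy entry may well be legitimate; the script only flags these items for review and reaches no verdict. The sample input is a trimmed copy of the posted log, the section titles follow the DDS format shown above, and the heuristics (localhost proxy, hex-named driver, core system file in Created Last 30) are this example's own assumptions.

```python
"""Parse the text sections of a DDS log and flag items worth a second look.

Added example, not part of the BleepingComputer thread or of DDS itself.
The sample below is a trimmed copy of the log posted in the thread; the
heuristics (localhost proxy, recently created driver with a hex-looking
name, core system file created within the last 30 days) are this example's
own assumptions about what an analyst wants highlighted, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample input: trimmed copy of the DDS log posted in the thread.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
StartupFolder: c:\\docume~1\\alluse~1\\startm~1\\programs\\startup\\thepro~1.lnk - c:\\program files\\proxomitron naoko-4\\Proxomitron.exe

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\\windows\\system32\\drivers\\epfwtdir.sys [2008-7-1 34312]

=============== Created Last 30 ================

2009-06-30 07:57 93,056 a------- c:\\windows\\system32\\drivers\\c25a0d6c.sys
2009-06-26 12:51 1,845,632 a------- c:\\windows\\system32\\win32k.sys
2009-06-27 12:12 19,096 a------- c:\\windows\\system32\\drivers\\mbam.sys

==================== Find3M ====================
"""

# DDS separates sections with lines of '=' around a title.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: date, time, size or <DIR>, attribute flags, path.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Drivers whose basename is 8 hex characters resemble auto-generated names.
HEX_DRIVER_RE = re.compile(r"\\drivers\\[0-9a-f]{8}\.sys$", re.I)
# Core files that rarely change outside Windows Update (assumed list).
CORE_FILES = {"win32k.sys", "user32.dll", "ntoskrnl.exe", "kernel32.dll"}


def parse_sections(text):
    """Return {section title: [non-empty lines]} for a DDS log."""
    sections = defaultdict(list)
    current = "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def proxy_setting(sections):
    """Return the ProxyServer value from the Pseudo HJT Report, or None."""
    for line in sections.get("Pseudo HJT Report", []):
        key, _, value = line.partition(" = ")
        if key.endswith("Internet Settings,ProxyServer"):
            return value.strip()
    return None


def local_proxy_ports(value):
    """Ports in a ProxyServer value whose host is localhost or 127.0.0.1."""
    ports = set()
    for entry in (value or "").split(";"):
        _, _, hostport = entry.partition("=")   # "http=host:port" -> "host:port"
        host, _, port = hostport.rpartition(":")
        if host.lower() in ("localhost", "127.0.0.1") and port.isdigit():
            ports.add(int(port))
    return sorted(ports)


def created_entries(sections):
    """Parse the 'Created Last 30' section into dicts (date, time, size, attrs, path)."""
    out = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def flags(text):
    """Heuristic findings for an analyst to review, as a list of strings."""
    sections = parse_sections(text)
    found = []
    ports = local_proxy_ports(proxy_setting(sections))
    if ports:
        found.append(f"browser proxy points at localhost port(s) {ports}")
    for e in created_entries(sections):
        path = e["path"]
        if HEX_DRIVER_RE.search(path):
            found.append(f"hex-named driver created {e['date']}: {path}")
        if path.rsplit("\\", 1)[-1].lower() in CORE_FILES:
            found.append(f"core system file created {e['date']}: {path}")
    return found


if __name__ == "__main__":
    for finding in flags(SAMPLE_DDS):
        print(finding)
```

Run it as-is to print the findings for the sample; for a real log, read the file and pass its text to flags(). On the affected XP machine, `netstat -ano | findstr :8080` shows whether anything is listening on that port and which PID owns it, which tells you whether the proxy entry points at Proxomitron or at something else; temporarily clearing the proxy in Internet Options > Connections > LAN settings is the quickest way to test whether that setting alone is what blocks the browsers.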

#12 extremeboy (Malware Response Team, 12,975 posts)

Posted 30 June 2009 - 06:50 PM

Hello.

Please run ESET online scan then.

Run online scan with ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Post a new set of DDS log afterwards.

With Regards,
Extremeboy

#13 huntforfood (Topic Starter, Members, 13 posts)

Posted 01 July 2009 - 11:09 AM

Sorry, I tried everything but it just won't let me connect to the internet, hence I cannot do an online scan.

The internet connection is OK, as I have this 2nd computer on the same line and it connects fine.

Thanks again.

#14 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 July 2009 - 11:31 AM

Hello.

Please take a new DDS log.

With Regards,
Extremeboy

#15 huntforfood (Topic Starter, Members, 13 posts)

Posted 01 July 2009 - 11:53 AM

There goes.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Ash at 11:48:49.98 on Wed 07/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1581 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\killad\killad.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ash\startm~1\programs\startup\killad.lnk - c:\program files\killad\killad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thepro~1.lnk - c:\program files\proxomitron naoko-4\Proxomitron.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bananarepublic.com\www
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-8-8 241664]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-6-13 42112]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-24 114464]

=============== Created Last 30 ================

2009-06-30 14:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-30 14:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-30 11:35 <DIR> --d----- C:\_OTM
2009-06-29 19:18 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-29 19:13 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-06-29 19:13 50,176 a------- c:\windows\system32\proquota.exe
2009-06-29 19:10 <DIR> a-dshr-- C:\cmdcons
2009-06-29 19:08 161,792 a------- c:\windows\SWREG.exe
2009-06-29 19:08 155,136 a------- c:\windows\PEV.exe
2009-06-29 19:08 98,816 a------- c:\windows\sed.exe
2009-06-29 09:53 577,024 ac------ c:\windows\system32\dllcache\user32.dll
2009-06-27 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 12:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 12:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-27 10:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-27 10:59 <DIR> --d----- c:\docume~1\ash\applic~1\SUPERAntiSpyware.com
2009-06-26 12:51 1,845,632 a------- c:\windows\system32\win32k.sys
2009-06-25 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-24 11:51 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-06-24 11:51 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-22 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-21 11:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-19 11:25 <DIR> --d----- c:\program files\Exterminate It!
2009-06-17 15:01 10,843 a--s---- c:\windows\system32\oem47.CAT
2009-06-17 15:01 <DIR> --d----- C:\Swsetup
2009-06-14 09:55 <DIR> --d----- c:\windows\DLL
2009-06-14 09:55 108,336 a------- c:\windows\system32\MSWINSCK.OCX

==================== Find3M ====================


============= FINISH: 11:49:07.67 ===============



