
Google/Yahoo Results Hijacked


This topic is locked
11 replies to this topic

#1 FinalParagon


Posted 24 June 2009 - 04:35 PM

I seem to have contracted one of those things that causes search results on Google and Yahoo to get redirected elsewhere (A couple of the sites I've been redirected to recently have been: advertisingspaces.net, vitotech.com, watchamovieforfree.com. More often than not, these redirect again to another site, but I've gotten into the habit of halting the page loading before it gets to that point). Copy/pasting the link addresses from a search works fine, and this doesn't happen all the time when clicking a link, only about half, and usually not the first time I click a link in any given search.

This has been happening with both Google and Yahoo in IE, Firefox and Opera. Scans using AVG, Malwarebytes' Anti-Malware, Spybot, ActiveScan and SUPERAntiSpyware have all run to completion but even when they did manage to find things, they failed to solve the problem, although ActiveScan seemed intent on scanning my DVD drive rather than my hard drive, so I'm not sure that one helped much. I've tried clearing my cookies and temp files, and tried a couple of fixes suggested to people who've had similar problems (SmitfraudFix and SDFix), but haven't noticed any real change, for better or for worse.

This only seems to be affecting those two websites; I haven't noticed any dip in computer performance or had any other clear security issues, but I'd like to resolve this in the event that it gets worse, or if it affects something more security-critical that I just haven't done yet.

So then: DDS report appended, and the other file it generated is attached. Thanks in advance for your help.
--------------------


DDS (Ver_09-05-14.01) - NTFSx86
Run by Troy Mabry at 16:48:45.50 on Wed 06/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.907 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Troy Mabry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.umbc.edu/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-24 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2007-6-19 966784]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2005-6-27 72576]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 npkycryp;npkycryp;\??\c:\program files\gravity\ragnarokonline\npkycryp.sys --> c:\program files\gravity\ragnarokonline\npkycryp.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-06-24 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-24 15:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-24 15:12 <DIR> --d----- c:\docume~1\troyma~1\applic~1\SUPERAntiSpyware.com
2009-06-24 14:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-24 14:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-24 14:07 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-24 14:07 <DIR> --d----- c:\program files\Panda Security
2009-06-24 13:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-24 02:49 <DIR> --d----- c:\windows\ERUNT
2009-06-24 02:43 <DIR> --d----- C:\SDFix
2009-06-24 01:55 <DIR> --d----- c:\program files\CleanUp!
2009-06-24 01:54 3,628 a------- c:\windows\system32\tmp.reg
2009-06-24 01:44 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 23:56 <DIR> --d----- c:\docume~1\troyma~1\applic~1\Malwarebytes
2009-06-23 23:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 23:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 23:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 23:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-17 02:35 0 a------- c:\windows\ativpsrm.bin
2009-06-17 02:21 <DIR> --d----- c:\program files\ATI
2009-06-17 02:19 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-06-17 02:19 <DIR> --d----- C:\ATI
2009-06-17 02:10 <DIR> --d----- c:\windows\Logs
2009-06-16 20:59 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-07 17:15 <DIR> --d----- c:\program files\NetSeal
2009-06-07 17:15 <DIR> --d----- C:\netseal
2009-06-05 22:30 2 a------- c:\windows\msoffice.ini
2009-06-05 22:05 <DIR> --d----- c:\windows\pss
2009-06-02 16:34 <DIR> --d----- C:\zplus
2009-05-31 20:03 <DIR> --d----- c:\program files\Magic Workstation
2009-05-27 16:57 <DIR> --d----- C:\ADOM
2009-05-27 14:20 <DIR> --d----- c:\program files\MAngband Server
2009-05-27 13:59 <DIR> --d----- c:\program files\MAngband

==================== Find3M ====================

2009-06-22 02:28 46,512 a------- c:\docume~1\troyma~1\applic~1\wklnhst.dat
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-05-02 13:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 13:09 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 13:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:26 583,168 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-12 20:11 876 a------- c:\documents and settings\troy mabry\2008-md-election.dat
2009-03-12 20:11 1,702 a------- c:\documents and settings\troy mabry\2008-us-election.dat
2009-03-12 20:11 1,396 a------- c:\documents and settings\troy mabry\usa-1024px.dat
2009-03-12 18:31 908 a------- c:\documents and settings\troy mabry\2004-md-election.dat
2009-03-12 18:30 897 a------- c:\documents and settings\troy mabry\md-1024px.dat
2008-10-01 18:48 157,016 a------- c:\docume~1\troyma~1\applic~1\GDIPFONTCACHEV1.DAT
2008-02-19 01:58 5,586 a------- c:\program files\install.log
2006-06-21 23:38 32 a----r-- c:\documents and settings\all users\hash.dat
2008-01-31 23:33 56 ---shr-- c:\windows\system32\02DF03F588.sys
2007-06-16 17:54 23 a--sh--- c:\windows\system32\cbaadd4_r.dll
2005-06-22 02:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2009-01-27 20:30 1,838 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:50:43.10 ===============


#2 Elise


Posted 28 June 2009 - 02:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


#3 FinalParagon


Posted 28 June 2009 - 01:16 PM

The situation is, by all available evidence, the same as in my first post, but I'll re-summarize just to be sure:

Google and Yahoo seem to be redirecting me to a number of different sites when I click on links provided in search results. I've seen about ten different sites show up, with nothing really in common with the URLs except that they all have something similar to what I searched for in the query string. This has occurred in Opera, IE and Firefox. In all three cases, it doesn't always happen, usually only after the second or third link I click in a particular search. Copy/pasting URLs from search results works fine.

Since my first post, I haven't made any real effort to fix the problem beyond performing a few virus scans with programs I'd already tried. I've also avoided testing the problem, except just now to confirm that it is still there.

Thanks again for your help!

DDS Report :

------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Troy Mabry at 14:06:20.89 on Sun 06/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.758 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\Troy Mabry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.umbc.edu/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troyma~1\applic~1\mozilla\firefox\profiles\9hs7c8z8.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-24 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2007-6-19 966784]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 npkycryp;npkycryp;\??\c:\program files\gravity\ragnarokonline\npkycryp.sys --> c:\program files\gravity\ragnarokonline\npkycryp.sys [?]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2005-6-27 72576]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-06-24 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-24 15:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-24 15:12 <DIR> --d----- c:\docume~1\troyma~1\applic~1\SUPERAntiSpyware.com
2009-06-24 14:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-24 14:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-24 14:07 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-24 14:07 <DIR> --d----- c:\program files\Panda Security
2009-06-24 13:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-24 02:49 <DIR> --d----- c:\windows\ERUNT
2009-06-24 02:43 <DIR> --d----- C:\SDFix
2009-06-24 01:55 <DIR> --d----- c:\program files\CleanUp!
2009-06-24 01:54 3,628 a------- c:\windows\system32\tmp.reg
2009-06-24 01:44 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 23:56 <DIR> --d----- c:\docume~1\troyma~1\applic~1\Malwarebytes
2009-06-23 23:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 23:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 23:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 23:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-17 02:35 0 a------- c:\windows\ativpsrm.bin
2009-06-17 02:21 <DIR> --d----- c:\program files\ATI
2009-06-17 02:19 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-06-17 02:19 <DIR> --d----- C:\ATI
2009-06-17 02:10 <DIR> --d----- c:\windows\Logs
2009-06-16 20:59 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-07 17:15 <DIR> --d----- c:\program files\NetSeal
2009-06-07 17:15 <DIR> --d----- C:\netseal
2009-06-05 22:30 2 a------- c:\windows\msoffice.ini
2009-06-05 22:05 <DIR> --d----- c:\windows\pss
2009-06-02 16:34 <DIR> --d----- C:\zplus
2009-05-31 20:03 <DIR> --d----- c:\program files\Magic Workstation

==================== Find3M ====================

2009-06-25 18:02 46,512 a------- c:\docume~1\troyma~1\applic~1\wklnhst.dat
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-05-02 13:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:26 583,168 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-12 20:11 876 a------- c:\documents and settings\troy mabry\2008-md-election.dat
2009-03-12 20:11 1,702 a------- c:\documents and settings\troy mabry\2008-us-election.dat
2009-03-12 20:11 1,396 a------- c:\documents and settings\troy mabry\usa-1024px.dat
2009-03-12 18:31 908 a------- c:\documents and settings\troy mabry\2004-md-election.dat
2009-03-12 18:30 897 a------- c:\documents and settings\troy mabry\md-1024px.dat
2008-10-01 18:48 157,016 a------- c:\docume~1\troyma~1\applic~1\GDIPFONTCACHEV1.DAT
2008-02-19 01:58 5,586 a------- c:\program files\install.log
2006-06-21 23:38 32 a----r-- c:\documents and settings\all users\hash.dat
2008-01-31 23:33 56 ---shr-- c:\windows\system32\02DF03F588.sys
2007-06-16 17:54 23 a--sh--- c:\windows\system32\cbaadd4_r.dll
2005-06-22 02:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2009-01-27 20:30 1,838 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:08:25.84 ===============
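The two DDS logs in this thread are read by hand, which is how the helpers here work. As an added example for this page (not a tool from the thread, from DDS or from BleepingComputer), the Python script below parses the DDS log format and pulls out the entry classes an analyst typically checks first: files under system32 carrying both the hidden and system attributes, browser add-ons DDS reports as "No File", and services or drivers whose entry ends in "[?]" or "[x]" instead of a date/size stamp. The heuristics and the embedded excerpt (a handful of lines copied from the second log above) are the example's own. A flag means "identify this", not "malicious": hidden+system files in system32 are frequently legitimate (software licensing components are one common source), and a toolbar entry with no file is often just a leftover from an uninstall.

```python
"""Triage helper for the DDS log format posted in this thread.

Added example for this page; it is not a tool from the thread, from DDS or
from BleepingComputer. It does not decide what is malicious. It pulls out the
entries an analyst reads first when chasing a search-redirect complaint:

  * files under system32 carrying both the hidden and system attributes
    (DDS prints attributes as an 8-character field such as 'a--sh---');
  * browser add-ons (TB:/BHO:/EB:) whose file DDS reports as 'No File';
  * services/drivers whose entry ends in '[?]' or '[x]' instead of a
    '[date size]' stamp, i.e. DDS could not stamp the binary.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Section banner, e.g. "==================== Find3M ===================="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# File lines in "Created Last 30" / "Find3M":
#   2009-01-27 20:30 1,838 a--sh--- c:\windows\system32\KGyGaAvL.sys
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Service/driver lines: "<state> <name>;<description>;<image> [stamp]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")


@dataclass
class Finding:
    section: str   # DDS section the line came from
    kind: str      # one of the three heuristics below
    detail: str    # path, add-on id or service name
    line: str      # the raw log line, for the report


def iter_lines(text):
    """Yield (section_name, stripped_line) for each non-empty line, tracking banners."""
    section = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        yield section, line


def triage(text):
    """Return the list of Finding objects for a DDS log, in log order."""
    findings = []
    for section, line in iter_lines(text):
        m = FILE_RE.match(line)
        if m:
            attrs = m.group("attrs")
            path = m.group("path").lower()
            # hidden (h) and system (s) together, inside system32, is worth a look
            if "h" in attrs and "s" in attrs and "\\system32\\" in path:
                findings.append(Finding(section, "hidden_system_file", path, line))
            continue
        if line.startswith(("TB:", "BHO:", "EB:")) and line.endswith("- No File"):
            findings.append(Finding(section, "addon_missing_file", line.split(" - ")[0], line))
            continue
        m = SVC_RE.match(line)
        if m and m.group("rest").rstrip().endswith(("[?]", "[x]")):
            findings.append(Finding(section, "service_unverified", m.group("name"), line))
    return findings


def summarize(findings):
    """Count findings per heuristic; handy as the first line of a reply."""
    return dict(Counter(f.kind for f in findings))


# Constructed excerpt: a handful of lines copied from the second log in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-24 28544]
S1 ShldDrv;Panda File Shield Driver; [x]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

==================== Find3M ====================

2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2008-01-31 23:33 56 ---shr-- c:\windows\system32\02DF03F588.sys
2007-06-16 17:54 23 a--sh--- c:\windows\system32\cbaadd4_r.dll
2009-01-27 20:30 1,838 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.kind}: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full log saved from DDS (`triage(open("dds.txt").read())`) and you get the same six-line shortlist this excerpt produces, in log order, with the originating section attached so each item can be quoted back to the poster. Everything the script flags still has to be identified by hand; it only shortens the part of the log you have to stare at.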


#4 PropagandaPanda


Posted 29 June 2009 - 01:31 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

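The procedure above ends with posting the ComboFix log for someone else to read. The script below is an added example (my code, not ComboFix's, GMER's or the forum helper's) of how to triage such a log mechanically before a human looks at it: it splits the log at its section banners, groups deleted files and services that share a fixed prefix followed by eight random lower-case letters (one infection dropping a whole family of files, which is the naming pattern of the SKYNET* entries in the log posted later in this thread), lists hidden+system files under system32 from the Find3M report for manual review, and flags a disabled Windows Firewall standard profile. The sample input is a constructed excerpt in the ComboFix layout whose names mirror that later log; the section titles and line formats are ComboFix's, while the function names and the eight-letter heuristic are my assumptions.

```python
"""Triage a pasted ComboFix log. Added example, not ComboFix's own code."""
import re
from collections import defaultdict

# Constructed excerpt in the ComboFix log layout. The names mirror entries from the
# log posted later in this thread, but the excerpt is not that log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\desktop.ini
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\SKYNETmxlnoody.sys
c:\windows\system32\SKYNETlwoumvqr.dat
c:\windows\system32\SKYNETqjmxgbao.dll
c:\windows\system32\SKYNETreigcduj.dll
c:\windows\system32\SKYNETycjhnvyb.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETelwtayhl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 19:06 . 2008-02-09 19:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-04-29 04:56 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2008-02-01 03:33 . 2007-01-25 04:53 56 --sh--r- c:\windows\SYSTEM32\02DF03F588.sys
2009-01-28 00:30 . 2007-01-25 04:53 1838 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")      # "(((( Title ))))" banner
FAMILY_RE = re.compile(r"^([A-Z]{3,})([a-z]{8})$")         # fixed tag + 8 random letters (assumed)
FIND3M_RE = re.compile(                                    # "mtime . ctime size attrs path"
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+(\S{8})\s+(.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def split_sections(text):
    """Map each banner title to the non-empty, non-'.' lines beneath it."""
    sections, current = defaultdict(list), "Header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def family_prefix(name):
    """Prefix of a PREFIXxxxxxxxx name, else None."""
    m = FAMILY_RE.match(name)
    return m.group(1) if m else None


def triage(text):
    """Summarise deleted-file families, other deletions, hidden system32 files, firewall state."""
    sections = split_sections(text)
    families = defaultdict(lambda: {"files": [], "services": []})
    other = []
    for path in sections["Other Deletions"]:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        prefix = family_prefix(stem)
        (families[prefix]["files"] if prefix else other).append(path)
    for line in sections["Drivers/Services"]:
        m = re.search(r"\\Service_(\S+)$", line)   # removed services log as -------\Service_<name>
        if m and family_prefix(m.group(1)):
            families[family_prefix(m.group(1))]["services"].append(m.group(1))
    hidden = []
    for line in sections["Find3M Report"]:
        m = FIND3M_RE.match(line)
        # attrs field carries 's' (system) and 'h' (hidden); such files under system32 get a second look
        if m and "s" in m.group(1) and "h" in m.group(1) and "\\system32\\" in m.group(2).lower():
            hidden.append(m.group(2))
    firewall_off = any(FIREWALL_RE.match(l) for l in sections["Reg Loading Points"])
    return {"families": dict(families), "other_deletions": other,
            "hidden_system32": hidden, "firewall_disabled": firewall_off}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the excerpt, or pass the text of a real log to triage(). The hidden-system32 list is a review list rather than a verdict: some hidden+system files in that directory are legitimate (copy-protection licence files are a common case), so the script reports them and leaves the judgement to the person reading the log.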
#5 FinalParagon

FinalParagon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:55 PM

Posted 29 June 2009 - 09:11 PM

I ran both; however, when the GMER scan ran to completion, for some reason the Scan, Copy and Save buttons all disappeared, leaving only the OK and Cancel ones. I have no idea why this happened, only that it did, and this was after a nearly six-hour scan, almost all of which was through the files. I ran another scan with the files portion unselected just so I could have a log to work with.

For whatever it's worth, nothing showed up in the left field of the window during the entire original scan when it went through the files anyway; everything that appeared showed up in the registry scan or earlier. I intend to run a full scan again tonight and hopefully have a log with the files portion in there as well tomorrow, should that be necessary. If this is enough information to work with, though, here are both logs. I also attached them, in case they'd be easier to parse that way.

COMBOFIX LOG
------------------

ComboFix 09-06-29.01 - Troy Mabry 06/29/2009 15:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1010 [GMT -4:00]
Running from: c:\documents and settings\Troy Mabry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\program files\INSTALL.LOG
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\SKYNETmxlnoody.sys
c:\windows\system32\SKYNETlwoumvqr.dat
c:\windows\system32\SKYNETqjmxgbao.dll
c:\windows\system32\SKYNETreigcduj.dll
c:\windows\system32\SKYNETycjhnvyb.dat
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETelwtayhl


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-24 19:13 . 2009-06-29 05:17 117760 ----a-w- c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com
2009-06-24 18:46 . 2009-06-24 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 18:46 . 2009-06-24 18:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-24 18:07 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-24 18:07 . 2009-06-24 18:07 -------- d-----w- c:\program files\Panda Security
2009-06-24 17:57 . 2009-06-24 17:57 -------- d-----w- c:\program files\Trend Micro
2009-06-24 06:49 . 2009-06-24 06:49 -------- d-----w- c:\windows\ERUNT
2009-06-24 06:43 . 2009-06-24 07:45 -------- d-----w- C:\SDFix
2009-06-24 05:55 . 2009-06-24 06:17 -------- d-----w- c:\program files\CleanUp!
2009-06-24 05:38 . 2009-06-24 05:38 40 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E9C5FD6529363D643B6692B7411EADFA.dll
2009-06-24 05:38 . 2009-06-24 05:38 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E01DD27603E8E23459CE0A95D59AC45A.dll
2009-06-24 05:38 . 2009-06-24 05:38 193 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AC7F955943E573242A9D8D6564A47D72.dll
2009-06-24 05:38 . 2009-06-24 05:38 74 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_70D17E3E72DCBC644884614DBF92AA31.dll
2009-06-24 05:38 . 2009-06-24 05:38 75 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F2004B65C1764F9489C47C06EF83605B.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F5F63727D025A27488CCB72078F23DE4.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F0410D6AF26EE1D94280C9FF19FFF68C.dll
2009-06-24 05:38 . 2009-06-24 05:38 55 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EE811DE4C58781CCD5E25DACB4AA300F.dll
2009-06-24 05:38 . 2009-06-24 05:38 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDA39468D428E8B4DB27C8D5DC5CA217.dll
2009-06-24 05:38 . 2009-06-24 05:38 60 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D71DC0C260B0007438AF37448B860B2A.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D7314F9862C648A4DB8BE2A5B47BE100.dll
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\Malwarebytes
2009-06-24 03:56 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-24 03:56 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 03:53 . 2009-06-24 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-24 03:52 . 2009-06-24 03:52 -------- d-----w- c:\program files\SpywareBlaster
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\Troy Mabry\Local Settings\Application Data\ATI
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\ATI
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-17 06:35 . 2009-06-17 06:35 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-17 06:21 . 2009-06-17 06:21 -------- d-----w- c:\program files\ATI
2009-06-17 06:19 . 2009-02-25 19:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-17 06:19 . 2009-06-17 06:19 -------- d-----w- C:\ATI
2009-06-17 06:10 . 2009-06-17 06:10 -------- d-----w- c:\windows\Logs
2009-06-17 00:59 . 2009-06-17 00:59 10134 ----a-r- c:\documents and settings\Troy Mabry\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-17 00:59 . 2009-06-17 00:59 -------- d-----w- c:\program files\Microsoft WSE
2009-06-07 21:15 . 2009-06-07 21:15 -------- d-----w- c:\program files\NetSeal
2009-06-07 21:15 . 2009-06-07 21:15 -------- d-----w- C:\netseal
2009-06-02 20:34 . 2009-06-02 20:34 -------- d-----w- C:\zplus
2009-06-01 00:03 . 2009-06-01 00:12 -------- d-----w- c:\program files\Magic Workstation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 19:06 . 2008-02-09 19:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-06-29 19:06 . 2008-02-07 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-06-25 22:02 . 2005-06-28 00:27 46512 ----a-w- c:\documents and settings\Troy Mabry\Application Data\wklnhst.dat
2009-06-24 19:12 . 2007-11-07 00:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 05:38 . 2006-01-04 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-24 05:38 . 2009-06-24 05:37 170 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D64F86DB28A84664E8868FC755DBFE4D.dll
2009-06-23 07:14 . 2007-09-27 19:33 1878984 ----a-w- c:\documents and settings\Troy Mabry\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-17 06:21 . 2005-06-23 00:43 -------- d-----w- c:\program files\ATI Technologies
2009-06-17 06:20 . 2005-06-23 00:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 00:12 . 2007-08-18 22:30 -------- d-----w- c:\program files\Electronic Arts
2009-06-06 23:56 . 2007-05-25 22:16 -------- d-----w- c:\program files\Warcraft III
2009-06-06 02:35 . 2007-08-09 00:23 -------- d-----w- c:\program files\nbos
2009-06-06 02:32 . 2005-07-22 15:06 -------- d-----w- c:\program files\Activision Value
2009-06-06 02:30 . 2005-06-23 00:49 -------- d-----w- c:\program files\Common Files\AOL
2009-06-06 02:30 . 2005-06-23 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-27 18:20 . 2009-05-27 18:20 -------- d-----w- c:\program files\MAngband Server
2009-05-27 17:59 . 2009-05-27 17:59 -------- d-----w- c:\program files\MAngband
2009-05-24 01:54 . 2008-09-05 18:27 -------- d-----w- c:\program files\EnchantRO
2009-05-24 01:20 . 2006-02-12 19:17 -------- d-----w- c:\program files\EtherealRO
2009-05-23 21:27 . 2005-07-27 19:56 -------- d-----w- c:\program files\DOSBox-0.63
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:40 . 2009-05-06 18:50 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2009-05-02 17:09 . 2008-05-23 22:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 10:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 10:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2008-02-01 03:33 . 2007-01-25 04:53 56 --sh--r- c:\windows\SYSTEM32\02DF03F588.sys
2007-06-16 21:54 . 2007-06-16 21:54 23 --sha-w- c:\windows\SYSTEM32\cbaadd4_r.dll
2005-06-22 06:37 . 2006-05-24 18:37 45568 --sha-r- c:\windows\SYSTEM32\cygz.dll
2009-01-28 00:30 . 2007-01-25 04:53 1838 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 219008]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [1999-06-25 1948440]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-2-19 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
1999-06-25 05:03 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"c:\\Program Files\\bleepbleepbleep\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [6/24/2009 2:07 PM 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2008 6:39 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2008 6:39 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 4:54 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 4:54 PM 298776]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\SYSTEM32\DRIVERS\sxgxgwdm.sys [6/19/2007 8:19 PM 966784]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [6/27/2005 2:08 PM 72576]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 npkycryp;npkycryp;\??\c:\program files\Gravity\RagnarokOnline\npkycryp.sys --> c:\program files\Gravity\RagnarokOnline\npkycryp.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.umbc.edu/
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Troy Mabry\Application Data\Mozilla\Firefox\Profiles\9hs7c8z8.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ *}*`*]
"SoundSelect"=dword:00000000
"FullTimeMenu"=dword:00000001
"FontSize"=dword:00000010
"PlayCount"=dword:00000001

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ *}*`*\GlobalName]
"Name0"="’ŽŠ"
"Name1"="^“"
"Name2"=""

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ *}*`*\SystemFlag]
"S000"=dword:00000000
"S001"=dword:00000000
"S002"=dword:00000000
"S003"=dword:00000000
"S004"=dword:00000000
"S005"=dword:00000000
"S006"=dword:00000000
"S007"=dword:00000000
"S008"=dword:00000000
"S009"=dword:00000000
"S010"=dword:00000000
"S011"=dword:00000000
"S012"=dword:00000000
"S013"=dword:00000000
"S014"=dword:00000000
"S015"=dword:00000000
"S016"=dword:00000000
"S017"=dword:00000000
"S018"=dword:00000000
"S019"=dword:00000000
"S020"=dword:00000000
"S021"=dword:00000000
"S022"=dword:00000000
"S023"=dword:00000000
"S024"=dword:00000001
"S025"=dword:00000001
"S026"=dword:00000001
"S027"=dword:00000001
"S028"=dword:00000001
"S029"=dword:00000001
"S030"=dword:00000001
"S031"=dword:00000001
"S032"=dword:00000001
"S033"=dword:00000001
"S034"=dword:00000001
"S035"=dword:00000000
"S036"=dword:00000001
"S037"=dword:00000001
"S038"=dword:00000001
"S039"=dword:00000001
"S040"=dword:00000001
"S041"=dword:00000001
"S042"=dword:00000001
"S043"=dword:00000001
"S044"=dword:00000001
"S045"=dword:00000000
"S046"=dword:00000001
"S047"=dword:00000001
"S048"=dword:00000001
"S049"=dword:00000001
"S050"=dword:00000001
"S051"=dword:00000001
"S052"=dword:00000001
"S053"=dword:00000001
"S054"=dword:00000001
"S055"=dword:00000001
"S056"=dword:00000001
"S057"=dword:00000001
"S058"=dword:00000001
"S059"=dword:00000001
"S060"=dword:00000001
"S061"=dword:00000001
"S062"=dword:00000000
"S063"=dword:00000000
"S064"=dword:00000000
"S065"=dword:00000000
"S066"=dword:00000001
"S067"=dword:00000001
"S068"=dword:00000001
"S069"=dword:00000001
"S070"=dword:00000001
"S071"=dword:00000001
"S072"=dword:00000001
"S073"=dword:00000001
"S074"=dword:00000000
"S075"=dword:00000000
"S076"=dword:00000000
"S077"=dword:00000000
"S078"=dword:00000000
"S079"=dword:00000000
"S080"=dword:00000000
"S081"=dword:00000000
"S082"=dword:00000000
"S083"=dword:00000000
"S084"=dword:00000000
"S085"=dword:00000000
"S086"=dword:00000000
"S087"=dword:00000000
"S088"=dword:00000000
"S089"=dword:00000000
"S090"=dword:00000000
"S091"=dword:00000000
"S092"=dword:00000000
"S093"=dword:00000000
"S094"=dword:00000000
"S095"=dword:00000000
"S096"=dword:00000000
"S097"=dword:00000000
"S098"=dword:00000000
"S099"=dword:00000000
"S100"=dword:00000000
"S101"=dword:00000000
"S102"=dword:00000000
"S103"=dword:00000000
"S104"=dword:00000000
"S105"=dword:00000000
"S106"=dword:00000000
"S107"=dword:00000000
"S108"=dword:00000000
"S109"=dword:00000000
"S110"=dword:00000000
"S111"=dword:00000000
"S112"=dword:00000000
"S113"=dword:00000000
"S114"=dword:00000000
"S115"=dword:00000000
"S116"=dword:00000000
"S117"=dword:00000000
"S118"=dword:00000000
"S119"=dword:00000000
"S120"=dword:00000000
"S121"=dword:00000000
"S122"=dword:00000000
"S123"=dword:00000000
"S124"=dword:00000000
"S125"=dword:00000000
"S126"=dword:00000000
"S127"=dword:00000000
"S128"=dword:00000000
"S129"=dword:00000000
"S130"=dword:00000000
"S131"=dword:00000000
"S132"=dword:00000000
"S133"=dword:00000000
"S134"=dword:00000000
"S135"=dword:00000000
"S136"=dword:00000000
"S137"=dword:00000000
"S138"=dword:00000000
"S139"=dword:00000000
"S140"=dword:00000000
"S141"=dword:00000000
"S142"=dword:00000000
"S143"=dword:00000000
"S144"=dword:00000000
"S145"=dword:00000000
"S146"=dword:00000000
"S147"=dword:00000000
"S148"=dword:00000000
"S149"=dword:00000000
"S150"=dword:00000000
"S151"=dword:00000000
"S152"=dword:00000000
"S153"=dword:00000000
"S154"=dword:00000000
"S155"=dword:00000000
"S156"=dword:00000000
"S157"=dword:00000000
"S158"=dword:00000000
"S159"=dword:00000000
"S160"=dword:00000000
"S161"=dword:00000000
"S162"=dword:00000000
"S163"=dword:00000000
"S164"=dword:00000000
"S165"=dword:00000000
"S166"=dword:00000000
"S167"=dword:00000000
"S168"=dword:00000000
"S169"=dword:00000000
"S170"=dword:00000000
"S171"=dword:00000000
"S172"=dword:00000000
"S173"=dword:00000000
"S174"=dword:00000000
"S175"=dword:00000000
"S176"=dword:00000000
"S177"=dword:00000000
"S178"=dword:00000000
"S179"=dword:00000000
"S180"=dword:00000000
"S181"=dword:00000000
"S182"=dword:00000000
"S183"=dword:00000000
"S184"=dword:00000000
"S185"=dword:00000000
"S186"=dword:00000000
"S187"=dword:00000000
"S188"=dword:00000000
"S189"=dword:00000000
"S190"=dword:00000000
"S191"=dword:00000000
"S192"=dword:00000000
"S193"=dword:00000000
"S194"=dword:00000000
"S195"=dword:00000000
"S196"=dword:00000000
"S197"=dword:00000000
"S198"=dword:00000000
"S199"=dword:00000000
"S200"=dword:00000000
"S201"=dword:00000000
"S202"=dword:00000000
"S203"=dword:00000000
"S204"=dword:00000000
"S205"=dword:00000000
"S206"=dword:00000000
"S207"=dword:00000000
"S208"=dword:00000000
"S209"=dword:00000000
"S210"=dword:00000000
"S211"=dword:00000000
"S212"=dword:00000000
"S213"=dword:00000000
"S214"=dword:00000000
"S215"=dword:00000000
"S216"=dword:00000000
"S217"=dword:00000000
"S218"=dword:00000000
"S219"=dword:00000000
"S220"=dword:00000000
"S221"=dword:00000000
"S222"=dword:00000000
"S223"=dword:00000000
"S224"=dword:00000000
"S225"=dword:00000000
"S226"=dword:00000000
"S227"=dword:00000000
"S228"=dword:00000000
"S229"=dword:00000000
"S230"=dword:00000000
"S231"=dword:00000000
"S232"=dword:00000000
"S233"=dword:00000000
"S234"=dword:00000000
"S235"=dword:00000000
"S236"=dword:00000000
"S237"=dword:00000000
"S238"=dword:00000000
"S239"=dword:00000000
"S240"=dword:00000000
"S241"=dword:00000000
"S242"=dword:00000000
"S243"=dword:00000000
"S244"=dword:00000000
"S245"=dword:00000000
"S246"=dword:00000000
"S247"=dword:00000000
"S248"=dword:00000000
"S249"=dword:00000000
"S250"=dword:00000000
"S251"=dword:00000000
"S252"=dword:00000000
"S253"=dword:00000000
"S254"=dword:00000000
"S255"=dword:00000001

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,96,93,51,f8,e1,a8,9a,79,30,cd,b7,e5,df,d6,27,34,3a,9c,73,69,29,ed,
90,84,d6,3b,f5,ab,04,a3,06,bb,3d,a0,b6,cb,93,9a,95,d9,0f,ab,da,bf,04,63,e1,\
"??"=hex:4e,5b,94,3c,fd,7c,e9,4e,cd,39,69,eb,e3,76,76,ba
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-29 15:18
ComboFix-quarantined-files.txt 2009-06-29 19:18

Pre-Run: 42,752,196,608 bytes free
Post-Run: 42,740,162,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

521 --- E O F --- 2009-06-19 04:26



--------------------
GMER SCAN LOG
--------------------

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-29 21:51:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]

Code \??\C:\DOCUME~1\TROYMA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B7B6762C 5 Bytes JMP 89DD7770
? System32\Drivers\agvhnsnw.SYS The system cannot find the path specified. !
? C:\DOCUME~1\TROYMA~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device 8A23A1E8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89C011E8
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{54F6A767-520B-4FF8-BA4A-54A7D73CE93E} 8998C790
Device \Driver\usbuhci \Device\USBPDO-0 89D8A1E8
Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A2C91E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A2C91E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A2C91E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A2C91E8
Device \Driver\usbuhci \Device\USBPDO-1 89D8A1E8
Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-2 89D8A1E8
Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-3 89D8A1E8
Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBPDO-4 89D75790
Device \Driver\usbehci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A2571E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A2571E8
Device \Driver\Cdrom \Device\CdRom0 89DC9790
Device \Driver\usbhub \Device\000000b0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\iaStor \Device\Ide\iaStor0 8A2C81E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A2551E8
Device \Driver\atapi \Device\Ide\IdePort0 8A2551E8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8A2C81E8
Device \Driver\Cdrom \Device\CdRom1 89DC9790
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A2571E8
Device \Driver\usbhub \Device\000000b1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\NetBT \Device\NetBt_Wins_Export 8998C790
Device \Driver\NetBT \Device\NetbiosSmb 8998C790
Device \Driver\PCI_NTPNP1154 \Device\00000092 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{40F41678-C819-4BB5-9363-A7CF84D822FD} 8998C790

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 89D8A1E8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{03EF4C7D-295F-4156-8922-178A48B29CEF} 8998C790
Device \Driver\usbuhci \Device\USBFDO-1 89D8A1E8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89068790
Device \Driver\usbuhci \Device\USBFDO-2 89D8A1E8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ad hcmon.sys (VMware USB monitor/VMware, Inc.)
Device 89068790
Device \Driver\usbuhci \Device\USBFDO-3 89D8A1E8
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ae hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 89D75790
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000af hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\FtControl 8A2571E8
Device \Driver\agvhnsnw \Device\Scsi\agvhnsnw1Port2Path0Target0Lun0 89C701E8
Device \Driver\agvhnsnw \Device\Scsi\agvhnsnw1 89C701E8

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device 89BE0790
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:4024] A3853608
Thread System [4:3500] A3852FC2
Thread System [4:3772] A385477C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x32 0xB4 0x4C 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD1 0x12 0x1B 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0x43 0xEC 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x5E 0xE0 0xCD 0xBF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x32 0xB4 0x4C 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD1 0x12 0x1B 0x01 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0x43 0xEC 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x5E 0xE0 0xCD 0xBF ...

---- EOF - GMER 1.0.15 ----

Attached Files



#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 30 June 2009 - 08:47 AM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Driver::
    npkycryp
    PavProc
    ShldDrv
    
    DirLook::
    c:\program files\NetSeal
    
    FileLook::
    c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Tell me how it goes.

With Regards,
The Panda
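As an added check that is not part of the thread or of ComboFix itself: a small Python parser for a CFScript of the shape posted above and for two parts of the log ComboFix writes back, the "-------\Service_<name>" deletion lines and the R0…S4 service lines. It confirms that every Driver:: entry shows up as a removed service and flags service entries whose binary ComboFix marks "[?]". The sample texts are constructed from lines on this page; reading R/S as running/stopped and the digit as the service start type is my assumption, not something the page states.

```python
import re

# Constructed sample: the CFScript as posted in the thread.
CFSCRIPT = """Driver::
npkycryp
PavProc
ShldDrv

DirLook::
c:\\program files\\NetSeal

FileLook::
c:\\documents and settings\\Troy Mabry\\Application Data\\SUPERAntiSpyware.com\\SUPERAntiSpyware\\SDDLLS\\UIREPAIR.DLL
"""

# Constructed sample: the Drivers/Services deletion block of the resulting log.
LOG_DELETIONS = """-------\\Legacy_PAVPROC
-------\\Legacy_SHLDDRV
-------\\Service_npkycryp
-------\\Service_PavProc
-------\\Service_ShldDrv
"""

# Constructed sample: a few R0..S4 service lines in the log's format.
LOG_SERVICES = """R0 pavboot;pavboot;c:\\windows\\SYSTEM32\\DRIVERS\\pavboot.sys [6/24/2009 2:07 PM 28544]
R1 AvgTdiX;AVG8 Network Redirector;c:\\windows\\SYSTEM32\\DRIVERS\\avgtdix.sys [5/23/2008 6:39 PM 108552]
S3 AvFlt;Antivirus Filter Driver;c:\\windows\\system32\\drivers\\av5flt.sys --> c:\\windows\\system32\\drivers\\av5flt.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\\program files\\Microsoft Visual Studio 8\\Common7\\IDE\\Remote Debugger\\x86\\msvsmon.exe [9/23/2005 8:01 AM 2799808]
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; a directive line ends with '::'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def removed_services(log_text):
    """Service names reported as deleted: lines of the form '-------\\Service_<name>'."""
    return {m.group(1) for m in re.finditer(r"^-------\\Service_(\S+)", log_text, re.M)}


def check_driver_removals(cfscript_text, log_text):
    """Return (removed, still_present) for the script's Driver:: entries (case-insensitive)."""
    wanted = parse_cfscript(cfscript_text).get("Driver", [])
    gone = {n.lower() for n in removed_services(log_text)}
    removed = [n for n in wanted if n.lower() in gone]
    remaining = [n for n in wanted if n.lower() not in gone]
    return removed, remaining


# Assumed layout of a service line: <R|S><start> name;display;path[ --> resolved] [info]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?: --> (?P<resolved>.*?))? \[(?P<info>[^\]]*)\]$",
    re.M,
)
# Assumed meaning of the digit (Windows service start types), not stated on the page.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


def parse_services(log_text):
    """Parse R0..S4 lines into dicts; '[?]' means ComboFix could not find the file."""
    out = []
    for m in SERVICE_RE.finditer(log_text):
        out.append({
            "name": m["name"],
            "running": m["state"] == "R",
            "start": START_TYPES.get(m["start"], m["start"]),
            "path": m["path"],
            "file_missing": m["info"] == "?",
        })
    return out


def flag_services(log_text):
    """Names of services whose binary is missing: leftovers worth a second look after cleanup."""
    return [s["name"] for s in parse_services(log_text) if s["file_missing"]]


if __name__ == "__main__":
    print("removed / remaining:", check_driver_removals(CFSCRIPT, LOG_DELETIONS))
    print("services with missing files:", flag_services(LOG_SERVICES))
```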

#7 FinalParagon

  • Topic Starter
  • Members
  • 6 posts

Posted 30 June 2009 - 05:38 PM

Done and done; I'm attaching the ComboFix log in case there's something there you wanted to check.

Testing the problem in Opera and Google, and while I can't be 100% sure it's gone since it didn't happen every time I clicked a link to begin with, I've run two separate searches and clicked about ten links on each, all of which sent me to the URLs they were supposed to. So unless I'm having really strange luck with this, the problem appears to be solved.

If there are any other steps I should take, just let me know. But if that's all, thanks so much for your help!

ComboFix 09-06-29.01 - Troy Mabry 06/30/2009 14:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.921 [GMT -4:00]
Running from: c:\documents and settings\Troy Mabry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Troy Mabry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PAVPROC
-------\Legacy_SHLDDRV
-------\Service_npkycryp
-------\Service_PavProc
-------\Service_ShldDrv


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-24 19:13 . 2009-06-30 18:58 117760 ----a-w- c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-24 19:12 . 2009-06-24 19:12 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com
2009-06-24 18:46 . 2009-06-24 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 18:46 . 2009-06-24 18:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-24 18:07 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-24 18:07 . 2009-06-24 18:07 -------- d-----w- c:\program files\Panda Security
2009-06-24 17:57 . 2009-06-24 17:57 -------- d-----w- c:\program files\Trend Micro
2009-06-24 06:49 . 2009-06-24 06:49 -------- d-----w- c:\windows\ERUNT
2009-06-24 06:43 . 2009-06-24 07:45 -------- d-----w- C:\SDFix
2009-06-24 05:55 . 2009-06-24 06:17 -------- d-----w- c:\program files\CleanUp!
2009-06-24 05:38 . 2009-06-24 05:38 40 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E9C5FD6529363D643B6692B7411EADFA.dll
2009-06-24 05:38 . 2009-06-24 05:38 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E01DD27603E8E23459CE0A95D59AC45A.dll
2009-06-24 05:38 . 2009-06-24 05:38 193 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AC7F955943E573242A9D8D6564A47D72.dll
2009-06-24 05:38 . 2009-06-24 05:38 74 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_70D17E3E72DCBC644884614DBF92AA31.dll
2009-06-24 05:38 . 2009-06-24 05:38 75 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F2004B65C1764F9489C47C06EF83605B.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F5F63727D025A27488CCB72078F23DE4.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F0410D6AF26EE1D94280C9FF19FFF68C.dll
2009-06-24 05:38 . 2009-06-24 05:38 55 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EE811DE4C58781CCD5E25DACB4AA300F.dll
2009-06-24 05:38 . 2009-06-24 05:38 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDA39468D428E8B4DB27C8D5DC5CA217.dll
2009-06-24 05:38 . 2009-06-24 05:38 60 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D71DC0C260B0007438AF37448B860B2A.dll
2009-06-24 05:38 . 2009-06-24 05:38 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D7314F9862C648A4DB8BE2A5B47BE100.dll
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\Malwarebytes
2009-06-24 03:56 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 03:56 . 2009-06-24 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-24 03:56 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 03:53 . 2009-06-24 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-24 03:52 . 2009-06-24 03:52 -------- d-----w- c:\program files\SpywareBlaster
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\Troy Mabry\Local Settings\Application Data\ATI
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\Troy Mabry\Application Data\ATI
2009-06-17 06:36 . 2009-06-17 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-17 06:35 . 2009-06-17 06:35 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-17 06:21 . 2009-06-17 06:21 -------- d-----w- c:\program files\ATI
2009-06-17 06:19 . 2009-02-25 19:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-17 06:19 . 2009-06-17 06:19 -------- d-----w- C:\ATI
2009-06-17 06:10 . 2009-06-17 06:10 -------- d-----w- c:\windows\Logs
2009-06-17 00:59 . 2009-06-17 00:59 10134 ----a-r- c:\documents and settings\Troy Mabry\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-17 00:59 . 2009-06-17 00:59 -------- d-----w- c:\program files\Microsoft WSE
2009-06-07 21:15 . 2009-06-07 21:15 -------- d-----w- c:\program files\NetSeal
2009-06-07 21:15 . 2009-06-07 21:15 -------- d-----w- C:\netseal
2009-06-02 20:34 . 2009-06-02 20:34 -------- d-----w- C:\zplus
2009-06-01 00:03 . 2009-06-01 00:12 -------- d-----w- c:\program files\Magic Workstation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 18:57 . 2008-02-09 19:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-06-30 18:57 . 2008-02-07 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-06-25 22:02 . 2005-06-28 00:27 46512 ----a-w- c:\documents and settings\Troy Mabry\Application Data\wklnhst.dat
2009-06-24 19:12 . 2007-11-07 00:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 05:38 . 2006-01-04 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-24 05:38 . 2009-06-24 05:37 170 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D64F86DB28A84664E8868FC755DBFE4D.dll
2009-06-23 07:14 . 2007-09-27 19:33 1878984 ----a-w- c:\documents and settings\Troy Mabry\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-17 06:21 . 2005-06-23 00:43 -------- d-----w- c:\program files\ATI Technologies
2009-06-17 06:20 . 2005-06-23 00:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 00:12 . 2007-08-18 22:30 -------- d-----w- c:\program files\Electronic Arts
2009-06-06 23:56 . 2007-05-25 22:16 -------- d-----w- c:\program files\Warcraft III
2009-06-06 02:35 . 2007-08-09 00:23 -------- d-----w- c:\program files\nbos
2009-06-06 02:32 . 2005-07-22 15:06 -------- d-----w- c:\program files\Activision Value
2009-06-06 02:30 . 2005-06-23 00:49 -------- d-----w- c:\program files\Common Files\AOL
2009-06-06 02:30 . 2005-06-23 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-27 18:20 . 2009-05-27 18:20 -------- d-----w- c:\program files\MAngband Server
2009-05-27 17:59 . 2009-05-27 17:59 -------- d-----w- c:\program files\MAngband
2009-05-24 01:54 . 2008-09-05 18:27 -------- d-----w- c:\program files\EnchantRO
2009-05-24 01:20 . 2006-02-12 19:17 -------- d-----w- c:\program files\EtherealRO
2009-05-23 21:27 . 2005-07-27 19:56 -------- d-----w- c:\program files\DOSBox-0.63
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:40 . 2009-05-06 18:50 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2009-05-02 17:09 . 2008-05-23 22:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 10:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 10:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2008-02-01 03:33 . 2007-01-25 04:53 56 --sh--r- c:\windows\SYSTEM32\02DF03F588.sys
2007-06-16 21:54 . 2007-06-16 21:54 23 --sha-w- c:\windows\SYSTEM32\cbaadd4_r.dll
2005-06-22 06:37 . 2006-05-24 18:37 45568 --sha-r- c:\windows\SYSTEM32\cygz.dll
2009-01-28 00:30 . 2007-01-25 04:53 1838 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\documents and settings\Troy Mabry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 117760
Created time: 2009-06-24 19:13
Modified time: 2009-06-30 18:41
MD5: 11AB72D5D603DB401C190B454FB935A7
SHA1: C5FBCCB1B379BD6D4CB35C4F6B7218B46E2AB521

---- Directory of c:\program files\NetSeal ----

2008-07-27 18:38 . 2008-07-27 18:38 98304 ----a-w- c:\program files\NetSeal\NetSeal.exe
2008-07-27 18:29 . 2008-07-27 18:29 6681 ----a-w- c:\program files\NetSeal\Spoilers\Base Set.txt
2007-03-24 19:29 . 2007-03-24 19:29 2868 ----a-w- c:\program files\NetSeal\Spoilers\Dangerous Allies.txt
2007-03-24 19:29 . 2007-03-24 19:29 1679 ----a-w- c:\program files\NetSeal\Spoilers\Chrysalid Matrix.txt
2006-08-08 23:44 . 2006-08-08 23:44 20480 ----a-w- c:\program files\NetSeal\HashTest.dll
2006-08-07 23:48 . 2006-08-07 23:48 479 ----a-w- c:\program files\NetSeal\Spoilers\Utility.txt
2006-08-07 23:48 . 2006-08-07 23:48 2672 ----a-w- c:\program files\NetSeal\Spoilers\Proteus.txt
2006-08-07 14:49 . 2006-08-07 14:49 229 ----a-w- c:\program files\NetSeal\Packages\Classic Booster.txt
2006-08-06 17:21 . 2006-08-06 17:21 247 ----a-w- c:\program files\NetSeal\Packages\Dangerous Allies Booster.txt
2006-08-06 17:21 . 2006-08-06 17:21 229 ----a-w- c:\program files\NetSeal\Packages\Proteus Booster.txt
2006-08-06 17:21 . 2006-08-06 17:21 265 ----a-w- c:\program files\NetSeal\Packages\Repeat Intrusion Patterns Booster.txt
2006-08-06 17:21 . 2006-08-06 17:21 235 ----a-w- c:\program files\NetSeal\Packages\Winterdawn Booster.txt
2006-08-06 17:13 . 2006-08-06 17:13 237 ----a-w- c:\program files\NetSeal\Packages\Base Set Starter.txt
2006-08-05 23:33 . 2006-08-05 23:33 247 ----a-w- c:\program files\NetSeal\Packages\Chrysalid Matrix Booster.txt
2006-08-05 23:33 . 2006-08-05 23:33 231 ----a-w- c:\program files\NetSeal\Packages\Base Set Booster.txt
2006-08-05 22:22 . 2006-08-05 22:22 2852 ----a-w- c:\program files\NetSeal\Spoilers\Winterdawn.txt
2006-08-05 22:03 . 2006-08-05 22:03 2952 ----a-w- c:\program files\NetSeal\Spoilers\Repeat Intrusion Patterns.txt
2006-08-05 21:21 . 2006-08-05 21:21 1008 ----a-w- c:\program files\NetSeal\Spoilers\Classic.txt


((((((((((((((((((((((((((((( SnapShot@2009-06-29_19.15.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 18:41 . 2009-06-30 18:41 16384 c:\windows\Temp\Perflib_Perfdata_c84.dat
+ 2009-06-30 18:57 . 2009-06-30 18:57 16384 c:\windows\Temp\Perflib_Perfdata_ac8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 219008]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [1999-06-25 1948440]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-2-19 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
1999-06-25 05:03 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"c:\\Program Files\\bleepbleepbleep\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [6/24/2009 2:07 PM 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2008 6:39 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2008 6:39 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 4:54 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 4:54 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\SYSTEM32\DRIVERS\sxgxgwdm.sys [6/19/2007 8:19 PM 966784]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [6/27/2005 2:08 PM 72576]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.umbc.edu/
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Troy Mabry\Application Data\Mozilla\Firefox\Profiles\9hs7c8z8.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ ?}?`?]
"SoundSelect"=dword:00000000
"FullTimeMenu"=dword:00000001
"FontSize"=dword:00000010
"PlayCount"=dword:00000001

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ ?}?`?\GlobalName]
"Name0"="拲幩婍"
"Name1"="恀撧"
"Name2"=""

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\Aypio\ ?}?`?\SystemFlag]
"S242"=dword:00000000
"S243"=dword:00000000
"S244"=dword:00000000
"S245"=dword:00000000
"S246"=dword:00000000
"S247"=dword:00000000
"S248"=dword:00000000
"S249"=dword:00000000
"S250"=dword:00000000
"S251"=dword:00000000
"S252"=dword:00000000
"S253"=dword:00000000
"S254"=dword:00000000
"S255"=dword:00000001

[HKEY_USERS\S-1-5-21-817111788-1044120104-1097184101-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,96,93,51,f8,e1,a8,9a,79,30,cd,b7,e5,df,d6,27,34,3a,9c,73,69,29,ed,
90,84,d6,3b,f5,ab,04,a3,06,bb,3d,a0,b6,cb,93,9a,95,d9,0f,ab,da,bf,04,63,e1,\
"??"=hex:4e,5b,94,3c,fd,7c,e9,4e,cd,39,69,eb,e3,76,76,ba
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\vmnat.exe
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\SYSTEM32\vmnetdhcp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
.
**************************************************************************
.
Completion time: 2009-06-30 15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 19:05
ComboFix2.txt 2009-06-29 19:18

Pre-Run: 42,815,250,432 bytes free
Post-Run: 42,714,431,488 bytes free

580 --- E O F --- 2009-06-19 04:26



Edited by PropagandaPanda, 01 July 2009 - 08:50 AM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 01 July 2009 - 09:08 AM

Hello.

That looks good.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.


Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Also take a new DDS.txt log after.

With Regards,
The Panda

#9 FinalParagon

FinalParagon
  • Topic Starter

  • Members
  • 6 posts

Posted 01 July 2009 - 08:54 PM

The curious thing about the one thing Kaspersky detected is that I'm fairly certain I removed mIRC from my computer recently on the grounds that I never use it anyway.

In any event. DDS log and scan report follow:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 01, 2009 20:50:31
Records in database: 2412125

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 276267
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 05:05:34

File name Threat name Threats count
C:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0005617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

The selected area was scanned.

----------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Troy Mabry at 21:46:44.98 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.879 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\GBA\VisualBoyAdvance.exe
C:\Documents and Settings\Troy Mabry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.umbc.edu/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246388980796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troyma~1\applic~1\mozilla\firefox\profiles\9hs7c8z8.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2007-6-19 966784]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2005-6-27 72576]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-07-01 15:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-01 15:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-30 18:08 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-06-30 17:53 <DIR> --dsh--- c:\documents and settings\troy mabry\IECompatCache
2009-06-30 17:51 <DIR> --dsh--- c:\documents and settings\troy mabry\PrivacIE
2009-06-30 17:48 <DIR> --dsh--- c:\documents and settings\troy mabry\IETldCache
2009-06-30 17:37 <DIR> --d----- C:\4b6ab2aeb7f6eb1a3c121a85
2009-06-30 17:37 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-30 17:30 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-30 17:29 <DIR> --d----- c:\windows\ie8updates
2009-06-30 17:29 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-30 17:29 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-30 17:28 <DIR> -cd-h--- c:\windows\ie8
2009-06-30 15:24 <DIR> --d----- c:\windows\system32\scripting
2009-06-30 15:24 <DIR> --d----- c:\windows\system32\en
2009-06-30 15:24 <DIR> --d----- c:\windows\system32\bits
2009-06-30 15:24 <DIR> --d----- c:\windows\l2schemas
2009-06-30 15:22 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-29 15:16 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-29 14:59 <DIR> a-dshr-- C:\cmdcons
2009-06-29 14:46 161,792 a------- c:\windows\SWREG.exe
2009-06-29 14:46 155,136 a------- c:\windows\PEV.exe
2009-06-29 14:46 98,816 a------- c:\windows\sed.exe
2009-06-24 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-24 15:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-24 15:12 <DIR> --d----- c:\docume~1\troyma~1\applic~1\SUPERAntiSpyware.com
2009-06-24 14:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-24 14:07 <DIR> --d----- c:\program files\Panda Security
2009-06-24 13:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-24 02:49 <DIR> --d----- c:\windows\ERUNT
2009-06-24 02:43 <DIR> --d----- C:\SDFix
2009-06-24 01:55 <DIR> --d----- c:\program files\CleanUp!
2009-06-24 01:44 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 23:56 <DIR> --d----- c:\docume~1\troyma~1\applic~1\Malwarebytes
2009-06-23 23:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 23:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 23:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 23:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-17 02:35 0 a------- c:\windows\ativpsrm.bin
2009-06-17 02:21 <DIR> --d----- c:\program files\ATI
2009-06-17 02:19 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-06-17 02:19 <DIR> --d----- C:\ATI
2009-06-17 02:10 <DIR> --d----- c:\windows\Logs
2009-06-16 20:59 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-07 17:15 <DIR> --d----- c:\program files\NetSeal
2009-06-07 17:15 <DIR> --d----- C:\netseal
2009-06-05 22:30 2 a------- c:\windows\msoffice.ini
2009-06-05 22:05 <DIR> --d----- c:\windows\pss
2009-06-02 16:34 <DIR> --d----- C:\zplus

==================== Find3M ====================

2009-06-30 16:28 46,512 a------- c:\docume~1\troyma~1\applic~1\wklnhst.dat
2009-06-30 15:26 88,359 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-12 20:11 876 a------- c:\documents and settings\troy mabry\2008-md-election.dat
2009-03-12 20:11 1,702 a------- c:\documents and settings\troy mabry\2008-us-election.dat
2009-03-12 20:11 1,396 a------- c:\documents and settings\troy mabry\usa-1024px.dat
2009-03-12 18:31 908 a------- c:\documents and settings\troy mabry\2004-md-election.dat
2009-03-12 18:30 897 a------- c:\documents and settings\troy mabry\md-1024px.dat
2008-10-01 18:48 157,016 a------- c:\docume~1\troyma~1\applic~1\GDIPFONTCACHEV1.DAT
2006-06-21 23:38 32 a----r-- c:\documents and settings\all users\hash.dat
2008-01-31 23:33 56 ---shr-- c:\windows\system32\02DF03F588.sys
2007-06-16 17:54 23 a--sh--- c:\windows\system32\cbaadd4_r.dll
2005-06-22 02:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2009-01-27 20:30 1,838 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:47:43.71 ===============



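The post above pastes two machine-generated reports, a Kaspersky Online Scanner summary and a DDS log, and the useful part of each is a handful of lines buried in a long listing. The following Python is an added triage example written for this page; it is not code from the thread, from DDS or from Kaspersky. It classifies each Kaspersky detection line as riskware or malware from the `not-a-virus:` prefix (Kaspersky's label for legitimate software that could be abused, which is why an old mIRC copy shows up) and notes whether the hit lives in a System Restore point, then walks the DDS sections and pulls out the entries an analyst would look at first: Pseudo HJT entries that resolve to `No File`, services whose binary is marked `[?]` (file not found), and Find3M files in `system32` carrying both the system and hidden attributes. The regular expressions are inferred from the lines visible in this post, not from a documented grammar, so treat them as an assumption; the sample inputs are constructed from lines copied from the post, and everything flagged is a candidate for review, not a verdict.

```python
"""Triage helpers for a Kaspersky Online Scanner report and a DDS log.

Added example for this thread; not part of DDS, Kaspersky or the original
post.  Line formats are inferred from the pasted logs (assumption)."""
import re

# Constructed sample: the two detection lines from the Kaspersky report above.
KASPERSKY_SAMPLE = r"""
C:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0005617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
"""

# Constructed sample: a handful of lines copied from the DDS log above.
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 108552]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

==================== Find3M ====================

2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2008-01-31 23:33 56 ---shr-- c:\windows\system32\02DF03F588.sys
2005-06-22 02:37 45,568 a--shr-- c:\windows\system32\cygz.dll
"""

# Patterns inferred from the pasted lines (assumption, not a documented grammar).
KASP_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<count>\d+)$")
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
HJT_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<body>.+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+)\s+(?P<attr>[a-z-]{8})\s+(?P<path>.+)$")


def parse_kaspersky(text):
    """Return one dict per detection line.  'riskware' is True when the
    verdict carries Kaspersky's not-a-virus: prefix (legitimate software
    that malware could abuse); 'in_restore_point' marks hits sitting in a
    System Restore snapshot rather than in the live file system."""
    hits = []
    for line in text.splitlines():
        m = KASP_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        hits.append({
            "path": path,
            "name": name,
            "count": int(m.group("count")),
            "riskware": name.lower().startswith("not-a-virus:"),
            "in_restore_point": "system volume information" in path.lower(),
        })
    return hits


def triage_dds(text):
    """Walk the DDS sections and return (tag, detail) tuples for entries
    worth a closer look: orphaned HJT entries, services whose binary is
    missing ([?]), and hidden+system files under system32."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # section banner, e.g. "===== Find3M ====="
            section = m.group(1).lower()
            continue
        if section == "pseudo hjt report":
            m = HJT_RE.match(line)
            if m and m.group("body").endswith("- No File"):
                findings.append(("orphan-entry", line))
        elif section == "services / drivers":
            m = SVC_RE.match(line)
            if m and m.group("rest").rstrip().endswith("[?]"):
                findings.append(("missing-service-binary", m.group("name")))
        elif section == "find3m":
            m = FIND3M_RE.match(line)
            if m:
                attr, path = m.group("attr"), m.group("path")
                if "s" in attr and "h" in attr and "\\system32\\" in path.lower():
                    findings.append(("hidden-system-file-in-system32", path))
    return findings


if __name__ == "__main__":
    for hit in parse_kaspersky(KASPERSKY_SAMPLE):
        kind = "riskware" if hit["riskware"] else "malware"
        where = " (restore point)" if hit["in_restore_point"] else ""
        print(f"{kind}{where}: {hit['name']} -> {hit['path']}")
    for tag, detail in triage_dds(DDS_SAMPLE):
        print(f"{tag}: {detail}")
```

Run as a script it prints the two riskware hits (one of them inside a restore point) followed by the five DDS findings. Feeding it a full DDS log instead of the sample means pasting the whole log into `DDS_SAMPLE` or reading it from a file; the section names it keys on (`Pseudo HJT Report`, `SERVICES / DRIVERS`, `Find3M`) are the banners used in the log above.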

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 02 July 2009 - 09:33 AM

Hello.

Note that Kaspersky detected it as "not-a-virus:Client-IRC.Win32". This means that the program could potentially be used by an IRC bot. In this case, it is good.

That looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#11 FinalParagon

FinalParagon
  • Topic Starter

  • Members
  • 6 posts

Posted 03 July 2009 - 02:12 AM

I can't think of any pressing questions off-hand, so I think I'm all set.

Thanks again!

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 03 July 2009 - 08:20 AM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



