
atdmt.com and possible malware?


This topic is locked
40 replies to this topic

#1 nizzy

  • Members
  • 93 posts

Posted 28 June 2009 - 07:25 PM

Pretty much all the info is in this thread here > http://www.bleepingcomputer.com/forums/t/236890/harmless/
I have had a recurring tracking cookie/adware called atdmt.com, and when I went to remove it in the registry where I found it, I saw lots of dodgy entries in the history part of my registry, which are shown in the screenshots I have posted: one is of my admin account's registry and the other my user account's. I am sure I have not visited any dodgy sites and I do not use my admin account to browse, so I am confused, and was told to post here!

DDS log


DDS (Ver_09-06-26.01) - NTFSx86
Run by amanda at 1:12:32.28 on 29/06/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2046.939 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\panda\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
mDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0071204
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] c:\program files\dell support center\gs_agent\custom\dsca.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\amanda\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\amanda\appdata\roaming\mozilla\firefox\profiles\jgi178he.default\
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-6 298776]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-6-9 1153368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-06-21 16:37 189,784 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-20 15:17 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-20 15:17 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-06-20 15:16 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-20 15:16 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-06-20 15:16 --d----- c:\programdata\id Software
2009-06-20 15:16 --d----- c:\progra~2\id Software
2009-06-11 20:46 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-02 03:17 --d----- c:\windows\system32\eu-ES
2009-06-02 03:17 --d----- c:\windows\system32\ca-ES
2009-06-02 03:17 --d----- c:\windows\system32\vi-VN
2009-06-02 03:17 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-02 03:16 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-02 02:58 --d----- c:\windows\system32\EventProviders
2009-06-02 02:55 93,696 a------- c:\windows\system32\drivers\bridge.sys

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:08 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-02 03:25 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-02 03:25 86,016 a------- c:\windows\inf\infstor.dat
2009-06-02 03:25 51,200 a------- c:\windows\inf\infpub.dat
2009-06-02 03:17 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-28 01:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-02 20:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 20:26 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 13:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 12:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-11 07:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-11 07:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-11 07:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-11 07:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-11 07:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-11 07:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-11 07:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-11 07:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-11 07:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-11 07:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-11 07:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-11 07:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-11 07:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-11 07:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-11 07:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-11 07:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-11 06:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 06:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 05:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-11 05:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-11 05:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-11 05:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-11 05:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-11 05:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-11 02:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-11-13 00:39 56 a---h--- c:\programdata\ezsidmv.dat
2008-11-13 00:39 56 a---h--- c:\progra~2\ezsidmv.dat
2008-03-26 21:55 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-12-04 07:01 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:13:52.94 ===============

Edit: also, I could not back up the registry with ERUNT in my admin account; it mentioned some kind of problem, either hkey5 or reg 5?

Thanks

Attached Files


Edited by nizzy, 28 June 2009 - 11:02 PM.



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 02 July 2009 - 11:33 AM

Hello nizzy and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 nizzy
  • Topic Starter

  • Members
  • 93 posts

Posted 02 July 2009 - 01:23 PM

Hi, thanks for getting back to me. All the info about the scans that I have performed is in the link in the first post of this thread, along with screenshots of my registry.

This is my new DDS log you requested


DDS (Ver_09-06-26.01) - NTFSx86
Run by amanda at 19:16:55.77 on 02/07/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2046.1162 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\panda\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
mDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0071204
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] c:\program files\dell support center\gs_agent\custom\dsca.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\amanda\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\amanda\appdata\roaming\mozilla\firefox\profiles\jgi178he.default\
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-6 298776]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-6-9 1153368]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-06-21 16:37 189,784 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-20 15:17 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-20 15:17 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-06-20 15:16 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-20 15:16 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-06-20 15:16 <DIR> --d----- c:\programdata\id Software
2009-06-20 15:16 <DIR> --d----- c:\progra~2\id Software
2009-06-11 20:46 784,896 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:08 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-02 03:25 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-02 03:25 86,016 a------- c:\windows\inf\infstor.dat
2009-06-02 03:25 51,200 a------- c:\windows\inf\infpub.dat
2009-06-02 03:17 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-02 03:17 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-02 03:16 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-28 01:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-02 20:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-23 13:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 12:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-11 07:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-11 07:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-11 07:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-11 07:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-11 07:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-11 07:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-11 07:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-11 07:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-11 07:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-11 07:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-11 07:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-11 07:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-11 07:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-11 07:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-11 07:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-11 07:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-11 06:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 06:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 05:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-11 05:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-11 05:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-11 05:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-11 05:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-11 05:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-11 02:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-11-13 00:39 56 a---h--- c:\programdata\ezsidmv.dat
2008-11-13 00:39 56 a---h--- c:\progra~2\ezsidmv.dat
2008-03-26 21:55 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-12-04 07:01 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:18:13.94 ===============
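
The "Pseudo HJT Report" section of the DDS log above (browser helper objects, `uRun`/`mRun` autostart values, `Notify` and `SEH` hooks) is what the helpers read first, because that is where a persistent infection usually shows up. As an added example, not code from this thread or from the DDS tool itself, the following Python script parses that section in the exact line format shown above and flags the entries a responder would look at: a BHO whose CLSID is still registered but whose DLL is gone (`No File`, like the unnamed `{5C255C8A-...}` entry in both logs, normally an uninstall leftover rather than malware), an empty `Run` value (the `mRun: []` / `mRun: [<NO NAME>]` line), an autostart image living under a user-writable path, and `rundll32` loading a DLL from outside `system32`. The embedded sample is constructed from lines of the format seen in this thread plus two made-up `Run` entries under a hypothetical user profile named `example`, added only to exercise the last two checks; nothing in it says anything about nizzy's machine. DDS only lists a subset of autostart locations, so this is a triage aid, not a substitute for a full autoruns review.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from DDS. It parses the BHO and
Run-key lines in the format shown above and flags the entries a malware
responder reads first.
"""
import re

HJT_HEADER = "Pseudo HJT Report"
SECTION_RE = re.compile(r"^=+ .* =+$")  # e.g. "=== Pseudo HJT Report ==="
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^,"\s]+\.dll)', re.I)

# Autostart images living here deserve a second look: a standard user can
# write to these paths, so malware needs no admin rights to persist there.
USER_WRITABLE_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")

# Constructed sample in the DDS format seen in this thread. The [Updater] and
# [Helper] lines are made up (hypothetical user "example") purely to exercise
# the checks; they are not from nizzy's log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: []
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uRun: [Updater] "c:\users\example\appdata\local\temp\updater.exe" /silent
mRun: [Helper] rundll32.exe c:\users\example\appdata\roaming\helper.dll,Start
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

================= FIREFOX ===================
"""


def hjt_section(text):
    """Yield the non-blank lines between the HJT header and the next section."""
    inside = False
    for line in text.splitlines():
        if SECTION_RE.match(line):
            inside = HJT_HEADER in line
        elif inside and line.strip():
            yield line


def parse_entries(text):
    """Turn the section into dicts keyed by entry kind (BHO, Run, other)."""
    entries = []
    for line in hjt_section(text):
        if m := BHO_RE.match(line):
            entries.append({"kind": "BHO", "name": m["name"] or "",
                            "clsid": m["clsid"].upper(), "path": m["path"].strip()})
        elif m := RUN_RE.match(line):
            entries.append({"kind": "Run", "hive": "HKCU" if m["hive"] == "u" else "HKLM",
                            "name": m["name"], "cmd": m["cmd"].strip()})
        else:
            kind, sep, rest = line.partition(": ")
            entries.append({"kind": kind if sep else "Other", "raw": rest if sep else line})
    return entries


def image_path(cmd):
    """First image referenced by a Run command: the quoted path, else first token."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(\S+)", cmd)
    return m.group(1).lower() if m else ""


def triage(entries):
    """Return (finding, detail) pairs for entries a responder should check."""
    findings = []
    for e in entries:
        if e["kind"] == "BHO" and e["path"].lower() == "no file":
            # CLSID still registered but the DLL is gone: usually an uninstall
            # leftover, harmless but worth cleaning so it stops showing up.
            findings.append(("orphaned-bho", e["clsid"]))
        elif e["kind"] == "Run":
            if e["name"] in ("", "<NO NAME>") and not e["cmd"]:
                findings.append(("empty-run-value", e["hive"]))
                continue
            if any(d in image_path(e["cmd"]) for d in USER_WRITABLE_DIRS):
                findings.append(("run-from-user-writable", e["name"]))
            dll = RUNDLL_RE.search(e["cmd"])
            if dll and "\\windows\\system32\\" not in dll.group(1).lower():
                findings.append(("rundll32-nonsystem-dll", e["name"]))
    return findings


if __name__ == "__main__":
    for code, detail in triage(parse_entries(SAMPLE_LOG)):
        print(f"{code:24} {detail}")
```

Run it against a saved DDS log by replacing `SAMPLE_LOG` with the file contents; the `%ProgramFiles%` form in `mRun` values is left unexpanded, which is deliberate: the check is about where the image lives relative to user-writable directories, not about resolving every environment variable.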

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 July 2009 - 06:48 AM

Hi nizzy,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks
m0le is a proud member of UNITE

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 July 2009 - 06:56 AM

Hi nizzy,

Please download ComboFix from one of these locations.

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#6 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 04 July 2009 - 10:55 AM

Hi
I disabled AVG 8.5, my Windows Firewall and Windows Defender and ran ComboFix, but it said AVG 8.5 was turned on. There was nothing I could see to do about it, so it ran anyway.
After running, it would not let me open my Control Panel in the Start menu to reapply my security, as it said it was marked for deletion :thumbup2:
as are my IE and FF :) :) and my Paint and a lot of others!
I had to reapply my security through the help panel and am writing this by running FF in admin mode, which seems to work for some reason!
Possibly as all the icons and items in my user Start menu seem to be up for deletion?

I am worried now and confused about turning my computer off and rebooting it, if it is to remove everything!

This is the ComboFix log

ComboFix 09-07-03.03 - amanda 04/07/2009 16:35.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2046.1300 [GMT 1:00]
Running from: c:\users\panda\Downloads\Combo-Fix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 15:41 . 2009-07-04 15:41 -------- d-----w- c:\users\amanda\AppData\Local\temp
2009-07-04 15:41 . 2009-07-04 15:41 -------- d-----w- c:\users\panda\AppData\Local\temp
2009-06-28 22:20 . 2009-06-28 22:20 -------- d-----w- c:\program files\ERUNT
2009-06-26 09:48 . 2009-06-26 09:48 2052376 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-06-20 14:27 . 2009-06-20 14:27 -------- d-----w- c:\users\panda\AppData\Local\PunkBuster
2009-06-20 14:17 . 2009-07-02 13:20 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-20 14:17 . 2009-06-20 14:17 22328 ----a-w- c:\users\panda\AppData\Roaming\PnkBstrK.sys
2009-06-20 14:17 . 2009-07-02 13:19 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-20 14:16 . 2009-06-21 15:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-20 14:16 . 2009-06-20 14:16 2246144 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-20 14:16 . 2009-06-20 14:16 -------- d-----w- c:\programdata\id Software
2009-06-16 23:01 . 2009-06-16 23:01 829208 ----a-w- c:\programdata\avg8\update\backup\avgcfgx.dll
2009-06-16 23:01 . 2009-06-12 12:08 1261344 ----a-w- c:\programdata\avg8\update\backup\avgwd.dll
2009-06-12 12:09 . 2009-06-16 23:01 3298072 ----a-w- c:\programdata\avg8\update\backup\setup.exe
2009-06-12 12:07 . 2009-06-16 22:59 1454360 ----a-w- c:\programdata\avg8\update\backup\avgupd.dll
2009-06-11 19:46 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-10 03:22 . 2009-06-10 05:45 -------- d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:30 . 2007-12-03 22:20 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-12 12:07 . 2009-07-03 14:58 1085208 ----a-w- c:\programdata\avg8\update\backup\avgupd.exe
2009-06-11 20:13 . 2007-12-03 22:32 -------- d-----w- c:\program files\Microsoft Works
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-02 02:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-02 02:17 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-02 02:17 . 2009-06-02 02:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-02 02:16 . 2009-06-02 02:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-30 00:02 . 2008-11-12 23:30 -------- d-----w- c:\users\panda\AppData\Roaming\Skype
2009-05-29 23:59 . 2008-11-12 23:39 -------- d-----w- c:\users\panda\AppData\Roaming\skypePM
2009-05-28 00:54 . 2009-05-28 00:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-28 00:54 . 2007-12-03 22:21 -------- d-----w- c:\program files\Java
2009-05-18 15:42 . 2007-12-22 23:44 -------- d-----w- c:\program files\Red Storm Entertainment
2009-05-18 15:42 . 2007-12-03 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 15:39 . 2007-12-22 21:20 -------- d-----w- c:\program files\LucasArts
2009-05-18 00:59 . 2009-05-18 00:59 -------- d-----w- c:\users\panda\AppData\Roaming\JAM Software
2009-05-18 00:56 . 2009-05-18 00:56 -------- d-----w- c:\users\amanda\AppData\Roaming\JAM Software
2009-05-18 00:56 . 2009-05-18 00:56 -------- d-----w- c:\program files\JAM Software
2009-05-09 05:50 . 2009-06-11 19:47 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 19:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-05 16:34 . 2007-12-22 20:55 -------- d-----w- c:\programdata\NVIDIA
2009-05-05 16:30 . 2008-04-14 00:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-05 16:30 . 2008-12-24 00:04 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-05 15:45 . 2009-05-05 15:43 -------- d-----w- c:\program files\SystemRequirementsLab
2009-05-05 15:43 . 2008-12-23 23:11 -------- d-----w- c:\users\panda\AppData\Roaming\SystemRequirementsLab
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-05-05 09:51 . 2009-05-05 09:51 625728 ----a-w- c:\programdata\id Software\QuakeLive\npquakezero.dll
2009-05-02 19:26 . 2008-05-06 22:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 19:26 . 2009-01-28 22:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 12:14 . 2009-06-11 19:47 623616 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:39 . 2009-06-11 19:47 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-04-11 23:46 . 2009-03-26 12:29 117760 ----a-w- c:\users\panda\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-04-11 06:33 . 2009-06-02 01:57 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-06-02 01:56 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-06-02 01:56 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-06-02 01:57 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-06-02 01:56 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-06-02 01:56 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-06-02 01:57 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-06-02 01:55 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-06-02 01:56 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-06-02 01:55 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-06-02 01:57 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-06-02 01:57 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-06-02 01:55 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-06-02 01:55 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:51 . 2009-06-02 01:56 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-06-02 01:56 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-06-02 01:56 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-06-02 01:56 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-06-02 01:55 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-06-02 01:55 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-06-02 01:55 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-06-02 01:56 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-06-02 01:56 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-06-02 01:56 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-06-02 01:56 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-06-02 01:56 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-06-02 01:56 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-06-02 01:56 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-06-02 01:56 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-06-02 01:56 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:42 . 2009-06-02 01:56 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-06-02 01:56 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-06-02 01:56 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-06-02 01:56 73216 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-04-11 04:42 . 2009-06-02 01:56 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-06-02 01:55 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-04-11 04:42 . 2009-06-02 01:56 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-06-02 01:56 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-06-02 01:56 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-06-02 01:55 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-06-02 01:57 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-06-02 01:56 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-06-02 01:56 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-06-02 01:56 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-06-02 01:56 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-06-02 01:56 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-04-11 04:27 . 2009-06-02 01:55 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:23 . 2009-06-02 01:56 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-06-02 01:56 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-06-02 01:56 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-06-02 01:56 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:15 . 2009-06-02 01:56 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-06-02 01:56 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-06-02 01:56 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-11 04:14 . 2009-06-02 01:56 114688 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-04-11 04:14 . 2009-06-02 01:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-11 04:14 . 2009-06-02 01:56 225280 ----a-w- c:\windows\system32\drivers\rdbss.sys
2009-04-11 04:14 . 2009-06-02 01:56 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2009-04-11 04:14 . 2009-06-02 01:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-11 04:14 . 2009-06-02 01:56 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2009-04-11 04:14 . 2009-06-02 01:56 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2007-12-04 06:01 . 2007-12-04 05:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-06 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2007-07-11 569344]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 14:00 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9a,fd,1b,27,29,e3,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56FFB15E-1E77-4AAE-981C-75095A2AB5E0}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{3A018FB2-5076-40A8-B9A0-7C4304F7CE73}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{E9182748-2397-468C-B38F-642E0783A35E}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{5BAE9773-963F-41E9-BE7A-FB63333BFE58}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{DBF4A90C-78C4-4D64-A501-E0B7CC969385}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{1B69096B-DF59-45C8-A1AA-F785D389C24D}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{856C10EB-9555-4A30-9ED5-728E6C62E5A2}"= UDP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{FA8F42C0-19B4-4888-BDB4-63C18993D08C}"= TCP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{32CEE7D4-6965-483F-B562-ED42AA0F6BCD}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{E4683076-B2BB-47F3-A161-14A511D9F05B}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4DBFF1FE-4E79-4DBD-A74F-97699BAD182E}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FC0C3EC2-EA34-4075-BEAD-BFBAF11169A7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B3A9F37D-859C-4C32-90EC-79200150AB8C}"= UDP:c:\program files\Steam\steamapps\common\monster trucks nitro demo\MonsterTrucksNitro.exe:Monster Trucks Nitro Demo
"{E58A3978-CB87-42D2-914A-508133C70D78}"= TCP:c:\program files\Steam\steamapps\common\monster trucks nitro demo\MonsterTrucksNitro.exe:Monster Trucks Nitro Demo
"{D9CBBF69-9424-4E01-AA79-D12573C6E84C}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{E908430B-F2ED-463F-80C7-E5E2F003DF6C}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{EB46619A-28F9-4923-8C12-2D54357B8F7C}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{0EFB9834-DC42-447A-A4A3-8ECA984DA004}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{141BDA0F-5259-4A68-B2D7-1653F46990A0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{F04EE9C7-4A55-4C4E-B70E-BFEFDC2F27E4}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [06/05/2008 23:17 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/01/2009 23:57 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 16:03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 16:03 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 07:17 77824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/07/2008 17:13 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [06/05/2008 23:17 298776]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/06/2008 15:34 1153368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\amanda\AppData\Roaming\Mozilla\Firefox\Profiles\jgi178he.default\
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 16:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\amanda\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2069415660-1087055719-4139926696-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-04 16:43
ComboFix-quarantined-files.txt 2009-07-04 15:43

Pre-Run: 169,970,372,608 bytes free
Post-Run: 170,076,770,304 bytes free

250 --- E O F --- 2009-07-02 17:56

Edited by nizzy, 04 July 2009 - 11:01 AM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:04 AM

Posted 04 July 2009 - 11:53 AM

Nothing is up for deletion on the log. What is telling you that?

Interestingly, though, ComboFix did not find anything, and this could well be because AVG interfered with the fix.

Please disable AVG or, if that isn't working, uninstall AVG and then rerun ComboFix. After posting that log, please reinstall your antivirus. Working without a running antivirus is okay during a fix, though.
m0le is a proud member of UNITE
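The "Reg Loading Points" section of the log in post #6 is where a responder looks first when ComboFix reports nothing: it lists every autorun value together with the executable it launches. The Python script below is an added example, not part of this thread and not ComboFix's own tooling. It parses those lines (both the plain form and the `"name"="file.exe" - c:\path\file.exe` form ComboFix uses when it resolves a bare filename) and flags entries that start from user-writable folders such as AppData or Temp. The sample log is constructed from the Run-key lines in post #6; the `updater` entry is invented to show what a flagged line looks like, and the list of folders treated as user-writable is this example's own assumption, not a ComboFix rule.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix-style log.

Added example; this is not part of the thread and not ComboFix's own tooling.
It parses the autorun entries the log lists and flags the ones that start from
user-writable folders, the first thing worth checking when a log comes back
with nothing detected.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the Run-key lines of the log in post #6.
# The "updater" entry is invented here to show what a flagged line looks like.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-06 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]
"updater"="c:\users\amanda\AppData\Local\Temp\updater.exe" [2009-07-01 45056]
"""

# A section header such as [HKEY_LOCAL_MACHINE\...\Run].
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")

# One autorun line. ComboFix writes either
#   "Name"="c:\full\path\app.exe" [YYYY-MM-DD size]
# or, when the registry value is a bare filename it had to resolve,
#   "Name"="app.exe" - c:\full\path\app.exe [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<value>[^"]*)"'
    r"(?: - (?P<resolved>.+?))?"
    r" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)

# Folders an ordinary user (or anything running as that user) can write to.
# Assumed list for this example, not a ComboFix rule.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|desktop|public)\\", re.I)


@dataclass
class AutorunEntry:
    key: str    # registry key the value lives under
    name: str   # value name
    path: str   # executable actually launched (resolved form if present)
    date: str   # file timestamp as printed by the log
    size: int   # file size in bytes


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Return every autorun entry found under a [key] header in the text."""
    entries: List[AutorunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            # Prefer the path ComboFix resolved over the raw registry value.
            path = entry_match.group("resolved") or entry_match.group("value")
            entries.append(AutorunEntry(
                key=current_key,
                name=entry_match.group("name"),
                path=path,
                date=entry_match.group("date"),
                size=int(entry_match.group("size")),
            ))
    return entries


def is_user_writable(path: str) -> bool:
    """True when the executable sits in a folder the user can write to."""
    return USER_WRITABLE.search(path) is not None


def triage(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries worth a closer look: autoruns launched from user-writable folders."""
    return [e for e in entries if is_user_writable(e.path)]


def summarize(text: str) -> str:
    """Human-readable summary of all entries, with flagged ones marked."""
    entries = parse_loading_points(text)
    flagged = {id(e) for e in triage(entries)}
    lines = []
    for e in entries:
        marker = "FLAG" if id(e) in flagged else "ok  "
        lines.append(f"{marker} {e.name:<18} {e.path}  ({e.date}, {e.size} bytes)")
    lines.append(f"{len(entries)} autorun entries, {len(flagged)} flagged")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the real Run-key lines in post #6, nothing trips the heuristic, which is consistent with m0le's reading that ComboFix found nothing. The check is triage rather than a verdict: a file under Program Files can still be malicious, and a legitimate updater can live under AppData, so a flagged entry is a prompt to look at the file's signature and timestamps, not a conclusion.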

#8 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 04 July 2009 - 12:09 PM

I get a pop-up saying "illegal operation attempted on a registry key that has been marked for deletion."
I get this pop-up on all icons on my desktop and in my Start menu; I cannot even open my Thunderbird email. After clicking on Thunderbird and reading the pop-up, another one comes up saying "the item you selected is unavailable, it might have been moved, renamed, or removed. do you want to remove it from the list?"

This is all in my user account. I have not tried my admin account, but right-clicking the mouse in user to run in admin lets me access FF at least.

EDIT

I chanced a reboot and all is fine! I can use all my icons in admin now! :thumbup2:

Should I still rescan after uninstalling AVG again?
And one question about my AVG... why does it state my AVG anti-spyware is outdated when AVG updates fine every day?

Edited by nizzy, 04 July 2009 - 12:44 PM.


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:04 AM

Posted 04 July 2009 - 01:16 PM

Yes, please rescan with ComboFix.

AVG seems to cause problems with ComboFix. In some cases, once it is uninstalled, ComboFix still detects it.

Let's hope that ComboFix can run free now. :thumbup2:
m0le is a proud member of UNITE

#10 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 04 July 2009 - 01:54 PM

I downloaded AVG's own uninstaller and removed it. I double-checked in my install/uninstall program list and AVG was not there.
Then I ran ComboFix and it detected it :thumbup2:

I have now reinstalled AVG to be safe while I browse!

Here is the new log

ComboFix 09-07-03.03 - amanda 04/07/2009 19:41.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2046.1387 [GMT 1:00]
Running from: c:\users\panda\Downloads\Combo-Fix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 18:46 . 2009-07-04 18:46 -------- d-----w- c:\users\amanda\AppData\Local\temp
2009-07-04 18:46 . 2009-07-04 18:46 -------- d-----w- c:\users\panda\AppData\Local\temp
2009-06-28 22:20 . 2009-06-28 22:20 -------- d-----w- c:\program files\ERUNT
2009-06-20 14:27 . 2009-06-20 14:27 -------- d-----w- c:\users\panda\AppData\Local\PunkBuster
2009-06-20 14:17 . 2009-07-02 13:20 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-20 14:17 . 2009-06-20 14:17 22328 ----a-w- c:\users\panda\AppData\Roaming\PnkBstrK.sys
2009-06-20 14:17 . 2009-07-02 13:19 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-20 14:16 . 2009-06-21 15:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-20 14:16 . 2009-06-20 14:16 2246144 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-20 14:16 . 2009-06-20 14:16 -------- d-----w- c:\programdata\id Software
2009-06-11 19:46 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-10 03:22 . 2009-06-10 05:45 -------- d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 18:40 . 2008-05-06 22:17 -------- d-----w- c:\programdata\avg8
2009-07-04 18:35 . 2007-12-03 22:20 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-29 03:54 . 2009-05-02 21:40 117760 ----a-w- c:\users\amanda\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 01:27 . 2007-12-23 21:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-23 22:20 . 2009-02-11 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:20 . 2009-04-05 10:41 3561743 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 16:34 . 2008-01-04 20:14 7700 ----a-w- c:\users\panda\AppData\Local\d3d9caps.dat
2009-06-18 23:48 . 2008-12-25 12:17 -------- d-----w- c:\program files\Common Files\Steam
2009-06-18 23:48 . 2008-12-25 12:17 -------- d-----w- c:\program files\Steam
2009-06-17 10:27 . 2009-02-25 13:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-02-25 13:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 20:13 . 2007-12-03 22:32 -------- d-----w- c:\program files\Microsoft Works
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-02 02:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-02 02:19 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-02 02:17 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-02 02:17 . 2009-06-02 02:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-02 02:16 . 2009-06-02 02:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-30 00:02 . 2008-11-12 23:30 -------- d-----w- c:\users\panda\AppData\Roaming\Skype
2009-05-29 23:59 . 2008-11-12 23:39 -------- d-----w- c:\users\panda\AppData\Roaming\skypePM
2009-05-28 00:54 . 2009-05-28 00:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-28 00:54 . 2007-12-03 22:21 -------- d-----w- c:\program files\Java
2009-05-18 15:42 . 2007-12-22 23:44 -------- d-----w- c:\program files\Red Storm Entertainment
2009-05-18 15:42 . 2007-12-03 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 15:39 . 2007-12-22 21:20 -------- d-----w- c:\program files\LucasArts
2009-05-18 00:59 . 2009-05-18 00:59 -------- d-----w- c:\users\panda\AppData\Roaming\JAM Software
2009-05-18 00:56 . 2009-05-18 00:56 -------- d-----w- c:\users\amanda\AppData\Roaming\JAM Software
2009-05-18 00:56 . 2009-05-18 00:56 -------- d-----w- c:\program files\JAM Software
2009-05-09 05:50 . 2009-06-11 19:47 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 19:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-05-05 15:43 . 2009-05-05 15:43 290816 ----a-w- c:\users\panda\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-05-05 09:51 . 2009-05-05 09:51 625728 ----a-w- c:\programdata\id Software\QuakeLive\npquakezero.dll
2009-04-23 12:14 . 2009-06-11 19:47 623616 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:39 . 2009-06-11 19:47 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-04-11 23:46 . 2009-03-26 12:29 117760 ----a-w- c:\users\panda\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-04-11 06:33 . 2009-06-02 01:57 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-06-02 01:56 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-06-02 01:56 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-06-02 01:57 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-06-02 01:56 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-06-02 01:56 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-06-02 01:57 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-06-02 01:55 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-06-02 01:56 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-06-02 01:55 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-06-02 01:57 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-06-02 01:57 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-06-02 01:55 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-06-02 01:55 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:51 . 2009-06-02 01:56 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-06-02 01:56 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-06-02 01:56 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-06-02 01:56 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-06-02 01:55 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-06-02 01:55 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-06-02 01:55 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-06-02 01:56 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-06-02 01:56 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-06-02 01:56 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-06-02 01:56 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-06-02 01:56 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-06-02 01:56 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-06-02 01:56 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-06-02 01:56 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-06-02 01:56 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:42 . 2009-06-02 01:56 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-06-02 01:56 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-06-02 01:56 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-06-02 01:56 73216 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-04-11 04:42 . 2009-06-02 01:56 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-06-02 01:55 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-04-11 04:42 . 2009-06-02 01:56 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-06-02 01:56 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-06-02 01:56 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-06-02 01:55 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-06-02 01:57 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-06-02 01:56 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-06-02 01:56 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-06-02 01:56 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-06-02 01:56 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-06-02 01:56 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-04-11 04:27 . 2009-06-02 01:55 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:23 . 2009-06-02 01:56 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-06-02 01:56 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-06-02 01:56 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-06-02 01:56 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:15 . 2009-06-02 01:56 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-06-02 01:56 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-06-02 01:56 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-11 04:14 . 2009-06-02 01:56 114688 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-04-11 04:14 . 2009-06-02 01:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-11 04:14 . 2009-06-02 01:56 225280 ----a-w- c:\windows\system32\drivers\rdbss.sys
2009-04-11 04:14 . 2009-06-02 01:56 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2009-04-11 04:14 . 2009-06-02 01:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-12-04 06:01 . 2007-12-04 05:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-04_15.41.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-03 22:37 . 2009-07-04 18:39 53004 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-07-04 18:39 65212 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:02 . 2009-07-04 15:14 65212 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-16 17:42 . 2009-07-04 18:39 18958 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2069415660-1087055719-4139926696-1001_UserData.bin
+ 2009-07-04 18:37 . 2009-07-04 18:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-04 15:12 . 2009-07-04 15:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-04 18:37 . 2009-07-04 18:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-04 15:12 . 2009-07-04 15:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-06 1830128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2007-07-11 569344]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 14:00 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:):9a,fd,1b,27,29,e3,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56FFB15E-1E77-4AAE-981C-75095A2AB5E0}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{3A018FB2-5076-40A8-B9A0-7C4304F7CE73}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{E9182748-2397-468C-B38F-642E0783A35E}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{5BAE9773-963F-41E9-BE7A-FB63333BFE58}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{DBF4A90C-78C4-4D64-A501-E0B7CC969385}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{1B69096B-DF59-45C8-A1AA-F785D389C24D}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{856C10EB-9555-4A30-9ED5-728E6C62E5A2}"= UDP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{FA8F42C0-19B4-4888-BDB4-63C18993D08C}"= TCP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{32CEE7D4-6965-483F-B562-ED42AA0F6BCD}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{E4683076-B2BB-47F3-A161-14A511D9F05B}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4DBFF1FE-4E79-4DBD-A74F-97699BAD182E}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FC0C3EC2-EA34-4075-BEAD-BFBAF11169A7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B3A9F37D-859C-4C32-90EC-79200150AB8C}"= UDP:c:\program files\Steam\steamapps\common\monster trucks nitro demo\MonsterTrucksNitro.exe:Monster Trucks Nitro Demo
"{E58A3978-CB87-42D2-914A-508133C70D78}"= TCP:c:\program files\Steam\steamapps\common\monster trucks nitro demo\MonsterTrucksNitro.exe:Monster Trucks Nitro Demo
"{D9CBBF69-9424-4E01-AA79-D12573C6E84C}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{E908430B-F2ED-463F-80C7-E5E2F003DF6C}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{EB46619A-28F9-4923-8C12-2D54357B8F7C}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{0EFB9834-DC42-447A-A4A3-8ECA984DA004}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{141BDA0F-5259-4A68-B2D7-1653F46990A0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{F04EE9C7-4A55-4C4E-B70E-BFEFDC2F27E4}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 16:03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 16:03 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 07:17 77824]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/06/2008 15:34 1153368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\amanda\AppData\Roaming\Mozilla\Firefox\Profiles\jgi178he.default\
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 19:46
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2069415660-1087055719-4139926696-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-04 19:47
ComboFix-quarantined-files.txt 2009-07-04 18:47
ComboFix2.txt 2009-07-04 15:43

Pre-Run: 166,273,310,720 bytes free
Post-Run: 166,168,956,928 bytes free

251 --- E O F --- 2009-07-02 17:56

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2009 - 05:07 PM

Hi nizzy,

That's a clean log. That leaves us with the cookie.

atdmt.com is a tracking cookie which isn't actually harmful. In this case, it appears that it is quite an aggressive file.

Atlas, the creators, seem to have an opt-out page. Try that here

As the cookie is a legit (if dubious) one this may affect page loading times on some sites.

Let me know how that goes. :thumbup2:
m0le is a proud member of UNITE

#12 nizzy

nizzy
  • Topic Starter
  • Members
  • 93 posts

Posted 04 July 2009 - 06:23 PM

Thanks for that, what about the dubious history in my reg in the screenie I posted?
I don't understand where those came from.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2009 - 07:02 PM

Hmm, yes, editing your registry is a bit rich from a legit source.

Click Start and then Run.

Paste this line into the box.

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\.atdmt.com" C:\export.reg

Paste the file contents (found in the file export.reg - if you can't find it search for the file name - in your C drive) into the next reply.

Let's see if there's something more to it. How has the opt-out been working out?
m0le is a proud member of UNITE

#14 nizzy

nizzy
  • Topic Starter
  • Members
  • 93 posts

Posted 05 July 2009 - 05:12 PM

The opt-out has not worked, the cookie is still appearing, and the "run" thing doesn't pull anything up; "run" just closes when I paste that line and press enter.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 July 2009 - 06:44 PM

and the "run" thing doesn't pull anything up, "run" just closes when I paste that line and click enter into it.


Have you looked for the log found here: C:\export.reg

As for this cookie problem, I researched possible solutions and this one stood out. I take no responsibility for this attempted fix.

From Tech Support Guy Forums

Man, this was a pesky one, but I finally got rid of the atdmt redirector. I tried all the spyware removers I could get and tried in safe mode with no results. I finally figured it out after a couple of days.

It lies in your hidden temp folder......you'd think that it would be in the cookies folder and could be cleaned out but it's not.

So here's the fix

Click Start and then Run. Type %temp%
A folder will show up and it will have many temp files in it.

Now you don't see the pesky file you're looking for right now.

Click on view > select all and push your delete button.

Now go to tools and then click on folder options. Go to the View tab and go down to the radio button "show hidden files and folders" and select it.

Now you should see a file that says altasdmt or something like that. I want you to highlight that file and delete it also.

Now go back and reverse the hidden file types stuff and you should be good to go.



To remove it from the registry we will try a registry edit.

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg. In the same Save As dialog, at the bottom, select (filetype = any).

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\.atdmt.com]

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

Then block the cookie with SpywareBlaster as stang mentioned in the other thread.
m0le is a proud member of UNITE
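Added example, not code from the thread or from any of its posters: a PowerShell script that does what posts #13 and #15 describe for the IE per-site privacy key (list the P3P\History entries, back the key up to a .reg file as the "reg export" step does, and remove only the .atdmt.com subkey as fixit.reg does), plus a non-destructive look in %temp% instead of the quoted "select all and delete". The backup path, the -Remove switch and the temp-file name filter are my assumptions.

```powershell
# Added example, not from the thread. Inspects, backs up and optionally removes
# the per-site cookie decision Internet Explorer keeps for .atdmt.com under
# HKCU\...\Internet Settings\P3P\History. Run as the affected user: HKCU is
# per-user, so the admin account's key is a different key.
param(
    [string]$Site = '.atdmt.com',   # domain from the thread
    [switch]$Remove                 # inspect only unless this is given (assumed switch)
)

$HistoryKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History'
$HistoryReg = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History'
$BackupFile = Join-Path $env:USERPROFILE 'Desktop\p3p-history-backup.reg'   # assumed location

function Get-P3PSiteDecision {
    # Returns every domain under P3P\History with the DWORD stored in its
    # (Default) value, which is the allow/block choice IE remembered for it.
    Get-ChildItem -LiteralPath $HistoryKey -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Site     = $_.PSChildName
                Decision = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            }
        }
}

$entries = Get-P3PSiteDecision
$entries | Format-Table -AutoSize

$target = $entries | Where-Object Site -eq $Site
if (-not $target) {
    Write-Host "No per-site decision for $Site under P3P\History."
    return
}

# Same idea as the thread's "reg export", but for the whole History key so the
# backup can be merged back if anything else needs restoring. /y overwrites.
reg.exe export $HistoryReg $BackupFile /y | Out-Null
Write-Host "Backup written to $BackupFile"

if ($Remove) {
    # Equivalent of the fixit.reg line "[-HKEY_CURRENT_USER\...\.atdmt.com]".
    Remove-Item -LiteralPath (Join-Path $HistoryKey $Site) -Recurse
    Write-Host "Removed $Site (decision value was $($target.Decision))."
}

# The quoted Tech Support Guy post deletes everything in %temp%; listing only
# files whose name mentions the domain (assumed filter) is the safer first check.
Get-ChildItem -LiteralPath $env:TEMP -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object Name -like '*atdmt*' |
    Select-Object FullName, Length, LastWriteTime
```

Without -Remove the script only lists and backs up, so it can be run first to confirm the entry exists before anything is deleted.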
