Search Redirect Virus


10 replies to this topic

#1 CavMac05
  • Members
  • 6 posts

Posted 04 July 2009 - 04:45 PM

Lately I've had a problem with using search engines like Google and Yahoo. After I make a search, I then click on a result and I get redirected to some random site or search engine that is most likely associated with malware. Some of these random sites include the following:

www.shopzilla.com/search
www.toseeka.com/search
www.shopica.com/search
aboutaustralia.net/result
metacompare.com/search
findpleasure.info
www.mrseeka.com/search44
aeroworld.de
nboak.net

After doing some research, I've realized that this is a common malware problem. I actually had this problem before, and a simple Malwarebytes quick scan cleared everything up. This hasn't worked at all this time. I've run scans on my computer with the following software and they haven't found anything: Ad-Aware, Symantec AntiVirus, Windows Defender, Malwarebytes' Anti-Malware, SUPERAntiSpyware Free Edition, and CCleaner. I also just used SDFix and it didn't find any trojans. I really don't want to have to reinstall Windows XP (Professional) because I just did it very recently. I'd love to know what could fix this problem, such as what registry entries are infected and what can be fixed.

Thanks in advance for any help you can offer.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Student at 17:02:30.93 on Sat 07/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.116 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com/
uSearch Bar =
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uCustomizeSearch =
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111505473406
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tds94tx5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginia.edu/
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tds94tx5.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-25 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-3 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-3-14 80384]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\naveng.sys [2009-6-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\navex15.sys [2009-6-25 876144]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-6-9 25728]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-6-9 9472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

=============== Created Last 30 ================

2009-07-04 16:05 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-07-04 15:56 <DIR> --d----- c:\windows\ERUNT
2009-07-04 15:46 <DIR> --d----- C:\SDFix
2009-07-01 17:03 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-30 02:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-30 01:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-30 01:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-29 23:59 <DIR> --d----- c:\program files\CCleaner
2009-06-25 19:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-25 18:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-25 18:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 18:15 <DIR> --d----- c:\program files\Lavasoft
2009-06-25 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-25 14:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-25 14:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-06-25 13:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-25 13:54 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 13:54 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-25 13:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 13:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-25 03:34 190 a------- C:\Shortcut to WD Passport (E).lnk
2009-06-23 18:25 <DIR> --d----- c:\program files\Project64 1.6
2009-06-19 13:27 <DIR> --d----- C:\adaptec
2009-06-18 19:26 45,056 a------- c:\windows\system32\Wnaspi32.dll
2009-06-18 19:26 16,877 a------- c:\windows\system32\drivers\Aspi32.sys
2009-06-18 19:26 4,455 a------- c:\windows\system\Winaspi.dll
2009-06-18 19:26 3,535 a------- c:\windows\system\Wowpost.exe
2009-06-18 18:11 <DIR> --d----- c:\docume~1\admini~1\applic~1\fltk.org
2009-06-17 22:06 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-17 22:04 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-12 00:51 <DIR> --d-h--- c:\windows\PIF
2009-06-10 18:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-06-10 18:35 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-10 18:35 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-06-10 18:28 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-10 18:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\DAEMON Tools Lite
2009-06-10 02:56 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:56 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 02:56 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 02:55 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-09 15:00 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2009-06-09 15:00 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-09 14:59 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-09 14:59 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-06-09 14:57 1,419,232 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-06-09 14:57 25,728 a------- c:\windows\system32\drivers\androidusb.sys
2009-06-09 14:57 9,472 a------- c:\windows\system32\drivers\pnetmdm.sys
2009-06-09 02:53 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-06-06 12:01 <DIR> --d----- c:\windows\system32\scripting
2009-06-06 12:01 <DIR> --d----- c:\windows\l2schemas
2009-06-06 12:01 <DIR> --d----- c:\windows\system32\en
2009-06-06 12:01 <DIR> --d----- c:\windows\system32\bits
2009-06-06 11:58 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-06 11:54 <DIR> --d----- c:\windows\network diagnostic
2009-06-06 11:42 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-06-06 11:35 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-06-06 11:31 <DIR> --d----- c:\windows\ie8updates
2009-06-06 11:31 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 11:28 <DIR> -cd-h--- c:\windows\ie8
2009-06-06 02:43 <DIR> --d-h--- c:\windows\system32\WLANProfiles
2009-06-06 02:43 <DIR> --d-h--- C:\Settings
2009-06-06 02:43 516 a------- C:\Settings.ini
2009-06-05 03:20 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2009-06-06 12:06 88,375 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-03 19:29 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-03 19:29 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-03 19:29 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-03 19:29 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll

============= FINISH: 17:04:36.92 ===============
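The DDS log above already contains the answer to the "what registry entries are infected" question. The line `mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,` shows a second executable appended to the Winlogon Userinit value, so sdra64.exe is started at every interactive logon before the shell. That is the persistence mechanism of the Zeus/Zbot banking trojan builds of that period, which also kept their configuration in a system+hidden directory named `lowsec` under system32; both artifacts appear in this log (`lowsec` shows up under "Created Last 30" with the `--dsh---` attributes). The script below is an added example for this page, not part of the thread and not a DDS, ComboFix or BleepingComputer tool; it checks a DDS-style log for exactly these two indicators. The sample text is a constructed excerpt of the log above, and the expected stock Userinit value (`c:\windows\system32\userinit.exe,` with its trailing comma) is the default for 32-bit Windows XP; the assumption is that no legitimate logon agent has been registered there.

```python
"""Flag two classic persistence indicators in a DDS-style log excerpt.

Added example for this thread; not a DDS or ComboFix component.
"""
import re

# Constructed excerpt modelled on the DDS log posted above (sample data).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

=============== Created Last 30 ================

2009-07-04 15:56 <DIR> --d----- c:\windows\ERUNT
2009-07-01 17:03 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-09 02:53 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-06-06 02:43 <DIR> --d-h--- c:\windows\system32\WLANProfiles
"""

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# on 32-bit Windows XP: one entry, normally written with a trailing comma.
# Assumption: no legitimate logon agent has been registered in this value.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(?P<value>.*)$", re.IGNORECASE)
# DDS "Created Last 30" directory lines: date time <DIR> attrs path, where
# attrs is an 8-character flag field such as --dsh--- (directory, system, hidden).
DIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+<DIR>\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)


def parse_userinit(value):
    """Split a comma-separated Userinit value into normalised entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def find_userinit_extras(log_text):
    """Return every Userinit entry that is not the stock userinit.exe."""
    extras = []
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line.strip())
        if m:
            extras += [e for e in parse_userinit(m.group("value"))
                       if e not in EXPECTED_USERINIT]
    return extras


def find_hidden_system32_dirs(log_text):
    """Return new directories under system32 flagged both system and hidden.

    IE8's own caches (IECompatCache, PrivacIE, IETldCache) are also
    system+hidden, but they live in the user profile, so the path filter
    keeps them out of the result.
    """
    hits = []
    for line in log_text.splitlines():
        m = DIR_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs").lower()
        path = m.group("path").strip().lower()
        if "s" in attrs and "h" in attrs and path.startswith(SYSTEM32):
            hits.append(path)
    return hits


def triage(log_text):
    """Summarise both indicator checks for one log."""
    return {
        "userinit_extras": find_userinit_extras(log_text),
        "hidden_system32_dirs": find_hidden_system32_dirs(log_text),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_DDS).items():
        print(f"{name}: {hits or 'none'}")
```

Run against the excerpt, `find_userinit_extras` returns only `c:\windows\system32\sdra64.exe` and `find_hidden_system32_dirs` returns only `c:\windows\system32\lowsec`. The same check on a live machine reads the `Userinit` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` directly; anything after the first comma that is not a known logon agent deserves the same scrutiny, because Userinit runs with the logging-on user's privileges at every session start and is not covered by the ordinary Run-key scans the first post lists.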

#2 Jintan
  • Malware Response Team
  • 531 posts

Posted 06 July 2009 - 09:51 PM

Hello CavMac05,

The system remains infected. Let's run a repair/scan then check after.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Ad eundum quo no duck ante iit

#3 CavMac05
  • Topic Starter
  • Members
  • 6 posts

Posted 07 July 2009 - 09:23 AM

Hi Jintan,

Thanks a lot for responding to my problem. Out of curiosity, how could ComboFix find the problems that all the other virus scans couldn't find? Here's the log:


ComboFix 09-07-06.03 - Student 07/07/2009 10:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.110 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\456out.com
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-971303533-2244319892-4214783452-500
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\SKYNETwegvnkth.sys
c:\windows\system32\SKYNETasnqelwb.dll
c:\windows\system32\SKYNETfuxindte.dll
c:\windows\system32\SKYNETwexgmkyx.dat
c:\windows\system32\SKYNETwmtnkfjp.dat
E:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETrdllrmeh


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 06:50 . 2009-07-06 06:50 -------- d-----w- c:\windows\Sun
2009-07-04 20:05 . 2009-07-04 20:05 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-07-04 19:56 . 2009-07-04 19:56 -------- d-----w- c:\windows\ERUNT
2009-07-04 19:46 . 2009-07-04 20:21 -------- d-----w- C:\SDFix
2009-07-02 21:39 . 2009-07-02 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-07-02 21:39 . 2009-03-09 15:34 971776 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-30 06:03 . 2009-06-30 21:27 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-30 06:01 . 2009-06-30 06:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-30 05:58 . 2009-06-30 05:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 05:58 . 2009-06-30 05:58 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 03:59 . 2009-06-30 03:59 -------- d-----w- c:\program files\CCleaner
2009-06-25 23:05 . 2009-06-25 22:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 22:23 . 2009-06-25 22:22 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 22:23 . 2009-07-02 22:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-25 22:23 . 2009-07-06 22:25 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-25 22:23 . 2009-06-25 22:23 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-25 22:23 . 2009-07-02 22:24 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-25 22:23 . 2009-07-02 22:24 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-25 22:23 . 2009-07-02 22:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-25 22:23 . 2009-07-02 22:24 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-25 22:23 . 2009-07-06 22:25 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-25 22:22 . 2009-07-02 22:24 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-25 22:22 . 2009-07-02 22:24 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-25 22:22 . 2009-06-25 22:22 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-25 22:22 . 2009-07-02 22:24 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-25 22:22 . 2009-07-02 22:24 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-25 22:22 . 2009-07-02 22:24 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-25 22:22 . 2009-07-02 22:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-25 22:22 . 2009-07-06 22:24 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-25 22:22 . 2009-07-02 22:23 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-25 22:22 . 2009-07-02 22:23 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-25 22:22 . 2009-07-02 22:23 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-25 22:16 . 2009-06-25 22:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 22:16 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-25 22:15 . 2009-06-25 22:15 -------- d-----w- c:\program files\Lavasoft
2009-06-25 22:15 . 2009-06-25 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-25 18:21 . 2009-06-25 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-25 18:21 . 2009-06-30 06:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 18:21 . 2009-06-30 06:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-25 17:55 . 2009-06-25 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-25 17:54 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 17:54 . 2009-06-25 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 17:54 . 2009-06-25 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 17:54 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-23 22:25 . 2009-06-23 22:25 8854 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-06-23 22:25 . 2009-06-23 22:25 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-06-23 22:25 . 2009-06-23 22:25 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-06-23 22:25 . 2009-06-23 22:26 -------- d-----w- c:\program files\Project64 1.6
2009-06-20 17:43 . 2009-06-20 17:43 -------- d-----w- c:\program files\7-Zip
2009-06-19 17:27 . 2009-06-19 17:27 -------- d-----w- C:\adaptec
2009-06-18 23:26 . 2002-07-17 20:22 3535 ----a-w- c:\windows\system\Wowpost.exe
2009-06-18 23:26 . 2002-07-17 20:22 4455 ----a-w- c:\windows\system\Winaspi.dll
2009-06-18 23:26 . 2002-07-17 13:20 45056 ----a-w- c:\windows\system32\Wnaspi32.dll
2009-06-18 23:26 . 2002-07-17 12:53 16877 ----a-w- c:\windows\system32\drivers\Aspi32.sys
2009-06-18 22:11 . 2009-06-18 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\fltk.org
2009-06-18 02:07 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-18 02:06 . 2009-06-18 02:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-18 02:04 . 2009-06-30 04:04 -------- d-----w- c:\windows\system32\LogFiles
2009-06-18 02:04 . 2009-06-18 02:05 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-17 05:50 . 2009-06-17 05:50 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-15 16:49 . 2009-06-15 16:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-06-15 06:16 . 2009-06-15 06:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-06-13 17:10 . 2009-06-13 17:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 04:51 . 2009-06-12 04:51 -------- d--h--w- c:\windows\PIF
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-10 22:28 . 2009-06-10 22:28 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-10 22:28 . 2009-06-10 22:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-06-10 06:56 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:56 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 06:56 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 06:55 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-10 05:34 . 2009-06-10 05:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2009-06-09 18:59 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-09 18:59 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-09 18:57 . 2008-10-20 03:00 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys
2009-06-09 18:57 . 2008-10-20 03:00 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-06-09 18:57 . 2006-09-28 19:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys
2009-06-09 06:53 . 2009-06-09 06:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 13:46 . 2009-06-03 23:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-30 05:58 . 2005-03-14 16:12 -------- d-----w- c:\program files\Java
2009-06-18 02:02 . 2005-03-22 15:37 -------- d-----w- c:\program files\Windows Media Connect
2009-06-17 20:59 . 2009-06-04 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-06-12 16:04 . 2009-06-04 06:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\IceChat
2009-06-09 19:00 . 2009-06-09 19:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2009-06-09 19:00 . 2009-06-09 19:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-06 16:30 . 2005-03-22 17:37 67480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 16:06 . 2004-08-11 23:14 88375 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-05 07:20 . 2009-06-05 07:20 -------- d-----w- c:\program files\MSXML 4.0
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\iTunes
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\iPod
2009-06-04 17:40 . 2009-06-04 17:37 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 17:40 . 2009-06-04 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\Bonjour
2009-06-04 17:39 . 2009-06-04 17:39 -------- d-----w- c:\program files\QuickTime
2009-06-04 17:38 . 2009-06-04 17:38 -------- d-----w- c:\program files\Apple Software Update
2009-06-04 17:37 . 2009-06-04 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-04 08:01 . 2009-06-04 06:15 -------- d-----w- c:\program files\IceChat7
2009-06-04 01:55 . 2005-03-22 21:47 -------- d-----w- c:\program files\Mulberry
2009-06-03 23:29 . 2009-06-03 23:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-03 23:29 . 2009-06-03 23:28 -------- d-----w- c:\program files\Symantec
2009-06-03 23:29 . 2009-06-03 23:29 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-03 23:29 . 2009-06-03 23:29 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-03 23:29 . 2009-06-03 23:29 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-03 23:29 . 2009-06-03 23:29 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-03 23:28 . 2005-03-22 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-03 23:06 . 2009-06-03 23:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-03 23:02 . 2009-06-03 23:02 -------- d-----w- c:\program files\MSECache
2009-05-30 16:50 . 2009-05-30 16:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 17:36 . 2009-06-04 17:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-06-04 17:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-13 05:15 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-11 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-11 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-14 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN(ISAKMP)
"62515:UDP"= 62515:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN
"38293:UDP"= 38293:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,199.111.0.0/255.255.0.0:Enabled:SymantecManagedAVUDP38293

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/25/2009 6:23 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2009 7:33 PM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/14/2005 11:43 AM 80384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2009 2:57 PM 25728]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [6/9/2009 2:57 PM 9472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginia.edu/
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-568527204-1085935450-1258443041-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,72,29,ad,0a,fc,a9,4a,98,1b,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,72,29,ad,0a,fc,a9,4a,98,1b,bf,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-07-07 10:14
ComboFix-quarantined-files.txt 2009-07-07 14:14

Pre-Run: 46,246,354,944 bytes free
Post-Run: 46,426,025,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

261 --- E O F --- 2009-06-22 15:31

#4 Jintan

  • Malware Response Team
  • 531 posts

Posted 07 July 2009 - 10:51 AM

The author of ComboFix is a highly skilled person who is also one of the leads in the field of malware analysis and removal, and he stays very active in the work that we do, which is quite a plus. But ComboFix is not to be considered a program to just run whenever problems occur, and should only be used when suggested in a guided repair setting, such as these forums.

Let's do more repairs then check after.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed its scan.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
Reglock::
[HKEY_USERS\S-1-5-21-568527204-1085935450-1258443041-500\Software\Microsoft\Internet Explorer\User Preferences]

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

--------

Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply. If it calls for a reboot to complete the repairs, do that as well.

----------

Post back that log and the C:\ComboFix.txt log please.
Ad eundum quo no duck ante iit
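
As an added example that is not part of this thread or of ComboFix itself: a small Python checker that reads the Registry:: and Reglock:: directives of a CFScript like the one above and verifies, against a later ComboFix log, that each entry was deleted, reset or unlocked. The log excerpts are constructed from the logs posted in this thread, and the section-parsing rules (banner lines, `[key]` headers, `"name"=value` lines) are assumptions about ComboFix's log layout.

```python
"""Check a ComboFix log to confirm a CFScript's Registry::/Reglock:: directives took effect.
Added example for this thread, not ComboFix code: the log excerpts below are constructed from
the logs posted above, and the parsing rules are assumptions about ComboFix's log layout."""
import re
from typing import Dict, List, Set, Tuple

BANNER_RE = re.compile(r"^(?:\(+|-+)\s*(.+?)\s*(?:\)+|-+)$")  # '(((( Title ))))' or '---- Title ----'
KEY_RE = re.compile(r"^\[(.+)\]\s*$")                         # [HKEY_...\Subkey]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                 # "Name"=value ('-' in a CFScript = delete)

def parse_log(log: str) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Return values under 'Reg Loading Points' (keyed by lower-cased key path) and the LOCKED keys."""
    loading: Dict[str, Dict[str, str]] = {}
    locked: Set[str] = set()
    section, key = "", None
    for line in log.splitlines():
        line = line.rstrip()
        if m := BANNER_RE.match(line):
            section, key = m.group(1), None          # every banner opens a new section
        elif m := KEY_RE.match(line):
            key = m.group(1).lower()
            if section == "LOCKED REGISTRY KEYS":
                locked.add(key)
            elif section == "Reg Loading Points":
                loading.setdefault(key, {})
        elif (m := VALUE_RE.match(line)) and key and section == "Reg Loading Points":
            loading[key][m.group(1)] = m.group(2).strip()
    return loading, locked

def parse_cfscript(script: str) -> List[Tuple[str, str, str, str]]:
    """Return (action, key, value name, expected value) for each Registry::/Reglock:: line."""
    wanted, block, key = [], None, None
    for line in script.splitlines():
        line = line.strip()
        if line.endswith("::"):
            block, key = line[:-2], None             # KillAll::, Registry::, Reglock:: ...
        elif m := KEY_RE.match(line):
            key = m.group(1).lower()
            if block == "Reglock":
                wanted.append(("unlock", key, "", ""))
        elif (m := VALUE_RE.match(line)) and block == "Registry" and key:
            name, val = m.group(1), m.group(2).strip()
            wanted.append(("delete" if val == "-" else "set", key, name, val))
    return wanted

def verify(script: str, log: str) -> Dict[str, bool]:
    """Map each directive to True when the given log shows it applied."""
    reg, locked = parse_log(log)
    results = {}
    for action, key, name, val in parse_cfscript(script):
        label = f"{action} {key}" + (f"\\{name}" if name else "")
        if action == "delete":
            results[label] = name not in reg.get(key, {})
        elif action == "set":
            # ComboFix hides "legit default entries", so a value reset to its default may
            # simply vanish from the log; accept either the expected value or absence.
            present = reg.get(key, {}).get(name)
            results[label] = present == val or present is None
        else:                                        # unlock: key no longer reported locked
            results[label] = key not in locked
    return results

# Constructed excerpt of the first log posted above (before the CFScript ran).
LOG_BEFORE = r"""
(((((((((((((((( Reg Loading Points ))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-568527204-1085935450-1258443041-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Constructed excerpt of the second log (after the CFScript ran): both values and the lock are gone.
LOG_AFTER = r"""
(((((((((((((((( Reg Loading Points ))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# The CFScript from the post above.
CFSCRIPT = r"""
KillAll::
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
Reglock::
[HKEY_USERS\S-1-5-21-568527204-1085935450-1258443041-500\Software\Microsoft\Internet Explorer\User Preferences]
"""

if __name__ == "__main__":
    for label, ok in verify(CFSCRIPT, LOG_AFTER).items():
        print(f"{'applied' if ok else 'NOT applied'}: {label}")
```

Run against the pre-script log every directive reports as not applied; against the post-script log all three report as applied, which is the check a helper does by eye when comparing the two logs.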

#5 CavMac05

  • Topic Starter
  • Members
  • 6 posts

Posted 08 July 2009 - 01:19 AM

It seems like my search redirect virus has gone away. My Google links for search results haven't produced any random search sites lately (since I used ComboFix). However, I admittedly forgot to log off the internet each time I used ComboFix. Why must I log off the internet while I run ComboFix?

Thanks again for your assistance!

Here's the second log for ComboFix:


ComboFix 09-07-07.A2 - Student 07/08/2009 1:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.318 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\456out.com
Command switches used :: c:\docume~1\ADMINI~1\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 00:39 . 2009-07-08 00:39 23204 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
2009-07-06 06:50 . 2009-07-06 06:50 -------- d-----w- c:\windows\Sun
2009-07-04 20:05 . 2009-07-04 20:05 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-07-04 19:56 . 2009-07-04 19:56 -------- d-----w- c:\windows\ERUNT
2009-07-04 19:46 . 2009-07-04 20:21 -------- d-----w- C:\SDFix
2009-07-02 21:39 . 2009-07-02 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-07-02 21:39 . 2009-03-09 15:34 971776 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-30 06:03 . 2009-06-30 21:27 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-30 06:01 . 2009-06-30 06:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-30 05:58 . 2009-06-30 05:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 05:58 . 2009-06-30 05:58 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 03:59 . 2009-06-30 03:59 -------- d-----w- c:\program files\CCleaner
2009-06-25 23:05 . 2009-06-25 22:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 22:23 . 2009-06-25 22:22 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 22:23 . 2009-07-02 22:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-25 22:23 . 2009-07-06 22:25 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-25 22:23 . 2009-06-25 22:23 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-25 22:23 . 2009-07-02 22:24 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-25 22:23 . 2009-07-02 22:24 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-25 22:23 . 2009-07-02 22:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-25 22:23 . 2009-07-02 22:24 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-25 22:23 . 2009-07-06 22:25 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-25 22:22 . 2009-07-02 22:24 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-25 22:22 . 2009-07-02 22:24 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-25 22:22 . 2009-06-25 22:22 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-25 22:22 . 2009-07-02 22:24 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-25 22:22 . 2009-07-02 22:24 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-25 22:22 . 2009-07-02 22:24 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-25 22:22 . 2009-07-02 22:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-25 22:22 . 2009-07-06 22:24 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-25 22:22 . 2009-07-02 22:23 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-25 22:22 . 2009-07-02 22:23 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-25 22:22 . 2009-07-02 22:23 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-25 22:16 . 2009-06-25 22:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 22:16 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-25 22:15 . 2009-06-25 22:15 -------- d-----w- c:\program files\Lavasoft
2009-06-25 22:15 . 2009-06-25 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-25 18:21 . 2009-06-25 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-25 18:21 . 2009-06-30 06:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 18:21 . 2009-06-30 06:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-25 17:55 . 2009-06-25 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-25 17:54 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 17:54 . 2009-06-25 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 17:54 . 2009-06-25 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 17:54 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-23 22:25 . 2009-06-23 22:25 8854 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-06-23 22:25 . 2009-06-23 22:25 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-06-23 22:25 . 2009-06-23 22:25 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-06-23 22:25 . 2009-06-23 22:26 -------- d-----w- c:\program files\Project64 1.6
2009-06-20 17:43 . 2009-06-20 17:43 -------- d-----w- c:\program files\7-Zip
2009-06-19 17:27 . 2009-06-19 17:27 -------- d-----w- C:\adaptec
2009-06-18 23:26 . 2002-07-17 20:22 3535 ----a-w- c:\windows\system\Wowpost.exe
2009-06-18 23:26 . 2002-07-17 20:22 4455 ----a-w- c:\windows\system\Winaspi.dll
2009-06-18 23:26 . 2002-07-17 13:20 45056 ----a-w- c:\windows\system32\Wnaspi32.dll
2009-06-18 23:26 . 2002-07-17 12:53 16877 ----a-w- c:\windows\system32\drivers\Aspi32.sys
2009-06-18 22:11 . 2009-06-18 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\fltk.org
2009-06-18 02:07 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-18 02:06 . 2009-06-18 02:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-18 02:04 . 2009-06-30 04:04 -------- d-----w- c:\windows\system32\LogFiles
2009-06-18 02:04 . 2009-06-18 02:05 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-17 05:50 . 2009-06-17 05:50 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-15 16:49 . 2009-06-15 16:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-06-15 06:16 . 2009-06-15 06:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-06-13 17:10 . 2009-06-13 17:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 04:51 . 2009-06-12 04:51 -------- d--h--w- c:\windows\PIF
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-10 22:35 . 2009-06-10 22:35 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-10 22:28 . 2009-06-10 22:28 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-10 22:28 . 2009-06-10 22:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-06-10 06:56 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:56 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 06:56 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 06:55 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-10 05:34 . 2009-06-10 05:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2009-06-09 18:59 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-09 18:59 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-09 18:57 . 2008-10-20 03:00 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys
2009-06-09 18:57 . 2008-10-20 03:00 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-06-09 18:57 . 2006-09-28 19:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys
2009-06-09 06:53 . 2009-06-09 06:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 13:46 . 2009-06-03 23:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-30 05:58 . 2005-03-14 16:12 -------- d-----w- c:\program files\Java
2009-06-18 02:02 . 2005-03-22 15:37 -------- d-----w- c:\program files\Windows Media Connect
2009-06-17 20:59 . 2009-06-04 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-06-12 16:04 . 2009-06-04 06:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\IceChat
2009-06-09 19:00 . 2009-06-09 19:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2009-06-09 19:00 . 2009-06-09 19:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-06 16:30 . 2005-03-22 17:37 67480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 16:06 . 2004-08-11 23:14 88375 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-05 07:20 . 2009-06-05 07:20 -------- d-----w- c:\program files\MSXML 4.0
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\iTunes
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\iPod
2009-06-04 17:40 . 2009-06-04 17:37 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 17:40 . 2009-06-04 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-04 17:40 . 2009-06-04 17:40 -------- d-----w- c:\program files\Bonjour
2009-06-04 17:39 . 2009-06-04 17:39 -------- d-----w- c:\program files\QuickTime
2009-06-04 17:38 . 2009-06-04 17:38 -------- d-----w- c:\program files\Apple Software Update
2009-06-04 17:37 . 2009-06-04 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-04 08:01 . 2009-06-04 06:15 -------- d-----w- c:\program files\IceChat7
2009-06-04 01:55 . 2005-03-22 21:47 -------- d-----w- c:\program files\Mulberry
2009-06-03 23:29 . 2009-06-03 23:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-03 23:29 . 2009-06-03 23:28 -------- d-----w- c:\program files\Symantec
2009-06-03 23:29 . 2009-06-03 23:29 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-03 23:29 . 2009-06-03 23:29 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-03 23:29 . 2009-06-03 23:29 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-03 23:29 . 2009-06-03 23:29 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-03 23:28 . 2005-03-22 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-03 23:06 . 2009-06-03 23:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-03 23:02 . 2009-06-03 23:02 -------- d-----w- c:\program files\MSECache
2009-05-30 16:50 . 2009-05-30 16:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 17:36 . 2009-06-04 17:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-06-04 17:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-13 05:15 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-11 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-11 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-07_14.12.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-08 05:42 . 2009-07-08 05:42 16384 c:\windows\temp\Perflib_Perfdata_314.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-14 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN(ISAKMP)
"62515:UDP"= 62515:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,198.32.44.0/255.255.255.0,198.32.48.0/255.255.255.0,199.111.0.0/255.255.0.0:Enabled:CiscoVPN
"38293:UDP"= 38293:UDP:128.143.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,192.35.0.0/255.255.0.0,199.111.0.0/255.255.0.0:Enabled:SymantecManagedAVUDP38293

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/25/2009 6:23 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2009 7:33 PM 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/14/2005 11:43 AM 80384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2009 2:57 PM 25728]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [6/9/2009 2:57 PM 9472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginia.edu/
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tds94tx5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 01:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-08 1:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 05:48
ComboFix2.txt 2009-07-07 14:14

Pre-Run: 46,409,310,208 bytes free
Post-Run: 46,386,462,720 bytes free

270 --- E O F --- 2009-06-22 15:31



Here's the Malwarebytes' Anti-Malware log:


Malwarebytes' Anti-Malware 1.38
Database version: 2390
Windows 5.1.2600 Service Pack 3

7/8/2009 1:58:46 AM
mbam-log-2009-07-08 (01-58-46).txt

Scan type: Quick Scan
Objects scanned: 91631
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 09 July 2009 - 06:50 AM

Looks very good now. Let's make some additional corrections then run an additional scan to make sure nothing got left behind.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Go to Start > Settings > Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

DAEMON Tools Toolbar - Adware, see here

Also uninstall these older and more vulnerable Java versions (but leave the latest, 6 Update 14):
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_03


Some of those may just be remnant listings by now, or in the case of Daemon, scans may have already removed the uninstall files. If so, just let me know in your next reply.

-------------------

Then go here and run the Kaspersky online scan, and post back the log it creates.

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.

When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.

Then locate that log and copy/paste those contents back here please.

The scan requires a good bit of database downloading and can take quite a while to complete.
Ad eundum quo no duck ante iit
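The post above asks the user to find the older Java runtimes in Add/Remove Programs and keep only the latest. As an added example that is not part of the thread, the PowerShell script below reads the same Add/Remove Programs registry keys, lists every registered Java runtime with its uninstall command, and flags all but the newest. It is read-only and removes nothing; the registry paths are the standard Uninstall keys (the Wow6432Node path only exists on 64-bit Windows), and the name match on "Java"/"J2SE" is an assumption about how Sun's installers label themselves.

```powershell
# Added example (not from the BleepingComputer thread): inventory the Java
# runtimes registered in Add/Remove Programs and flag the ones older than the
# newest installed release. Run from an elevated PowerShell prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 64-bit hosts only
)

function Get-InstalledJava {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |   # assumed label pattern
        ForEach-Object {
            # DisplayVersion is "1.6.0.140" style for newer JREs; older entries
            # such as "1.4.2_03" do not parse, so leave Version empty for them.
            $v = $null
            try { if ($_.DisplayVersion) { $v = [version]$_.DisplayVersion } } catch { }
            New-Object PSObject -Property @{
                DisplayName     = $_.DisplayName
                Version         = $v
                UninstallString = $_.UninstallString
                Key             = $_.PSChildName
            }
        }
}

# Newest first; entries whose version could not be parsed sort to the end.
$java = @(Get-InstalledJava | Sort-Object Version -Descending)
if ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered in Add/Remove Programs.'
    return
}

$latest = $java[0]
Write-Host "Keep (newest): $($latest.DisplayName) [$($latest.Version)]"
foreach ($j in ($java | Select-Object -Skip 1)) {
    Write-Host "Remove (older): $($j.DisplayName) [$($j.Version)]"
    Write-Host "    uninstall command: $($j.UninstallString)"
    Write-Host "    registry key:      $($j.Key)"
}
```

Printing the UninstallString rather than running it keeps the decision with the person doing the cleanup, which matches the post's instruction to uninstall through Add/Remove Programs; an entry that shows up here but has no working uninstaller is the "remnant listing" the post mentions.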

#7 CavMac05

CavMac05
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:09 AM

Posted 11 July 2009 - 12:43 AM

It seems like everything is back on the right track. Thanks a lot for your help!

Here's the log for the Kaspersky Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 02:39:28
Records in database: 2453139
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 77697
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:31:42

No malware has been detected. The scan area is clean.

The selected area was scanned.

#8 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 17 July 2009 - 03:30 PM

Ah shoot CavMac05, I absolutely wandered off on yours and one other thread here - truly not intentional. And yes, with that clean Kaspersky log things are (were) looking pretty good there. There are a few last steps we would do to wrap things up, so if you would post back how things are running now please.
Ad eundum quo no duck ante iit

#9 CavMac05

CavMac05
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:09 AM

Posted 19 July 2009 - 11:30 AM

That was ok. I haven't had any problems with my computer since. What would those last few steps be?

#10 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 20 July 2009 - 08:35 AM

Very good - just need to clean up what our work added there to wrap things up.


Installed software like Kaspersky, if you don't plan to use it again, uninstalls through Add/Remove Programs.


You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTM.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Click OTM.exe to run it and click on Cleanup. You'll be asked if you want to begin the cleanup process. Select Yes.

OTM will search for and delete/uninstall many of the tools that we have used to fix your problems and all their backup folders, and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step, resetting System Restore.

---------

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box, click Apply, then OK.


In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
Ad eundum quo no duck ante iit
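The "reset System Restore" step above (turn it off so the old restore points are discarded, then turn it back on) can also be done from a script. The following is an added example, not part of the thread, that lists the existing restore points, performs the off/on cycle with the System Restore cmdlets, and then takes a fresh restore point so the machine has a known-clean rollback target; that last step goes beyond the post. It assumes an elevated Windows PowerShell prompt on a client edition of Windows that ships these cmdlets, and that C: is the only drive System Restore protects (add others to $drives). The reboot the post places between the two steps is left to the reader.

```powershell
# Added example (not from the BleepingComputer thread): reset System Restore
# from PowerShell and record a clean baseline afterwards.
# Assumptions: elevated prompt; System Restore cmdlets available; C: only.

$drives = @('C:\')

function Show-RestorePoints {
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host "Restore points present: $($points.Count)"
    foreach ($p in $points) {
        # CreationTime is a WMI datetime string; the object carries a converter.
        $when = $p.ConvertToDateTime($p.CreationTime)
        Write-Host ("  #{0}  {1}  {2}" -f $p.SequenceNumber, $when, $p.Description)
    }
}

Write-Host 'Before reset:'
Show-RestorePoints

# Same effect as the "Turn off System Restore on all drives" checkbox in the
# post: existing restore points (which may hold copies of files the cleanup
# removed) are discarded. Turning it back on starts from an empty set.
Disable-ComputerRestore -Drive $drives
Enable-ComputerRestore  -Drive $drives

# Extra step beyond the post: now that the scans report the system clean,
# take a new restore point so there is a trustworthy point to roll back to.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

Write-Host 'After reset:'
Show-RestorePoints
```

Listing the restore points before and after makes it visible that the old ones are gone and only the new baseline remains; if the "before" list is already empty, System Restore was off during the infection and there was nothing to discard.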

#11 CavMac05

CavMac05
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:09 AM

Posted 22 July 2009 - 03:14 PM

Everything is in order. Thanks again for the help! :thumbup2:
