
Infected with Clicker.AAFT Win32.Delf.rtk Win32.Agent.atta


  • This topic is locked
15 replies to this topic

#1 Jim bob

Jim bob

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 11 July 2009 - 02:34 PM

According to AVG I'm infected with Clicker.AAFT which appears as c:\windows\fonts\services.exe. Task Manager always has at least 2 of these additional services.exe running.

I used to have Norton antivirus running but the virus broke it and I couldn't re-install it. I bought the Kaspersky Labs virus scanner but that too would not install. It looks like this virus has changed the "rights" of some objects. The only virus scanner that would install and work was AVG.

I tried to re-install service pack 3 thinking it would possibly overwrite some of the virus infected files but I got an "access denied" when I tried to start installing... ARRRRRRRGGGGHHHH!!!!

Any help would be much appreciated!

/Blair

Here's my DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Blair at 15:18:10.15 on 2009-07-11
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2127 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Blair\Local Settings\Temporary Internet Files\Content.IE5\SS3QE0DO\dds[1].scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uWindows: load=c:\windows\system32\mszpfbw.exe
uWindows: run=c:\windows\system32\mswya.exe
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [trueimagemonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [sunjavaupdatesched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [rthdcpl] RTHDCPL.EXE
mRun: [retroexpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [registrymechanic]
mRun: [quicktime task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [psqllauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [nvrotatesystray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [nvcpldaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mxobg] c:\documents and settings\blair\local settings\temp\{231f68f4-70e4-41a6-beda-7e7934169b54}\MXOALDR.EXE
mRun: [media codec update service] c:\program files\essentials codec pack\update.exe -silent
mRun: [maxtoronetouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [ituneshelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [isusscheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [isuspm startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [iomega automatic backup 1.0.1] c:\program files\iomega\iomega automatic backup\ibackup.exe
mRun: [intelzeroconfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [drag'n'drop_autolaunch] "c:\program files\iomega\iomega hotburn pro\Autolaunch.exe"
mRun: [ddwmon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [avg8_tray] c:\progra~1\avg\avg8\avgtray.exe
mRun: [apoint] c:\program files\apoint2k\Apoint.exe
mRun: [aniwzcs2service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [alcmtr] ALCMTR.EXE
mRun: [adobe reader speed launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [acronistimountermonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [acronis scheduler2 service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [00thotkey] c:\windows\system32\00THotkey.exe
mRun: [000stthk] 000StTHK.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mExplorerRun: [exec] c:\windows\system32\mswoiii.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: &Subscribe with ArchosLink - file://c:\program files\archos\archoslink\\script.js
IE: Add to WebSite-Watcher - c:\documents and settings\blair\application data\aignes\website-watcher\config\settings\wswie.htm
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {1f460357-8a94-4d71-9ca3-aa4acf32ed8e} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Family%20Feud%202/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/16.16/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168293675843
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172977841171
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://vpn.synersolutions.com/sslvpn.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: TosBtNP - TosBtNP.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau relog_ap
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-10 327688]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-10 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-10 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-10 298776]
R2 avp;avp;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-11-7 11113]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2008-6-20 36384]
S2 ccsetmgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S2 gupdate1c996faa23d5a50;Google Update Service (gupdate1c996faa23d5a50);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r101342\ATIXPGAA.SYS [2007-8-30 12032]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-1-8 87936]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-11-7 216459]
S3 MaplomL;MaplomL; [x]
S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [2004-8-12 2304]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\FortiSslvpnDaemon.exe [2009-4-13 510496]
S4 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]

=============== Created Last 30 ================

2009-07-11 01:57 19,569 a------- c:\windows\000007_.tmp
2009-07-11 01:09 7 a------- c:\windows\system32\comsa32.sys
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msrztpjc.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msobdvbt.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\mskprrli.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msjzk.exe
2009-07-10 23:52 19,569 a------- c:\windows\000006_.tmp
2009-07-10 23:36 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-10 23:33 <DIR> --d----- c:\program files\Safer Networking
2009-07-10 23:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-10 23:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-10 23:30 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-10 23:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-10 23:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-10 23:28 <DIR> --d----- C:\VundoFix Backups
2009-07-10 23:26 5,804 a------- c:\windows\system32\tmp.reg
2009-07-10 22:19 <DIR> --d----- C:\pstools
2009-07-10 22:11 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-07-10 22:11 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-07-10 22:10 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-07-10 22:10 26,640 a------- c:\windows\system32\drivers\klfltdev.sys
2009-07-10 22:09 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 22:09 <DIR> --d----- c:\program files\Kaspersky Lab
2009-07-10 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-07-10 21:08 <DIR> --d----- c:\program files\AVG
2009-07-10 21:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-10 20:55 155,136 a------- c:\windows\PEV.exe
2009-07-10 20:46 19,569 a------- c:\windows\000005_.tmp
2009-07-10 20:35 527 a------- C:\reset.cmd
2009-07-10 20:33 <DIR> --d----- c:\program files\Windows Resource Kits
2009-07-10 20:30 19,569 a------- c:\windows\000004_.tmp
2009-07-10 20:21 331,805,736 a------- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-07-10 16:56 10,752 a------- c:\windows\system32\smtpapi.dll
2009-07-10 16:56 9,728 a------- c:\windows\system32\rwnh.dll
2009-07-10 16:55 19,569 a------- c:\windows\000003_.tmp
2009-07-10 16:49 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-10 16:31 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 16:31 <DIR> --d----- c:\program files\Lavasoft
2009-07-10 16:18 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-10 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-10 16:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-10 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-07-10 13:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-10 10:20 49,118,664 a------- C:\NIS2007EN_1und1US.EXE
2009-07-10 02:01 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-09 23:10 <DIR> --d----- c:\program files\%windir%
2009-07-09 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\10515934
2009-07-06 20:12 102,400 a------- c:\windows\system32\drivers\52d06e74.sys
2009-07-06 09:41 <DIR> --d----- c:\docume~1\blair\applic~1\BlamGames
2009-07-04 17:52 <DIR> --d----- c:\docume~1\blair\applic~1\Enlightenus
2009-06-25 08:14 <DIR> --d----- c:\docume~1\blair\applic~1\Ludia
2009-06-25 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ludia
2009-06-25 08:10 <DIR> --d----- c:\program files\The Price is Right
2009-06-24 19:53 48,640 a------- C:\dse.exe
2009-06-22 21:42 47,800 a------- C:\art1.jpg
2009-06-21 17:20 23,767 a------- C:\green3.jpg
2009-06-21 17:19 16,019 a------- C:\green2.jpg
2009-06-21 17:16 17,864 a------- C:\green.jpg
2009-06-20 20:29 <DIR> --d----- C:\a
2009-06-14 14:47 94,518 a------- C:\delivery.jpg

==================== Find3M ====================

2009-07-11 15:18 4 ----h--- c:\windows\fonts\mlog
2009-05-10 19:28 34 a------- c:\documents and settings\blair\jagex_runescape_preferences.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-03-01 09:21 0 a------- c:\program files\temp01
2008-02-13 20:26 87,608 a------- c:\docume~1\blair\applic~1\inst.exe
2008-02-13 20:26 47,360 a------- c:\docume~1\blair\applic~1\pcouffin.sys
2007-12-26 23:36 22,328 a------- c:\docume~1\blair\applic~1\PnkBstrK.sys
2007-08-31 20:53 88 a--shr-- c:\windows\system32\12A1A5A2AC.sys
2007-07-14 23:40 80 a--shr-- c:\windows\system32\ACA2A5A112.dll
2007-08-31 20:53 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-07 00:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920090105\index.dat
2009-01-07 00:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat
2008-09-22 20:42 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-09-22 20:42 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-09-22 20:42 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:19:53.78 ===============
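Reading a DDS log like the one above by hand is slow, and the indicators that matter are easy to miss among a few hundred legitimate entries. The script below is an added example, not part of the original post and not a DDS or BleepingComputer tool: it parses the log format shown here and flags three of the things that stand out in this log, a Windows system-binary name (services.exe, svchost.exe) running from somewhere other than its home directory, non-empty Winlogon load=/run= values and Explorer Run entries, and clusters of hidden executables of identical size created in the same minute. The table of expected directories is an assumption for Windows XP, and the sample log is constructed from lines in the posted log plus the c:\windows\fonts\services.exe process the poster described in words.

```python
# Added example: parses the DDS log format posted above and flags three
# indicators visible in it.  The expected-directory table is an XP assumption.
import re
from collections import defaultdict

EXPECTED_HOME = {                     # genuine location, lower-cased
    "services.exe": r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# e.g. "2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msrztpjc.exe"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+(\S+)\s+(.+)$")

def split_sections(text):
    """Return {lower-cased section name: [non-blank lines]} for a DDS log."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def masquerading_processes(lines):
    """System-binary names running from a directory other than their home."""
    hits = []
    for line in lines:
        path = line.split(" -k ")[0].strip().lower()  # drop svchost group args
        if "\\" not in path:          # DDS prints bare names it could not resolve
            continue
        folder, _, name = path.rpartition("\\")
        if not name.endswith(".exe"):
            name += ".exe"            # the log omits ".exe" on one svchost entry
        home = EXPECTED_HOME.get(name)
        if home and folder != home:
            hits.append(path)
    return hits

def winlogon_autostarts(lines):
    """Non-empty Winlogon load=/run= values and Explorer Run entries."""
    hits = []
    for line in lines:
        key, _, value = line.partition(":")
        if key in ("uWindows", "mWindows"):
            if value.partition("=")[2].strip():
                hits.append(line.strip())
        elif key in ("uExplorerRun", "mExplorerRun"):
            hits.append(line.strip())
    return hits

def hidden_dropper_clusters(lines, min_count=2):
    """Hidden .exe files of identical size created in the same minute."""
    groups = defaultdict(list)
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m:                     # <DIR> rows do not match the size field
            continue
        minute, size, attrs, path = m.groups()
        if "h" in attrs and path.lower().endswith(".exe"):
            groups[(minute, size)].append(path)
    return [p for p in groups.values() if len(p) >= min_count]

def triage(text):
    s = split_sections(text)
    return {
        "masquerading": masquerading_processes(s["running processes"]),
        "winlogon": winlogon_autostarts(s["pseudo hjt report"]),
        "droppers": hidden_dropper_clusters(s["created last 30"]),
    }

# Constructed sample in the posted format: lines taken from the first log plus
# the c:\windows\fonts\services.exe process the poster described in words.
SAMPLE_LOG = r"""============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\fonts\services.exe
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uWindows: load=c:\windows\system32\mszpfbw.exe
uWindows: run=c:\windows\system32\mswya.exe
mExplorerRun: [exec] c:\windows\system32\mswoiii.exe
=============== Created Last 30 ================
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msrztpjc.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msobdvbt.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\mskprrli.exe
2009-07-10 23:56 128,000 a---h--- c:\windows\system32\msjzk.exe
2009-07-10 23:36 <DIR> --d-h--- C:\$AVG8.VAULT$
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

The output is a review list, not a verdict: the load=/run= and Explorer Run keys are legitimate autostart points that normal software almost never uses, and a services.exe outside system32 cannot be the real Service Control Manager, but each hit still needs confirming (file hash, digital signature, vendor) before anything is deleted. The same log also shows Kaspersky's own AppInit_DLLs entries, which look alarming in isolation and are not malicious, so a heuristic like this only tells you where to look first.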

#2 Jim bob

Jim bob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 11 July 2009 - 02:49 PM

I just noticed that I'm also infected with Virtumonde in
C:\WINDOWS\system32\sopidkc.exe

/Blair

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,499 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:00 PM

Posted 19 July 2009 - 08:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 Jim bob

Jim bob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 20 July 2009 - 04:07 PM

I think I got rid of most of my problems but I still think I have the Skynet trojan that redirects google search results in IE.

Here's my latest DDS logfile...


DDS (Ver_09-06-26.01) - NTFSx86
Run by Blair at 17:02:29.93 on 2009-07-20
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2189 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Blair\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [1&1 EasyLogin] c:\program files\1&1\1&1 easylogin\EasyLogin.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [trueimagemonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [rthdcpl] RTHDCPL.EXE
mRun: [psqllauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [nvrotatesystray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [ituneshelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ddwmon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [apoint] c:\program files\apoint2k\Apoint.exe
mRun: [alcmtr] ALCMTR.EXE
mRun: [adobe reader speed launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [acronistimountermonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [acronis scheduler2 service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [00thotkey] c:\windows\system32\00THotkey.exe
mRun: [000stthk] 000StTHK.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Family%20Feud%202/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/16.16/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168293675843
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172977841171
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://vpn.synersolutions.com/sslvpn.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: TosBtNP - TosBtNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau relog_ap
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-12 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-12 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-12 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-12 55640]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-11-7 11113]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2008-6-20 36384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S1 52d06e74;52d06e74;c:\windows\system32\drivers\52d06e74.sys --> c:\windows\system32\drivers\52d06e74.sys [?]
S2 gupdate1c996faa23d5a50;Google Update Service (gupdate1c996faa23d5a50);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r101342\ATIXPGAA.SYS [2007-8-30 12032]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-1-8 87936]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-11-7 216459]
S3 MaplomL;MaplomL; [x]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\FortiSslvpnDaemon.exe [2009-4-13 510496]

=============== Created Last 30 ================

2009-07-19 15:53 <DIR> --d----- c:\program files\Symantec
2009-07-19 15:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-18 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-18 23:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-18 23:21 <DIR> --d----- c:\docume~1\blair\applic~1\SUPERAntiSpyware.com
2009-07-14 22:42 <DIR> --dsh--- c:\documents and settings\blair\IECompatCache
2009-07-13 00:06 <DIR> --d----- c:\program files\SmartFTP Client 3.0 Setup Files
2009-07-12 22:46 <DIR> --d----- c:\docume~1\blair\applic~1\htmlapp
2009-07-12 22:46 <DIR> --d----- c:\program files\htmlapp
2009-07-12 16:34 <DIR> --d----- c:\program files\Avira
2009-07-12 16:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-12 11:55 <DIR> --d----- c:\docume~1\blair\applic~1\Malwarebytes
2009-07-12 11:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 11:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-10 23:33 <DIR> --d----- c:\program files\Safer Networking
2009-07-10 22:09 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 21:08 <DIR> --d----- c:\program files\AVG
2009-07-10 20:33 <DIR> --d----- c:\program files\Windows Resource Kits
2009-07-10 16:18 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-10 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-10 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-07-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-09 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\10515934
2009-07-06 09:41 <DIR> --d----- c:\docume~1\blair\applic~1\BlamGames
2009-07-04 17:52 <DIR> --d----- c:\docume~1\blair\applic~1\Enlightenus
2009-06-25 08:14 <DIR> --d----- c:\docume~1\blair\applic~1\Ludia
2009-06-25 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ludia
2009-06-25 08:10 <DIR> --d----- c:\program files\The Price is Right

==================== Find3M ====================

2007-08-31 20:53 88 a--shr-- c:\windows\system32\12A1A5A2AC.sys
2007-07-14 23:40 80 a--shr-- c:\windows\system32\ACA2A5A112.dll
2007-08-31 20:53 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-07 00:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920090105\index.dat
2009-01-07 00:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat

============= FINISH: 17:03:50.59 ===============


#5 myrti (Malware Study Hall Admin, 33,679 posts)

Posted 23 July 2009 - 08:54 AM

Hello and welcome to BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :)

In the upper right-hand corner of the topic you will see a button called Options. If you click on it, you can choose Track this topic from the drop-down menu. By doing this, then choosing Immediate E-Mail notification and clicking Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

If a topic is not replied to after 5 days, we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#6 Jim bob (Topic Starter)

Posted 23 July 2009 - 11:31 AM

I provided a new DDS logfile as instructed by Fireman4it on July 19th.

Blair

#7 myrti (Malware Study Hall Admin, 33,679 posts)

Posted 23 July 2009 - 11:36 AM

Hi,

Thanks, I just wanted to make sure you were still with us. :thumbup2:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Please also run gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Post back the 2 logs in your next reply. :)
If you are having any problems running these tools, please let me know,

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

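Once gmer.log has been saved as described above, the first things a helper reads out of it are the hooked kernel functions, which library GMER marks as hidden and in which processes, any hidden service, and the registry entries GMER dumps for that service. The script below is an added example, not part of this thread and not a GMER tool: it parses a constructed excerpt written in the GMER 1.0.15 log layout (the hjgrui* file and service names follow the log posted later in this thread; everything else is trimmed), collapses the per-ControlSet copies of the service keys, and follows the service's own `main\injector` and `modules` values to check that the DLL it is configured to inject is the same one GMER shows hidden inside running processes. All function names and the sample text are mine.

```python
"""Triage a saved GMER log (gmer.log). Added example: not this thread's code, not GMER's."""
import os
import re
from collections import defaultdict
# Constructed excerpt in GMER 1.0.15's layout; hjgrui* names follow the log in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8B27F1BB
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 4 Bytes JMP 8B3F1254

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [332] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1452] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruiypebyfsf.sys (*** hidden *** ) [SYSTEM] hjgruiqypdkwuq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
"""
SECTION = re.compile(r"^---- (.+?) - GMER")
KHOOK = re.compile(r"^\S+\s+(\S+?)!(\S+)\s+([0-9A-F]+)\s+(\d+) Bytes\s+(.+)$")
LIB = re.compile(r"^Library\s+(.+?)\s+\((.*?)\)\s+@\s+(.+?)\s+\[(\d+)\]\s+0x[0-9A-Fa-f]+$")
SVC = re.compile(r"^Service\s+(.+?)\s+\((.*?)\)\s+\[\w+\]\s+(\S+)(.*)$")
REG = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
# GMER lists each key under every ControlSetNNN and CurrentControlSet; strip that prefix so they collapse.
SVCKEY = re.compile(r"^HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(.+)$", re.I)

def win_basename(path):
    """Last component of a Windows path, regardless of the host OS."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]

def triage(text):
    """Parse a GMER log into kernel hooks, hidden libraries, hidden services and their config."""
    r = {"kernel_hooks": [], "hidden_libraries": defaultdict(list),
         "hidden_services": [], "service_config": defaultdict(dict)}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif section == "Kernel code sections" and (m := KHOOK.match(line)):
            mod, func, addr, n, target = m.groups()
            r["kernel_hooks"].append((f"{mod}!{func}", addr, int(n), target))
        elif section == "Processes" and (m := LIB.match(line)):
            lib, flags, proc, pid = m.groups()
            if "hidden" in flags:
                r["hidden_libraries"][lib].append((proc, int(pid)))
        elif section == "Services" and (m := SVC.match(line)):
            image, flags, name, note = m.groups()
            if "hidden" in flags:
                r["hidden_services"].append({"name": name, "image": image, "note": note.strip()})
        elif section == "Registry" and (m := REG.match(line)):
            k = SVCKEY.match(m.group(1))
            if k and "@" in k.group(1):  # value lines only; bare key lines carry no data
                keypath, value = k.group(1).split("@", 1)
                svc, _, sub = keypath.partition("\\")
                r["service_config"][svc][(sub, value)] = m.group(2) or ""
    return r

def resolve_injected_dll(report, service):
    """Follow main\\injector@* -> modules@<alias> to the DLL the hidden service injects."""
    cfg = report["service_config"].get(service, {})
    alias = cfg.get(("main\\injector", "*"))
    return cfg.get(("modules", alias)) if alias else None

def injected_dll_is_hidden(report, service):
    """True when that DLL is one GMER reports as a hidden library in running processes."""
    path = resolve_injected_dll(report, service)
    hidden = {win_basename(p).lower() for p in report["hidden_libraries"]}
    return bool(path) and win_basename(path).lower() in hidden

def shared_prefix(report):
    """Common prefix of the hidden artefacts' names; a lead for finding sibling files."""
    names = [win_basename(p).lower() for p in report["hidden_libraries"]]
    for s in report["hidden_services"]:
        names += [s["name"].lower(), win_basename(s["image"]).lower()]
    return os.path.commonprefix(names) if names else ""

def summarize(report):
    out = [f"kernel inline hooks: {[h[0] for h in report['kernel_hooks']]}"]
    for lib, procs in report["hidden_libraries"].items():
        out.append(f"hidden {win_basename(lib)} loaded in {len(procs)} processes")
    for s in report["hidden_services"]:
        out.append(f"hidden service {s['name']} ({s['image']}) injects "
                   f"{resolve_injected_dll(report, s['name'])}; "
                   f"that DLL is hidden in memory: {injected_dll_is_hidden(report, s['name'])}")
    out.append(f"shared artefact prefix: {shared_prefix(report)!r}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

To use it on a real report, call `triage(open("gmer.log", encoding="utf-8", errors="replace").read())`. The regular expressions are written for the 1.0.15 layout shown in this thread; other GMER versions may format lines differently, in which case unmatched lines are simply skipped rather than misread. The shared prefix is only a lead: it tells you what to search the file system and registry for next, not that every file with that prefix belongs to the infection.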

#8 Jim bob (Topic Starter)

Posted 23 July 2009 - 10:02 PM

Here are the two logs...

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

2009-07-23 08:30:09 PM
mbam-log-2009-07-23 (20-29-56).txt

Scan type: Quick Scan
Objects scanned: 114338
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (Trojan.TDSS) -> No action taken.



GMER.LOG

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-23 22:58:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x62 ? 8B609BF8
INT 0x63 ? 8B43CBF8
INT 0x73 ? 8B43CBF8
INT 0x74 ? 8B43CBF8
INT 0x82 ? 8B609BF8
INT 0x83 ? 8B43CBF8
INT 0x84 ? 8B43CBF8
INT 0x84 ? 8B43CBF8
INT 0x84 ? 8B43CBF8

Code 8B3F1250 ZwEnumerateKey
Code 8B3FB348 ZwFlushInstructionCache
Code 8B27F1B6 IofCallDriver
Code 8B42E516 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8B27F1BB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8B42E51B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8B3FB34C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 4 Bytes JMP 8B3F1254
? spbr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B94578AC 5 Bytes JMP 8B43C1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Apoint2K\Apntex.exe[540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[572] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\System32\svchost.exe[720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\ctfmon.exe[804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008E000A
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spbr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spbr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spbr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spbr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spbr.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spbr.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B6081F8
Device \FileSystem\Udfs \UdfsCdRom 8B287500
Device \FileSystem\Udfs \UdfsDisk 8B287500
Device \Driver\usbuhci \Device\USBPDO-0 8B43B1F8
Device \Driver\usbuhci \Device\USBPDO-1 8B43B1F8
Device \Driver\usbehci \Device\USBPDO-2 8B4301F8
Device \Driver\usbuhci \Device\USBPDO-3 8B43B1F8
Device \Driver\usbuhci \Device\USBPDO-4 8B43B1F8
Device \Driver\usbuhci \Device\USBPDO-5 8B43B1F8
Device \Driver\usbehci \Device\USBPDO-6 8B4301F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B59A1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8B2953A0
Device \Driver\NetBT \Device\NetbiosSmb 8B2953A0
Device \Driver\usbuhci \Device\USBFDO-0 8B43B1F8
Device \Driver\usbuhci \Device\USBFDO-1 8B43B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8B276500
Device \Driver\usbehci \Device\USBFDO-2 8B4301F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8B276500
Device \Driver\usbuhci \Device\USBFDO-3 8B43B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B6A7CD84-7F0A-4F5D-A771-CDBAF8A948F7} 8B2953A0
Device \Driver\usbuhci \Device\USBFDO-4 8B43B1F8
Device \Driver\Ftdisk \Device\FtControl 8B59A1F8
Device \Driver\usbuhci \Device\USBFDO-5 8B43B1F8
Device \Driver\usbehci \Device\USBFDO-6 8B4301F8
Device \FileSystem\Cdfs \Cdfs 8AF1C500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [332] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apntex.exe [540] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [572] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [676] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [720] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [804] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [824] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe [940] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [972] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1112] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\sched.exe [1176] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\avguard.exe [1188] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\HidFind.exe [1208] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [1220] 0x003F0000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [1240] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\msdtc.exe [1368] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1452] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1500] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1512] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\agrsmsvc.exe [1576] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [1612] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1700] 0x00EF0000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1764] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1796] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1844] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1888] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1904] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\imapi.exe [1984] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2132] 0x04CB0000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [2252] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2404] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\PSIService.exe [2416] 0x00820000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe [2480] 0x003D0000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.EXE [2488] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\locator.exe [2596] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [2644] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [2668] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2732] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2844] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe [2860] 0x003D0000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [2916] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\TODDSrv.exe [2992] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\vssvc.exe [3028] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apoint.exe [3168] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [3228] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Documents and Settings\Blair\Desktop\dtwl7bin.exe [3300] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Protector Suite QL\psqltray.exe [3364] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3440] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [3604] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\system32\00THotkey.exe [3612] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [3940] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [4060] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [4528] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [4804] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiccraohmf.dll (*** hidden *** ) @ C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe [5060] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruiypebyfsf.sys (*** hidden *** ) [SYSTEM] hjgruiqypdkwuq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\controlset002\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\ControlSet005\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\controlset006\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\controlset007\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\controlset008\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main@aid 10099
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main@sid 0
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main@cmddelay 14400
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main\connections
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main\delete
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main\injector
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\main\tasks
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules@hjgruilog.dat \systemroot\system32\hjgruiqborvlul.dat
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\controlset009\Services\hjgruiqypdkwuq\modules@hjgrui.dat \systemroot\system32\hjgruivdyybiai.dat
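
Added example, not part of this thread and not code from any of the tools used in it: a small Python script that parses registry lines in the format posted above (Reg HKLM\SYSTEM\<control set>\Services\<name>[\<subkey>][@<value> <data>]), groups them per service and control set, and flags what makes this key stand out from an ordinary driver service. The markers it looks for are the ones visible in the dump: type 1 / start 1 (a kernel driver loaded at system start), a main\injector subkey naming a DLL, a modules subkey mapping internal names to randomly named files under system32, the same random prefix on the service name and its files, and an identical copy in every control set, which is why booting Last Known Good Configuration would not get rid of it. The sample input is a constructed excerpt of the dump above (two control sets) plus one benign driver entry, mbamswissarmy, so there is something the script must not flag; the thresholds (at least two files, a four-character prefix) are this script's own assumptions, not anything from the thread.

```python
r"""Triage a GMER/RootRepeal-style registry dump of hidden service keys.

Added example, not from the thread. Input lines look like
    Reg HKLM\SYSTEM\<ControlSet>\Services\<name>[\<subkey>][@<value> <data>]
"""
import re
import sys
from collections import defaultdict
from os.path import commonprefix

SERVICE_KERNEL_DRIVER = "1"  # @type 1
SERVICE_SYSTEM_START = "1"   # @start 1: loaded by the kernel, before winlogon

# Constructed sample: an excerpt of the dump posted above (two control sets)
# plus one benign driver entry (mbamswissarmy) that must not be flagged.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiqypdkwuq\modules@hjgruiwsp.dll \systemroot\system32\hjgruiccraohmf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq@imagepath \systemroot\system32\drivers\hjgruiypebyfsf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruiqypdkwuq\modules@hjgruicmd.dll \systemroot\system32\hjgruiavktkhee.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamswissarmy@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamswissarmy@start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamswissarmy@imagepath \??\c:\windows\system32\drivers\mbamswissarmy.sys
"""

LINE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cset>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\(?P<sub>[^@\s]+))?"                # optional subkey, e.g. main\injector
    r"(?:@(?P<val>\S+)(?:\s+(?P<data>.*))?)?$"
)


def parse_reg_dump(text):
    """Return {service: {control_set: {"sub@value": data, ...}}} (names lowercased)."""
    services = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Services-hive Reg line; ignored
        entry = services[m["svc"].lower()][m["cset"]]  # bare key lines still register the service
        if m["val"] is not None:
            key = f"{m['sub']}@{m['val']}" if m["sub"] else m["val"]
            entry[key.lower()] = (m["data"] or "").strip()
    return services


def referenced_files(values):
    """On-disk files a service points at: its ImagePath plus every modules@ entry."""
    files = {d.lower() for k, d in values.items()
             if d and (k == "imagepath" or k.startswith("modules@"))}
    return sorted(files)


def assess(services, min_prefix=4):
    """Return {service: {"control_sets", "reasons", "files"}} for services that
    carry at least one structural marker (injector table, modules table, or a
    shared random prefix); start type and control-set spread are supporting only."""
    all_csets = {c for per_cset in services.values() for c in per_cset}
    findings = {}
    for svc, per_cset in services.items():
        merged = {}                      # the same config is written to each control set
        for values in per_cset.values():
            merged.update(values)
        files = referenced_files(merged)
        prefix = commonprefix([svc] + [f.rsplit("\\", 1)[-1] for f in files])
        structural, supporting = [], []
        if any(k.startswith("main\\injector@") for k in merged):
            structural.append("main\\injector subkey: user-mode DLL injection config")
        if any(k.startswith("modules@") for k in merged):
            structural.append("modules subkey: table of randomly named payload files")
        if len(files) >= 2 and len(prefix) >= min_prefix:
            structural.append(f"service and {len(files)} files share prefix '{prefix}'")
        if merged.get("type") == SERVICE_KERNEL_DRIVER and merged.get("start") == SERVICE_SYSTEM_START:
            supporting.append("kernel driver loaded at system start")
        if len(all_csets) > 1 and set(per_cset) == all_csets:
            supporting.append(f"identical in all {len(all_csets)} control sets; Last Known Good would keep it")
        if structural:
            findings[svc] = {"control_sets": sorted(per_cset),
                             "reasons": structural + supporting, "files": files}
    return findings


if __name__ == "__main__":
    # Usage: python triage.py saved_gmer_log.txt   (no argument: the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for svc, hit in assess(parse_reg_dump(text)).items():
        print(f"[!] {svc}  control sets: {', '.join(hit['control_sets'])}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
        for path in hit["files"]:
            print(f"    file: {path}")
```

The file list the script prints is the set of components a removal tool has to take out together; if any of them is still on disk after cleanup, the driver service can be re-created on the next boot. The control-set check is the part that explains why the usual rollback tricks do not help here: the same key exists in every ControlSet00N, so switching to another one just loads the same driver.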

#9 myrti

Posted 24 July 2009 - 01:45 AM

Hi,

you do indeed still have the active rootkit on your system.

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • rename it to fun.exe
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#10 Jim bob

Posted 24 July 2009 - 08:17 PM

Here's the combofix log file....

ComboFix 09-07-23.04 - Blair 2009-07-24 20:48.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2658 [GMT -4:00]
Running from: c:\documents and settings\Blair\Desktop\fun.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Blair\Application Data\inst.exe
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\Installer\1f08f2.msi
c:\windows\Installer\c56d3.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\hjgruiypebyfsf.sys
c:\windows\system32\hjgruiavktkhee.dll
c:\windows\system32\hjgruiccraohmf.dll
c:\windows\system32\hjgruiqborvlul.dat
c:\windows\system32\hjgruivdyybiai.dat
c:\windows\system32\m1
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiqypdkwuq
-------\Legacy_6to4
-------\Legacy_pcmstub
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-24 21:01 . 2009-07-24 21:01 -------- d-----w- c:\program files\Midnight Mysteries - The Edgar Allan Poe Conspiracy
2009-07-24 03:42 . 2009-07-25 00:45 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-24 03:42 . 2009-07-25 00:45 1247264 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-24 03:37 . 2009-07-25 00:33 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-24 03:37 . 2009-07-25 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-24 00:22 . 2009-07-24 00:22 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-23 12:02 . 2009-07-23 12:02 -------- d-----w- c:\documents and settings\Blair\Application Data\Wireshark
2009-07-23 03:58 . 2009-07-23 03:59 -------- d-----w- c:\program files\WinPcap
2009-07-23 03:58 . 2009-07-23 03:59 -------- d-----w- c:\program files\Wireshark
2009-07-19 19:53 . 2009-07-19 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-19 03:22 . 2009-07-24 04:42 117760 ----a-w- c:\documents and settings\Blair\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\documents and settings\Blair\Application Data\SUPERAntiSpyware.com
2009-07-17 22:21 . 2009-07-17 22:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-07-15 02:42 . 2009-07-15 02:42 -------- d-sh--w- c:\documents and settings\Blair\IECompatCache
2009-07-15 02:37 . 2009-07-15 02:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-15 02:30 . 2009-07-15 02:32 -------- dc-h--w- c:\windows\ie8
2009-07-14 22:17 . 2008-04-14 10:42 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-14 22:17 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-14 22:17 . 2008-04-14 10:42 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-07-14 22:17 . 2001-08-18 03:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-07-14 22:17 . 2001-08-18 03:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-07-14 22:17 . 2001-08-18 03:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2009-07-14 22:15 . 2008-04-14 03:04 33599 ----a-w- c:\windows\system32\dllcache\watv04nt.sys
2009-07-14 22:14 . 2001-08-17 18:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2009-07-14 22:13 . 2001-08-17 19:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2009-07-14 22:12 . 2001-08-17 18:52 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2009-07-14 22:11 . 2008-04-14 00:12 46592 ----a-w- c:\windows\system32\dllcache\sspifilt.dll
2009-07-14 22:10 . 2008-04-14 05:06 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2009-07-14 22:09 . 2001-08-17 17:51 98080 ----a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2009-07-14 22:08 . 2001-08-18 03:36 62496 ----a-w- c:\windows\system32\dllcache\s3mtrio.dll
2009-07-14 22:07 . 2001-08-18 03:36 41472 ----a-w- c:\windows\system32\dllcache\qvusd.dll
2009-07-14 22:06 . 2001-08-17 19:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2009-07-14 22:05 . 2001-08-17 19:05 351616 ----a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-07-14 22:04 . 2008-04-14 03:05 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-07-14 22:03 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2009-07-14 22:02 . 2001-08-17 17:12 164586 ----a-w- c:\windows\system32\dllcache\mdgndis5.sys
2009-07-14 22:01 . 2004-08-04 12:00 6144 ----a-w- c:\windows\system32\dllcache\kbdth3.dll
2009-07-14 22:00 . 2008-04-14 00:09 716856 ----a-w- c:\windows\system32\dllcache\imjpcus.dll
2009-07-14 21:59 . 2008-04-14 00:09 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2009-07-14 21:58 . 2001-08-18 03:36 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2009-07-14 21:57 . 2001-08-17 17:15 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-07-14 21:56 . 2001-08-18 03:36 61952 ----a-w- c:\windows\system32\dllcache\eqnloop.exe
2009-07-14 21:55 . 2001-08-18 03:36 236060 ----a-w- c:\windows\system32\dllcache\ditrace.exe
2009-07-14 21:54 . 2001-08-17 17:13 21533 ----a-w- c:\windows\system32\dllcache\cpqndis5.sys
2009-07-14 21:53 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-07-14 21:52 . 2007-04-02 18:26 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2009-07-14 21:51 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\author.exe
2009-07-14 21:51 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\author.dll
2009-07-14 21:51 . 2008-04-14 00:11 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2009-07-14 21:51 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\admin.exe
2009-07-14 21:51 . 2008-04-14 00:11 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2009-07-14 21:51 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\admin.dll
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\program files\MSBuild
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\program files\Reference Assemblies
2009-07-14 05:09 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-14 05:09 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-14 05:09 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-14 05:09 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-14 05:09 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-14 05:09 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-14 05:09 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-14 05:08 . 2009-07-14 05:16 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-13 04:06 . 2009-07-13 04:06 -------- d-----w- c:\program files\SmartFTP Client 3.0 Setup Files
2009-07-13 03:22 . 2009-07-13 03:21 6216032 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2009-07-13 02:46 . 2009-07-13 02:46 -------- d-----w- c:\documents and settings\Blair\Application Data\htmlapp
2009-07-13 02:46 . 2009-07-13 02:46 -------- d-----w- c:\program files\htmlapp
2009-07-13 02:24 . 2009-07-13 02:24 2189 ----a-w- C:\updatesfix.cmd
2009-07-12 20:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-12 20:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-12 20:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-12 20:34 . 2009-07-12 20:34 -------- d-----w- c:\program files\Avira
2009-07-12 20:34 . 2009-07-12 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-12 18:00 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-12 15:55 . 2009-07-12 15:55 -------- d-----w- c:\documents and settings\Blair\Application Data\Malwarebytes
2009-07-12 15:55 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 15:55 . 2009-07-24 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 15:55 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 15:55 . 2009-07-12 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 03:33 . 2009-07-11 03:33 -------- d-----w- c:\program files\Safer Networking
2009-07-11 03:28 . 2009-07-11 03:28 -------- d-----w- C:\VundoFix Backups
2009-07-11 02:19 . 2009-07-11 03:20 -------- d-----w- C:\pstools
2009-07-11 02:09 . 2009-07-11 02:09 -------- d-----w- c:\program files\Trend Micro
2009-07-11 01:08 . 2009-07-11 01:08 -------- d-----w- c:\program files\AVG
2009-07-11 01:05 . 2009-07-11 01:05 -------- d-----w- c:\documents and settings\admin\Application Data\1&1
2009-07-11 01:01 . 2009-07-11 15:44 20248 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 00:33 . 2009-07-11 00:33 -------- d-----w- c:\program files\Windows Resource Kits
2009-07-11 00:25 . 2009-07-11 00:25 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Google
2009-07-10 20:56 . 2008-04-14 09:42 189440 -c--a-w- c:\windows\system32\dllcache\smtpadm.dll
2009-07-10 20:56 . 2008-04-14 09:42 10752 -c--a-w- c:\windows\system32\dllcache\smtpapi.dll
2009-07-10 20:56 . 2008-04-14 09:42 10752 ----a-w- c:\windows\system32\smtpapi.dll
2009-07-10 20:56 . 2008-04-14 09:42 9728 -c--a-w- c:\windows\system32\dllcache\rwnh.dll
2009-07-10 20:56 . 2008-04-14 09:42 9728 ----a-w- c:\windows\system32\rwnh.dll
2009-07-10 20:56 . 2008-04-14 09:42 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2009-07-10 20:49 . 2009-07-10 20:49 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-10 20:31 . 2009-07-13 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 20:18 . 2009-07-11 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-10 20:18 . 2009-07-11 02:08 -------- d-----w- c:\program files\Spyware Doctor
2009-07-10 20:05 . 2009-07-10 20:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-10 20:05 . 2009-07-10 20:05 152576 ----a-w- c:\documents and settings\Blair\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 18:31 . 2009-07-10 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-07-10 14:43 . 2009-07-10 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-10 14:20 . 2009-07-10 14:22 49118664 ----a-w- C:\NIS2007EN_1und1US.EXE
2009-07-10 06:01 . 2009-07-10 06:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-10 03:09 . 2009-07-10 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\10515934
2009-07-07 00:10 . 2009-07-07 00:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-06 13:41 . 2009-07-06 13:41 -------- d-----w- c:\documents and settings\Blair\Application Data\BlamGames
2009-07-04 21:52 . 2009-07-04 21:52 -------- d-----w- c:\documents and settings\Blair\Application Data\Enlightenus
2009-06-25 12:14 . 2009-06-25 12:14 -------- d-----w- c:\documents and settings\Blair\Application Data\Ludia
2009-06-25 12:14 . 2009-06-25 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Ludia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 00:45 . 2009-07-24 03:42 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-25 00:45 . 2009-07-24 03:42 17780 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-25 00:34 . 2007-05-12 01:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-24 20:52 . 2007-05-27 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-23 02:16 . 2009-01-03 20:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-23 02:16 . 2007-05-20 16:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-19 03:21 . 2007-01-11 04:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 23:26 . 2007-01-18 02:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 22:53 . 2007-01-18 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-14 05:16 . 2007-01-16 06:13 20248 ----a-w- c:\documents and settings\Blair\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 04:07 . 2007-03-06 18:01 -------- d-----w- c:\program files\SmartFTP Client 2.0
2009-07-11 20:17 . 2008-10-18 17:47 -------- d-----w- c:\program files\Apoint2K
2009-07-11 19:08 . 2007-01-08 22:09 -------- d-----w- c:\program files\Google
2009-07-11 04:00 . 2008-04-03 02:37 -------- d-----w- c:\program files\Windows Live
2009-07-11 00:22 . 2009-07-11 00:21 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-07-10 20:05 . 2007-01-08 22:41 -------- d-----w- c:\program files\Java
2009-07-10 18:22 . 2009-04-25 15:30 -------- d-----w- c:\program files\RealArcade
2009-07-10 18:20 . 2009-05-15 01:27 -------- d-----w- c:\program files\Family Feud
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-24 01:12 . 2008-01-05 00:01 -------- d-----w- c:\program files\PowerArchiver
2009-06-24 01:11 . 2007-02-04 22:39 -------- d-----w- c:\documents and settings\Blair\Application Data\dvdcss
2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 23:45 . 2009-06-02 23:45 390664 ----a-w- c:\documents and settings\Blair\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-01 00:57 . 2009-06-01 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games
2009-05-31 23:50 . 2007-05-12 01:38 -------- d-----w- c:\program files\bfgclient
2009-05-30 01:42 . 2007-07-14 18:30 -------- d-----w- c:\documents and settings\Blair\Application Data\NewsLeecher
2009-05-30 01:39 . 2007-07-14 18:29 -------- d-----w- c:\program files\NewsLeecher
2009-05-27 00:27 . 2009-05-27 00:27 -------- d-----w- c:\documents and settings\Blair\Application Data\SecondLife
2009-05-19 22:10 . 2009-05-19 22:10 143864 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\midnight-mysteries-edgar-allan-poe-conspiracy_s1_l1_gF5126T1L1_d588584529[1].exe
2009-05-13 05:15 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 23:28 . 2008-08-27 14:33 34 ----a-w- c:\documents and settings\Blair\jagex_runescape_preferences.dat
2009-05-07 15:32 . 2004-08-12 13:21 345600 ----a-w- c:\windows\system32\localspl.dll
2008-03-01 13:21 . 2008-03-01 13:21 0 ----a-w- c:\program files\temp01
2007-09-01 15:29 . 2007-09-01 15:29 24 --sha-w- c:\windows\S6EC61B6B.tmp
2007-09-01 00:53 . 2007-07-14 21:08 88 --sha-r- c:\windows\system32\12A1A5A2AC.sys
2007-07-15 03:40 . 2007-07-15 03:39 80 --sha-r- c:\windows\system32\ACA2A5A112.dll
2007-09-01 00:53 . 2007-07-14 21:08 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 21:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 21:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-03-19 2200064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"trueimagemonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2008-09-26 1285400]
"psqllauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"nvrotatesystray"="c:\windows\system32\nvsysrot.dll" [2007-07-21 49152]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ddwmon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-13 311296]
"apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"acronistimountermonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2008-09-26 884696]
"acronis scheduler2 service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-09-26 140568]
"00thotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-11 122368]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-21 8433664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"rthdcpl"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"000stthk"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 20:50 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-21 23:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1\1&1 EasyLogin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Acronis\\TrueImageEchoWorkstation\\TrueImage.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-03-09 6528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-06-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-06-23 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-07-12 108289]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-03-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-02-19 134016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-11-07 11113]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2008-06-20 36384]
S1 52d06e74;52d06e74;c:\windows\system32\drivers\52d06e74.sys --> c:\windows\system32\drivers\52d06e74.sys [?]
S2 gupdate1c996faa23d5a50;Google Update Service (gupdate1c996faa23d5a50);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 133104]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\R101342\ATIXPGAA.SYS [2007-08-30 12032]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-01-08 87936]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-11-07 216459]
S3 MaplomL;MaplomL; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\FortiSslvpnDaemon.exe [2009-04-13 510496]

--- Other Services/Drivers In Memory ---

*Deregistered* - Udfs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 03:39]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 03:39]

2009-07-24 c:\windows\Tasks\User_Feed_Synchronization-{1CA66850-13A6-418E-BB6F-8F9F18DC1EC6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://vpn.synersolutions.com/sslvpn.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-220523388-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6f,c0,c7,d3,f0,2e,f7,da,64,b2,ed,c0,c3,69,f6,0b,4a,4d,1c,19,07,
32,66,18,67,87,c4,5a,ef,a5,a7,2d,95,3d,cd,07,9c,24,12,c4,e7,8f,63,a8,67,58,\
"rkeysecu"=hex:a5,fc,d4,e1,6b,6c,7f,32,bf,d6,4c,ed,71,5c,26,5a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1600)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(1656)
c:\windows\system32\relog_ap.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client 2.0\en-US\sfShellTools.dll.mui
c:\program files\Protector Suite QL\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\imapi.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\PSIService.exe
c:\windows\system32\locator.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\Apoint2K\hidfind.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-25 21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-25 01:12

Pre-Run: 32,728,694,784 bytes free
Post-Run: 33,016,483,840 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6,7,8,9
401 --- E O F --- 2009-07-22 07:00

#11 myrti

  • Sillyberry
  • Malware Study Hall Admin
  • 33,679 posts
  • Gender:Female
  • Location:At home
  • Local time:04:00 AM

Posted 25 July 2009 - 04:04 AM

Hi,

well that doesn't look too bad. :thumbup2: How is your PC doing now?

There are a couple of things left to do, please run ComboFix again:
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\52d06e74.sys
Folder::
c:\documents and settings\All Users\Application Data\10515934
Driver::
52d06e74
MaplomL


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


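The two services named in this script are exactly the ones the earlier log marks as "[?]" (image present but unreadable) and "[x]" (no file on disk). The triage helper below, an added example that is neither ComboFix code nor the helper's own tool, parses those R*/S* lines with the same checks, plus a heuristic for random 8-hex-digit driver names, and renders the File::/Driver:: layout used above; the sample lines are copied from the log posted earlier in this thread.

```python
import re
from typing import Dict, List

# Five driver/service lines taken from the ComboFix log posted earlier in this
# thread (three legitimate ones for contrast). Everything below is an added
# example, not part of ComboFix.
SAMPLE_LOG = """\
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\\windows\\system32\\drivers\\Thpevm.sys [2007-03-09 6528]
R1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\sasdifsv.sys [2009-06-23 9968]
S1 52d06e74;52d06e74;c:\\windows\\system32\\drivers\\52d06e74.sys --> c:\\windows\\system32\\drivers\\52d06e74.sys [?]
S3 MaplomL;MaplomL; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [2008-12-23 50704]
"""

# One ComboFix driver/service line: "<Start> <Name>;<DisplayName>;<ImagePath> [<info>]".
# <info> is normally "<date> <size>"; "[?]" means the image could not be read,
# "[x]" means the service points to no file at all.
LINE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

# Heuristic (an assumption of this example, not a ComboFix rule): a bare
# 8-hex-digit service name such as 52d06e74 is typical of a dropped driver,
# since vendors name their drivers.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per R*/S* line; lines that do not match are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, path, info = m.groups()
        # "old --> new" marks a redirected/unreadable image; keep the first path
        path = path.split(" --> ")[0].strip()
        entries.append({"start": start, "name": name, "display": display,
                        "path": path, "info": info})
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Apply the checks a log reader applies by eye; empty list means benign."""
    reasons = []
    if entry["info"] == "x":
        reasons.append("service has no file on disk")
    elif entry["info"] == "?":
        reasons.append("image file exists but could not be read (possible stealth)")
    if RANDOM_HEX_NAME.match(entry["name"]):
        reasons.append("random hexadecimal driver name")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries with at least one reason, in log order."""
    findings = []
    for entry in parse_entries(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def build_cfscript(findings: List[Dict[str, object]]) -> str:
    """Render the layout used in the post above: File:: for any image path
    still on disk, Driver:: for every flagged service name."""
    files = [f["path"] for f in findings if f["path"]]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    lines.append("Driver::")
    lines.extend(f["name"] for f in findings)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['start']} {f['name']}: {'; '.join(f['reasons'])}")
    print(build_cfscript(found))
```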

#12 Jim bob

  • Topic Starter
  • Members
  • 8 posts
  • Local time:11:00 PM

Posted 25 July 2009 - 01:16 PM

PC is doing a lot better now! :thumbup2: Thanks to your help.

Here's the latest ComboFix log... Do things look clean?

ComboFix 09-07-24.01 - Blair 07/25/2009 12:29.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2060 [GMT -4:00]
Running from: c:\documents and settings\Blair\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Blair\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\52d06e74.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10515934
c:\documents and settings\All Users\Application Data\10515934\10515934

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_52d06e74
-------\Service_MaplomL


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 01:18 . 2009-07-25 01:32 -------- d-s---w- C:\fun
2009-07-24 21:01 . 2009-07-24 21:01 -------- d-----w- c:\program files\Midnight Mysteries - The Edgar Allan Poe Conspiracy
2009-07-24 03:42 . 2009-07-25 00:45 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-24 03:42 . 2009-07-25 00:45 1247264 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-24 03:37 . 2009-07-25 00:33 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-24 03:37 . 2009-07-25 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-24 00:22 . 2009-07-24 00:22 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-23 12:02 . 2009-07-23 12:02 -------- d-----w- c:\documents and settings\Blair\Application Data\Wireshark
2009-07-23 03:58 . 2009-07-23 03:59 -------- d-----w- c:\program files\WinPcap
2009-07-23 03:58 . 2009-07-23 03:59 -------- d-----w- c:\program files\Wireshark
2009-07-19 19:53 . 2009-07-19 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-19 03:22 . 2009-07-25 01:34 117760 ----a-w- c:\documents and settings\Blair\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 03:21 . 2009-07-19 03:21 -------- d-----w- c:\documents and settings\Blair\Application Data\SUPERAntiSpyware.com
2009-07-17 22:21 . 2009-07-17 22:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-07-15 02:42 . 2009-07-15 02:42 -------- d-sh--w- c:\documents and settings\Blair\IECompatCache
2009-07-15 02:37 . 2009-07-15 02:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-15 02:30 . 2009-07-15 02:32 -------- dc-h--w- c:\windows\ie8
2009-07-14 22:17 . 2008-04-14 10:42 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-14 22:17 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-14 22:17 . 2008-04-14 10:42 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-07-14 22:17 . 2001-08-18 03:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-07-14 22:17 . 2001-08-18 03:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-07-14 22:17 . 2001-08-18 03:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2009-07-14 22:15 . 2008-04-14 03:04 33599 ----a-w- c:\windows\system32\dllcache\watv04nt.sys
2009-07-14 22:14 . 2001-08-17 18:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2009-07-14 22:13 . 2001-08-17 19:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2009-07-14 22:12 . 2001-08-17 18:52 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2009-07-14 22:11 . 2008-04-14 00:12 46592 ----a-w- c:\windows\system32\dllcache\sspifilt.dll
2009-07-14 22:10 . 2008-04-14 05:06 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2009-07-14 22:09 . 2001-08-17 17:51 98080 ----a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2009-07-14 22:08 . 2001-08-18 03:36 62496 ----a-w- c:\windows\system32\dllcache\s3mtrio.dll
2009-07-14 22:07 . 2001-08-18 03:36 41472 ----a-w- c:\windows\system32\dllcache\qvusd.dll
2009-07-14 22:06 . 2001-08-17 19:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2009-07-14 22:05 . 2001-08-17 19:05 351616 ----a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-07-14 22:04 . 2008-04-14 03:05 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-07-14 22:03 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2009-07-14 22:02 . 2001-08-17 17:12 164586 ----a-w- c:\windows\system32\dllcache\mdgndis5.sys
2009-07-14 22:01 . 2004-08-04 12:00 6144 ----a-w- c:\windows\system32\dllcache\kbdth3.dll
2009-07-14 22:00 . 2008-04-14 00:09 716856 ----a-w- c:\windows\system32\dllcache\imjpcus.dll
2009-07-14 21:59 . 2008-04-14 00:09 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2009-07-14 21:58 . 2001-08-18 03:36 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2009-07-14 21:57 . 2001-08-17 17:15 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-07-14 21:56 . 2001-08-18 03:36 61952 ----a-w- c:\windows\system32\dllcache\eqnloop.exe
2009-07-14 21:55 . 2001-08-18 03:36 236060 ----a-w- c:\windows\system32\dllcache\ditrace.exe
2009-07-14 21:54 . 2001-08-17 17:13 21533 ----a-w- c:\windows\system32\dllcache\cpqndis5.sys
2009-07-14 21:53 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-07-14 21:52 . 2007-04-02 18:26 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2009-07-14 21:51 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\author.exe
2009-07-14 21:51 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\author.dll
2009-07-14 21:51 . 2008-04-14 00:11 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2009-07-14 21:51 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\admin.exe
2009-07-14 21:51 . 2008-04-14 00:11 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2009-07-14 21:51 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\admin.dll
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\program files\MSBuild
2009-07-14 05:09 . 2009-07-14 05:09 -------- d-----w- c:\program files\Reference Assemblies
2009-07-14 05:09 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-14 05:09 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-14 05:09 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-14 05:09 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-14 05:09 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-14 05:09 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-14 05:09 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-14 05:08 . 2009-07-14 05:16 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-13 04:06 . 2009-07-13 04:06 -------- d-----w- c:\program files\SmartFTP Client 3.0 Setup Files
2009-07-13 03:22 . 2009-07-13 03:21 6216032 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2009-07-13 02:46 . 2009-07-13 02:46 -------- d-----w- c:\documents and settings\Blair\Application Data\htmlapp
2009-07-13 02:46 . 2009-07-13 02:46 -------- d-----w- c:\program files\htmlapp
2009-07-13 02:24 . 2009-07-13 02:24 2189 ----a-w- C:\updatesfix.cmd
2009-07-12 20:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-12 20:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-12 20:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-12 20:34 . 2009-07-12 20:34 -------- d-----w- c:\program files\Avira
2009-07-12 20:34 . 2009-07-12 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-12 18:00 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-12 15:55 . 2009-07-12 15:55 -------- d-----w- c:\documents and settings\Blair\Application Data\Malwarebytes
2009-07-12 15:55 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 15:55 . 2009-07-24 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 15:55 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 15:55 . 2009-07-12 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 03:33 . 2009-07-11 03:33 -------- d-----w- c:\program files\Safer Networking
2009-07-11 03:28 . 2009-07-11 03:28 -------- d-----w- C:\VundoFix Backups
2009-07-11 02:19 . 2009-07-11 03:20 -------- d-----w- C:\pstools
2009-07-11 02:09 . 2009-07-11 02:09 -------- d-----w- c:\program files\Trend Micro
2009-07-11 01:08 . 2009-07-11 01:08 -------- d-----w- c:\program files\AVG
2009-07-11 01:05 . 2009-07-11 01:05 -------- d-----w- c:\documents and settings\admin\Application Data\1&1
2009-07-11 01:01 . 2009-07-11 15:44 20248 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 00:33 . 2009-07-11 00:33 -------- d-----w- c:\program files\Windows Resource Kits
2009-07-11 00:25 . 2009-07-11 00:25 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Google
2009-07-10 20:56 . 2008-04-14 09:42 189440 -c--a-w- c:\windows\system32\dllcache\smtpadm.dll
2009-07-10 20:56 . 2008-04-14 09:42 10752 -c--a-w- c:\windows\system32\dllcache\smtpapi.dll
2009-07-10 20:56 . 2008-04-14 09:42 10752 ----a-w- c:\windows\system32\smtpapi.dll
2009-07-10 20:56 . 2008-04-14 09:42 9728 -c--a-w- c:\windows\system32\dllcache\rwnh.dll
2009-07-10 20:56 . 2008-04-14 09:42 9728 ----a-w- c:\windows\system32\rwnh.dll
2009-07-10 20:56 . 2008-04-14 09:42 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2009-07-10 20:49 . 2009-07-10 20:49 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-10 20:31 . 2009-07-13 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 20:18 . 2009-07-11 02:08 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-10 20:18 . 2009-07-11 02:08 -------- d-----w- c:\program files\Spyware Doctor
2009-07-10 20:05 . 2009-07-10 20:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-10 20:05 . 2009-07-10 20:05 152576 ----a-w- c:\documents and settings\Blair\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 18:31 . 2009-07-10 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-07-10 14:43 . 2009-07-10 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-10 14:20 . 2009-07-10 14:22 49118664 ----a-w- C:\NIS2007EN_1und1US.EXE
2009-07-10 06:01 . 2009-07-10 06:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-07 00:10 . 2009-07-07 00:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-06 13:41 . 2009-07-06 13:41 -------- d-----w- c:\documents and settings\Blair\Application Data\BlamGames
2009-07-04 21:52 . 2009-07-04 21:52 -------- d-----w- c:\documents and settings\Blair\Application Data\Enlightenus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 00:45 . 2009-07-24 03:42 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-25 00:45 . 2009-07-24 03:42 17780 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-25 00:34 . 2007-05-12 01:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-24 20:52 . 2007-05-27 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-23 02:16 . 2009-01-03 20:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-23 02:16 . 2007-05-20 16:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-19 03:21 . 2007-01-11 04:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 23:26 . 2007-01-18 02:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 22:53 . 2007-01-18 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-14 05:16 . 2007-01-16 06:13 20248 ----a-w- c:\documents and settings\Blair\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 04:07 . 2007-03-06 18:01 -------- d-----w- c:\program files\SmartFTP Client 2.0
2009-07-11 20:17 . 2008-10-18 17:47 -------- d-----w- c:\program files\Apoint2K
2009-07-11 19:08 . 2007-01-08 22:09 -------- d-----w- c:\program files\Google
2009-07-11 04:00 . 2008-04-03 02:37 -------- d-----w- c:\program files\Windows Live
2009-07-11 00:22 . 2009-07-11 00:21 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-07-10 20:05 . 2007-01-08 22:41 -------- d-----w- c:\program files\Java
2009-07-10 18:22 . 2009-04-25 15:30 -------- d-----w- c:\program files\RealArcade
2009-07-10 18:20 . 2009-05-15 01:27 -------- d-----w- c:\program files\Family Feud
2009-06-25 12:14 . 2009-06-25 12:14 -------- d-----w- c:\documents and settings\Blair\Application Data\Ludia
2009-06-25 12:14 . 2009-06-25 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Ludia
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-24 01:12 . 2008-01-05 00:01 -------- d-----w- c:\program files\PowerArchiver
2009-06-24 01:11 . 2007-02-04 22:39 -------- d-----w- c:\documents and settings\Blair\Application Data\dvdcss
2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 23:45 . 2009-06-02 23:45 390664 ----a-w- c:\documents and settings\Blair\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-01 00:57 . 2009-06-01 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games
2009-05-31 23:50 . 2007-05-12 01:38 -------- d-----w- c:\program files\bfgclient
2009-05-30 01:42 . 2007-07-14 18:30 -------- d-----w- c:\documents and settings\Blair\Application Data\NewsLeecher
2009-05-30 01:39 . 2007-07-14 18:29 -------- d-----w- c:\program files\NewsLeecher
2009-05-27 00:27 . 2009-05-27 00:27 -------- d-----w- c:\documents and settings\Blair\Application Data\SecondLife
2009-05-19 22:10 . 2009-05-19 22:10 143864 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\midnight-mysteries-edgar-allan-poe-conspiracy_s1_l1_gF5126T1L1_d588584529[1].exe
2009-05-13 05:15 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 23:28 . 2008-08-27 14:33 34 ----a-w- c:\documents and settings\Blair\jagex_runescape_preferences.dat
2009-05-07 15:32 . 2004-08-12 13:21 345600 ----a-w- c:\windows\system32\localspl.dll
2008-03-01 13:21 . 2008-03-01 13:21 0 ----a-w- c:\program files\temp01
2007-09-01 15:29 . 2007-09-01 15:29 24 --sha-w- c:\windows\S6EC61B6B.tmp
2007-09-01 00:53 . 2007-07-14 21:08 88 --sha-r- c:\windows\system32\12A1A5A2AC.sys
2007-07-15 03:40 . 2007-07-15 03:39 80 --sha-r- c:\windows\system32\ACA2A5A112.dll
2007-09-01 00:53 . 2007-07-14 21:08 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 21:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 21:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-03-19 2200064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"trueimagemonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2008-09-26 1285400]
"psqllauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"nvrotatesystray"="c:\windows\system32\nvsysrot.dll" [2007-07-21 49152]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ddwmon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-13 311296]
"apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"acronistimountermonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2008-09-26 884696]
"acronis scheduler2 service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-09-26 140568]
"00thotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-11 122368]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-21 8433664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"rthdcpl"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"000stthk"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 20:50 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-21 23:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Acronis\\TrueImageEchoWorkstation\\TrueImage.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 3:23 PM 6528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 4:34 PM 108289]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 12:22 PM 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 12:15 PM 134016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [11/7/2008 8:58 PM 11113]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [6/20/2008 11:05 AM 36384]
S2 gupdate1c996faa23d5a50;Google Update Service (gupdate1c996faa23d5a50);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 11:39 PM 133104]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\R101342\ATIXPGAA.SYS [8/30/2007 11:59 AM 12032]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [1/8/2007 5:50 PM 87936]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [11/7/2008 8:58 PM 216459]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\FortiSslvpnDaemon.exe [4/13/2009 11:47 AM 510496]

--- Other Services/Drivers In Memory ---

*Deregistered* - Udfs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 03:39]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 03:39]

2009-07-25 c:\windows\Tasks\User_Feed_Synchronization-{1CA66850-13A6-418E-BB6F-8F9F18DC1EC6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://vpn.synersolutions.com/sslvpn.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-220523388-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6f,c0,c7,d3,f0,2e,f7,da,64,b2,ed,c0,c3,69,f6,0b,4a,4d,1c,19,07,
32,66,18,67,87,c4,5a,ef,a5,a7,2d,95,3d,cd,07,9c,24,12,c4,e7,8f,63,a8,67,58,\
"rkeysecu"=hex:a5,fc,d4,e1,6b,6c,7f,32,bf,d6,4c,ed,71,5c,26,5a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1600)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll
c:\windows\system32\rtutils.dll

- - - - - - - > 'lsass.exe'(1656)
c:\windows\system32\relog_ap.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(2356)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client 2.0\en-US\sfShellTools.dll.mui
c:\program files\Protector Suite QL\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\imapi.exe
c:\windows\system32\msiexec.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\PSIService.exe
c:\windows\system32\locator.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Apoint2K\hidfind.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-25 12:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-25 16:53
ComboFix2.txt 2009-07-25 01:31
ComboFix3.txt 2009-07-25 01:13

Pre-Run: 34,084,765,696 bytes free
Post-Run: 34,123,141,120 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6,7,8,9
372 --- E O F --- 2009-07-22 07:00

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,679 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:00 AM

Posted 25 July 2009 - 02:26 PM

Hi,

Yes, things are looking pretty clean. :thumbup2:

Just to be safe, I would like to ask you to run an online scan with Eset:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Uncheck remove known threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Post back the log from Eset in your next reply.

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#14 Jim bob

Jim bob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 26 July 2009 - 07:11 PM

Here are the results of the ESET online scan:

C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiccraohmf.dll.vir Win32/Olmarik.JU trojan
C:\System Volume Information\_restore{F6A0463F-F482-43EA-81F5-1D24B3267F1B}\RP0\A0000003.dll Win32/Olmarik.JU trojan

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,679 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:00 AM

Posted 27 July 2009 - 01:53 AM

Heya,

That looks good. :thumbup2: The files found are located in backups of our removal tools and system restore. :)

As your logs seem clean I would now ask you to bring your PC up to date:

You have a couple of old Java versions installed, as well as the latest one. I would advise that you uninstall the older versions:

Go to Start > Control Panel > Add or Remove Programs.
Remove the following two Java versions:
  • Java 2 Runtime Environment, SE v1.4.2_13
  • Java™ 6 Update 2
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

Please also uninstall your version of Adobe Reader: Adobe Reader 8.1.0 and download and install the latest version from Adobe: http://get.adobe.com/reader/
Note: please uncheck all toolbars proposed by Adobe unless you really want them.


Do you have any problems with your PC?
regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
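The stale-Java check in the post above can also be done from a script instead of by eyeballing Add or Remove Programs. The block below is an added example written for this page; it is not code from the thread, from the helper, or from BleepingComputer. It assumes Windows PowerShell is installed (on XP SP3 it was an optional download, not present by default), reads the same Uninstall registry keys that Add or Remove Programs displays, and only reports what it finds; the `Java|J2SE` name pattern and the version normalisation are assumptions made for illustration, not something the page states.

```powershell
# Added example for this thread (not code from the post or from BleepingComputer).
# Lists Java runtimes from the same Uninstall registry keys that Add or Remove
# Programs reads, and flags every entry except the newest. Assumes Windows
# PowerShell is installed; the name pattern and version normalisation are
# assumptions made for illustration.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # Only present on 64-bit Windows; silently skipped on 32-bit XP.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaVersion {
    # Turn DisplayVersion strings such as "1.4.2_13" or "1.6.0.20" into a
    # sortable [Version]; anything unparsable sorts to the bottom as 0.0.
    param([string]$DisplayVersion)
    $normalised = ($DisplayVersion -replace '_', '.')
    $v = $normalised -as [Version]
    if ($null -eq $v) { $v = [Version]'0.0' }
    return $v
}

$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name            = $_.DisplayName
            Version         = Get-JavaVersion $_.DisplayVersion
            UninstallString = $_.UninstallString
        }
    } | Sort-Object Version -Descending

if (-not $javaEntries) {
    Write-Output 'No Java runtime entries found in Add or Remove Programs.'
    return
}

$newest = $javaEntries | Select-Object -First 1
Write-Output ("Newest installed: {0} ({1})" -f $newest.Name, $newest.Version)
Write-Output 'Older entries that should be removed via Add or Remove Programs:'
$javaEntries | Select-Object -Skip 1 | ForEach-Object {
    Write-Output ("  {0} ({1})" -f $_.Name, $_.Version)
    Write-Output ("    uninstall command: {0}" -f $_.UninstallString)
}
```

Run it from a PowerShell prompt on the machine being cleaned. It deliberately does not run any of the uninstall commands it prints; the point is to confirm which old runtimes are still registered (the same list Add or Remove Programs shows) so that the ones the helper named can be removed through the normal dialog, and to re-run afterwards to confirm only the newest remains.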





