Infected with annoying search engine redirect malware possibly Olmarik.JU trojan


  • This topic is locked
15 replies to this topic

#1 besouro

  • Members
  • 7 posts

Posted 06 August 2009 - 07:31 AM

Hi all, I'm really hoping somebody here can help me...

I've been struggling with this for quite a while now.

I use ESET Smart Security and it detected malware called geyekrqtpqnlvq.dll; the 'reason' it gave was Win32/Olmarik.JU trojan, however when it tried to delete or 'clean' it, it couldn't.

Also, often when I click on a link from Google (or other search engines) I get redirected to a random site (different sites, not just one); while it's redirecting me the favicon displays as a green wireframe sphere (not sure if this helps you to diagnose or not).

I am not 100% sure that these two issues are related, however they did appear at roughly the same time.

I have tried using Malwarebytes Anti-Malware and SUPERAntiSpyware but they didn't solve the problem. I have read your 'Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools, Instructions for receiving help in cleaning your computer' and am now following the steps; it has instructed me to paste the contents of my DDS.txt, so here it is...


DDS (Ver_09-07-30.01) - NTFSx86
Run by Tintisha XP5 at 12:37:00.39 on 06/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.779 [GMT 1:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\IntelliAdmin3\Agent\Agent32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Unforgettable!\Unforgettable.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Documents and Settings\Tintisha XP5\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Sizer\sizer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spotify\spotify.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\Illustrator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS4\dreamweaver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tintisha XP5\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [mount.exe] c:\program files\gipo@utilities\fileutilities.3\mount.exe /z
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tintisha xp5\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Clone]
mRun: [Unforgettable!] c:\program files\unforgettable!\Unforgettable.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GuideMenu] c:\program files\corel\corel guidemenu\GuideMenu.exe -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\tintis~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\tintis~1\startm~1\programs\startup\sizer(~1.lnk - c:\program files\sizer\sizer.exe
StartupFolder: c:\docume~1\tintis~1\startm~1\programs\startup\workrave.lnk - c:\program files\workrave\lib\Workrave.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phase-~1.lnk - c:\program files\phase-6\phase-6\reminder\reminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sizer.lnk - c:\program files\sizer\sizer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\thunde~1.lnk - c:\windows\installer\{6af0b3ac-6a6b-4a47-a37e-e2e26e3019d7}\IconC4E8602E.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tintis~1\applic~1\mozilla\firefox\profiles\167kyjud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-03 17:13 <DIR> --d----- C:\ComboFix
2009-08-03 17:13 389,120 a------- c:\windows\system32\CF25281.exe
2009-08-03 17:09 389,120 a------- c:\windows\system32\cmd.execf
2009-08-03 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-03 14:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-03 14:12 <DIR> --d----- c:\docume~1\tintis~1\applic~1\SUPERAntiSpyware.com
2009-08-03 14:10 1,343,651 a------- C:\MGtools.exe
2009-08-03 14:07 <DIR> --d----- C:\downloads
2009-08-03 13:58 <DIR> --d----- c:\windows\pss
2009-08-03 13:52 <DIR> --d----- c:\program files\CCleaner
2009-08-03 13:48 1,033,448 a------- c:\program files\ccsetup222_slim.exe
2009-07-17 13:52 <DIR> --d----- c:\docume~1\tintis~1\applic~1\Malwarebytes
2009-07-17 13:52 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 13:52 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 13:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-17 09:24 <DIR> --d----- c:\docume~1\tintis~1\applic~1\Messenger

==================== Find3M ====================

2009-07-31 13:44 153,920 a------- c:\docume~1\tintis~1\applic~1\GDIPFONTCACHEV1.DAT
2009-07-22 12:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-30 11:10 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-08 13:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-08 13:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_silabser_01005.Wdf
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2007-04-25 09:49 328 -------- c:\program files\GuideMenuSetup.iss
2007-04-06 04:28 1,237 -------- c:\program files\WinDVDSetup.iss
2008-04-18 11:04 81 ---shr-- c:\windows\CT5PRET.BIN
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 12:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-02 13:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 12:39:43.09 ===============

Thank you very much in advance for any help you can offer.
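The DDS listing above is read by eye in this thread: the helper looks for files that carry the system and hidden attributes under the Windows directory, and for clusters of unrelated files whose names share a random-looking prefix (the geyekr*.sys/.dat/.dll names that ESET flagged and ComboFix later deleted). The script below is an added example, not part of the original post and not a BleepingComputer or DDS tool; it parses lines in the DDS listing format and applies those two checks, and it also rewrites the NT object path ESET reports (\\?\globalroot\systemroot\...) into the drive-letter form DDS prints so the detection can be matched against the listing. The sample lines are constructed: four are copied from the DDS log above, and the geyekr* lines use names that appear later in the thread but with assumed dates, sizes and attributes. The mapping of systemroot to c:\windows and the six-letter prefix threshold are assumptions.

```python
"""Triage helper for DDS / ComboFix style file listings (added example,
not a BleepingComputer tool)."""
import re
from collections import defaultdict

# One listing line as DDS prints it:
#   2009-07-17 13:52 38,160 a------- c:\windows\system32\drivers\mbam.sys
# The attribute field is eight characters; the letters present are what
# matter here (a=archive, d=directory, s=system, h=hidden, r=read-only).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*)$",
    re.IGNORECASE,
)

# Constructed sample. The first four lines are copied from the DDS log in the
# post above; the geyekr* names are the ones ESET and ComboFix reported later
# in the thread, but their dates, sizes and attributes here are assumed.
SAMPLE = r"""
2009-07-17 13:52 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:13 <DIR> --d----- C:\ComboFix
2008-04-18 11:04 81 ---shr-- c:\windows\CT5PRET.BIN
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2009-07-15 09:12 45,056 a--sh--- c:\windows\system32\drivers\geyekrhokvufds.sys
2009-07-15 09:12 120,832 a--sh--- c:\windows\system32\geyekrqtpqnlvq.dll
2009-07-15 09:12 3,584 a--sh--- c:\windows\system32\geyekrlhrmobww.dat
2009-07-15 09:12 2,048 a--sh--- c:\windows\system32\geyekrytvbwdie.dat
"""


def parse_listing(text):
    """Return one dict per parseable listing line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        attrs = set(m["attrs"].lower()) - {"-"}
        path = m["path"]
        entries.append({
            "date": m["date"], "size": size, "attrs": attrs,
            "is_dir": "d" in attrs, "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def hidden_system_files(entries, root=r"c:\windows"):
    """Files (not directories) with both system and hidden set under the
    Windows directory. Legitimate installers rarely mark their own binaries
    +S+H, so each hit deserves a look."""
    root = root.lower()
    return [e["path"] for e in entries
            if not e["is_dir"] and {"s", "h"} <= e["attrs"]
            and e["path"].lower().startswith(root)]


def shared_prefix_groups(entries, prefix_len=6, min_members=3):
    """Cluster file stems by their first prefix_len letters. A random-name
    dropper typically keeps one prefix per infection and varies the tail, so
    several .sys/.dll/.dat files sharing a prefix is a stronger signal than
    any single odd name. prefix_len=6 is an assumed tuning value."""
    groups = defaultdict(set)
    for e in entries:
        if e["is_dir"]:
            continue
        stem = e["name"].rpartition(".")[0] or e["name"]
        run = re.match(r"[a-z]+", stem)
        if run and len(run.group()) >= prefix_len:
            groups[run.group()[:prefix_len]].add(e["name"])
    return {
        p: sorted(names) for p, names in groups.items()
        if len(names) >= min_members
        and len({n.rpartition(".")[2] for n in names}) >= 2
    }


def normalize_path(path, systemroot=r"c:\windows"):
    r"""Rewrite the NT object path ESET reports (\\?\globalroot\systemroot\...)
    into the drive-letter form DDS prints. systemroot = c:\windows is an
    assumption matching this XP machine."""
    p = path.lower()
    for prefix in (r"\\?\globalroot\systemroot" + "\\", r"\systemroot" + "\\"):
        if p.startswith(prefix):
            return systemroot.lower() + "\\" + p[len(prefix):]
    return p


def find_detection(entries, detection_path):
    """Listing entries whose path equals the (normalized) AV detection path."""
    target = normalize_path(detection_path)
    return [e for e in entries if e["path"].lower() == target]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for p in hidden_system_files(entries):
        print("system+hidden:", p)
    for prefix, names in shared_prefix_groups(entries).items():
        print(f"shared prefix {prefix!r}:", ", ".join(names))
    det = r"\\?\globalroot\systemroot\system32\geyekrqtpqnlvq.dll"
    print("ESET detection present in listing:", bool(find_detection(entries, det)))
```

Run against a real DDS.txt by passing the file contents to parse_listing; the +S+H check will also surface benign entries such as CT5PRET.BIN and flvDX.dll from the log above, which is why the prefix clustering is the more useful of the two signals for a random-name family.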



#2 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 15 August 2009 - 06:46 AM

Hello, besouro.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 besouro

  • Topic Starter

Posted 17 August 2009 - 03:47 AM

Hello aommaster,

Thank you for your reply, I really appreciate any help you can give me.
I have attached the two requested files to this post.

Over the last few days the search engine redirect problem seems to have resolved itself; I have no idea how, but it doesn't seem to be happening anymore.
The other problem is still happening; ESET Smart Security shows
\\?\globalroot\systemroot\system32\geyekrqtpqnlvq.dll Win32/Olmarik.JU trojan error while cleaning

Thank you for your help with this

Attached Files

  • info.txt (35.44KB, 10 downloads)
  • log.txt (37.83KB, 10 downloads)


#4 aommaster


Posted 18 August 2009 - 11:25 AM

Hello, besouro.
I see that Combofix has been run on the system. Please post the contents of C:\Combofix.txt. If you cannot find it, please do NOT run the program again.

NEXT:

We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Go to the Jotti website
  • When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    C:\Program Files\Unforgettable!\Unforgettable.exe
    C:\Program Files\Sizer\sizer.exe


  • Please post back the results of the scan in your next post.
**Note:If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it


NEXT:

We need to run a GMER scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
NEXT:

Please answer the following questions

Do you know anything about these programs:
Unforgettable!
Sizer

In your next reply, please include the following:
  • Jotti Log(s)
  • gmer.txt
  • Answers to my questions above
  • Combofix Log (if found)



#5 besouro

  • Topic Starter

Posted 20 August 2009 - 03:31 AM

Hi aommaster, I didn't actually go through with the ComboFix scan. I got to the stage where it asked me to deactivate my antivirus software, otherwise it could cause problems; I couldn't work out how to disable my antivirus, so I aborted the scan.


Jotti scan for Unforgettable.exe

[ArcaVir]
2009-08-18 Found nothing
[G DATA]
2009-08-19 Found nothing
[A-Squared]
2009-08-19 Found nothing
[Ikarus]
2009-08-19 Found nothing
[Avast! antivirus]
2009-08-18 Found nothing
[Kaspersky Anti-Virus]
2009-08-19 Found nothing
[Grisoft AVG Anti-Virus]
2009-08-18 Found nothing
[ESET NOD32]
2009-08-18 Found nothing
[Avira AntiVir]
2009-08-19 Found nothing
[Norman Virus Control]
2009-08-18 Found nothing
[Softwin BitDefender]
2009-08-19 Found nothing
[Panda Antivirus]
2009-08-18 Found nothing
[ClamAV]
2009-08-19 Found nothing
[Quick Heal]
2009-08-18 Found nothing
[CPsecure]
2009-08-19 Found nothing
[Sophos]
2009-08-19 Found nothing
[Dr.Web]
2009-08-19 Found nothing
[VirusBlokAda VBA32]
2009-08-18 Found nothing
[Frisk F-Prot Antivirus]
2009-08-18 Found nothing
[VirusBuster]
2009-08-18 Found nothing
[F-Secure Anti-Virus]
2009-08-19 Found nothing


Jotti scan for sizer.exe

[ArcaVir]
2009-08-18 Found nothing
[G DATA]
2009-08-19 Found nothing
[A-Squared]
2009-08-19 Found nothing
[Ikarus]
2009-08-19 Found nothing
[Avast! antivirus]
2009-08-18 Found nothing
[Kaspersky Anti-Virus]
2009-08-19 Found nothing
[Grisoft AVG Anti-Virus]
2009-08-18 Found nothing
[ESET NOD32]
2009-08-18 Found nothing
[Avira AntiVir]
2009-08-19 Found nothing
[Norman Virus Control]
Operation timed out
[Softwin BitDefender]
2009-08-19 Found nothing
[Panda Antivirus]
2009-08-18 Found nothing
[ClamAV]
2009-08-19 Found nothing
[Quick Heal]
2009-08-18 Found nothing
[CPsecure]
2009-08-19 Found nothing
[Sophos]
2009-08-19 Found nothing
[Dr.Web]
2009-08-19 Found nothing
[VirusBlokAda VBA32]
2009-08-18 Found nothing
[Frisk F-Prot Antivirus]
2009-08-18 Found nothing
[VirusBuster]
2009-08-18 Found nothing
[F-Secure Anti-Virus]
2009-08-19 Found nothing

Sizer is a piece of software that allows me to resize windows to specific sizes (mostly so I can see what people with smaller monitors would see when building websites).

Unforgettable is a piece of software like a calendar which you can set to give yourself reminders.

I've attached the gmer log to this reply

Thanks again for your help




#6 aommaster


Posted 20 August 2009 - 12:01 PM

Hello, besouro.
For future reference, please copy and paste logs into your reply rather than attaching them, as it makes it easier for me to read through them.

You can disable your antivirus program by referring to this thread:
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

NEXT:

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log
  • Description of any remaining problems



#7 aommaster


Posted 23 August 2009 - 01:05 PM

Hello besouro
Are you still with us?



#8 besouro

  • Topic Starter

Posted 24 August 2009 - 03:58 AM

Hi, I'm still here. I apologise for not responding sooner; I have been away for the weekend.

Here is my combofix log text...

ComboFix 09-08-22.06 - Tintisha XP5 24/08/2009 8:59.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1275 [GMT 1:00]
Running from: c:\documents and settings\Tintisha XP5\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1526033000-2754854776-3994660042-1003
c:\windows\Installer\1117697.msp
c:\windows\Installer\12312a31.msp
c:\windows\Installer\12c0ec02.msp
c:\windows\Installer\130811e0.msp
c:\windows\Installer\132d188.msp
c:\windows\Installer\1367f1c3.msp
c:\windows\Installer\1493ecaf.msp
c:\windows\Installer\1757867f.msp
c:\windows\Installer\17e74785.msp
c:\windows\Installer\182e71a9.msp
c:\windows\Installer\188e4b61.msp
c:\windows\Installer\19ba48ce.msp
c:\windows\Installer\1abfe29.msp
c:\windows\Installer\1b1c47e.msp
c:\windows\Installer\1c05011.msp
c:\windows\Installer\1ce45fa.msp
c:\windows\Installer\1d0da599.msp
c:\windows\Installer\1d52f34.msp
c:\windows\Installer\1d54cc03.msp
c:\windows\Installer\22340509.msp
c:\windows\Installer\227b2f08.msp
c:\windows\Installer\23acb0.msp
c:\windows\Installer\24af9.msp
c:\windows\Installer\2526b.msp
c:\windows\Installer\2532721.msp
c:\windows\Installer\27a125e5.msp
c:\windows\Installer\297d77b.msp
c:\windows\Installer\29fd707.msp
c:\windows\Installer\2be199c.msp
c:\windows\Installer\2cc784b4.msp
c:\windows\Installer\3037e13.msp
c:\windows\Installer\307640f.msp
c:\windows\Installer\31eddd2a.msp
c:\windows\Installer\3369ed2.msp
c:\windows\Installer\34dd7d3.msp
c:\windows\Installer\357dc47.msp
c:\windows\Installer\3711129.msp
c:\windows\Installer\371439c6.msp
c:\windows\Installer\3950042.msp
c:\windows\Installer\3c3a973d.msp
c:\windows\Installer\3ce9bc1.msp
c:\windows\Installer\3d49367.msp
c:\windows\Installer\3d535b2.msp
c:\windows\Installer\3d7833c.msp
c:\windows\Installer\3d9b7a0.msp
c:\windows\Installer\3d9dcad.msp
c:\windows\Installer\3da3f01.msp
c:\windows\Installer\3efa575.msp
c:\windows\Installer\3f02a93.msp
c:\windows\Installer\3f2b536.msp
c:\windows\Installer\3f4ddd2.msp
c:\windows\Installer\4160f476.msp
c:\windows\Installer\51b2c0c.msp
c:\windows\Installer\51e4041.msp
c:\windows\Installer\520dae1.msp
c:\windows\Installer\5573bf6.msp
c:\windows\Installer\606c538.msp
c:\windows\Installer\6dba32d.msp
c:\windows\Installer\6e39cdd.msp
c:\windows\Installer\7c8053b.msp
c:\windows\Installer\7e46ffe.msp
c:\windows\Installer\85cf8af.msp
c:\windows\Installer\87434dd.msp
c:\windows\Installer\87e39de.msp
c:\windows\Installer\8bb5db9.msp
c:\windows\Installer\9009bcc.msp
c:\windows\Installer\9160175.msp
c:\windows\Installer\9168616.msp
c:\windows\Installer\91910d8.msp
c:\windows\Installer\91b3723.msp
c:\windows\Installer\9e64a5.msp
c:\windows\Installer\a2c3955.msp
c:\windows\Installer\a449471.msp
c:\windows\Installer\a4734de.msp
c:\windows\Installer\a55a7b8.msp
c:\windows\Installer\d0acbcf.msp
c:\windows\Installer\d9a8fa5.msp
c:\windows\Installer\da69ae5.msp
c:\windows\Installer\de1b479.msp
c:\windows\Installer\e3c5dd3.msp
c:\windows\Installer\e3ce0ed.msp
c:\windows\Installer\e4179ee.msp
c:\windows\Installer\e419b94.msp
c:\windows\Installer\f6aefb5.msp
c:\windows\Installer\f6d9264.msp
c:\windows\jestertb.dll
c:\windows\system32\drivers\geyekrhokvufds.sys
c:\windows\system32\geyekrlhrmobww.dat
c:\windows\system32\geyekrytvbwdie.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geyekrsaghslru
-------\Service_geyekrsaghslru


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- c:\program files\MSBuild
2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- C:\6531f54fc87b6418e6b592d3e6c5
2009-08-23 02:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 02:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 02:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-23 02:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 02:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-23 02:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-23 02:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 13:35 . 2009-08-21 13:35 -------- d-----w- c:\program files\NCH Software
2009-08-21 13:33 . 2009-08-21 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-08-21 13:33 . 2009-08-21 13:36 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-21 13:33 . 2009-08-21 13:33 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\NCH Swift Sound
2009-08-21 13:17 . 2009-08-21 13:18 -------- d-----w- c:\program files\HooTech
2009-08-21 11:50 . 2009-08-21 11:50 -------- d-----w- c:\documents and settings\Tintisha XP5\Local Settings\Application Data\MagicSoftware
2009-08-21 11:50 . 2009-08-21 11:50 -------- d-----w- c:\program files\MagicDVDRipper
2009-08-21 10:02 . 2009-08-21 10:04 -------- d-----w- c:\program files\QuickMediaConverter
2009-08-21 08:15 . 2009-08-21 08:15 -------- d-----w- C:\DVD_VIDEO
2009-08-20 07:41 . 2009-08-20 07:41 3309072 ----a-w- c:\documents and settings\Tintisha XP5\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe
2009-08-19 09:41 . 2009-08-19 09:41 -------- d-----w- c:\program files\ColorDetector200
2009-08-17 08:00 . 2009-08-17 08:00 -------- d-----w- C:\rsit
2009-08-17 08:00 . 2009-08-17 08:00 -------- d-----w- c:\program files\trend micro
2009-08-13 09:18 . 2009-08-13 09:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-08-12 22:10 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 13:11 . 2009-08-11 13:11 -------- d-----w- c:\program files\MP3 to AIFF
2009-08-10 15:28 . 2009-08-10 15:28 -------- d-----w- c:\program files\RocketDock
2009-08-10 15:26 . 2009-08-10 15:27 6463660 ----a-w- c:\program files\RocketDock-v1.3.5.exe
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 13:14 . 2009-08-24 08:09 117760 ----a-w- c:\documents and settings\Tintisha XP5\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-03 13:12 . 2009-08-03 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-03 13:12 . 2009-08-03 13:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-03 13:12 . 2009-08-03 13:12 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\SUPERAntiSpyware.com
2009-08-03 13:10 . 2009-08-03 13:10 1343651 ----a-w- C:\MGtools.exe
2009-08-03 13:07 . 2009-08-03 13:10 -------- d-----w- C:\downloads
2009-08-03 12:52 . 2009-08-03 12:52 -------- d-----w- c:\program files\CCleaner
2009-08-03 12:48 . 2009-08-03 12:48 1033448 ----a-w- c:\program files\ccsetup222_slim.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 08:08 . 2007-12-06 15:00 -------- d-----w- c:\program files\lg_fwupdate
2009-08-24 07:36 . 2009-06-02 09:45 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-23 20:50 . 2009-02-10 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-23 02:14 . 2008-01-14 11:51 155568 ----a-w- c:\documents and settings\Tintisha XP5\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 15:24 . 2008-05-01 10:18 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\FileZilla
2009-08-20 07:41 . 2009-06-15 09:54 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\YouSendIt
2009-08-13 13:10 . 2008-01-14 15:37 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 13:12 . 2008-04-28 16:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-22 11:21 . 2009-03-12 09:14 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 11:21 . 2009-07-17 13:20 152576 ----a-w- c:\documents and settings\Tintisha XP5\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 13:21 . 2008-01-14 15:02 -------- d-----w- c:\program files\Java
2009-07-17 13:20 . 2009-07-17 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-17 13:13 . 2009-07-17 08:24 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\Messenger
2009-07-17 12:52 . 2009-07-17 12:52 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\Malwarebytes
2009-07-17 12:52 . 2009-07-17 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 12:52 . 2009-07-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-16 11:10 . 2008-04-30 10:36 1878984 ----a-w- c:\documents and settings\Tintisha XP5\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-16 10:27 . 2009-04-24 12:31 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\Spotify
2009-07-13 22:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 12:36 . 2009-07-17 12:52 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 12:36 . 2009-07-17 12:52 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 10:10 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-06-26 09:24 . 2009-06-26 09:24 -------- d-----w- c:\documents and settings\Tintisha XP5\Application Data\LiveCycleCafe.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2007-12-06 14:25 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 09:05 . 2009-05-28 09:07 10368 ----a-w- c:\windows\system32\drivers\iviaspi.sys
2009-05-26 13:29 . 2008-12-05 13:33 38208 ----a-w- c:\documents and settings\Tintisha XP5\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2007-04-25 08:49 . 2009-05-28 09:04 328 ------w- c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2009-05-28 09:07 1237 ------w- c:\program files\WinDVDSetup.iss
2008-04-18 10:04 . 2008-04-18 10:04 81 --sh--r- c:\windows\CT5PRET.BIN
2008-11-19 14:06 . 2008-11-19 14:04 24 --sh--w- c:\windows\S7C246B6C.tmp
2006-05-03 09:06 . 2008-10-29 15:46 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-10-29 15:46 31232 --sh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"Google Update"="c:\documents and settings\Tintisha XP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2009-06-30 82432]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-01-14 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-14 185896]
"Unforgettable!"="c:\program files\Unforgettable!\Unforgettable.exe" [2008-01-12 1652736]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GuideMenu"="c:\program files\Corel\Corel GuideMenu\GuideMenu.exe" [2007-08-07 1282048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-22 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

c:\documents and settings\Tintisha XP5\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Sizer (2).lnk - c:\program files\Sizer\sizer.exe [2002-12-8 18944]
Workrave.lnk - c:\program files\Workrave\lib\Workrave.exe [2007-9-14 2925568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
phase-6 Reminder.lnk - c:\program files\phase-6\phase-6\reminder\reminder.exe [2009-1-7 1028096]
Sizer.lnk - c:\program files\Sizer\sizer.exe [2002-12-8 18944]
Thunder Screenreader.lnk - c:\windows\Installer\{6AF0B3AC-6A6B-4A47-A37E-E2E26E3019D7}\IconC4E8602E.exe [2008-10-7 97792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot System]
@="1205153088 (0x47d52d40)"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\IntelliAdmin3\\Agent\\Agent32.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 72944]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 09:21 468224]
R2 IntelliAdminRC3;IntelliAdmin Remote Control;c:\program files\IntelliAdmin3\Agent\Agent32.exe [09/01/2009 14:43 2279904]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S2 gupdate1c98b80bfcbdf36;Google Update Service (gupdate1c98b80bfcbdf36);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 14:09 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 06:46 288112]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [10/01/2008 13:39 303616]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01/11/2006 06:01 3328]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [08/06/2009 13:00 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [08/06/2009 13:00 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-08-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-10 09:39]

2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 13:09]

2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 13:09]

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802316108-2435919077-630768104-1008Core.job
- c:\documents and settings\Tintisha XP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 08:40]

2009-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1802316108-2435919077-630768104-1008UA.job
- c:\documents and settings\Tintisha XP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 08:40]

2009-08-24 c:\windows\Tasks\User_Feed_Synchronization-{9BD4DC7F-24A9-4182-B2CA-42CE9745E12A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Clone - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
FF - ProfilePath - c:\documents and settings\Tintisha XP5\Application Data\Mozilla\Firefox\Profiles\167kyjud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - plugin: c:\documents and settings\Tintisha XP5\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 09:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1802316108-2435919077-630768104-1008\Software\SecuROM\License information*]
"datasecu"=hex:01,14,06,1d,37,dc,1c,d3,73,6f,d7,26,be,74,40,b8,c7,44,d6,61,50,
5e,de,c7,9e,60,c9,b4,51,05,56,9f,51,34,b4,ab,19,34,81,83,a2,19,f0,da,a2,e7,\
"rkeysecu"=hex:60,81,b1,53,09,86,e1,51,ac,07,5e,17,e3,08,b1,59

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:ce,62,65,12,d1,52,97,2e,aa,0b,c7,95,55,59,83,78,62,52,74,c6,e8,
34,d8,b6,92,f9,35,65,9a,c3,07,d8,7e,5e,94,01,9b,7e,6c,6d,4a,f9,43,39,a8,e6,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:ce,62,65,12,d1,52,97,2e,aa,0b,c7,95,55,59,83,78,62,52,74,c6,e8,
34,d8,b6,92,f9,35,65,9a,c3,07,d8,7e,5e,94,01,9b,7e,6c,6d,4a,f9,43,39,a8,e6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1488)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\program files\Sizer\sizer.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\documents and settings\Tintisha XP5\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-08-24 9:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 08:28

Pre-Run: 292,588,793,856 bytes free
Post-Run: 292,810,788,864 bytes free

382 --- E O F --- 2009-08-24 02:00


...and here is my new HijackThis log...

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tintisha XP5 at 2009-08-24 09:48:34
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 279 GB (59%) free of 477 GB
Total RAM: 2047 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:48:39, on 24/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\IntelliAdmin3\Agent\Agent32.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unforgettable!\Unforgettable.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Tintisha XP5\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Sizer\sizer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Tintisha XP5\Desktop\RSIT.exe
C:\Program Files\trend micro\Tintisha XP5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Unforgettable!] C:\Program Files\Unforgettable!\Unforgettable.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GuideMenu] C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tintisha XP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Sizer (2).lnk = C:\Program Files\Sizer\sizer.exe
O4 - Startup: Workrave.lnk = C:\Program Files\Workrave\lib\Workrave.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: phase-6 Reminder.lnk = C:\Program Files\phase-6\phase-6\reminder\reminder.exe
O4 - Global Startup: Sizer.lnk = C:\Program Files\Sizer\sizer.exe
O4 - Global Startup: Thunder Screenreader.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c98b80bfcbdf36) (gupdate1c98b80bfcbdf36) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IntelliAdmin Remote Control (IntelliAdminRC3) - Unknown owner - C:\Program Files\IntelliAdmin3\Agent\Agent32.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 13415 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1802316108-2435919077-630768104-1008Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1802316108-2435919077-630768104-1008UA.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{9BD4DC7F-24A9-4182-B2CA-42CE9745E12A}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2009-02-27 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-22 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-22 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 56928]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-12-05 54832]
"LGODDFU"=C:\Program Files\lg_fwupdate\fwupdate.exe [2008-01-14 249856]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
"nwiz"=nwiz.exe /install []
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-12-18 868352]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-01-14 185896]
"Unforgettable!"=C:\Program Files\Unforgettable!\Unforgettable.exe [2008-01-12 1652736]
"Adobe Acrobat Speed Launcher"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2009-02-27 38768]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2009-02-27 640376]
"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]
"AdobeCS4ServiceManager"=C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2009-03-11 611712]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-29 61440]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2007-08-31 988584]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 1037736]
"Adobe_ID0ENQBO"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE [2008-08-15 378224]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"GuideMenu"=C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe [2007-08-07 1282048]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-22 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"mount.exe"=C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe [2008-04-11 374272]
"Google Update"=C:\Documents and Settings\Tintisha XP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 133104]
"YouSendIt.exe"=C:\Program Files\YouSendIt\Express\YouSendIt.exe [2009-06-30 82432]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-07-28 1830128]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
phase-6 Reminder.lnk - C:\Program Files\phase-6\phase-6\reminder\reminder.exe
Sizer.lnk - C:\Program Files\Sizer\sizer.exe
Thunder Screenreader.lnk - C:\WINDOWS\Installer\{6AF0B3AC-6A6B-4A47-A37E-E2E26E3019D7}\IconC4E8602E.exe

C:\Documents and Settings\Tintisha XP5\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Sizer (2).lnk - C:\Program Files\Sizer\sizer.exe
Workrave.lnk - C:\Program Files\Workrave\lib\Workrave.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-12-01 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Autodesk\3ds Max 9\3dsmax.exe"="C:\Program Files\Autodesk\3ds Max 9\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\Program Files\Autodesk\Backburner\monitor.exe"="C:\Program Files\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\Program Files\Autodesk\Backburner\manager.exe"="C:\Program Files\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\Program Files\Autodesk\Backburner\server.exe"="C:\Program Files\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\IntelliAdmin3\Agent\Agent32.exe"="C:\Program Files\IntelliAdmin3\Agent\Agent32.exe:*:Enabled:IntelliAdmin Remote Control Agent"
"C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:*:Enabled:Adobe Version Cue CS4 Server"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
.js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2009-08-24 09:29:54 ----A---- C:\ComboFix.txt
2009-08-24 08:58:40 ----SD---- C:\ComboFix
2009-08-24 08:48:59 ----A---- C:\Boot.bak
2009-08-24 08:48:53 ----D---- C:\cmdcons
2009-08-24 08:47:49 ----A---- C:\WINDOWS\zip.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\SWSC.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\SWREG.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\sed.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\PEV.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-24 08:47:49 ----A---- C:\WINDOWS\grep.exe
2009-08-24 03:00:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-23 03:03:43 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-23 03:03:42 ----D---- C:\Program Files\MSBuild
2009-08-23 03:03:38 ----D---- C:\Program Files\Reference Assemblies
2009-08-23 03:03:18 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-08-23 03:03:18 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-08-23 03:03:18 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-08-23 03:03:18 ----D---- C:\6531f54fc87b6418e6b592d3e6c5
2009-08-23 03:01:22 ----SHD---- C:\Config.Msi
2009-08-21 14:35:00 ----D---- C:\Program Files\NCH Software
2009-08-21 14:33:10 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2009-08-21 14:33:05 ----D---- C:\Program Files\NCH Swift Sound
2009-08-21 14:33:05 ----D---- C:\Documents and Settings\Tintisha XP5\Application Data\NCH Swift Sound
2009-08-21 14:17:40 ----D---- C:\Program Files\HooTech
2009-08-21 13:58:18 ----A---- C:\WINDOWS\crackpdf.INI
2009-08-21 12:50:20 ----D---- C:\Program Files\MagicDVDRipper
2009-08-21 11:02:22 ----D---- C:\Program Files\QuickMediaConverter
2009-08-21 09:15:39 ----D---- C:\DVD_VIDEO
2009-08-19 10:41:08 ----D---- C:\Program Files\ColorDetector200
2009-08-17 09:00:17 ----D---- C:\rsit
2009-08-17 09:00:17 ----D---- C:\Program Files\trend micro
2009-08-13 03:02:50 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 03:02:40 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-13 03:02:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-13 03:02:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-13 03:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-13 03:02:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 03:02:24 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-13 03:02:19 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-13 03:02:14 ----A---- C:\WINDOWS\system32\MRT.INI
2009-08-13 03:00:18 ----A---- C:\WINDOWS\imsins.BAK
2009-08-13 03:00:15 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-11 14:11:02 ----D---- C:\Program Files\MP3 to AIFF
2009-08-10 16:28:36 ----D---- C:\Program Files\RocketDock
2009-08-10 16:26:40 ----A---- C:\Program Files\RocketDock-v1.3.5.exe
2009-08-03 17:13:42 ----D---- C:\WINDOWS\ERDNT
2009-08-03 17:09:12 ----D---- C:\Qoobox
2009-08-03 16:31:41 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-03 14:12:37 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-03 14:12:31 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-03 14:12:31 ----D---- C:\Documents and Settings\Tintisha XP5\Application Data\SUPERAntiSpyware.com
2009-08-03 14:10:41 ----A---- C:\MGtools.exe
2009-08-03 14:07:55 ----D---- C:\downloads
2009-08-03 13:58:06 ----D---- C:\WINDOWS\pss
2009-08-03 13:52:09 ----D---- C:\Program Files\CCleaner
2009-08-03 13:48:24 ----A---- C:\Program Files\ccsetup222_slim.exe

======List of files/folders modified in the last 1 months======

2009-08-24 09:46:47 ----D---- C:\WINDOWS\Temp
2009-08-24 09:46:30 ----D---- C:\Program Files\lg_fwupdate
2009-08-24 09:46:27 ----A---- C:\WINDOWS\lgfwup.ini
2009-08-24 09:46:24 ----SD---- C:\WINDOWS\Tasks
2009-08-24 09:45:07 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-24 09:29:56 ----D---- C:\WINDOWS\system32\drivers
2009-08-24 09:29:56 ----D---- C:\WINDOWS\system32
2009-08-24 09:27:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-24 09:27:17 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-24 09:09:42 ----D---- C:\WINDOWS
2009-08-24 09:09:29 ----A---- C:\WINDOWS\system.ini
2009-08-24 09:06:26 ----D---- C:\WINDOWS\system32\config
2009-08-24 09:05:07 ----SHD---- C:\WINDOWS\Installer
2009-08-24 09:02:32 ----D---- C:\WINDOWS\AppPatch
2009-08-24 09:02:31 ----D---- C:\Program Files\Common Files
2009-08-24 08:56:25 ----D---- C:\Program Files\Mozilla Firefox
2009-08-24 08:48:59 ----RASH---- C:\boot.ini
2009-08-24 08:44:43 ----SHD---- C:\System Volume Information
2009-08-24 08:44:43 ----D---- C:\WINDOWS\system32\Restore
2009-08-24 08:44:02 ----D---- C:\WINDOWS\Prefetch
2009-08-24 08:36:15 ----D---- C:\Program Files\Mozilla Thunderbird
2009-08-24 03:02:16 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-24 03:00:42 ----HD---- C:\WINDOWS\inf
2009-08-23 21:50:13 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-23 03:23:48 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-23 03:23:30 ----RSD---- C:\WINDOWS\assembly
2009-08-23 03:12:46 ----D---- C:\WINDOWS\SxsCaPendDel
2009-08-23 03:05:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-23 03:05:35 ----D---- C:\WINDOWS\WinSxS
2009-08-23 03:03:42 ----RD---- C:\Program Files
2009-08-23 03:03:42 ----D---- C:\WINDOWS\system32\en-US
2009-08-23 03:03:40 ----RSD---- C:\WINDOWS\Fonts
2009-08-23 03:03:26 ----D---- C:\WINDOWS\system32\spool
2009-08-23 03:01:30 ----D---- C:\Program Files\Internet Explorer
2009-08-21 16:24:24 ----D---- C:\Documents and Settings\Tintisha XP5\Application Data\FileZilla
2009-08-21 14:37:24 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-20 08:41:47 ----D---- C:\WINDOWS\Downloaded Installations
2009-08-20 08:41:21 ----D---- C:\Documents and Settings\Tintisha XP5\Application Data\YouSendIt
2009-08-13 14:10:33 ----D---- C:\Program Files\FileZilla FTP Client
2009-08-13 03:02:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-13 03:02:25 ----D---- C:\Program Files\Outlook Express
2009-08-13 03:00:23 ----D---- C:\WINDOWS\Debug
2009-08-07 10:58:55 ----D---- C:\WINDOWS\Minidump
2009-08-05 10:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-03 16:31:58 ----D---- C:\Documents and Settings
2009-08-03 14:12:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-03 13:58:23 ----A---- C:\WINDOWS\win.ini
2009-07-30 01:49:14 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-19 36864]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-02-27 3840]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 53768]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2009-06-30 73312]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 71176]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-01-16 293888]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-06 93952]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-16 34760]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 30728]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2009-05-28 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2007-08-21 21760]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-12-01 3452928]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7; C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys [2006-10-19 303616]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HdAudAddService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdAud.sys [2006-12-28 84992]
S3 mirrorv3;mirrorv3; C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 3328]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-07-11 57856]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-07-11 20480]
S3 RTHDMIAzAudService;Service for HDMI; C:\WINDOWS\system32\drivers\RtHDMI.sys [2008-08-26 3684352]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver; C:\WINDOWS\system32\DRIVERS\silabenm.sys [2007-11-02 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver; C:\WINDOWS\system32\DRIVERS\silabser.sys [2007-11-02 61440]
S3 slabbus;CP210x USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys []
S3 slabser;CP210x USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-12-01 598016]
R2 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-03-04 72704]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 IntelliAdminRC3;IntelliAdmin Remote Control; C:\Program Files\IntelliAdmin3\Agent\Agent32.exe [2009-01-05 2279904]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-22 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R2 ProtexisLicensing;ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [2006-11-02 174656]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-08 167936]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2006-06-14 61440]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-12-01 593920]
S2 gupdate1c98b80bfcbdf36;Google Update Service (gupdate1c98b80bfcbdf36); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-10 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S2 mi-raysat_3dsmax9_32;mental ray 3.5 Satellite (32-bit); C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe [2006-09-29 65536]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-04-18 72704]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2009-08-11 288112]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2007-12-21 19200]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-11-24 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 wampapache;wampapache; c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe [2008-12-10 24636]
S3 wampmysqld;wampmysqld; c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe [2008-11-15 6447744]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


I think the problem has been solved now; I have not had any warnings from my antivirus recently, so I think it has been a success. Unless, of course, you see anything in the above logs that suggests otherwise.

Thank you so much for your help with this.

#9 aommaster (Malware Response Team, 5,294 posts, Location: Dubai)

Posted 24 August 2009 - 02:34 PM

Hello, besouro.
No problem! Glad to be of help :thumbup2:

We need to run a batch file
  • Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "code".
    dir C:\6531f54fc87b6418e6b592d3e6c5 /a:-d /o:-d >files.txt
    cls
    exit
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat
  • Hit OK.
  • Double click fix.bat. You will see a black command prompt window open then close. It might seem like nothing is happening, but the script is running.

NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

NEXT:

We need to run a Panda Active Scan
  • Please go here to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
In your next reply, please include the following:
  • ActiveScan Report

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
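As an added example that is not part of the thread or of any tool used in it: the folder the batch file above lists, C:\6531f54fc87b6418e6b592d3e6c5, is the kind of entry a helper picks out of the RSIT "created in the last 1 months" section. The Python below parses lines in that format (the sample is constructed, modelled on the log posted earlier), flags recently created, hex-named folders directly under the drive root for review, and builds the same `dir` line fix.bat uses for each flagged path; the function and constant names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the RSIT "List of files/folders created" format,
# modelled on the log posted above (not the full log).
SAMPLE_RSIT_LINES = """\
2009-08-24 09:29:54 ----A---- C:\\ComboFix.txt
2009-08-23 03:03:42 ----D---- C:\\Program Files\\MSBuild
2009-08-23 03:03:18 ----N---- C:\\WINDOWS\\system32\\xpssvcs.dll
2009-08-23 03:03:18 ----D---- C:\\6531f54fc87b6418e6b592d3e6c5
2009-08-23 03:01:22 ----SHD---- C:\\Config.Msi
2009-08-17 09:00:17 ----D---- C:\\rsit
"""

# One RSIT entry: date, time, attribute flags between dashes, then the path.
RSIT_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"----(?P<attrs>[A-Z]*)---- (?P<path>.+)$"
)

# A folder directly under the drive root whose name is a long run of hex
# digits. Installers and Windows Update create these too, so a hit means
# "list its contents and review", not "malicious".
HEX_ROOT_DIR = re.compile(r"^[A-Za-z]:\\[0-9a-f]{16,}$", re.IGNORECASE)


def parse_rsit_entries(text):
    """Parse RSIT created/modified lines into (timestamp, attrs, path) tuples.

    Section headers, blank lines and anything else that does not match the
    entry format are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        m = RSIT_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, m["attrs"], m["path"]))
    return entries


def find_hex_named_root_dirs(text):
    """Return directory entries (attr contains 'D') matching HEX_ROOT_DIR,
    newest first, mirroring the /o:-d ordering the helper asks for."""
    hits = [(ts, path) for ts, attrs, path in parse_rsit_entries(text)
            if "D" in attrs and HEX_ROOT_DIR.match(path)]
    hits.sort(key=lambda item: item[0], reverse=True)
    return [path for _, path in hits]


def dir_listing_command(path):
    """Build the 'dir' line fix.bat uses for a flagged folder: files only
    (/a:-d), newest first (/o:-d), output redirected to files.txt."""
    return f"dir {path} /a:-d /o:-d >files.txt"


if __name__ == "__main__":
    for folder in find_hex_named_root_dirs(SAMPLE_RSIT_LINES):
        print(folder, "->", dir_listing_command(folder))
```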


#10 besouro (Topic Starter, Members, 7 posts)

Posted 25 August 2009 - 07:23 AM

Hi Aommaster,

I ran the batch file as requested; the black command prompt window opened very briefly, then closed again.

I have updated my version of Java.

I have run a Panda Active scan; I had 21 threats and 3 suspicious files! I had no idea... Anyway, the log is below.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-25 13:15:20
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@doubleclick[3].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@atdmt[3].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@tradedoubler[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@fastclick[2].txt
00160377 Adware/Ucmore Adware No 0 Yes No C:\Documents and Settings\Tintisha XP5\Favorites\NCH Software Download.lnk
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@xiti[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@ad.yieldmanager[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@bs.serving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha xp5@statse.webtrendslive[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@overture[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Tintisha XP5\Cookies\tintisha_xp5@zedo[2].txt
02442098 Exploit/SoD Virus/Trojan No 0 Yes No C:\Tintisha backup\Resources\VL - Flash 8\flash presentation\pres.swf
02442098 Exploit/SoD Virus/Trojan No 0 Yes No C:\Tintisha backup\trashbox\Richard\VL - Flash 8\flash presentation\pres.swf
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{A8FC1E70-4B8B-44AE-83E9-2E9B36013649}\RP1\A0000159.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Tintisha XP5\Desktop\DUMP\fileutil.exe
03378620 Generic Trojan Virus/Trojan No 0 Yes No C:\Tintisha backup\Software\Premiere CS3\Crack\Keygen1.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\geyekrhokvufds.sys.vir 
No C:\System Volume Information\_restore{A8FC1E70-4B8B-44AE-83E9-2E9B36013649}\RP1\A0000072.exe 
No C:\System Volume Information\_restore{A8FC1E70-4B8B-44AE-83E9-2E9B36013649}\RP1\A0000153.sys 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:46 AM

Posted 25 August 2009 - 11:45 AM

Hi!

My bad, the batch file was supposed to create a text file called files.txt in the same folder the batch file was run. Please post the contents of that.

Thanks!

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 besouro

besouro
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 26 August 2009 - 02:44 AM

Sorry, I should have realised.

The contents of files.txt are below...
-----------------------------------

Volume in drive C has no label.
Volume Serial Number is F6D5-30AA

Directory of C:\6531f54fc87b6418e6b592d3e6c5

------------------------------------

Is there supposed to be more text than this?

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:46 AM

Posted 26 August 2009 - 04:21 AM

Hi!

Well, if the folder in question (C:\6531f54fc87b6418e6b592d3e6c5) is empty, then it's fine. From the looks of the batch file, it is. Please verify that?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 besouro

besouro
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 26 August 2009 - 04:32 AM

Hi,
That folder isn't empty; it contains 2 folders, one called amd64 and one called i386.
Both of these folders seem to contain the same files which I've listed below...

filterpipelineprintproc.dll
msxpsdrv.cat
msxpsdrv.inf
msxpsinc.gpd
msxpsinc.ppd
mxdwdrv.dll
xpssvcs.dll

#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:46 AM

Posted 28 August 2009 - 02:46 PM

Hello, besouro.
My apologies for the delay in response.

Please navigate through and delete the following files:
C:\Documents and Settings\Tintisha XP5\Desktop\DUMP\fileutil.exe
C:\Tintisha backup\Software\Premiere CS3\Crack\Keygen1.exe

(May I remind you that cracks/keygens and other forms of Warez are not only illegal, but come bundled with all forms of malware, some of which can render your machine irreparable)

NEXT:

We need to uninstall Combofix
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
NEXT:

We need to run OTC
  • Download OTC from here & save it to your desktop.
  • Double click on OTC.exe. Click on CleanUp!.
  • You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
  • It will restart your computer automatically. If it doesn't, please restart your computer manually.



Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean :thumbup2:



One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make Internet Explorer 6 and below more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt

      When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.



Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly

Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
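The ActiveScan report in post #10 and the way it was triaged in post #15 (tracking cookies ignored, restore-point copies left to the cleanup tools, the quarantined driver already handled by ComboFix, two dormant files singled out for manual deletion) can be written down as a small parser. This is an added example, not a tool from the thread or from Panda; the report excerpt is constructed in the posted layout with placeholder user name, backup folder and restore-point GUID.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the report posted in the thread; user name,
# backup folder and the restore-point GUID are placeholders, not the poster's values.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000159.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Desktop\DUMP\fileutil.exe
03378620 Generic Trojan Virus/Trojan No 0 Yes No C:\Backup\Software\Crack\Keygen1.exe
;=====
SUSPECTS
Sent Location
No C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\example.sys.vir
;=====
"""

# Description and Location may contain spaces: Description is matched lazily,
# Type is one token, Active/Disinfectable/Disinfected are Yes|No, Location is the rest.
MALWARE_ROW = re.compile(r"^(\d{8}) (.+?) (\S+) (Yes|No) (\d+) (Yes|No) (Yes|No) (.+)$")
SUSPECT_ROW = re.compile(r"^(Yes|No) (.+)$")
SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}


def parse_report(text):
    """Return (malware_rows, suspect_paths); ';' separator lines and column headers are skipped."""
    malware, suspects, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line in SECTIONS:
            section = line
        elif section == "MALWARE" and (m := MALWARE_ROW.match(line)):
            malware.append({"id": m[1], "description": m[2], "type": m[3],
                            "active": m[4] == "Yes", "location": m[8]})
        elif section == "SUSPECTS" and (m := SUSPECT_ROW.match(line)):
            suspects.append(m[2])
    return malware, suspects


def triage(malware, suspects):
    """Bucket hits by the follow-up action a responder would take."""
    buckets = defaultdict(list)
    for row in malware:
        loc = row["location"].lower()
        if row["type"] == "TrackingCookie":
            buckets["cookie"].append(row["location"])         # clear browser cookies
        elif "\\system volume information\\_restore" in loc:
            buckets["restore_point"].append(row["location"])  # inert copy; gone once System Restore is reset
        elif row["active"]:
            buckets["active"].append(row["location"])         # running now: handle first
        else:
            buckets["delete"].append(row["location"])         # dormant file on disk: remove by hand
    for path in suspects:
        key = "quarantined" if "\\qoobox\\quarantine\\" in path.lower() else "suspect"
        buckets[key].append(path)                             # Qoobox is ComboFix's quarantine folder
    return dict(buckets)
```

Running `triage(*parse_report(SAMPLE_REPORT))` yields only the two dormant executables under "delete", which is the same conclusion the helper reached by eye.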