Undetected spyware redirecting search results


This topic is locked
37 replies to this topic

#16 fahari06 (Topic Starter, Members, 21 posts)

Posted 26 August 2009 - 06:14 AM

Hello,

OK, I ran MBAM and it found 2 infected objects. See log below. There have been some new developments though. Combofix would not run, even with the new instructions. It still disappeared shortly after saying "combofix is preparing to start". I left the computer on overnight to see if it would continue to scan and this morning there was no activity and no log.

I am still getting re-directed, HOWEVER, when Firefox redirects now, the page always comes up as one of those pages that says your computer is seriously infected, running scan now (kind of like what started the virus in the first place), but AVG immediately pops up a window that says "threat is detected" and calls it an "exploit-search" something (I can't fully remember and I had to shut down firefox so the box disappeared). In Internet Explorer, I get redirected but the redirected page never loads, it just stays blank.

This just in...now Firefox redirects again, which leads me to believe I am re-infected. :(

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2697
Windows 5.1.2600 Service Pack 2

8/25/2009 11:37:21 PM
mbam-log-2009-08-25 (23-37-21).txt

Scan type: Quick Scan
Objects scanned: 147782
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\TrayCommonRes.dll (Adware.NaviPromo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\TrayCommonRes.dll (Adware.NaviPromo) -> Delete on reboot.

Like you, I will be going out of town for the weekend beginning Thursday night (8/27/09) so you may not hear much from me between Thurs evening and Monday evening, but I will be here this evening.

Thank You
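As an added example (not code from this thread, from Malwarebytes, or from the BleepingComputer helpers), here is a small Python parser for the MBAM 1.x log format posted above. It turns the summary counts and the itemised sections into a structure, checks that each section's declared count matches the entries actually listed under it (a truncated copy-paste shows up as a mismatch), and lists the objects whose removal is deferred to the next restart. The sample input is an abridged copy of the log in the post above; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample input: an abridged copy of the MBAM quick-scan log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2697
Windows 5.1.2600 Service Pack 2
8/25/2009 11:37:21 PM
mbam-log-2009-08-25 (23-37-21).txt
Scan type: Quick Scan
Objects scanned: 147782
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\TrayCommonRes.dll (Adware.NaviPromo) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\TrayCommonRes.dll (Adware.NaviPromo) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")          # "Files Infected:"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 1"
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    obj: str       # path, registry key or value that was flagged
    threat: str    # detection name, e.g. "Adware.NaviPromo"
    action: str    # what MBAM did or scheduled, e.g. "Delete on reboot"


@dataclass
class MbamReport:
    meta: Dict[str, str] = field(default_factory=dict)
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x text log into metadata, summary counts and itemised detections."""
    report = MbamReport()
    section = None  # name of the itemised section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is not None:
            # Inside an itemised section: one detection per line, or the "no items" marker.
            if line != NO_ITEMS:
                m = ITEM_RE.match(line)
                if m:
                    report.detections.append(
                        Detection(section, m.group("obj"), m.group("threat"), m.group("action")))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("section")] = int(m.group("count"))
        elif ": " in line:
            key, _, value = line.partition(": ")
            report.meta[key] = value
    return report


def check_counts(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the listed items: {section: (declared, listed)}."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.summary.items() if listed.get(s, 0) != n}


def pending_on_reboot(report: MbamReport) -> List[str]:
    """Distinct objects whose removal is deferred until the next restart."""
    return sorted({d.obj for d in report.detections if "reboot" in d.action.lower()})


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print("database", r.meta.get("Database version"), "| mismatched sections:", check_counts(r))
    for d in r.detections:
        print(f"{d.section}: {d.obj} [{d.threat}] -> {d.action}")
    print("pending reboot:", pending_on_reboot(r))
```

Anything reported as "Delete on reboot" is still on disk (and, for a loaded module, still in memory) until the machine restarts, so a log like this one says nothing about the state after the reboot; a follow-up scan is what confirms removal. The count check is there because helpers work from pasted logs, and a paste that lost its tail looks clean when it is not.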


#17 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 August 2009 - 10:10 AM

Hi.

Navigate to your C:\Qoobox folder

In there, find the log file called Combofix-quarantine-files.txt. Post back with the content of that log in your next reply.


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#18 fahari06 (Topic Starter, Members, 21 posts)

Posted 26 August 2009 - 05:29 PM

Oops sorry, here it is:

2009-08-20 02:40:03 . 2009-08-20 02:40:04 171 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{AE6B2A89-3C7C-A8B1-71FC-D93207D6B2B3}.reg.dat
2009-08-20 02:39:59 . 2009-08-20 02:39:59 171 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{2E1C2C6C-6214-4D5B-9393-00542D481890}.reg.dat
2009-08-20 02:34:52 . 2004-02-11 23:58:16 24,613 -c--a-w- C:\Qoobox\Quarantine\C\DOCUME~1\SUNSPO~1.000\LOCALS~1\temp\IadHide5.dll.vir
2009-08-20 02:34:45 . 2009-08-20 02:34:45 53,248 -c--a-w- C:\Qoobox\Quarantine\C\DOCUME~1\SUNSPO~1.000\LOCALS~1\temp\catchme.dll.vir
2009-08-07 14:40:48 . 2009-08-07 14:40:48 20 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\KBBAR.DLL.vir
2009-08-06 20:47:17 . 2009-08-06 20:47:17 308 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{5ACD64C9-F108-218D-DF24-09AC80BB164B}.reg.dat
2009-08-06 19:57:20 . 2009-08-06 19:57:20 3,358 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Ias.reg.dat
2009-08-06 19:57:15 . 2009-08-06 19:57:15 1,034 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NETCARD.reg.dat
2009-08-06 19:57:14 . 2009-08-06 19:57:14 1,048 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IAS.reg.dat
2009-08-06 19:55:05 . 2009-08-20 02:21:21 8,589 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-06 18:31:25 . 2009-08-20 01:39:11 510 -c--a-w- C:\Qoobox\Quarantine\catchme.log
2009-08-04 22:06:08 . 2008-11-21 20:57:34 119 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\wt3.gif.vir
2009-08-04 22:06:08 . 2008-11-27 22:34:20 1,912 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\w3.jpg.vir
2009-08-04 22:06:08 . 2008-11-21 20:57:06 176 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\wt1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:57:20 51 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\wt2.gif.vir
2009-08-04 22:06:08 . 2008-11-27 22:30:14 3,430 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\w3.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:56:20 47 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\w2.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:29:00 696 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\up2.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:56:02 3,028 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\w1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:08:10 3,431 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\w11.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:17:00 1,015 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\t2.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:28:46 5,568 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\up1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:47:12 621 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\t1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:40:38 105 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\jj3.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:39:28 3,749 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\l1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:39:46 92 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\l2.gif.vir
2009-08-04 22:06:08 . 2008-11-21 20:40:00 468 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\l3.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:44:38 70 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\pix.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:12:54 47 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\j2.gif.vir
2009-08-04 22:06:08 . 2008-11-27 22:33:30 3,857 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\j3.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:14:28 114 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\jj1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:14:40 48 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\jj2.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:17:36 1,689 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\i3.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:12:38 3,957 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\j1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:17:12 1,744 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\i1.gif.vir
2009-08-04 22:06:08 . 2008-11-21 21:17:24 1,663 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\images\i2.gif.vir
2009-08-03 18:01:41 . 2009-08-03 18:36:54 4 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\FONTS\mlog.vir
2006-03-06 02:24:11 . 2005-10-12 03:09:00 7,628 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\FONTS\enervate.ttf.vir
2003-10-20 07:19:42 . 2003-10-20 07:19:42 8,592,384 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\238f02.msi.vir
2003-07-01 05:59:16 . 2003-10-08 10:15:46 2,417 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2002-09-03 13:00:00 . 2002-09-03 13:00:00 273 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Install.txt.vir

#19 extremeboy (Malware Response Team, 12,975 posts)

Posted 27 August 2009 - 03:41 PM

Hello.

Combofix was updated again recently. Delete the Combofix you currently have. Re-download it from one of those two links and try running it again. Make sure your security programs are disabled!

If it still doesn't work, let me know.

Run a scan with OTL, followed by a new scan with GMER. Instructions on running GMER can be found in Post #13.

Download and run OTL
  • Download OTL by OldTimer and save it to your desktop.
  • Double click on the OTL icon on your desktop. If you are using Vista, please right-click and select run as administrator.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • It will now begin to scan, please be patient while it scans.
  • Two reports will open once it's done.
  • Please copy and paste them in your next reply:
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized

~Extremeboy

#20 extremeboy (Malware Response Team, 12,975 posts)

Posted 31 August 2009 - 05:58 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#21 fahari06 (Topic Starter, Members, 21 posts)

Posted 31 August 2009 - 07:26 PM

Hello EB,

I am still here. I got back into town this morning before work. Will send post later this evening after following your instructions.

Thank You

#22 fahari06 (Topic Starter, Members, 21 posts)

Posted 31 August 2009 - 09:25 PM

Hello EB,

I followed the instructions from your last post. There is some progress. I still get redirected, but not every single search result. I get directed with 2 results:

1. I get directed to this URL - hxxp://www.shellysellsbuttons.com
OR

2. I get this message: Bad Request (Invalid Hostname)

The logs are attached in this order:
1. ComboFix
2. OTL txt
3. OTL extras
4. GMER

Edited by extremeboy, 01 September 2009 - 11:14 AM.


#23 fahari06 (Topic Starter, Members, 21 posts)

Posted 31 August 2009 - 11:19 PM

Quick update,

After running all of the programs and logs, the redirecting seems to stall as mentioned above, or the redirect will lead to a page that cannot be loaded, or is identified as a threat by the spyware blockers, but the redirect still occurs kind of. Now, if I RESTART, the redirecting happens all over again as if nothing has happened (removal or detection) on virtually all of my search results. Is the bug restarting with the comp?

#24 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 September 2009 - 11:23 AM

Hello.

Please delete the copy of Combofix you have. Re-download it from one of those 2 links and save it to your desktop.

Run it again and post back with the new log

Then, please re-run GMER again and post back with the GMER log as well.

Refer to my previous posts for additional information/instructions.

~Extremeboy

#25 fahari06 (Topic Starter, Members, 21 posts)

Posted 02 September 2009 - 05:38 AM

Hello,

Here are the 2 logs:

COMBOFIX

ComboFix 09-09-01.04 - Sunspot 09/02/2009 0:25.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.324 [GMT -4:00]
Running from: c:\documents and settings\Sunspot.RA.000\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-23 04:11 . 2009-08-26 02:29 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\ArcSoft
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----w- c:\program files\Common Files\Skype
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----r- c:\program files\Skype
2009-08-23 03:13 . 2009-09-01 03:46 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Skype
2009-08-23 01:35 . 2005-02-23 18:58 11776 -c--a-w- c:\windows\system32\drivers\afc.sys
2009-08-23 01:32 . 2009-08-23 01:32 -------- dc----w- c:\program files\Common Files\ArcSoft
2009-08-23 01:31 . 2004-05-04 15:53 1645320 -c--a-w- c:\windows\system32\gdiplus.dll
2009-08-23 01:31 . 2009-08-23 01:31 -------- dc----w- c:\program files\ArcSoft
2009-08-23 01:31 . 1995-08-01 08:44 212480 -c--a-w- c:\windows\PCDLIB32.DLL
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 00:45 . 2007-09-06 20:56 98304 -c--a-w- c:\windows\amcap.exe
2009-08-23 00:45 . 2008-02-21 21:15 3968 -c--a-w- c:\windows\system32\drivers\DeNoise.sys
2009-08-23 00:45 . 2007-03-10 18:43 270336 -c--a-w- c:\windows\tsnpstd3.exe
2009-08-23 00:45 . 2006-09-19 13:07 827392 -c--a-w- c:\windows\vsnpstd3.exe
2009-08-23 00:45 . 2007-03-26 18:46 10252544 -c--a-w- c:\windows\system32\drivers\snpstd3.sys
2009-08-23 00:45 . 2009-08-23 00:56 -------- dc----w- c:\program files\Common Files\snpstd3
2009-08-23 00:45 . 2007-03-12 15:41 61440 -c--a-w- c:\windows\system32\vsnpstd3.dll
2009-08-23 00:45 . 2007-02-09 18:13 172032 -c--a-w- c:\windows\system32\rsnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\system32\csnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\csnpstd3.dll
2009-08-23 00:45 . 2009-08-23 00:45 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\InstallShield
2009-08-22 00:59 . 2009-08-22 00:59 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 00:59 . 2009-09-01 02:26 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\skypePM
2009-08-22 00:43 . 2000-01-19 15:45 65536 -c--a-r- c:\windows\system32\SPDecode.DLL
2009-08-20 02:03 . 2009-08-22 18:55 117760 -c--a-w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-20 02:02 . 2009-08-20 02:02 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com
2009-08-13 19:34 . 2009-08-13 19:34 254976 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\updates\inst_1\Azureus.exe
2009-08-13 19:34 . 2009-08-13 19:34 77824 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\updates\inst_1\aereg.dll
2009-08-13 18:38 . 2005-12-31 00:18 180224 -c--a-w- c:\windows\system32\xvidvfw.dll
2009-08-13 18:38 . 2005-12-31 00:10 761856 -c--a-w- c:\windows\system32\xvidcore.dll
2009-08-13 17:12 . 2009-08-13 17:12 -------- dc----w- c:\program files\WinAVI MP4 Converter
2009-08-13 17:07 . 2009-08-13 17:07 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\WinAVI
2009-08-13 14:26 . 2009-08-13 14:26 7114736 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-08-13 14:23 . 2009-08-13 20:17 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Azureus
2009-08-13 13:28 . 2009-08-13 13:28 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\vlc
2009-08-13 11:59 . 2009-08-13 12:17 -------- dcs---w- C:\Combo-Fix.exe
2009-08-12 20:57 . 2009-08-05 02:50 2061592 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-08-12 20:57 . 2009-08-05 02:50 3476760 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgui.exe
2009-08-12 20:57 . 2009-08-05 02:50 2000152 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgtray.exe
2009-08-12 20:57 . 2009-08-05 02:50 1213720 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgfrw.exe
2009-08-12 20:57 . 2009-08-05 02:50 2295576 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgfwui.dll
2009-08-12 20:54 . 2009-08-05 02:50 1471768 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.dll
2009-08-12 20:54 . 2009-08-05 02:50 1126168 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.exe
2009-08-12 20:54 . 2009-08-05 02:50 758040 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avginet.dll
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\AdobeUM
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Adobe
2009-08-06 21:55 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Apple Computer
2009-08-06 17:30 . 2009-08-06 17:30 -------- dc----w- c:\program files\CCleaner
2009-08-05 22:55 . 2009-08-13 18:50 117760 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-08-05 22:54 . 2009-08-07 14:54 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com
2009-08-05 22:27 . 2009-08-05 22:27 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Malwarebytes
2009-08-05 21:20 . 2009-08-05 21:20 -------- dc----w- c:\windows\system32\NtmsData
2009-08-05 21:02 . 2009-08-05 21:02 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Mozilla
2009-08-05 21:01 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Apple Computer
2009-08-05 16:54 . 2009-08-05 16:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Azureus
2009-08-05 06:26 . 2009-08-05 06:27 -------- dc----w- c:\program files\iTunes
2009-08-05 06:26 . 2009-08-05 06:27 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 06:23 . 2009-08-05 06:23 -------- dc----w- c:\program files\Bonjour
2009-08-05 06:16 . 2009-07-09 16:16 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll
2009-08-05 06:11 . 2009-08-05 06:11 75040 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-05 03:35 . 2009-08-25 16:55 -------- dc-h--w- C:\$AVG8.VAULT$
2009-08-05 02:51 . 2009-08-05 02:51 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Downloaded Installations
2009-08-05 02:50 . 2009-08-05 02:50 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-08-05 02:50 . 2009-08-05 02:50 12552 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-05 02:50 . 2009-08-05 02:50 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-05 02:50 . 2009-08-05 02:50 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 02:50 . 2009-08-05 02:50 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 02:50 . 2009-09-02 01:37 -------- dc----w- c:\windows\system32\drivers\Avg
2009-08-05 02:48 . 2009-08-05 02:48 50968 -c--a-w- c:\windows\system32\avgfwdx.dll
2009-08-05 02:48 . 2009-08-05 02:48 29208 -c--a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-08-05 02:48 . 2009-08-05 02:48 -------- dc----w- c:\program files\AVG
2009-08-05 02:48 . 2009-08-05 02:48 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Malwarebytes
2009-08-03 19:25 . 2009-08-03 17:36 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:25 . 2009-08-26 03:26 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-03 19:25 . 2009-08-03 17:36 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 18:40 . 2009-08-05 01:23 -------- dc--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-03 18:39 . 2009-08-03 18:39 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 03:20 . 2005-03-05 08:53 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-08-23 01:31 . 2001-01-11 19:40 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-08-20 03:36 . 2004-01-12 00:37 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-13 20:40 . 2004-10-30 03:44 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Apple Computer
2009-08-13 20:20 . 2007-07-04 12:58 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-08-13 20:18 . 2004-11-20 19:00 -------- dc----w- c:\program files\Azureus
2009-08-13 18:38 . 2003-06-24 12:55 -------- dc----w- c:\program files\XviD
2009-08-07 17:02 . 2002-05-18 02:57 -------- dc----w- c:\program files\Opera
2009-08-07 13:39 . 2004-11-20 18:41 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Azureus
2009-08-05 22:54 . 2003-02-09 19:36 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 22:49 . 2003-11-03 22:34 -------- dc----w- c:\program files\InterActual
2009-08-05 21:00 . 2009-08-05 21:00 52112 -c--a-w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 12:27 . 2004-01-12 00:37 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:11 . 2005-01-08 03:15 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:30 . 2004-09-09 23:44 52112 -c--a-w- c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 06:26 . 2004-10-30 03:43 -------- dc----w- c:\program files\iPod
2009-08-05 06:26 . 2007-07-04 12:58 -------- dc----w- c:\program files\Common Files\Apple
2009-08-05 06:22 . 2001-01-15 00:13 -------- dc----w- c:\program files\QuickTime
2009-08-05 04:25 . 2007-10-03 01:26 -------- dc----w- c:\program files\filesubmit
2009-07-22 21:23 . 2009-07-22 21:23 74760 -c--a-w- c:\windows\system32\drivers\UniversalDD.sys
2009-07-22 21:23 . 2009-07-22 21:23 25608 -c--a-w- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-07-17 18:55 . 2002-09-03 13:00 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 05:45 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2008-09-03 21:19 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 16:18 . 2004-12-07 21:37 659456 -c----w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 -c----w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-03 13:00 82432 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-09-03 13:00 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2002-09-03 13:00 76288 -c--a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2002-09-03 13:00 84992 -c--a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-09-03 13:00 132096 -c--a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2003-08-12 00:03 655872 -c--a-w- c:\windows\system32\mstscax.dll
2001-10-05 11:53 . 2003-02-27 03:36 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
2001-03-19 00:11 . 2001-01-11 19:24 21952 -c-ha-w- c:\program files\folder.htt
2001-10-24 17:45 . 2002-05-18 02:57 28672 -c--a-w- c:\program files\opera\program\plugins\PlugDef.dll
2008-04-25 18:32 . 2008-04-25 18:32 5817064 -c--a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2005-05-07 16:05 . 2004-09-22 00:47 10646 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-09-01_01.36.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
- 2008-02-14 06:49 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2008-02-14 06:49 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2003-08-12 00:10 . 2009-09-02 04:22 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-02 04:22 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-02 04:22 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-12 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-1-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2008-2-22 888987]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-05 02:50 11952 -c--a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"=1

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\SYSTEM32\DRIVERS\AVGIDSErHr.sys [7/22/2009 5:23 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [8/4/2009 10:50 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/4/2009 10:50 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/4/2009 10:50 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 74480]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/4/2009 10:50 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [8/4/2009 10:50 PM 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [7/22/2009 5:23 PM 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [7/22/2009 5:23 PM 571912]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [8/4/2009 10:48 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [7/22/2009 5:23 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [7/22/2009 5:23 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [7/22/2009 5:23 PM 27232]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 6:43 PM 31896]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\SYSTEM32\DRIVERS\Ca536av.sys [2/3/2008 9:40 PM 514859]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [8/4/2009 10:48 PM 29208]
S3 PL-40R;CASIO USB MIDI;c:\windows\SYSTEM32\DRIVERS\pl40rwdm.sys [12/8/2007 12:08 PM 18118]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S3 SPCA508A;Micro WebCam;c:\windows\SYSTEM32\DRIVERS\SPCA508A.SYS [4/23/2001 1:23 PM 98073]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\SYSTEM32\DRIVERS\Bulk536.sys [2/3/2008 9:40 PM 11048]
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-02 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-17 13:53]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = 127.0.0.1;*sas.se1.attbb.net;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
FF - ProfilePath - c:\documents and settings\Sunspot.RA.000\Application Data\Mozilla\Firefox\Profiles\8tllm4r8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-09-02 1:00
ComboFix-quarantined-files.txt 2009-09-02 05:00
ComboFix2.txt 2009-09-01 01:45
ComboFix3.txt 2009-08-20 02:48
ComboFix4.txt 2009-08-06 20:55

Pre-Run: 7,507,816,448 bytes free
Post-Run: 7,497,732,096 bytes free

279 --- E O F --- 2009-09-01 04:21


GMER LOG

GMER 1.0.15.15077 [7qom40ec.exe] - http://www.gmer.net
Rootkit scan 2009-09-02 06:32:50
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F37EA16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F37E9FC2

Code 836C0878 ZwEnumerateKey
Code 836C03E0 ZwFlushInstructionCache
Code 8374968E ZwSaveKey
Code 836C08AE ZwSaveKeyEx
Code 837496C6 IofCallDriver
Code 83279B96 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 837651E8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Fastfat \FatCdrom 834A62A0

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{205AF3C1-D698-4D57-BE78-DC6D28102072} 83275790
Device \Driver\usbuhci \Device\USBPDO-0 835741E8
Device \Driver\usbuhci \Device\USBPDO-1 835741E8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_NTPNP7168 \Device\00000057 sptd.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 837661E8
Device \Driver\atapi \Device\Ide\IdePort0 837661E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 837661E8
Device \Driver\atapi \Device\Ide\IdePort1 837661E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 837661E8
Device \Driver\USBSTOR \Device\00000074 830C2790
Device \Driver\USBSTOR \Device\00000076 830C2790
Device \Driver\NetBT \Device\NetBt_Wins_Export 83275790
Device \Driver\NetBT \Device\NetbiosSmb 83275790

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 835741E8
Device \Driver\usbuhci \Device\USBFDO-1 835741E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8323C790
Device 8323C790
Device \Driver\Ftdisk \Device\FtControl 837D61E8
Device \Driver\atqvwth1 \Device\Scsi\atqvwth11Port2Path0Target0Lun0 8352D1E8
Device \Driver\atqvwth1 \Device\Scsi\atqvwth11 8352D1E8
Device 834A62A0
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 834A33B8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\vsfoceethkyiud.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [4004] 0x10000000

---- EOF - GMER 1.0.15 ----


Does GMER delete the rootkit activity that it finds? How can I get rid of this "globalroot" thing?

I know you are probably going to kill me, but the redirecting is still there. :(

Thank You

#26 extremeboy
Malware Response Team, 12,975 posts

Posted 02 September 2009 - 12:00 PM

Hello.

The rootkit may still be active. I still see hooks in the GMER log. Not sure if that file is indeed still there however.

Please do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    KillAll::
    
    Rootkit::
    C:\Windows\system32\vsfoceethkyiud.dll
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Run SysProt Anti-Rootkit

Please download SysProt Antirootkit v1.0.1.0 from one of the links below and save it to your desktop.
  • Please extract the SysProt.zip file to your desktop. Unzip/extract the file to its own folder by right-clicking on it and selecting Extract All... (Click here for information on how to do this if not sure. Win 2000 users click here.) Follow the prompts to finish extracting it.
  • Open the extracted folder and double-click the Sysprot.exe program to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • Click on the Log tab.
  • Under the Write to log box, select all 7 items, referring to the diagram below:
    [image]
  • Now push the [image] button near the bottom.
  • Another window shall appear soon. Please be patient while it collects some information.
  • Once the new window appears, please select the Scan Root Drive option.
  • Now press the [image] button.
  • It will now begin to scan. Please be patient until the scan is complete.
  • Once the scan is complete, a new window will appear notifying you that it is complete.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the Sysprot folder and in there you should see the SysProtLog.txt log.

Please attach the contents of that log here in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].
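The lines the helper is reading in the logs above are the ones a responder looks at first: GMER's "Library ... (*** hidden ***) @ C:\WINDOWS\explorer.exe" entry (a module loaded into a process that the normal API does not show), the "Code ... Zw*/Iof*" hook lines, and in the ComboFix loading points the disabled firewall profile ("EnableFirewall"= 0), the Security Center monitoring switched off, the per-user ProxyServer value and the orphaned Run entry pointing at a random-named DLL. Below is an added example, not code from ComboFix, GMER or this thread: a small Python triage script that parses those line formats and flags them. The sample log text is constructed from the output posted in this thread; the severity labels are this example's own assumptions. Two of the checks are deliberately marked for review rather than as malicious: third-party suites such as the AVG install seen here set Security Center's DisableMonitoring themselves, and a proxy entry can be a legitimate ISP or corporate proxy even though it is also how redirectors hijack browsing.

```python
"""Triage helper for ComboFix and GMER text logs.

Added example for this thread; it is not code from ComboFix, GMER or
BleepingComputer. It pulls out the indicators a responder reads first:
a hidden library loaded into a process, kernel code hooks, a disabled
Windows Firewall profile, Security Center monitoring switched off, an
orphaned Run entry, and a per-user proxy. Severity labels are this
example's own assumptions, not a rating used by either tool.
"""
import re
from dataclasses import dataclass

# Constructed sample: line formats copied from the logs posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
HKLM-Run-Ttehenoguqu - c:\windows\ajazuzeqijiw.dll
Code 836C0878 ZwEnumerateKey
Code 837496C6 IofCallDriver
Library \\?\globalroot\systemroot\system32\vsfoceethkyiud.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [4004] 0x10000000
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
HIDDEN_LIB = re.compile(r"^Library\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(\S+)\s+\[(\d+)\]")
KERNEL_HOOK = re.compile(r"^Code\s+([0-9A-Fa-f]{8})\s+(\w+)$")
USER_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
ORPHAN_RUN = re.compile(r"^HKLM-Run-(\S+)\s+-\s+(.+)$")


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str  # "high", "review" or "info" (assumed labels)


def parse_reg_int(text):
    """ComboFix prints DWORDs as 'dword:00000001' or as '0 (0x0)'."""
    m = re.search(r"dword:([0-9a-f]+)", text, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\s*(\d+)", text)
    return int(m.group(1)) if m else None


def triage(log_text):
    findings = []
    current_key = ""  # registry key the following "name"=value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := REG_KEY.match(line):
            current_key = m.group(1).lower()
        elif m := HIDDEN_LIB.match(line):
            # A module GMER sees in a process but the API hides: classic rootkit behaviour.
            findings.append(Finding("hidden_module",
                                    f"{m.group(1)} in {m.group(2)} (pid {m.group(3)})", "high"))
        elif m := KERNEL_HOOK.match(line):
            # Patched kernel code; AV products also hook, so confirm the owner before acting.
            findings.append(Finding("kernel_hook", f"{m.group(2)} @ {m.group(1)}", "review"))
        elif m := USER_PROXY.match(line):
            # Legitimate for ISP/corporate proxies, but also how redirectors hijack browsing.
            findings.append(Finding("user_proxy", m.group(1), "review"))
        elif m := ORPHAN_RUN.match(line):
            # A Run value whose target ComboFix removed; note the random-looking name.
            findings.append(Finding("orphan_run", f"{m.group(1)} -> {m.group(2)}", "info"))
        elif m := REG_VALUE.match(line):
            name, value = m.group(1), parse_reg_int(m.group(2))
            if name == "EnableFirewall" and "firewallpolicy" in current_key and value == 0:
                findings.append(Finding("firewall_disabled", current_key, "high"))
            elif name == "DisableMonitoring" and "security center" in current_key and value == 1:
                # Third-party suites set this to silence Security Center; confirm one is installed.
                findings.append(Finding("security_center_monitoring_off", current_key, "review"))
    return findings


def summary(findings):
    """Counts per kind, for a quick look before reading the full log."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:32} {f.detail}")
```

Run it against a saved ComboFix.txt or GMER log by passing the file contents to triage(); a hidden_module hit is the strongest single indicator here, and the firewall_disabled hit explains why the machine has been exposed while the cleanup is ongoing.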

#27 fahari06 (Topic Starter)
Members, 21 posts

Posted 02 September 2009 - 10:42 PM

Hello EB,

Here is the ComboFix Log:

ComboFix 09-09-01.04 - Sunspot 09/02/2009 21:01.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.323 [GMT -4:00]
Running from: c:\documents and settings\Sunspot.RA.000\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sunspot.RA.000\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\{321B8FCD-F38D-4135-B005-BB307F4F20E4}
c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\{321B8FCD-F38D-4135-B005-BB307F4F20E4}\chrome.manifest
c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\{321B8FCD-F38D-4135-B005-BB307F4F20E4}\chrome\content\_cfg.js
c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\{321B8FCD-F38D-4135-B005-BB307F4F20E4}\chrome\content\overlay.xul
c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\{321B8FCD-F38D-4135-B005-BB307F4F20E4}\install.rdf
c:\windows\ajazuzeqijiw.dll
c:\windows\cousbje.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 00:38 . 2009-09-03 00:38 120 -c--a-w- c:\windows\Sdunana.dat
2009-08-23 04:11 . 2009-08-26 02:29 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\ArcSoft
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----w- c:\program files\Common Files\Skype
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----r- c:\program files\Skype
2009-08-23 03:13 . 2009-09-01 03:46 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Skype
2009-08-23 01:35 . 2005-02-23 18:58 11776 -c--a-w- c:\windows\system32\drivers\afc.sys
2009-08-23 01:32 . 2009-08-23 01:32 -------- dc----w- c:\program files\Common Files\ArcSoft
2009-08-23 01:31 . 2004-05-04 15:53 1645320 -c--a-w- c:\windows\system32\gdiplus.dll
2009-08-23 01:31 . 2009-08-23 01:31 -------- dc----w- c:\program files\ArcSoft
2009-08-23 01:31 . 1995-08-01 08:44 212480 -c--a-w- c:\windows\PCDLIB32.DLL
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 00:45 . 2007-09-06 20:56 98304 -c--a-w- c:\windows\amcap.exe
2009-08-23 00:45 . 2008-02-21 21:15 3968 -c--a-w- c:\windows\system32\drivers\DeNoise.sys
2009-08-23 00:45 . 2007-03-10 18:43 270336 -c--a-w- c:\windows\tsnpstd3.exe
2009-08-23 00:45 . 2006-09-19 13:07 827392 -c--a-w- c:\windows\vsnpstd3.exe
2009-08-23 00:45 . 2007-03-26 18:46 10252544 -c--a-w- c:\windows\system32\drivers\snpstd3.sys
2009-08-23 00:45 . 2009-08-23 00:56 -------- dc----w- c:\program files\Common Files\snpstd3
2009-08-23 00:45 . 2007-03-12 15:41 61440 -c--a-w- c:\windows\system32\vsnpstd3.dll
2009-08-23 00:45 . 2007-02-09 18:13 172032 -c--a-w- c:\windows\system32\rsnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\system32\csnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\csnpstd3.dll
2009-08-23 00:45 . 2009-08-23 00:45 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\InstallShield
2009-08-22 00:59 . 2009-08-22 00:59 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 00:59 . 2009-09-01 02:26 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\skypePM
2009-08-22 00:43 . 2000-01-19 15:45 65536 -c--a-r- c:\windows\system32\SPDecode.DLL
2009-08-20 02:03 . 2009-08-22 18:55 117760 -c--a-w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-20 02:02 . 2009-08-20 02:02 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com
2009-08-13 19:34 . 2009-08-13 19:34 254976 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\updates\inst_1\Azureus.exe
2009-08-13 19:34 . 2009-08-13 19:34 77824 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\updates\inst_1\aereg.dll
2009-08-13 18:38 . 2005-12-31 00:18 180224 -c--a-w- c:\windows\system32\xvidvfw.dll
2009-08-13 18:38 . 2005-12-31 00:10 761856 -c--a-w- c:\windows\system32\xvidcore.dll
2009-08-13 17:12 . 2009-08-13 17:12 -------- dc----w- c:\program files\WinAVI MP4 Converter
2009-08-13 17:07 . 2009-08-13 17:07 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\WinAVI
2009-08-13 14:26 . 2009-08-13 14:26 7114736 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-08-13 14:23 . 2009-08-13 20:17 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Azureus
2009-08-13 13:28 . 2009-08-13 13:28 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\vlc
2009-08-13 11:59 . 2009-08-13 12:17 -------- dcs---w- C:\Combo-Fix.exe
2009-08-12 20:57 . 2009-08-05 02:50 2061592 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-08-12 20:57 . 2009-08-05 02:50 3476760 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgui.exe
2009-08-12 20:57 . 2009-08-05 02:50 2000152 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgtray.exe
2009-08-12 20:57 . 2009-08-05 02:50 1213720 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgfrw.exe
2009-08-12 20:57 . 2009-08-05 02:50 2295576 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgfwui.dll
2009-08-12 20:54 . 2009-08-05 02:50 1471768 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.dll
2009-08-12 20:54 . 2009-08-05 02:50 1126168 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.exe
2009-08-12 20:54 . 2009-08-05 02:50 758040 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avginet.dll
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\AdobeUM
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Adobe
2009-08-06 21:55 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Apple Computer
2009-08-06 17:30 . 2009-08-06 17:30 -------- dc----w- c:\program files\CCleaner
2009-08-05 22:55 . 2009-08-13 18:50 117760 -c--a-w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-08-05 22:54 . 2009-08-07 14:54 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com
2009-08-05 22:27 . 2009-08-05 22:27 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Malwarebytes
2009-08-05 21:20 . 2009-08-05 21:20 -------- dc----w- c:\windows\system32\NtmsData
2009-08-05 21:02 . 2009-08-05 21:02 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Mozilla
2009-08-05 21:01 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Apple Computer
2009-08-05 16:54 . 2009-08-05 16:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Azureus
2009-08-05 06:26 . 2009-08-05 06:27 -------- dc----w- c:\program files\iTunes
2009-08-05 06:26 . 2009-08-05 06:27 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 06:23 . 2009-08-05 06:23 -------- dc----w- c:\program files\Bonjour
2009-08-05 06:16 . 2009-07-09 16:16 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll
2009-08-05 06:11 . 2009-08-05 06:11 75040 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-05 03:35 . 2009-08-25 16:55 -------- dc-h--w- C:\$AVG8.VAULT$
2009-08-05 02:51 . 2009-08-05 02:51 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Downloaded Installations
2009-08-05 02:50 . 2009-08-05 02:50 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-08-05 02:50 . 2009-08-05 02:50 12552 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-05 02:50 . 2009-08-05 02:50 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-05 02:50 . 2009-08-05 02:50 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 02:50 . 2009-08-05 02:50 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 02:50 . 2009-09-03 00:36 -------- dc----w- c:\windows\system32\drivers\Avg
2009-08-05 02:48 . 2009-08-05 02:48 50968 -c--a-w- c:\windows\system32\avgfwdx.dll
2009-08-05 02:48 . 2009-08-05 02:48 29208 -c--a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-08-05 02:48 . 2009-08-05 02:48 -------- dc----w- c:\program files\AVG
2009-08-05 02:48 . 2009-08-05 02:48 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 03:26 . 2009-08-03 19:25 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 03:20 . 2005-03-05 08:53 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-08-23 01:31 . 2001-01-11 19:40 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-08-20 03:36 . 2004-01-12 00:37 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-13 20:40 . 2004-10-30 03:44 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Apple Computer
2009-08-13 20:20 . 2007-07-04 12:58 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-08-13 20:18 . 2004-11-20 19:00 -------- dc----w- c:\program files\Azureus
2009-08-13 18:38 . 2003-06-24 12:55 -------- dc----w- c:\program files\XviD
2009-08-07 17:02 . 2002-05-18 02:57 -------- dc----w- c:\program files\Opera
2009-08-07 13:39 . 2004-11-20 18:41 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Azureus
2009-08-05 22:54 . 2003-02-09 19:36 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 22:49 . 2003-11-03 22:34 -------- dc----w- c:\program files\InterActual
2009-08-05 21:00 . 2009-08-05 21:00 52112 -c--a-w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 12:27 . 2004-01-12 00:37 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:11 . 2005-01-08 03:15 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:30 . 2004-09-09 23:44 52112 -c--a-w- c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 06:26 . 2004-10-30 03:43 -------- dc----w- c:\program files\iPod
2009-08-05 06:26 . 2007-07-04 12:58 -------- dc----w- c:\program files\Common Files\Apple
2009-08-05 06:22 . 2001-01-15 00:13 -------- dc----w- c:\program files\QuickTime
2009-08-05 04:25 . 2007-10-03 01:26 -------- dc----w- c:\program files\filesubmit
2009-08-05 01:23 . 2009-08-03 18:40 -------- dc--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Malwarebytes
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-03 18:39 . 2009-08-03 18:39 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2009-08-03 17:36 . 2009-08-03 19:25 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-03 19:25 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 21:23 . 2009-07-22 21:23 74760 -c--a-w- c:\windows\system32\drivers\UniversalDD.sys
2009-07-22 21:23 . 2009-07-22 21:23 25608 -c--a-w- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-07-17 18:55 . 2002-09-03 13:00 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 05:45 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2008-09-03 21:19 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 16:18 . 2004-12-07 21:37 659456 -c----w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 -c----w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-03 13:00 82432 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-09-03 13:00 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2002-09-03 13:00 76288 -c--a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2002-09-03 13:00 84992 -c--a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-09-03 13:00 132096 -c--a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2003-08-12 00:03 655872 -c--a-w- c:\windows\system32\mstscax.dll
2001-10-05 11:53 . 2003-02-27 03:36 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
2001-03-19 00:11 . 2001-01-11 19:24 21952 -c-ha-w- c:\program files\folder.htt
2001-10-24 17:45 . 2002-05-18 02:57 28672 -c--a-w- c:\program files\opera\program\plugins\PlugDef.dll
2008-04-25 18:32 . 2008-04-25 18:32 5817064 -c--a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2005-05-07 16:05 . 2004-09-22 00:47 10646 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-09-01_01.36.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 01:30 . 2009-09-03 01:30 40960 c:\windows\temp\rtdrvmon.exe
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2008-02-14 06:49 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
- 2008-02-14 06:49 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2003-08-12 00:10 . 2009-09-03 00:53 65536 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-02 10:38 . 2009-09-02 10:38 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009090220090903\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-03 00:53 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-03 00:53 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2009-09-02 10:38 . 2009-09-02 10:38 53637 c:\windows\SYSTEM32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\UserCache.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-12 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-1-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2008-2-22 888987]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-05 02:50 11952 -c--a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"=1

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\SYSTEM32\DRIVERS\AVGIDSErHr.sys [7/22/2009 5:23 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [8/4/2009 10:50 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/4/2009 10:50 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/4/2009 10:50 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 74480]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/4/2009 10:50 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [8/4/2009 10:50 PM 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [7/22/2009 5:23 PM 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [7/22/2009 5:23 PM 571912]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [8/4/2009 10:48 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [7/22/2009 5:23 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [7/22/2009 5:23 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [7/22/2009 5:23 PM 27232]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 6:43 PM 31896]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\SYSTEM32\DRIVERS\Ca536av.sys [2/3/2008 9:40 PM 514859]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [8/4/2009 10:48 PM 29208]
S3 PL-40R;CASIO USB MIDI;c:\windows\SYSTEM32\DRIVERS\pl40rwdm.sys [12/8/2007 12:08 PM 18118]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S3 SPCA508A;Micro WebCam;c:\windows\SYSTEM32\DRIVERS\SPCA508A.SYS [4/23/2001 1:23 PM 98073]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\SYSTEM32\DRIVERS\Bulk536.sys [2/3/2008 9:40 PM 11048]
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-03 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-17 13:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ttehenoguqu - c:\windows\ajazuzeqijiw.dll


.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = 127.0.0.1;*sas.se1.attbb.net;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
FF - ProfilePath - c:\documents and settings\Sunspot.RA.000\Application Data\Mozilla\Firefox\Profiles\8tllm4r8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3100)
c:\docume~1\SUNSPO~1.000\LOCALS~1\Temp\IadHide5.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\progra~1\MICROS~4\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-03 21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 01:47
ComboFix2.txt 2009-09-02 05:00
ComboFix3.txt 2009-09-01 01:45
ComboFix4.txt 2009-08-20 02:48
ComboFix5.txt 2009-09-03 00:47

Pre-Run: 7,557,521,408 bytes free
Post-Run: 7,550,382,080 bytes free

326 --- E O F --- 2009-09-02 11:04


AND HERE IS THE SYSPROT LOG:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\smss.exe
PID: 816
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 868
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 892
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 952
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1272
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1372
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1420
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\LEXBCES.EXE
PID: 1572
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\LEXPPS.EXE
PID: 1620
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
PID: 1652
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1936
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 2024
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgfws8.exe
PID: 180
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
PID: 224
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 264
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
PID: 304
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\nvsvc32.exe
PID: 384
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
PID: 620
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgam.exe
PID: 692
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 716
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\alg.exe
PID: 1848
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
PID: 2732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\wscntfy.exe
PID: 2840
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb09.exe
PID: 3512
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
PID: 3524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\devldr32.exe
PID: 3616
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PID: 3624
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PID: 3656
Hidden: No
Window Visible: No

Name: C:\WINDOWS\MXOALDR.EXE
PID: 3684
Hidden: No
Window Visible: No

Name: C:\Program Files\BroadJump\Client Foundation\CFD.exe
PID: 3716
Hidden: No
Window Visible: No

Name: C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
PID: 3736
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\LEXMAR~1\lxbrksk.exe
PID: 3752
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 3760
Hidden: No
Window Visible: No

Name: C:\Program Files\QuickTime\QTTask.exe
PID: 3780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\wuauclt.exe
PID: 3816
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3832
Hidden: No
Window Visible: No

Name: C:\WINDOWS\tsnpstd3.exe
PID: 3876
Hidden: No
Window Visible: No

Name: C:\Program Files\DAEMON Tools\daemon.exe
PID: 3920
Hidden: No
Window Visible: No

Name: C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
PID: 3936
Hidden: No
Window Visible: No

Name: C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
PID: 4072
Hidden: No
Window Visible: No

Name: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PID: 392
Hidden: No
Window Visible: No

Name: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
PID: 444
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2484
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 3100
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\notepad.exe
PID: 2672
Hidden: No
Window Visible: Yes

Name: C:\Documents and Settings\Sunspot.RA.000\Desktop\SysProt\SysProt\SysProt.exe
PID: 904
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\vsfoceetlwasbl.sys
Service Name: vsfocegoxuwbiv
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Sunspot.RA.000\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: ED7D6000
Module End: ED7E1000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806EB580
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EC000
Module End: 806FFD80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8E70000
Module End: F8E72000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8D80000
Module End: F8D83000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sptd.sys
Service Name: sptd
Module Base: F8865000
Module End: F894F000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: F8E72000
Module End: F8E74000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F884D000
Module End: F8865000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F881F000
Module End: F884D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F880E000
Module End: F881F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F8970000
Module End: F897F000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F8980000
Module End: F898D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8990000
Module End: F8999000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8E74000
Module End: F8E76000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F8BF0000
Module End: F8BF7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F89A0000
Module End: F89AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F87EF000
Module End: F880E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F8BF8000
Module End: F8BFD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F89B0000
Module End: F89BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F87D7000
Module End: F87EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F89C0000
Module End: F89C9000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F89D0000
Module End: F89DD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F87B7000
Module End: F87D7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F87A5000
Module End: F87B7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F89E0000
Module End: F89EC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F878E000
Module End: F87A5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F8701000
Module End: F878E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F86D4000
Module End: F8701000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F89F0000
Module End: F89FF000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\sbp2port.sys
Service Name: sbp2port
Module Base: F8A00000
Module End: F8A0B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F86B9000
Module End: F86D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: F8E76000
Module End: F8E78000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AVGIDSErHr.sys
Service Name: AVGIDSErHr
Module Base: F8A10000
Module End: F8A19000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F8A20000
Module End: F8A2B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\processr.sys
Service Name: Processor
Module Base: F8B20000
Module End: F8B29000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F7110000
Module End: F7369000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F70FC000
Module End: F7110000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F8B30000
Module End: F8B40000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\emu10k1m.sys
Service Name: emu10k
Module Base: F70B6000
Module End: F70FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F7092000
Module End: F70B6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F8B40000
Module End: F8B4F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ks.sys
Service Name: ---
Module Base: F706F000
Module End: F7092000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sfmanm.sys
Service Name: sfman
Module Base: F8B50000
Module End: F8B59000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ctlfacem.sys
Service Name: emu10k1
Module Base: F8EB0000
Module End: F8EB2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ctljystk.sys
Service Name: ctljystk
Module Base: F90C3000
Module End: F90C4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Service Name: gameenum
Module Base: F8E38000
Module End: F8E3B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys
Service Name: HCF_MSFT
Module Base: F6F91000
Module End: F706F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F8CD8000
Module End: F8CE0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\el90xbc5.sys
Service Name: EL90XBC
Module Base: F6F80000
Module End: F6F91000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F8B60000
Module End: F8B6D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F8CE8000
Module End: F8CEE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F8CF0000
Module End: F8CF6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F8B70000
Module End: F8B80000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F8E3C000
Module End: F8E40000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6F6C000
Module End: F6F80000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Afc.sys
Service Name: Afc
Module Base: F8CF8000
Module End: F8D00000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Service Name: AFS2K
Module Base: F8B80000
Module End: F8B89000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8B90000
Module End: F8B9D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8BA0000
Module End: F8BAF000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F8BB0000
Module End: F8BBA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8BC0000
Module End: F8BCB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F8D00000
Module End: F8D05000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6F49000
Module End: F6F6C000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\ax1m446r.SYS
Service Name: ---
Module Base: F6EE2000
Module End: F6F49000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\dfmirage.sys
Service Name: dfmirage
Module Base: F8BD0000
Module End: F8BDC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
Service Name: Avgfwdx
Module Base: F8D68000
Module End: F8D6E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8F72000
Module End: F8F73000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F8BE0000
Module End: F8BED000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F867C000
Module End: F867F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6E17000
Module End: F6E2E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F8A40000
Module End: F8A4B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F8A50000
Module End: F8A5C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F8D70000
Module End: F8D75000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6E06000
Module End: F6E17000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F8A70000
Module End: F8A79000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F8D78000
Module End: F8D7D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8C10000
Module End: F8C15000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Pcouffin.sys
Service Name: Pcouffin
Module Base: F7F9E000
Module End: F7FA7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F73F9000
Module End: F7403000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8EB8000
Module End: F8EBA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F6D80000
Module End: F6DD9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F8664000
Module End: F8668000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F73E9000
Module End: F73F3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F8AA0000
Module End: F8AAF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F8EF0000
Module End: F8EF2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F8C60000
Module End: F8C65000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F8EF4000
Module End: F8EF6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8FCE000
Module End: F8FCF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8EF6000
Module End: F8EF8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F8C70000
Module End: F8C77000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F8C78000
Module End: F8C7E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8EFA000
Module End: F8EFC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F8EFC000
Module End: F8EFE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F8C80000
Module End: F8C85000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F8C88000
Module End: F8C90000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7D8C000
Module End: F7D8F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F52C0000
Module End: F52D3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F5268000
Module End: F52C0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: F524F000
Module End: F5268000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F5227000
Module End: F524F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F5205000
Module End: F5227000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F8AD0000
Module End: F8AD9000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
Service Name: SbcpHid
Module Base: F8C98000
Module End: F8C9E000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Service Name: SASKUTIL
Module Base: F5190000
Module End: F51B5000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: F8CA0000
Module End: F8CA6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F5165000
Module End: F5190000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F50F6000
Module End: F5165000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F8AE0000
Module End: F8AE9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F50D5000
Module End: F50F6000
Hidden: No

Module Name: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Service Name: eeCtrl
Module Base: F504A000
Module End: F50AD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F8CB0000
Module End: F8CB6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: F4FF9000
Module End: F504A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F8CB8000
Module End: F8CC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\snpstd3.sys
Service Name: SNPSTD3
Module Base: F4631000
Module End: F4FF9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Service Name: ---
Module Base: F5994000
Module End: F59A0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\usbaudio.sys
Service Name: usbaudio
Module Base: F5984000
Module End: F5993000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7FDE000
Module End: F7FE7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7FCE000
Module End: F7FDD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: F5A5E000
Module End: F5A62000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F8CC0000
Module End: F8CC7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F8CC8000
Module End: F8CCF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F7F5E000
Module End: F7F6E000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF519000
Module End: EF531000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F2FD4000
Module End: F2FD6000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EFD91000
Module End: EFD94000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F8D38000
Module End: F8D3D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F9054000
Module End: F9055000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F7DB0000
Module End: F7DB4000
Hidden: No

Module Name: \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys
Service Name: AVGIDSShim
Module Base: F51DD000
Module End: F51E2000
Hidden: No

Module Name: \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys
Service Name: AVGIDSFilter
Module Base: F7F6E000
Module End: F7F78000
Hidden: No

Module Name: \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys
Service Name: AVGIDSDriver
Module Base: EDB88000
Module End: EDBB0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EDAE4000
Module End: EDB10000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\Haspnt.sys
Service Name: Haspnt
Module Base: F7369000
Module End: F7375000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F8F34000
Module End: F8F36000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Service Name: Sentinel
Module Base: EDA82000
Module End: EDA94000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\aspi32.sys
Service Name: Aspi32
Module Base: F3561000
Module End: F3566000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\hardlock.sys
Service Name: hardlock
Module Base: ED99B000
Module End: EDA0A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: ED978000
Module End: ED99B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: ED886000
Module End: ED8D8000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\drivers\PfModNT.sys
Service Name: PfModNT
Module Base: EDA62000
Module End: EDA66000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: F2339000
Module End: F2343000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: ED3C1000
Module End: ED3D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: ED8E8000
Module End: ED8F7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: ECFD7000
Module End: ED018000
Hidden: No

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: F8D10000
Module End: F8D18000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: F8EA0000
Module End: F8EA2000
Hidden: Yes

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F8CE0000
Module End: F8CE7000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8064C287
Jump To: 83672932
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 8064C1EF
Jump To: 834563AA
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80576A6A
Jump To: 83457514
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 8056EF30
Jump To: 836728FC
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E3BF6
Jump To: 832980A3
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E37C5
Jump To: 832AA863
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 837661E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8325A790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8354F1E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 837D61E8
Hooking Module: _unknown_

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_CREATE
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_CLOSE
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_READ
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_WRITE
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SET_EA
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_POWER
Jump To: F8875EA8
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F88992C8
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: \Driver\PCI_NTPNP5632
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F889CB0E
Hooking Module: C:\WINDOWS\system32\drivers\sptd.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 83298790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 83298790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 83298790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 83298790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 83298790
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 835671E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 837D41E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 835341E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 835341E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 835341E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 835341E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 835341E8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\ax1m446r.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 835341E8
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
Ports:
Local Address: RA:27015
Remote Address: LOCALHOST:1045
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: RA:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: RA:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: RA:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: RA:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: RA:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: RA:1045
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: RA:1027
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\SYSTEM32\alg.exe
State: LISTENING

Local Address: RA:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\SYSTEM32\LEXPPS.EXE
State: LISTENING

Local Address: RA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: RA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: LISTENING

Local Address: RA:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: RA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: RA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: RA:9370
Remote Address: NA
Type: UDP
Process: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
State: NA

Local Address: RA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\lsass.exe
State: NA

Local Address: RA:1026
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: RA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\lsass.exe
State: NA

Local Address: RA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found


And now for the moment of truth...

DOH! Still redirects. Here are two examples of pages that I was redirected to when searching for "Apple Picking in New York". Again, the browser redirects to one of these pages first, it doesn't really load, and then subsequently another page that has to do with the subject of the preliminary redirection loads.

hXXp://aasect.com/search.php
hXXp://coomath4kids.com/search.php

**scratching head** :thumbup2:

Edited by extremeboy, 03 September 2009 - 09:02 AM.
Deactivate possibly malicious links


#28 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:30 AM

Posted 03 September 2009 - 09:13 AM

Hello.

Let's continue here...

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Driver::
    vsfocegoxuwbiv
    Rootkit::
    C:\Windows\system32\drivers\vsfoceetlwasbl.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Take a new GMER run afterward and post back with the GMER log as well.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#29 fahari06

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:30 AM

Posted 04 September 2009 - 06:30 AM

Hello EB,

Here is ComboFix:

ComboFix 09-09-03.02 - Sunspot 09/04/2009 6:50.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.424 [GMT -4:00]
Running from: c:\documents and settings\Sunspot.RA.000\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sunspot.RA.000\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 10:26 . 2009-09-04 10:26 -------- dc----w- C:\AVGTemp
2009-09-03 01:29 . 2009-09-03 01:29 17920 -c--a-w- c:\windows\system32\vsfoceethkyiud.dll
2009-09-03 00:38 . 2009-09-03 00:38 120 -c--a-w- c:\windows\Sdunana.dat
2009-08-23 04:11 . 2009-08-26 02:29 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\ArcSoft
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----w- c:\program files\Common Files\Skype
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----r- c:\program files\Skype
2009-08-23 03:13 . 2009-09-04 08:47 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Skype
2009-08-23 01:35 . 2005-02-23 18:58 11776 -c--a-w- c:\windows\system32\drivers\afc.sys
2009-08-23 01:32 . 2009-08-23 01:32 -------- dc----w- c:\program files\Common Files\ArcSoft
2009-08-23 01:31 . 2004-05-04 15:53 1645320 -c--a-w- c:\windows\system32\gdiplus.dll
2009-08-23 01:31 . 2009-08-23 01:31 -------- dc----w- c:\program files\ArcSoft
2009-08-23 01:31 . 1995-08-01 08:44 212480 -c--a-w- c:\windows\PCDLIB32.DLL
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 00:45 . 2007-09-06 20:56 98304 -c--a-w- c:\windows\amcap.exe
2009-08-23 00:45 . 2008-02-21 21:15 3968 -c--a-w- c:\windows\system32\drivers\DeNoise.sys
2009-08-23 00:45 . 2007-03-10 18:43 270336 -c--a-w- c:\windows\tsnpstd3.exe
2009-08-23 00:45 . 2006-09-19 13:07 827392 -c--a-w- c:\windows\vsnpstd3.exe
2009-08-23 00:45 . 2007-03-26 18:46 10252544 -c--a-w- c:\windows\system32\drivers\snpstd3.sys
2009-08-23 00:45 . 2009-08-23 00:56 -------- dc----w- c:\program files\Common Files\snpstd3
2009-08-23 00:45 . 2007-03-12 15:41 61440 -c--a-w- c:\windows\system32\vsnpstd3.dll
2009-08-23 00:45 . 2007-02-09 18:13 172032 -c--a-w- c:\windows\system32\rsnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\system32\csnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\csnpstd3.dll
2009-08-23 00:45 . 2009-08-23 00:45 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\InstallShield
2009-08-22 00:59 . 2009-08-22 00:59 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 00:59 . 2009-09-04 01:47 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\skypePM
2009-08-22 00:43 . 2000-01-19 15:45 65536 -c--a-r- c:\windows\system32\SPDecode.DLL
2009-08-20 02:02 . 2009-08-20 02:02 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com
2009-08-13 18:38 . 2005-12-31 00:18 180224 -c--a-w- c:\windows\system32\xvidvfw.dll
2009-08-13 18:38 . 2005-12-31 00:10 761856 -c--a-w- c:\windows\system32\xvidcore.dll
2009-08-13 17:12 . 2009-08-13 17:12 -------- dc----w- c:\program files\WinAVI MP4 Converter
2009-08-13 17:07 . 2009-08-13 17:07 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\WinAVI
2009-08-13 14:23 . 2009-08-13 20:17 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Azureus
2009-08-13 13:28 . 2009-08-13 13:28 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\vlc
2009-08-13 11:59 . 2009-08-13 12:17 -------- dcs---w- C:\Combo-Fix.exe
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\AdobeUM
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Adobe
2009-08-06 21:55 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Apple Computer
2009-08-06 17:30 . 2009-08-06 17:30 -------- dc----w- c:\program files\CCleaner
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-08-05 22:54 . 2009-08-07 14:54 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com
2009-08-05 22:27 . 2009-08-05 22:27 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Malwarebytes
2009-08-05 21:20 . 2009-08-05 21:20 -------- dc----w- c:\windows\system32\NtmsData
2009-08-05 21:02 . 2009-08-05 21:02 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Mozilla
2009-08-05 21:01 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\Apple Computer
2009-08-05 16:54 . 2009-08-05 16:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 11:07 . 2009-08-03 17:58 177928 -c--a-w- c:\windows\system32\vsfoceogkbaqpm.dat
2009-09-04 10:40 . 2009-08-03 18:21 43 -c--a-w- c:\windows\system32\vsfocejboroyiv.dat
2009-09-04 10:08 . 2009-08-05 02:48 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-08-26 03:26 . 2009-08-03 19:25 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 03:20 . 2005-03-05 08:53 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-08-23 01:31 . 2001-01-11 19:40 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-08-20 03:36 . 2004-01-12 00:37 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-13 20:40 . 2004-10-30 03:44 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Apple Computer
2009-08-13 20:20 . 2007-07-04 12:58 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-08-13 20:18 . 2004-11-20 19:00 -------- dc----w- c:\program files\Azureus
2009-08-13 18:38 . 2003-06-24 12:55 -------- dc----w- c:\program files\XviD
2009-08-07 17:02 . 2002-05-18 02:57 -------- dc----w- c:\program files\Opera
2009-08-07 13:39 . 2004-11-20 18:41 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Azureus
2009-08-05 22:54 . 2003-02-09 19:36 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 22:49 . 2003-11-03 22:34 -------- dc----w- c:\program files\InterActual
2009-08-05 21:00 . 2009-08-05 21:00 52112 -c--a-w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 12:27 . 2004-01-12 00:37 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:11 . 2005-01-08 03:15 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:30 . 2004-09-09 23:44 52112 -c--a-w- c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 06:27 . 2009-08-05 06:26 -------- dc----w- c:\program files\iTunes
2009-08-05 06:27 . 2009-08-05 06:26 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 06:26 . 2004-10-30 03:43 -------- dc----w- c:\program files\iPod
2009-08-05 06:26 . 2007-07-04 12:58 -------- dc----w- c:\program files\Common Files\Apple
2009-08-05 06:23 . 2009-08-05 06:23 -------- dc----w- c:\program files\Bonjour
2009-08-05 06:22 . 2001-01-15 00:13 -------- dc----w- c:\program files\QuickTime
2009-08-05 04:25 . 2007-10-03 01:26 -------- dc----w- c:\program files\filesubmit
2009-08-05 02:51 . 2009-08-05 02:51 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Downloaded Installations
2009-08-05 02:48 . 2009-08-05 02:48 -------- dc----w- c:\program files\AVG
2009-08-05 01:23 . 2009-08-03 18:40 -------- dc--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Malwarebytes
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-03 18:39 . 2009-08-03 18:39 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2009-08-03 17:58 . 2009-08-03 17:58 39936 -c--a-w- c:\windows\system32\vsfocehrqjlknb.dll
2009-08-03 17:36 . 2009-08-03 19:25 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-03 19:25 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 18:55 . 2002-09-03 13:00 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 05:45 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-08-05 06:16 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 16:16 . 2008-09-03 21:19 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 16:18 . 2004-12-07 21:37 659456 -c----w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 -c----w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-03 13:00 82432 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-09-03 13:00 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2002-09-03 13:00 76288 -c--a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2002-09-03 13:00 84992 -c--a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-09-03 13:00 132096 -c--a-w- c:\windows\system32\wkssvc.dll
2001-10-05 11:53 . 2003-02-27 03:36 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
2001-03-19 00:11 . 2001-01-11 19:24 21952 -c-ha-w- c:\program files\folder.htt
2001-10-24 17:45 . 2002-05-18 02:57 28672 -c--a-w- c:\program files\opera\program\plugins\PlugDef.dll
2008-04-25 18:32 . 2008-04-25 18:32 5817064 -c--a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2005-05-07 16:05 . 2004-09-22 00:47 10646 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-09-01_01.36.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-04 11:13 . 2009-09-04 11:13 40960 c:\windows\temp\rtdrvmon.exe
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2008-02-14 06:49 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
- 2008-02-14 06:49 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2003-08-12 00:10 . 2009-09-04 10:46 65536 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-02 10:38 . 2009-09-02 10:38 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009090220090903\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-04 10:46 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-04 10:46 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2009-09-02 10:38 . 2009-09-02 10:38 53637 c:\windows\SYSTEM32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\UserCache.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-12 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-1-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2008-2-22 888987]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"=1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 74480]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 6:43 PM 31896]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\SYSTEM32\DRIVERS\Ca536av.sys [2/3/2008 9:40 PM 514859]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 PL-40R;CASIO USB MIDI;c:\windows\SYSTEM32\DRIVERS\pl40rwdm.sys [12/8/2007 12:08 PM 18118]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S3 SPCA508A;Micro WebCam;c:\windows\SYSTEM32\DRIVERS\SPCA508A.SYS [4/23/2001 1:23 PM 98073]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\SYSTEM32\DRIVERS\Bulk536.sys [2/3/2008 9:40 PM 11048]
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-04 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-17 13:53]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = 127.0.0.1;*sas.se1.attbb.net;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
FF - ProfilePath - c:\documents and settings\Sunspot.RA.000\Application Data\Mozilla\Firefox\Profiles\8tllm4r8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsfocegoxuwbiv]
"imagepath"="\systemroot\system32\drivers\vsfoceetlwasbl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsfocegoxuwbiv]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\vsfoceetlwasbl.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(420)
c:\docume~1\SUNSPO~1.000\LOCALS~1\Temp\IadHide5.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\progra~1\MICROS~4\Office10\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-04 7:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 11:18
ComboFix2.txt 2009-09-03 01:48
ComboFix3.txt 2009-09-02 05:00
ComboFix4.txt 2009-09-01 01:45
ComboFix5.txt 2009-09-04 10:40

Pre-Run: 7,771,455,488 bytes free
Post-Run: 7,758,684,160 bytes free

281 --- E O F --- 2009-09-02 11:04


AND HERE IS GMER:

GMER 1.0.15.15077 [7qom40ec.exe] - http://www.gmer.net
Rootkit scan 2009-09-04 07:23:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF88660D0]
SSDT sptd.sys ZwEnumerateKey [0xF886BFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF886C340]
SSDT sptd.sys ZwOpenKey [0xF88660B0]
SSDT sptd.sys ZwQueryKey [0xF886C418]
SSDT sptd.sys ZwQueryValueKey [0xF886C298]
SSDT sptd.sys ZwSetValueKey [0xF886C4AA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF4B916D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF4B8FC2

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 837D51E8
Device \FileSystem\Fastfat \FatCdrom 835AE1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{205AF3C1-D698-4D57-BE78-DC6D28102072} 83303790
Device \Driver\usbuhci \Device\USBPDO-0 8354D1E8
Device \Driver\usbuhci \Device\USBPDO-1 8354D1E8
Device \Driver\Cdrom \Device\CdRom0 8356C1E8
Device \Driver\Cdrom \Device\CdRom1 8356C1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 837D61E8
Device \Driver\atapi \Device\Ide\IdePort0 837D61E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 837D61E8
Device \Driver\atapi \Device\Ide\IdePort1 837D61E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 837D61E8
Device \Driver\Cdrom \Device\CdRom2 8356C1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 83303790
Device \Driver\NetBT \Device\NetbiosSmb 83303790
Device \Driver\PCI_NTPNP0864 \Device\0000004d sptd.sys
Device \Driver\USBSTOR \Device\0000006a 832C44D8
Device \Driver\usbuhci \Device\USBFDO-0 8354D1E8
Device \Driver\USBSTOR \Device\0000006c 832C44D8
Device \Driver\usbuhci \Device\USBFDO-1 8354D1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 832DD1E8
Device 832DD1E8
Device \Driver\Ftdisk \Device\FtControl 837681E8
Device \Driver\a32tx1yj \Device\Scsi\a32tx1yj1 834DE1E8
Device \Driver\a32tx1yj \Device\Scsi\a32tx1yj1Port2Path0Target0Lun0 834DE1E8
Device 835AE1E8
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 835D11E8

---- Services - GMER 1.0.15 ----

Service system32\drivers\vsfoceetlwasbl.sys (*** hidden *** ) [SYSTEM] vsfocegoxuwbiv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

I had to remove AVG because the trial period was up. That was a whole issue in itself, and every time I tried to uninstall AVG, ComboFix still detected AVG as running. Anywho.

FINALLY MY BROWSER HAS STOPPED REDIRECTING!!! Thank you so so much for your patience and your assistance. I am much relieved and know that you probably are too. Again, thank you so much. Have a wonderful Holiday Weekend.

Diamonds 415 (fahari06's fiance)

#30 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 04 September 2009 - 10:29 AM

Hello.

Glad it's gone now. From the GMER log, the rootkit's "hooks" are also gone, so the rootkit is inactive now. :thumbup2:

Let's remove the leftovers of it...

First...

Run the AVG Removal tool.

Please download the AVG removal tool from here: http://www.avg.com/filedir/util/avg_arm_su.../avgremover.exe

Save it to your desktop.
Then run the tool.
Follow the prompts to uninstall it completely.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/247340/undetected-spyware-redirecting-search-results/
    Collect::[68]
    c:\windows\system32\vsfoceethkyiud.dll
    c:\windows\system32\vsfocejboroyiv.dat
    c:\windows\system32\vsfoceogkbaqpm.dat
    c:\windows\system32\vsfocehrqjlknb.dll
    C:\Windows\system32\drivers\vsfoceetlwasbl.sys
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    {8decf618-9569-4340-b34a-d78d28969b66}
    File::
    c:\windows\system32\DRIVERS\avgfwdx.sys 
    c:\windows\system32\DRIVERS\avgfwdx.sys
    Folder::
    c:\progra~1\AVG
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AVG8_TRAY"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsfocegoxuwbiv]
    Driver::
    vsfocegoxuwbiv
    Avgfwdx
    Avgfwfd
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen would appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You should now install an anti-virus software...

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below. Update it after the installation is complete, please.

Post back with both logs in your next reply. Let me know which anti-virus software you installed too.

We're almost done here. Stick with me please. :)

With Regards,
Extremeboy

Edited by extremeboy, 04 September 2009 - 10:30 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

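As an added example (not code from ComboFix, GMER or anyone in this thread), the Python below cross-checks the "LOCKED REGISTRY KEYS" block of a ComboFix log against the "*** hidden ***" service line in a GMER log, so a responder can confirm that both tools point at the same service name and driver file before writing the RegLock:: and Driver:: stanzas used in the CFScript above. The log excerpts are constructed samples shaped like the logs posted earlier in the thread, and the function names are my own.

```python
import re

# Constructed samples, shaped like the ComboFix and GMER excerpts posted earlier in this thread.
COMBOFIX_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsfocegoxuwbiv]
@DACL=(02 0000)
"start"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\vsfoceetlwasbl.sys"
--------------------- DLLs Loaded Under Running Processes ---------------------
"""
GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service system32\drivers\vsfoceetlwasbl.sys (*** hidden *** ) [SYSTEM] vsfocegoxuwbiv <-- ROOTKIT !!!
"""

KEY_RE = re.compile(r"\[(HKEY_LOCAL_MACHINE\\System\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\]]+))\]", re.I)
IMAGE_RE = re.compile(r'"imagepath"=(?:expand:)?"(.+)"', re.I)
GMER_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")

def locked_services(log):
    """Map service name -> (registry key, image path) for each key ComboFix lists as locked."""
    found, in_section, key, name = {}, False, None, None
    for line in log.splitlines():
        if line.startswith("-----"):                # dashed headers delimit ComboFix sections
            in_section = "LOCKED REGISTRY KEYS" in line
        elif in_section and (m := KEY_RE.match(line)):
            key, name = m.groups()
        elif in_section and key and (m := IMAGE_RE.match(line)):
            found[name] = (key, m.group(1).replace("\\\\", "\\"))  # expand: values double the backslashes
    return found

def gmer_hidden_services(log):
    """Map service name -> image path for services GMER marks '*** hidden ***'."""
    return {m.group(2): m.group(1) for m in map(GMER_RE.match, log.splitlines()) if m}

def confirmed_rootkit_services(combofix_log, gmer_log):
    """Services both tools agree on: same name and same driver file (ComboFix shows the systemroot-prefixed path)."""
    locked, hits = locked_services(combofix_log), {}
    for name, path in gmer_hidden_services(gmer_log).items():
        driver = "\\" + path.rsplit("\\", 1)[-1].lower()
        if name in locked and locked[name][1].lower().endswith(driver):
            hits[name] = locked[name]
    return hits

def cfscript_stanzas(hits):
    """Render the RegLock:: and Driver:: directives (as used in the script above) for confirmed services."""
    reglock = "\n".join(f"[{key}]" for key, _ in hits.values())
    return f"RegLock::\n{reglock}\nDriver::\n" + "\n".join(hits) + "\n"
```

A service that only one of the two tools flags is deliberately left out of the result, which is the case worth a second look by hand rather than a script line.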



