
still have windows antivirus pro, no sys admin, no firewall, no dds


  • This topic is locked
22 replies to this topic

#1 betsy018

Posted 20 August 2009 - 10:35 AM

I ran mbam and avg scans several times. Had to use your fixtm file. Sometimes the svhast file was in task manager. Not usually. One time Windows Antivirus Pro showed up in task manager. Not usually. One time I found Windows Antivirus Pro somewhere in a windows file. I deleted it. But I still have it.

I couldn't run the dds program, so I went ahead and ran the root repeal. I have attached that file.

AVG found 48 problems, but I could only fix about 10. You had to log in a system administrator and I am locked out. MBAM found about 14 and let me delete them. Then I ran it again and had more- maybe 30. I did see the words vendu worm in there. I had keyboard blaster show up once, but it may have been the antivirus pro that said that, I can't remember for sure. I have been fighting this off and on for a couple of weeks.

Betsy

Attached Files

  • ark.txt (9.08KB)

Edited by Orange Blossom, 24 August 2009 - 08:33 PM.
Restored topic. ~ OB


#2 betsy018

Posted 25 August 2009 - 08:14 PM

I have run mbam, root repeal, atf, stopzilla (by mistake) and superantispyware multiple times. The last two things run were root repeal on a higher level and then sas. I will post the mbam, the last two root repeal, then the last two sas.

After the last sas scan, I rebooted and stopzilla immediately identified 5 threats. (I did not delete them)
windows/svtai77043.exe
windows\adbho00265.exe
windows\system3geyekerajbw...
c\doc and settings\owner\ (i think hijacker) two in this category, i couldn't read the whole thing, no report

then windows popped up two messages
hpqtra08.exe is corrupt or unreadable
reader_sl.exe is corrupt or unreadable

I can now get into some control panel functions, there are no restore points,

Would love some help

===========

Hello

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a few more days to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 18:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5FD2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A67000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF33BD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\geyekruxthqoivnn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrajbwsmgk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekraomxpjao.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrlog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrlqwuhsro.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\geyekrusragsay.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\geyekrjkdjmvud.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrajbwsmgk.dll]
Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 53248

==EOF==

Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 5.1.2600 Service Pack 3

8/24/2009 7:00:07 PM
mbam-log-2009-08-24 full scan (18-59-52).txt

Scan type: Quick Scan
Objects scanned: 111899
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 0
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrusragsay.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\evdoserver.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrusragsay.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\evdoserver.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> No action taken.


Edited by PropagandaPanda, 04 September 2009 - 09:54 PM.
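Added example, not from the thread or from the RootRepeal tool: a small Python triage script that parses the Hidden/Locked Files and Stealth Objects sections of a RootRepeal report like the one posted above and summarises what a helper reads from it (MBR rootkit flag, boot-sector mismatch count, files hidden from the Windows API, a shared file-name prefix hinting at one dropper, and a hidden module injected into a process). The sample log is a constructed excerpt built from entries in the posted report.

```python
"""Triage helper for a RootRepeal scan log (added example, not RootRepeal code)."""
import re
from collections import Counter

# Constructed excerpt of the posted RootRepeal report (not the full log).
SAMPLE_LOG = """\
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 18:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: Volume C:\\, Sector 1
Status: Sector mismatch

Path: Volume C:\\, Sector 62
Status: Sector mismatch

Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\geyekrajbwsmgk.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\geyekrjkdjmvud.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrajbwsmgk.dll]
Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 53248

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects)$")
PATH_RE = re.compile(r"^Path: (.+)$")
STATUS_RE = re.compile(r"^Status: (.+)$")
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: ([^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process: (\S+) \(PID: (\d+)\)")


def parse_rootrepeal(text):
    """Return (file_entries, stealth_modules).

    file_entries: list of (path, status) pairs from "Hidden/Locked Files".
    stealth_modules: list of {"module", "process", "pid"} from "Stealth Objects".
    """
    files, modules = [], []
    section = pending_path = pending_module = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Hidden/Locked Files":
            if (m := PATH_RE.match(line)):
                pending_path = m.group(1)
            elif (m := STATUS_RE.match(line)) and pending_path is not None:
                files.append((pending_path, m.group(1)))
                pending_path = None
        elif section == "Stealth Objects":
            if (m := MODULE_RE.match(line)):
                pending_module = m.group(1)
            elif (m := PROCESS_RE.match(line)) and pending_module is not None:
                modules.append({"module": pending_module,
                                "process": m.group(1), "pid": int(m.group(2))})
                pending_module = None
    return files, modules


def triage(text):
    """Summarise the indicators a helper looks for in the report."""
    files, modules = parse_rootrepeal(text)
    statuses = Counter(status for _, status in files)
    # "Invisible" is the real rootkit signal; "Locked" is expected for files such
    # as hiberfil.sys, so the two are reported separately.
    hidden = [p for p, s in files if s == "Invisible to the Windows API!"]
    locked = [p for p, s in files if s == "Locked to the Windows API!"]
    # Hidden files sharing a 6-character name prefix usually come from one dropper.
    prefixes = Counter(p.rsplit("\\", 1)[-1][:6].lower() for p in hidden)
    family = sorted(pre for pre, n in prefixes.items() if n >= 2)
    # A hidden module whose name matches a hidden file on disk is injected code.
    injected = [m for m in modules
                if any(p.lower().endswith("\\" + m["module"].lower()) for p in hidden)]
    return {
        "mbr_rootkit": statuses.get("MBR Rootkit Detected!", 0) > 0,
        "sector_mismatches": statuses.get("Sector mismatch", 0),
        "hidden_files": hidden,
        "locked_files": locked,
        "common_prefixes": family,
        "injected_modules": injected,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```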


#3 fireman4it
  • Malware Response Team

Posted 31 August 2009 - 05:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#4 betsy018

Posted 01 September 2009 - 10:00 PM

I still can't run dds. I have stopzilla and avg on my computer. I think both are disabled, maybe not. The dds box opens up for a minute, then disappears. Nothing opens in notepad.

#5 fireman4it
  • Malware Response Team

Posted 04 September 2009 - 10:44 PM

Hello betsy018,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
Now to the fix!

1.
Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

2.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


3.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Things to include in your next reply:
MBR log
RSIT logs


#6 fireman4it
  • Malware Response Team

Posted 05 September 2009 - 11:08 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it


#7 betsy018

Posted 06 September 2009 - 04:10 PM

I am still here. I travel a lot so I don't get to work on things right away. I tried running both of the scans. Neither one would run. They just come up and say computer error, then close. I was going to run my stopzilla scan first, then try them again.

#8 fireman4it
  • Malware Response Team

Posted 07 September 2009 - 09:06 AM

Hello betsy018,

I am still here. I travel a lot so I don't get to work on things right away. I tried running both of the scans. Neither one would run. They just come up and say computer error, then close. I was going to run my stopzilla scan first, then try them again.


I understand you travel a lot, but when topics are not answered it is standard practice to close a topic within 5-7 days, with all the people needing help. Let's try something a bit different to see if we can make some headway. First, please don't run any tools or make any changes other than what I suggest, as doing so could slow down the process of cleaning your machine.

1. Delete any copy of COMBOFIX you have from your desktop before proceeding.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
We want to rename it svchost.exe instead of Combo-fix.exe

Link 1
Link 2


Double click on svchost.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

*NOTE: IF this doesn't work try renaming it ComboFix.scr
*Note: Please write down any error message you receive while trying to run this program.
*Note: If none of the above work try running both renamed in SAFEMODE.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.


#9 betsy018

Posted 07 September 2009 - 06:11 PM

OK, I did not run stopzilla. I couldn't run in regular mode, so I ran combo fix in safemode, then I rebooted and I THINK it scanned again. Anyway, the file is attached.

I did get a message saying to save the following info about files that had problems
C://system 32\drivers\geyekrjkdjntud.sys
\geyekrajbwsmgk.dll
\geyekraomxpjao.dat
\geyekrusragsay.dll
\geyekrlgwuhsro.dat

Maybe we are making progress. I've been on the internet for several minutes now with no pop-ups. I will shut the computer down until I hear back from you tho.

Also, I read the warnings about this computer may never be safe again for banking, credit cards etc. That's OK. We can designate this for homework and games only. But I do have a question.

If this computer was infected, are the computers that share the wireless router at risk???

Betsy

ComboFix 09-09-06.06 - Owner 09/07/2009 17:28.1.1 - NTFSx86
Running from: L:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\IEToolbar
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\tmp\images\i1.gif
c:\program files\Windows Police Pro\tmp\images\i2.gif
c:\program files\Windows Police Pro\tmp\images\i3.gif
c:\program files\Windows Police Pro\tmp\images\j1.gif
c:\program files\Windows Police Pro\tmp\images\j2.gif
c:\program files\Windows Police Pro\tmp\images\j3.gif
c:\program files\Windows Police Pro\tmp\images\jj1.gif
c:\program files\Windows Police Pro\tmp\images\jj2.gif
c:\program files\Windows Police Pro\tmp\images\jj3.gif
c:\program files\Windows Police Pro\tmp\images\l1.gif
c:\program files\Windows Police Pro\tmp\images\l2.gif
c:\program files\Windows Police Pro\tmp\images\l3.gif
c:\program files\Windows Police Pro\tmp\images\pix.gif
c:\program files\Windows Police Pro\tmp\images\t1.gif
c:\program files\Windows Police Pro\tmp\images\t2.gif
c:\program files\Windows Police Pro\tmp\images\up1.gif
c:\program files\Windows Police Pro\tmp\images\up2.gif
c:\program files\Windows Police Pro\tmp\images\w1.gif
c:\program files\Windows Police Pro\tmp\images\w11.gif
c:\program files\Windows Police Pro\tmp\images\w2.gif
c:\program files\Windows Police Pro\tmp\images\w3.gif
c:\program files\Windows Police Pro\tmp\images\w3.jpg
c:\program files\Windows Police Pro\tmp\images\wt1.gif
c:\program files\Windows Police Pro\tmp\images\wt2.gif
c:\program files\Windows Police Pro\tmp\images\wt3.gif
c:\program files\Windows Police Pro\tmp\wispex.html
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\recycler\S-1-5-21-2188594674-2050804960-538061660-1003
c:\recycler\S-1-5-21-956590800-3215133168-1371147136-1003
c:\windows\Install.txt
c:\windows\Installer\118fa.msi
c:\windows\Installer\1330eb57.msp
c:\windows\Installer\14c539.msi
c:\windows\Installer\14d00a00.msi
c:\windows\Installer\1875737b.msi
c:\windows\Installer\1966fd59.msi
c:\windows\Installer\19e62e5.msi
c:\windows\Installer\1b94d8cb.msi
c:\windows\Installer\27d18.msi
c:\windows\Installer\2b1377.msi
c:\windows\Installer\399cb6d.msi
c:\windows\Installer\399cb8c.msi
c:\windows\Installer\3acff.msi
c:\windows\Installer\3ad05.msi
c:\windows\Installer\3ad0b.msi
c:\windows\Installer\3ad11.msi
c:\windows\Installer\3ad17.msi
c:\windows\Installer\3ad1d.msi
c:\windows\Installer\3ad23.msi
c:\windows\Installer\3ad29.msi
c:\windows\Installer\3ad2f.msi
c:\windows\Installer\3ad36.msi
c:\windows\Installer\3ad3c.msi
c:\windows\Installer\3ad42.msi
c:\windows\Installer\3ad48.msi
c:\windows\Installer\3ad52.msi
c:\windows\Installer\3ad59.msi
c:\windows\Installer\3ad64.msi
c:\windows\Installer\3ad6a.msi
c:\windows\Installer\52f5b5c9.msi
c:\windows\Installer\a4af5.msp
c:\windows\Installer\a4c0ac5.msi
c:\windows\Installer\a4c0acb.msi
c:\windows\Installer\e7fbc.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchasts.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\6to4v32.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\certstore.dat
c:\windows\system32\dddesot.dll
c:\windows\system32\desote.exe
c:\windows\system32\disk.exe
c:\windows\system32\drivers\geyekrjkdjmvud.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\geyekrajbwsmgk.dll
c:\windows\system32\geyekraomxpjao.dat
c:\windows\system32\geyekrlog.dat
c:\windows\system32\geyekrlqwuhsro.dat
c:\windows\system32\geyekrusragsay.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\netsdk.sys
c:\windows\system32\onhelp.htm
c:\windows\system32\ps2.bat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\web.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta118011.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrsluelnsl
-------\Legacy_geyekrsluelnsl
-------\Legacy_6TO4
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_IAS
-------\Legacy_NETSDK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_AntipPro2009_100
-------\Service_netsdk


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-04 05:22 . 2009-09-04 05:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-25 02:37 . 2009-08-25 02:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-24 23:19 . 2009-08-25 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-24 23:19 . 2009-08-24 23:19 -------- d-----w- c:\program files\STOPzilla!
2009-08-24 23:19 . 2009-08-24 23:19 -------- d-----w- c:\program files\Common Files\iS3
2009-08-24 23:18 . 2009-09-02 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-24 23:12 . 2009-08-24 23:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-24 22:48 . 2009-08-24 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-24 21:54 . 2009-08-24 21:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 14:55 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\MSBuild
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 17:49 . 2009-08-10 17:50 -------- d-----w- C:\85837f3037c206fca4a7f3f2e747
2009-08-10 17:49 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-10 17:49 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-10 17:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-10 17:49 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-10 17:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-10 17:49 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-10 17:49 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 18:38 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-07 18:31 . 2008-05-11 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-07 18:18 . 2009-02-14 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-27 13:00 . 2009-02-05 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 13:00 . 2008-05-11 04:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 13:00 . 2008-05-11 04:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 02:46 . 2009-07-28 21:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 17:19 . 2009-08-06 17:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-07-28 21:35 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-07-28 21:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 03:23 . 2008-08-04 02:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 04:04 . 2005-01-10 00:26 -------- d-----w- c:\program files\Starcraft
2009-07-28 23:32 . 2009-07-28 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-28 21:35 . 2009-07-28 21:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 21:35 . 2009-07-28 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-06-07 22:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2006-01-10 22:22 . 2006-01-10 22:22 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-24 3026944]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-27 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-02-24 753664]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-9-3 499779]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 13:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Netscape\\Communicator\\Program\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Empires Dawn of the Modern World\\Empires_DMW.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\D-Link\\SharePort Utility\\Connect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"19540:UDP"= 19540:UDP:SXUPTP

R2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\Drivers\Ca50xav.sys [2005-01-28 508304]
R2 gupdate1c98e66c3a64252;Google Update Service (gupdate1c98e66c3a64252);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
R2 obdvddgu;obdvddgu;c:\windows\system32\drivers\vfcqccndfflb.sys [x]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2003-03-14 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
R3 USBCamera;Digital Blue DMC2 Bulk Camera;c:\windows\system32\Drivers\Bulk50x.sys [2003-05-14 11048]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-27 335240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-27 297752]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-04 94208]
S2 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [2008-10-09 263944]
S2 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2009-05-12 61328]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 20:43]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 05:40]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 05:40]

2009-09-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-11-24 15:46]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-AutoTBar - AUTOTBAR.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
TCP: {4B504110-F214-4704-B14C-1E828C58A2F7} = 4.2.2.2,4.2.3.3
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z2cmw3nx.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npbeatnk.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npgcplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprfxins.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wiawow32.sys 40960 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
%@ ]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
%@ \OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**o*h%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***l%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*“*!#]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*“*!#\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%=*g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%=*g*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1656)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\D-Link\SharePort Utility\Connect.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\TEMP\t4m0_263122168916.bk.old
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-09-07 17:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 21:46

Pre-Run: 157,471,133,696 bytes free
Post-Run: 157,822,373,888 bytes free

544 --- E O F --- 2009-09-02 07:01



Edited by PropagandaPanda, 07 September 2009 - 08:25 PM.

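The log above is read by hand in this thread, but the same first-pass triage can be scripted. The following is an added example written for this page; it is not ComboFix code, not a BleepingComputer tool, and not something any poster supplied. It parses the `Drivers/Services` and `Other Running Processes` sections of a ComboFix log and flags three things a reviewer looks for: a service or driver whose image ComboFix marks `[x]` (not found on disk), a running image launched from a TEMP directory, and a running image whose extension is not `.exe`. The sample text is a subset of lines copied from the log above; the reasons attached to each hit are this example's heuristics, not ComboFix verdicts.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Subset of lines copied from the ComboFix log quoted above; no entries were invented.
SAMPLE_LOG = r"""
R2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\Drivers\Ca50xav.sys [2005-01-28 508304]
R2 obdvddgu;obdvddgu;c:\windows\system32\drivers\vfcqccndfflb.sys [x]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-27 297752]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-04 94208]
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\TEMP\t4m0_263122168916.bk.old
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
"""

# Service lines read "R2 name;display name;image path [yyyy-mm-dd size]";
# ComboFix writes "[x]" in place of the date and size when the image is missing.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
PROCESS_HEADER = "Other Running Processes"


@dataclass
class Finding:
    kind: str          # "service" or "process"
    subject: str       # service name or process image path
    reasons: List[str]


def parse_services(log_text: str) -> Iterator[Tuple[str, str, str, str, str]]:
    """Yield (start type, name, display name, image path, stamp) for each R*/S* line."""
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            yield m.groups()


def parse_processes(log_text: str) -> List[str]:
    """Return the image paths listed under the 'Other Running Processes' banner."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_HEADER in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("*") or line.startswith("---"):
                break                      # the next banner ends the section
            if line and line != ".":
                paths.append(line)
    return paths


def triage(log_text: str) -> List[Finding]:
    """Apply this example's heuristics and return one Finding per suspicious entry."""
    findings: List[Finding] = []
    for _start, name, _display, _path, stamp in parse_services(log_text):
        if stamp.strip().lower() == "x":
            findings.append(Finding("service", name,
                                    ["ComboFix marked the image [x]: binary not found on disk"]))
    for path in parse_processes(log_text):
        low = path.lower()
        reasons = []
        if "\\temp\\" in low:
            reasons.append("image runs from a TEMP directory")
        if not low.endswith(".exe"):
            reasons.append("running image does not carry an .exe extension")
        if reasons:
            findings.append(Finding("process", path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.subject}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run against the sample it reports the `obdvddgu` service (missing driver), the `.bk.old` file running out of `c:\windows\TEMP`, and `wiawow32.sys` appearing as a process. Hits are review items, not verdicts: a legitimately uninstalled driver also leaves an `[x]` entry behind.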

#10 betsy018

betsy018
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:ohio
  • Local time:05:53 AM

Posted 07 September 2009 - 06:15 PM

I also meant to ask,

I noticed I have lsass.exe in my task manager running. I saw some info that said that was bad. Just thought I would mention it.

Betsy

#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:53 AM

Posted 07 September 2009 - 10:19 PM

Hello betsy018,

I noticed I have lsass.exe in my task manager running. I saw some info that said that was bad. Just thought I would mention it.

Some lsass.exe can be malicious but can also be legitimate depending on where it is located and what it is doing.

If this computer was infected, are the computers that share the wireless router at risk???

Yes, it is possible, but if you're not seeing any sign of infection they probably are not.

Now to the fix.

1.
Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

2.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Things to include in your next reply:
MBR log
Rootrepeal log

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!

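To turn the remark about lsass.exe above into a concrete check, here is an added example written for this page; it is not code from any poster, from BleepingComputer, or from any tool named in the thread. It audits a process snapshot for what separates the genuine Local Security Authority process from an impostor: exactly one instance, image path `%SystemRoot%\system32\lsass.exe`, parent `winlogon.exe` on Windows XP (`wininit.exe` on Vista and later, passed as a parameter), and look-alike names such as a capital I standing in for the lowercase l. The snapshot records are constructed for the example; on a live machine the same fields come from Task Manager, `tasklist`, or a WMI query.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot (pid, name, image path, parent pid) modelled on a Windows XP box.
# The first three rows describe a healthy system; the last two are constructed bad cases.
SNAPSHOT = [
    {"pid": 824,  "name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe", "ppid": 372},
    {"pid": 880,  "name": "lsass.exe",    "path": r"C:\WINDOWS\system32\lsass.exe",    "ppid": 824},
    {"pid": 1656, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe",          "ppid": 1600},
    {"pid": 2044, "name": "lsass.exe",    "path": r"C:\WINDOWS\system32\drivers\lsass.exe", "ppid": 1656},
    {"pid": 2100, "name": "Isass.exe",    "path": r"C:\Documents and Settings\Owner\Local Settings\Temp\Isass.exe", "ppid": 1656},
]
CLEAN_SNAPSHOT = SNAPSHOT[:3]

SYSTEM32_LSASS = r"\system32\lsass.exe"


@dataclass
class Finding:
    pid: Optional[int]   # None for a finding about the whole snapshot
    name: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles_lsass(name: str) -> bool:
    """True for names a user would read as lsass.exe that are not exactly lsass.exe."""
    lower = name.lower()
    if lower == "lsass.exe":
        return False
    # Fold the classic I/l/1 confusion before measuring distance (heuristic).
    norm = lower.replace("i", "l").replace("1", "l")
    return levenshtein(norm, "lsass.exe") <= 1


def audit_lsass(snapshot: List[Dict], system_root: str = r"C:\WINDOWS",
                expected_parent: str = "winlogon.exe") -> List[Finding]:
    """Return one Finding per deviation from how the genuine lsass.exe presents."""
    names = {p["pid"]: p["name"] for p in snapshot}
    expected_path = (system_root + SYSTEM32_LSASS).lower()
    findings: List[Finding] = []

    genuine = [p for p in snapshot if p["name"].lower() == "lsass.exe"]
    if len(genuine) != 1:
        findings.append(Finding(None, "lsass.exe",
                                f"{len(genuine)} instances named lsass.exe; a healthy system runs exactly one"))
    for p in genuine:
        if p["path"].lower() != expected_path:
            findings.append(Finding(p["pid"], p["name"],
                                    f"image path {p['path']} is not {system_root}{SYSTEM32_LSASS}"))
        parent = names.get(p["ppid"], "<unknown>")
        if parent.lower() != expected_parent.lower():
            findings.append(Finding(p["pid"], p["name"],
                                    f"parent is {parent}, expected {expected_parent}"))
    for p in snapshot:
        if resembles_lsass(p["name"]):
            findings.append(Finding(p["pid"], p["name"],
                                    "name is a look-alike of lsass.exe; inspect the image path"))
    return findings


if __name__ == "__main__":
    for f in audit_lsass(SNAPSHOT):
        print(f"pid={f.pid} {f.name}: {f.reason}")
```

On the constructed snapshot the genuine instance (pid 880) passes every check, the second `lsass.exe` is flagged for its path and its parent, the `Isass.exe` is flagged as a look-alike, and the instance count itself is reported. The clean three-row snapshot produces no findings.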

#12 betsy018

betsy018
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:ohio
  • Local time:05:53 AM

Posted 09 September 2009 - 04:59 PM

OK, I'm home tonight and tomorrow, hopefully you will see this tonight.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 16:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5F7E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89FF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys
Address: 0xF2F67000 Size: 11776 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xF2C2F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Install.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Prefetch\WIAWOW32.SYS-111E3A8D.pf
Status: Size mismatch (API: 60650, Raw: 59460)

Path: C:\WINDOWS\Temp\HPSLPS006.log
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\Install.txt
Status: Size mismatch (API: 234, Raw: 227)

Path: C:\Documents and Settings\Owner\Local Settings\temp\~DF7E19.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\temp\~DFF0A8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\61E3A0J8\portal[1].htm
Status: Allocation size mismatch (API: 12288, Raw: 16384)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\61E3A0J8\global[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\61E3A0J8\header_bg[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\61E3A0J8\slideshow[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GL0GYWUH\ad_js[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GL0GYWUH\Cobalt_728x90[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GL0GYWUH\logo[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L3GP0FP1\footer_bg[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L3GP0FP1\search[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L3GP0FP1\search_button[1].gif
Status: Visible to the Windows API, but not on disk.

Attached Files

  • Attached File  mbr.log   195bytes   3 downloads


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:53 AM

Posted 09 September 2009 - 07:50 PM

Hello betsy018,

1.
One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
3.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\sofatnet.exe
c:\windows\system32\drivers\vfcqccndfflb.sys
c:\windows\TEMP\t4m0_263122168916.bk.old

Rootkit::
c:\windows\system32\wiawow32.sys

Driver::
obdvddgu
sofatnet


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
How is your machine running now?



#14 betsy018

betsy018
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:ohio
  • Local time:05:53 AM

Posted 09 September 2009 - 09:54 PM

Things seem to be running pretty well, but I have been shutting the machine off each time immediately after I did whatever scan you advised. I will leave it up and running tonight and post another reply tomorrow afternoon.
I haven't gotten any Antivirus Pro or Windows Police pop-ups while I've been on, and the reboots are going faster each time.
I have the combofix log and report attached.

ComboFix 09-09-09.04 - Owner 09/09/2009 22:28.2.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\vfcqccndfflb.sys"
"c:\windows\system32\sofatnet.exe"
"c:\windows\TEMP\t4m0_263122168916.bk.old"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\Installer\1106a28.msp
c:\windows\Installer\b65df9.msp
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta75645.dll
c:\windows\TEMP\t4m0_263122168916.bk.old

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OBDVDDGU
-------\Legacy_SOFATNET
-------\Service_obdvddgu
-------\Service_sofatnet


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-09 02:12 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-04 05:22 . 2009-09-04 05:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-25 02:37 . 2009-08-25 02:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-25 02:31 . 2009-08-25 02:31 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-24 23:19 . 2009-08-25 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-24 23:19 . 2009-08-24 23:19 -------- d-----w- c:\program files\STOPzilla!
2009-08-24 23:19 . 2009-08-24 23:19 -------- d-----w- c:\program files\Common Files\iS3
2009-08-24 23:18 . 2009-09-02 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-24 23:12 . 2009-08-24 23:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-24 22:48 . 2009-08-24 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-24 21:54 . 2009-08-24 21:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 14:55 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 02:15 . 2008-05-11 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-09 10:29 . 2008-08-04 02:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 02:05 . 2009-02-14 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-07 21:37 . 2005-06-06 18:50 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-07 18:38 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-08-27 13:00 . 2009-02-05 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 13:00 . 2008-05-11 04:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 13:00 . 2008-05-11 04:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\MSBuild
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 02:46 . 2009-07-28 21:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 17:19 . 2009-08-06 17:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-07-28 21:35 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-07-28 21:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 04:04 . 2005-01-10 00:26 -------- d-----w- c:\program files\Starcraft
2009-07-28 23:32 . 2009-07-28 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-28 21:35 . 2009-07-28 21:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 21:35 . 2009-07-28 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2006-01-10 22:22 . 2006-01-10 22:22 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-07_21.41.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-05-12 11:19 . 2009-08-20 15:53 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 132096 c:\windows\system32\dvdpaly.exe
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2004-05-12 11:19 . 2009-09-09 07:02 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2004-05-12 11:19 . 2009-08-20 15:53 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2004-05-12 11:19 . 2009-09-09 07:02 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-09 07:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 07:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 07:01 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-09-10 02:43 . 2009-07-03 17:09 1208832 c:\windows\Temp\x1c56698.dll
+ 2009-09-10 02:40 . 2009-07-03 17:09 1208832 c:\windows\Temp\mta98045.dll
+ 2009-09-10 02:44 . 2009-07-03 17:09 1208832 c:\windows\Temp\mta60345.dll
- 2009-09-07 21:42 . 2009-07-03 17:09 1208832 c:\windows\Temp\mta13187.dll
+ 2009-09-10 02:44 . 2009-07-03 17:09 1208832 c:\windows\Temp\mta13187.dll
+ 2004-08-04 12:00 . 2009-05-26 20:53 2174976 c:\windows\system32\WMVCore.dll
- 2004-08-04 12:00 . 2008-11-07 21:45 2174976 c:\windows\system32\WMVCore.dll
- 2004-08-04 12:00 . 2008-11-07 21:45 2174976 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-04 12:00 . 2009-05-26 20:53 2174976 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 18:57 . 2009-08-25 18:57 5518336 c:\windows\Installer\1106a3f.msp
+ 2005-09-13 00:53 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-24 3026944]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-27 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-02-24 753664]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-9-3 499779]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 13:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Netscape\\Communicator\\Program\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Empires Dawn of the Modern World\\Empires_DMW.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\D-Link\\SharePort Utility\\Connect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"19540:UDP"= 19540:UDP:SXUPTP

R2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\Drivers\Ca50xav.sys [2005-01-28 508304]
R2 gupdate1c98e66c3a64252;Google Update Service (gupdate1c98e66c3a64252);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2003-03-14 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
R3 USBCamera;Digital Blue DMC2 Bulk Camera;c:\windows\system32\Drivers\Bulk50x.sys [2003-05-14 11048]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-27 335240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-27 297752]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-04 93184]
S2 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [2008-10-09 263944]
S2 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2009-05-12 61328]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
*NewlyCreated* - SOFATNET

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 20:43]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 05:40]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 05:40]

2009-09-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-11-24 15:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
TCP: {4B504110-F214-4704-B14C-1E828C58A2F7} = 4.2.2.2,4.2.3.3
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z2cmw3nx.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npbeatnk.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npgcplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprfxins.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sofatnet.exe 93184 bytes executable
c:\windows\system32\wiawow32.sys 40960 bytes executable
c:\windows\system32\FInstall.sys 8 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
%@]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
%@\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?o*h%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?*l%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*??!#]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*??!#\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%=*g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3674748877-1601628603-1363834207-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%=*g*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\D-Link\SharePort Utility\Connect.exe
c:\program files\iPod\bin\iPodService.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-09-10 22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 02:47
ComboFix2.txt 2009-09-07 21:46

Pre-Run: 157,598,973,952 bytes free
Post-Run: 157,566,271,488 bytes free

425 --- E O F --- 2009-09-09 10:29

Attached Files


Edited by PropagandaPanda, 10 September 2009 - 06:42 AM.
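The ComboFix log above reports the same binary twice, once as the `sofatnet` service and once in catchme's hidden-file results, and marks `EvdoServer` and `sofatnet` as `*NewlyCreated*`; that cross-reference is what a responder reads off such a log. The script below is an added triage example, not part of the thread or of ComboFix; it parses a constructed excerpt laid out like the log above and flags the services worth looking at first. The regular expressions and the svchost heuristic are assumptions about the log layout, not ComboFix documentation.

```python
import re

# Constructed excerpt (not the poster's full log) in the layout ComboFix uses above:
# "S2 name;description;path [date size]" service lines, "*NewlyCreated*" markers and
# the catchme "path size bytes" hidden-file lines.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SOFATNET
-------\Service_sofatnet

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-27 297752]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-04 93184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
*NewlyCreated* - SOFATNET

scanning hidden files ...

c:\windows\system32\sofatnet.exe 93184 bytes executable
c:\windows\system32\wiawow32.sys 40960 bytes executable
c:\windows\system32\FInstall.sys 8 bytes

scan completed successfully
hidden files: 3
"""

# Assumed layouts: "S2 name;description;path [YYYY-MM-DD size]" and "path size bytes [executable]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")
HIDDEN_RE = re.compile(r"^([a-z]:\\.+?) (\d+) bytes(?: executable)?$", re.IGNORECASE)
NEWLY_RE = re.compile(r"^\*NewlyCreated\* - (\S+)$")


def parse_services(log):
    """One dict per Drivers/Services line (R = running, S = stopped/auto-start)."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, desc, path, date, size = m.groups()
            services.append({"state": state, "name": name, "desc": desc,
                             "path": path.lower(), "date": date, "size": int(size)})
    return services


def parse_hidden_files(log):
    """Map each path catchme lists between 'scanning hidden files' and 'scan completed' to its size."""
    hidden, in_section = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if line.startswith("scan completed"):
            in_section = False
        m = HIDDEN_RE.match(line) if in_section else None
        if m:
            hidden[m.group(1).lower()] = int(m.group(2))
    return hidden


def parse_newly_created(log):
    """Lower-cased names ComboFix marked *NewlyCreated* (absent at its previous snapshot)."""
    return {m.group(1).lower() for m in map(NEWLY_RE.match, map(str.strip, log.splitlines())) if m}


def triage(log):
    """Cross-reference the sections; return [(service name, [reasons])] for flagged services."""
    hidden, newly, findings = parse_hidden_files(log), parse_newly_created(log), []
    for svc in parse_services(log):
        reasons = []
        if svc["path"] in hidden:
            note = "size matches" if hidden[svc["path"]] == svc["size"] else "size differs"
            reasons.append(f"binary hidden from the file system (catchme, {note})")
        if svc["name"].lower() in newly:
            reasons.append("absent at the previous ComboFix snapshot (*NewlyCreated*)")
        # Heuristic: Windows hosts shared services as "svchost.exe -k <group>"; a service whose
        # image is bare svchost.exe with no group is not how the OS registers its own services.
        if svc["path"].endswith("\\svchost.exe") and "-k" not in svc["path"]:
            reasons.append("points at svchost.exe without a -k service group")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
```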


#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:53 AM

Posted 10 September 2009 - 05:20 PM

Hello betsy018,

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::
sofatnet
EvdoServer

Rootkit::
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\wiawow32.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Gmer.log
How is your machine running?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif




