Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Probable Skynet Rootkit


  • This topic is locked This topic is locked
13 replies to this topic

#1 aocvirek

aocvirek

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 27 August 2009 - 01:50 AM

I have been getting browser redirects for the last couple weeks, ever since resolving a previous malware issue.

The redirect symptom was the only one that remained, but all scans from MBAM, BitDefender, Super Anti-Spyware, and Spybot S&D, have come back clean.

I figured it was a Rootkit and ran RR. The RR report is attached. As you can see, several Skynet modules are listed, so I assume this is the issue.

I have heard that ComboFix can deal with this, but I wanted some trustworthy advice, considering I have never attempted a Rootkit removal before.

Thank you, in advance, for your help.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 0:23:09.75 on Thu 08/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1233 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bruce\My Documents\Temporary Files\AV removal tools\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [CHotkey] zHotkey.exe
dRun: [Power2GoExpress] NA
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\widamibo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tr3ko19f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.gx=0&.rand=5ee1lfr8pfjsc
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\tr3ko19f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
RUnknown xdskm;xdskm; [x]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-16 39376]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-16 53840]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-16 57424]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-16 83024]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-16 708688]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-16 1309264]

=============== Created Last 30 ================

2009-08-12 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-12 19:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-12 19:19 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-08-12 19:17 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-12 05:18 <DIR> --d----- c:\program files\Secrethiddenname
2009-08-11 11:39 <DIR> a-d----- c:\windows\system32\images
2009-08-10 22:46 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-29 17:10 30,172 a------- c:\windows\system32\kjnd

==================== Find3M ====================

2009-08-25 15:10 81,984 a------- c:\windows\system32\bdod.bin
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2007-03-21 16:04 28 a------- c:\docume~1\alluse~1\applic~1\TEST-acu.dat
2007-03-21 16:01 29 a------- c:\docume~1\alluse~1\applic~1\Owner-acu.dat
2007-03-21 15:15 519 a------- c:\docume~1\alluse~1\applic~1\TEST-acopts.dat
2007-03-21 15:15 49 a------- c:\docume~1\alluse~1\applic~1\TEST-acfw.dat
2007-03-21 14:48 186 ----h--- c:\docume~1\alluse~1\applic~1\Owner-acopts.dat
2009-04-24 20:40 1,982 a--sh--- c:\windows\system32\limeruyi.dll
2009-04-24 08:40 1,982 a--sh--- c:\windows\system32\modufime.dll
2009-04-23 20:41 1,982 a--sh--- c:\windows\system32\muguvora.dll
2009-01-30 09:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009013020090131\index.dat

============= FINISH: 0:24:36.62 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:42 AM

Posted 10 September 2009 - 01:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 12 September 2009 - 04:05 AM

Hi thcbytes,

Thanks for the reply, and don't worry about the delay, I know you guys have been getting slammed recently.

Since it is an office computer, I coudn't wait for assistance to get it running again. The boss wanted it working by last Wednesday, so I ended up going it solo. (The alternative was format and reinstall, which I really wasn't in the mood to suffer through.) I ran ComboFix and removed all of the items RR found, then finished up with sweeps of Mbam, SAS, and RR.

Everything shows clean, and none of the issues have reemerged, but as I said, this was my first experience with a rootkit, so I would appreciate a second set of eyes to go over the DDS log and let me know if I missed anything.

I don't have access to that machine again until Tuesday evening (I work Tue & Wed 5:00pm-6am CST at that station.) I will edit this with a new DDS log at that time. Let me know if there are any other logs you would like to see, including those generated during my cleaning attempt.

Once again, thanks for the reply. I appreciate your assistance with further cleaning, or confirmation that I got it all (fingers crossed).

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 14 September 2009 - 09:50 AM

Hello aocvirek,

My name is Syler, I will be helping you to solve your Malware issues.

Thanks for leting me no that you have been running combofix, as you are proberbly aware this tool should not be run unassisted, so I should warn you about doing
so, not just for your sake but also for anyone else that might see this topic. I would like to see the log that combofix produced if you have not removed it, along with
the DDS log.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt along with your new DDS log in your next reply.

Thanks
Syler

unite.jpg


#5 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 15 September 2009 - 08:28 PM

Hello Syler, thanks for picking this up.

Thanks for the note. I am indeed aware of the potential hazards of ComboFix use, which is the main reason I posted here really.
(For any other users who may read this thread: I do not take the disclaimers against unassisted ComboFix use lightly, and neither should you. My choice to proceed without assistance was based solely on an imminent deadline for repair, the knowledge that the station would be replaced if not made functional by that time, and an informed understanding of the potential complications of using ComboFix. Were it not for these extraordinary circumstances, I would not have used it without assistance.)

CURRENT DDS LOG:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:57:50.51 on Tue 09/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1307 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\zstatus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [CHotkey] zHotkey.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tr3ko19f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.gx=0&.rand=5ee1lfr8pfjsc|http://www.calhountower.com/Availability.htm
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\tr3ko19f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-16 39376]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-16 53840]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-16 57424]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-16 83024]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-16 708688]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-16 1309264]

=============== Created Last 30 ================

2009-09-02 02:18 <DIR> -cd----- c:\windows\system32\dllcache\cache

==================== Find3M ====================

2009-09-15 05:45 81,984 a------- c:\windows\system32\bdod.bin
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2007-03-21 16:04 28 a------- c:\docume~1\alluse~1\applic~1\TEST-acu.dat
2007-03-21 16:01 29 a------- c:\docume~1\alluse~1\applic~1\Owner-acu.dat
2007-03-21 15:15 519 a------- c:\docume~1\alluse~1\applic~1\TEST-acopts.dat
2007-03-21 15:15 49 a------- c:\docume~1\alluse~1\applic~1\TEST-acfw.dat
2007-03-21 14:48 186 ----h--- c:\docume~1\alluse~1\applic~1\Owner-acopts.dat
2009-04-24 20:40 1,982 a--sh--- c:\windows\system32\limeruyi.dll
2009-04-24 08:40 1,982 a--sh--- c:\windows\system32\modufime.dll
2009-04-23 20:41 1,982 a--sh--- c:\windows\system32\muguvora.dll
2009-01-30 09:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009013020090131\index.dat

============= FINISH: 19:58:37.00 ===============


=================================================================

ComboFix Log:

ComboFix 09-09-01.04 - Owner 09/02/2009 2:10.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1543 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\10b26.msp
c:\windows\Installer\1324b.msi
c:\windows\Installer\d9a7b.msi
c:\windows\system32\drivers\SKYNETboxtudri.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\SKYNETgippxnsr.dll
c:\windows\system32\SKYNETiwablrss.dat
c:\windows\system32\SKYNETknodqqpf.dat
c:\windows\system32\SKYNETkwbljhba.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETkrjlqjoo
-------\Legacy_SKYNETkrjlqjoo


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-28 10:13 . 2009-08-28 10:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-08-13 00:20 . 2009-09-02 00:17 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-13 00:19 . 2009-08-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-13 00:19 . 2009-08-13 00:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 00:19 . 2009-08-13 00:19 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-13 00:17 . 2009-08-13 00:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 10:18 . 2009-08-12 10:39 -------- d-----w- c:\program files\Secrethiddenname
2009-08-11 03:46 . 2009-08-11 03:46 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-05 07:26 . 2009-08-05 07:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-08-05 07:24 . 2009-03-09 16:34 971776 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tr3ko19f.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 07:08 . 2009-01-29 16:24 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-01 22:34 . 2007-04-16 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-12 22:46 . 2009-04-22 05:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 18:36 . 2009-04-25 23:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-04-25 23:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 17:09 . 2009-06-01 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-23 03:41 . 2009-07-23 00:37 -------- d-----w- c:\program files\mwqdha
2009-04-01 22:42 . 2008-10-30 23:34 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-04-25 01:40 . 2009-01-25 01:40 1982 --sha-w- c:\windows\system32\limeruyi.dll
2009-04-24 13:40 . 2009-01-24 13:40 1982 --sha-w- c:\windows\system32\modufime.dll
2009-04-24 01:41 . 2009-01-24 01:41 1982 --sha-w- c:\windows\system32\muguvora.dll
2009-04-21 21:44 . 2009-04-21 21:44 1409819 --sh--w- c:\windows\system32\olobubep.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_04.44.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-26 18:40 . 2006-10-26 18:40 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 95744 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2006-07-24 15:50 . 2006-07-24 15:50 47920 c:\windows\system32\VBAME.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 39728 c:\windows\system32\SCP32.DLL
+ 2006-10-26 19:10 . 2006-10-26 19:10 33088 c:\windows\system32\FM20ENU.DLL
+ 2009-09-01 22:40 . 2009-09-01 23:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009090120090902\index.dat
+ 2009-08-28 10:01 . 2009-08-28 10:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082820090829\index.dat
+ 2004-08-26 18:07 . 2009-09-02 00:16 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-26 18:07 . 2009-09-02 00:16 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-28 10:05 . 2009-08-28 10:05 55683 c:\windows\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\UserCache.bin
+ 2007-04-26 21:58 . 2007-04-26 21:58 88576 c:\windows\Installer\c34ad.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 48128 c:\windows\Installer\57be55.msi
+ 2009-06-07 17:02 . 2009-06-07 17:02 24064 c:\windows\Installer\407e0.msi
+ 2009-08-13 00:19 . 2009-08-13 00:19 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-13 00:19 . 2009-08-13 00:19 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-29 21:08 . 2009-05-29 21:08 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-05-14 05:59 . 2009-05-14 05:59 10134 c:\windows\Installer\{13515135-48BB-4184-8C1F-2FAE0138E200}\ARPPRODUCTICON.exe
+ 2007-03-21 23:58 . 2007-03-21 23:58 24416 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12EXE.EXE
+ 2007-03-22 00:00 . 2007-03-22 00:00 72096 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBCOM.EXE
+ 2004-08-26 16:11 . 2004-08-04 19:00 66048 c:\windows\I386\WINNT32.MSI
+ 2009-04-29 05:03 . 2009-04-29 05:03 53248 c:\windows\E5431FB5B3EB46C88275F6447131C98A.TMP\WiseCustomCalla.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 11544 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 12080 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 12096 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 12104 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 12104 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Publisher.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 12112 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 12632 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 12104 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Outlook.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 12096 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-06-01 12:45 . 2009-06-01 12:45 12096 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-06-01 12:45 . 2009-06-01 12:45 12104 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Access.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 64288 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 13312 c:\windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 20280 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 35648 c:\windows\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll
+ 2009-06-01 12:45 . 2009-06-01 12:45 80696 c:\windows\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 4608 c:\windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2006-10-26 18:45 . 2006-10-26 18:45 293376 c:\windows\system32\WISPTIS.EXE
+ 2006-10-26 18:45 . 2006-10-26 18:45 207360 c:\windows\system32\INKED.DLL
+ 2004-08-26 10:54 . 2009-06-01 13:04 319544 c:\windows\system32\FNTCACHE.DAT
+ 2008-11-07 05:23 . 2004-08-04 19:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-11-07 05:23 . 2004-08-04 19:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2004-08-26 18:24 . 2004-08-26 18:24 285696 c:\windows\Installer\e8d68.msi
+ 2006-01-31 15:43 . 2006-01-31 15:43 506880 c:\windows\Installer\abf6.msi
+ 2006-01-31 15:38 . 2006-01-31 15:38 980992 c:\windows\Installer\abc4.msi
+ 2006-01-31 15:37 . 2006-01-31 15:37 227840 c:\windows\Installer\abb7.msi
+ 2009-05-29 21:04 . 2009-05-29 21:04 355328 c:\windows\Installer\a5ee0e.msi
+ 2007-07-12 14:30 . 2007-07-12 14:30 907264 c:\windows\Installer\89aec.msi
+ 2009-05-14 05:59 . 2009-05-14 05:59 902656 c:\windows\Installer\7cbf55.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 501248 c:\windows\Installer\57be97.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 501248 c:\windows\Installer\57be7f.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 506880 c:\windows\Installer\57be79.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 516608 c:\windows\Installer\57be71.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 513024 c:\windows\Installer\57be61.msi
+ 2009-06-01 12:37 . 2009-06-01 12:37 501248 c:\windows\Installer\57be38.msi
+ 2007-08-15 21:22 . 2007-08-15 21:22 431104 c:\windows\Installer\30f635.msi
+ 2006-11-15 21:47 . 2006-11-15 21:47 428544 c:\windows\Installer\21388f6.msi
+ 2008-11-24 04:10 . 2008-11-24 04:10 432640 c:\windows\Installer\153d362.msi
+ 2004-08-26 18:09 . 2004-08-26 18:09 264704 c:\windows\Installer\13246.msi
+ 2009-06-01 12:51 . 2009-06-01 12:51 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-06-01 12:55 . 2009-06-01 12:55 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-05-10 14:04 . 2007-05-10 14:04 846248 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OICE.EXE
+ 2006-10-27 01:12 . 2006-10-27 01:12 396592 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MOC.EXE
+ 2006-01-31 15:20 . 2004-07-22 22:02 156672 c:\windows\I386\DRV\MOD\modem assistant.msi
+ 2009-06-01 12:46 . 2009-06-01 12:46 416544 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-06-01 12:46 . 2009-06-01 12:46 371496 c:\windows\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 781104 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 232248 c:\windows\assembly\GAC\Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Publisher.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 248632 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 920376 c:\windows\assembly\GAC\Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 150320 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 1079808 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2006-10-26 18:40 . 2006-10-26 18:40 1093632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2004-08-26 16:12 . 2004-08-04 19:00 1326080 c:\windows\system32\webfldrs.msi
+ 2006-10-26 19:10 . 2006-10-26 19:10 1190688 c:\windows\system32\FM20.DLL
+ 2008-11-07 05:27 . 2004-08-04 19:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-11-07 05:25 . 2004-08-04 19:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 18:08 . 2007-05-25 18:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2006-01-31 15:42 . 2006-01-31 15:42 4537344 c:\windows\Installer\abde.msi
+ 2006-01-31 15:41 . 2006-01-31 15:41 2124800 c:\windows\Installer\abd9.msi
+ 2006-01-31 15:40 . 2006-01-31 15:40 1019392 c:\windows\Installer\abcf.msi
+ 2006-01-31 15:38 . 2006-01-31 15:38 3270656 c:\windows\Installer\abbd.msi
+ 2007-11-15 14:42 . 2007-11-15 14:42 3555328 c:\windows\Installer\9b1ec.msi
+ 2009-08-13 00:19 . 2009-08-13 00:19 1516544 c:\windows\Installer\6139c8.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 1652736 c:\windows\Installer\57be91.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 1652736 c:\windows\Installer\57be8b.msi
+ 2009-06-01 12:39 . 2009-06-01 12:39 1652736 c:\windows\Installer\57be85.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 1640960 c:\windows\Installer\57be4b.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 2022912 c:\windows\Installer\57be45.msi
+ 2009-06-01 12:38 . 2009-06-01 12:38 1713152 c:\windows\Installer\57be3e.msi
+ 2009-06-01 12:37 . 2009-06-01 12:37 2397184 c:\windows\Installer\57be32.msi
+ 2006-01-31 15:25 . 2006-01-31 15:25 3443712 c:\windows\Installer\2c91d.msi
+ 2009-01-29 16:11 . 2009-01-29 16:11 5117440 c:\windows\Installer\12399e.msi
+ 2009-06-01 12:51 . 2009-06-01 12:51 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-06-01 12:51 . 2009-06-01 12:51 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2007-03-21 23:58 . 2007-03-21 23:58 4145520 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CNV.DLL
+ 2007-05-10 15:11 . 2007-05-10 15:11 1767256 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PPCNV.DLL
+ 2006-10-27 20:18 . 2006-10-27 20:18 1658152 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OGL.DLL
+ 2007-03-21 23:56 . 2007-03-21 23:56 8425856 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OARTCONV.DLL
+ 2006-01-31 15:41 . 2006-01-31 15:41 2316800 c:\windows\Downloaded Installations\{92DFCBB1-F8E2-4C8E-94E8-E135A105B02A}\Digital Media Reader.msi
+ 2009-06-01 12:46 . 2009-06-01 12:46 1276720 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-06-01 12:46 . 2009-06-01 12:46 1612592 c:\windows\assembly\GAC\Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Access.dll
+ 2009-06-01 12:47 . 2009-06-01 12:47 8007680 c:\windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
+ 2009-05-13 03:25 . 2009-05-07 05:16 24699336 c:\windows\system32\MRT.exe
+ 2006-04-20 19:15 . 2006-01-31 15:37 11333632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}\J2SE Runtime Environment 5.0 Update 2.msi
+ 2007-10-14 23:33 . 2007-10-14 23:33 26646016 c:\windows\Installer\a5ee25.msp
+ 2009-06-01 12:51 . 2009-06-01 12:51 12836352 c:\windows\Installer\57ce1e.msi
+ 2007-12-03 10:05 . 2007-12-03 10:05 15256576 c:\windows\Installer\2ba73.msp
+ 2007-12-02 04:11 . 2007-12-02 04:11 19210240 c:\windows\Installer\17e5ffb.msp
+ 2007-05-10 15:25 . 2007-05-10 15:25 14677368 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE
+ 2007-05-08 16:10 . 2007-05-08 16:10 16874376 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MSO.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-08 180269]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-31 98304]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2009\\bdagent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 1:06 PM 118784]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [4/16/2007 1:44 PM 708688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-16 09:55]

2006-04-20 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2006-04-20 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2009-07-10 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 03:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tr3ko19f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.gx=0&.rand=5ee1lfr8pfjsc
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tr3ko19f.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 02:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-09-02 2:22
ComboFix-quarantined-files.txt 2009-09-02 07:22
ComboFix2.txt 2009-04-29 04:51

Pre-Run: 142,564,634,624 bytes free
Post-Run: 142,866,919,424 bytes free

321 --- E O F --- 2009-06-02 08:00


_______________________________________________________________

I appreciate your time and effort. On that note, I know it takes some time to look over these, so don't rush yourself. The station is functional now and no sensitive business, or confidential information, is conducted or stored on this machine. Thanks again for looking into this for me.

Attached Files



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 16 September 2009 - 12:43 AM

Hi aocvirek,

Can you tell me if you no wht the following folders are for?

c:\program files\mwqdhac
c:\program files\Secrethiddenname


Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    c:\docume~1\alluse~1\applic~1\TEST-acu.dat
    c:\docume~1\alluse~1\applic~1\Owner-acu.dat
    c:\docume~1\alluse~1\applic~1\TEST-acopts.dat
    c:\docume~1\alluse~1\applic~1\TEST-acfw.dat
    c:\docume~1\alluse~1\applic~1\Owner-acopts.dat
    c:\windows\system32\limeruyi.dll
    c:\windows\system32\modufime.dll
    c:\windows\system32\muguvora.dll
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following logs:
  • OTM results
  • log.txt
  • info.txt
Thanks

unite.jpg


#7 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 16 September 2009 - 09:42 PM

Hi Sylar,

Concerning the two mystery files...

c:\program files\mwqdhac - Unknown and useless. Created July 22nd, but it is empty. Size and disk usage is 0 bytes, and contains no folders or files. Deleted.

c:\program files\Secrethiddenname - Legitimate, 2nd Copy of MBAM. This was the folder name I assigned for a copy of MBAM I downloaded while the rootkit was blocking the one already installed on the drive. I never removed it afterwords, hoping it would save me some trouble should a relapse emerge. Which it did.

As for Viewpoint, thanks for the article link. I talked to the director and they don't use it. The Viewpoint Media Player program was the only one in the list. Removed/Uninstalled it.

OTM Results Log:

All processes killed
========== FILES ==========
c:\docume~1\alluse~1\applic~1\TEST-acu.dat moved successfully.
c:\docume~1\alluse~1\applic~1\Owner-acu.dat moved successfully.
c:\docume~1\alluse~1\applic~1\TEST-acopts.dat moved successfully.
c:\docume~1\alluse~1\applic~1\TEST-acfw.dat moved successfully.
c:\docume~1\alluse~1\applic~1\Owner-acopts.dat moved successfully.
LoadLibrary failed for c:\windows\system32\limeruyi.dll
c:\windows\system32\limeruyi.dll NOT unregistered.
c:\windows\system32\limeruyi.dll moved successfully.
LoadLibrary failed for c:\windows\system32\modufime.dll
c:\windows\system32\modufime.dll NOT unregistered.
c:\windows\system32\modufime.dll moved successfully.
LoadLibrary failed for c:\windows\system32\muguvora.dll
c:\windows\system32\muguvora.dll NOT unregistered.
c:\windows\system32\muguvora.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: CT SECURITY
->Temp folder emptied: 3395 bytes
->Temporary Internet Files folder emptied: 192791 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner
->Temp folder emptied: 1249079 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 50152292 bytes
->Java cache emptied: 7236443 bytes
->FireFox cache emptied: 53895399 bytes

User: TEST
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 345164 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\E5431FB5B3EB46C88275F6447131C98A.TMP folder deleted successfully.
%systemroot% .tmp files removed: 80707 bytes
%systemroot%\System32 .tmp files removed: 1412396 bytes
Windows Temp folder emptied: 697 bytes
RecycleBin emptied: 616 bytes

Total Files Cleaned = 109.42 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09162009_205959

Files moved on Reboot...

Registry entries deleted on Reboot...


RSIT Log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-09-16 21:06:58
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 137 GB (92%) free of 148 GB
Total RAM: 1919 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:07 PM, on 9/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.9 system-guard2009.microsoft.com
O1 - Hosts: 91.206.201.9 system-guard2009.com
O1 - Hosts: 91.206.201.9 www.system-guard2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4284077b-145c-4109-9b15-a20ac426d550} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7431 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\Norton Security Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4284077b-145c-4109-9b15-a20ac426d550}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-07 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-06-07 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2009-04-01 95536]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-07 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-09-08 180269]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2009-08-21 782336]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2009-04-01 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"nwiz"=nwiz.exe /install []
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-01-31 98304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-09-08 1994480]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-08 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe:*:Enabled:PDVDServ"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:bdagent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-09-16 21:06:58 ----D---- C:\rsit
2009-09-16 20:59:59 ----D---- C:\_OTM
2009-09-03 02:52:40 ----SHD---- C:\RECYCLER
2009-09-02 02:30:34 ----A---- C:\RootRepeal report 09-02-09 (02-30-34).txt
2009-09-02 02:22:51 ----A---- C:\ComboFix.txt
2009-09-01 20:07:11 ----A---- C:\RootRepeal report 09-01-09 (20-07-11).txt
2009-08-27 00:32:41 ----A---- C:\RootRepeal report 08-27-09 (00-32-41).txt

======List of files/folders modified in the last 1 months======

2009-09-16 21:07:07 ----D---- C:\WINDOWS\Prefetch
2009-09-16 21:07:05 ----D---- C:\WINDOWS\Temp
2009-09-16 21:07:00 ----D---- C:\Program Files\trend micro
2009-09-16 21:04:02 ----D---- C:\Program Files\Mozilla Firefox
2009-09-16 21:03:55 ----D---- C:\WINDOWS\system32
2009-09-16 21:03:24 ----D---- C:\WINDOWS\system32\Lang
2009-09-16 21:02:30 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-16 21:02:24 ----SD---- C:\WINDOWS\Tasks
2009-09-16 21:01:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-16 21:00:14 ----D---- C:\WINDOWS
2009-09-16 20:48:28 ----RD---- C:\Program Files
2009-09-16 20:45:42 ----D---- C:\WINDOWS\system32\drivers
2009-09-16 05:14:32 ----D---- C:\Furoca Security
2009-09-15 21:04:18 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-14 15:43:29 ----A---- C:\WINDOWS\bdagent.INI
2009-09-08 09:36:58 ----D---- C:\Program Files\SUPERAntiSpyware
2009-09-06 15:34:32 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2009-09-03 02:45:53 ----D---- C:\Documents and Settings
2009-09-03 02:38:39 ----SHD---- C:\WINDOWS\Installer
2009-09-03 02:38:36 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-09-03 02:38:36 ----D---- C:\Program Files\Web Publish
2009-09-02 02:22:54 ----D---- C:\Qoobox
2009-09-02 02:18:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-02 02:17:45 ----A---- C:\WINDOWS\system.ini
2009-09-02 02:15:30 ----D---- C:\WINDOWS\AppPatch
2009-09-02 02:15:29 ----D---- C:\Program Files\Common Files
2009-09-02 02:09:36 ----SHD---- C:\System Volume Information
2009-09-02 02:09:36 ----D---- C:\WINDOWS\system32\Restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-12-10 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-03-17 1033600]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-03-17 221440]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2009-04-01 415024]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-01-31 172032]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2009-08-21 1642360]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

RSIT Info.txt

info.txt logfile of random's system information tool 1.06 2009-09-16 21:07:13

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL You've Got Pictures Screensaver-->C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
BitDefender Antivirus 2009-->MsiExec.exe /X{5942839B-DA20-45D4-809C-D4FE5A45387E}
Browser Address Error Redirector-->regsvr32 /u /s "c:\windows\system32\BAE.dll"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Google Photos Screensaver-->MsiExec.exe /X{A52415E5-CA1E-44DE-9EDC-D412F31D271C}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp LaserJet 1000-->zuninst.exe
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Malwarebytes' Anti-Malware-->"C:\Program Files\Secrethiddenname\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007-->MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (3.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Napster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Norton Security Scan-->MsiExec.exe /I{E5431FB5-B3EB-46C8-8275-F6447131C98A}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Serif DrawPlus 3.0-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp30\DrawPlus_uninst.isu"
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost
::1 localhost
91.206.201.9 system-guard2009.microsoft.com
91.206.201.9 system-guard2009.com
91.206.201.9 www.system-guard2009.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com

======Security center information======

AV: BitDefender Antivirus

======System event log======

Computer Name: RM
Event Code: 6
Message: Printer hp LaserJet 1000 (Copy 2) was paused.

Record Number: 32470
Source Name: Print
Time Written: 20090726195309.000000-300
Event Type: warning
User: RM\Owner

Computer Name: RM
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 32469
Source Name: Tcpip
Time Written: 20090726195014.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 2511
Message: The server service was unable to recreate the share temp because the directory C:\temp no longer exists. Please run "net share temp /delete" to delete the share, or recreate the directory C:\temp.

Record Number: 32446
Source Name: Server
Time Written: 20090726170353.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 2511
Message: The server service was unable to recreate the share temp because the directory C:\temp no longer exists. Please run "net share temp /delete" to delete the share, or recreate the directory C:\temp.

Record Number: 32418
Source Name: Server
Time Written: 20090725215122.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Record Number: 32411
Source Name: Windows Update Agent
Time Written: 20090725170201.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: RM
Event Code: 2002
Message: The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.

Record Number: 17
Source Name: LoadPerf
Time Written: 20060420153043.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 11
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 10
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 9
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 8
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Thanks!

Edited by aocvirek, 16 September 2009 - 09:43 PM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 16 September 2009 - 11:53 PM

Good work :thumbup2: look like we are getting there now, can you tell me how things are running in your next reply.


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Posted Image

Next

Download the HostsXpert
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post back here with the following logs:
  • MBAM results
  • New Rsit log
Thanks

unite.jpg


#9 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 17 September 2009 - 02:03 AM

Sylar,

I already removed Combofix after using it, so nothing is detected for removal.

Updated and ran MBAM and RSIT. Logs as follows...

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3

9/17/2009 1:42:37 AM
mbam-log-2009-09-17 (01-42-37).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 153622
Time elapsed: 55 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

RSIT Log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-09-17 01:43:40
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 137 GB (92%) free of 148 GB
Total RAM: 1919 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:52 AM, on 9/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4284077b-145c-4109-9b15-a20ac426d550} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7350 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\Norton Security Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4284077b-145c-4109-9b15-a20ac426d550}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-07 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-06-07 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2009-04-01 95536]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-07 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-09-08 180269]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2009-08-21 782336]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2009-04-01 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"nwiz"=nwiz.exe /install []
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-01-31 98304]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-09-10 420176]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-09-08 1994480]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-08 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe:*:Enabled:PDVDServ"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:bdagent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-09-17 00:39:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-17 00:31:48 ----D---- C:\HostsXpert
2009-09-16 21:06:58 ----D---- C:\rsit
2009-09-16 20:59:59 ----D---- C:\_OTM
2009-09-03 02:52:40 ----SHD---- C:\RECYCLER
2009-09-02 02:30:34 ----A---- C:\RootRepeal report 09-02-09 (02-30-34).txt
2009-09-02 02:22:51 ----A---- C:\ComboFix.txt
2009-09-01 20:07:11 ----A---- C:\RootRepeal report 09-01-09 (20-07-11).txt
2009-08-27 00:32:41 ----A---- C:\RootRepeal report 08-27-09 (00-32-41).txt

======List of files/folders modified in the last 1 months======

2009-09-17 01:43:43 ----D---- C:\Program Files\trend micro
2009-09-17 00:39:33 ----D---- C:\WINDOWS\system32\drivers
2009-09-17 00:39:32 ----RD---- C:\Program Files
2009-09-17 00:39:22 ----D---- C:\WINDOWS\Prefetch
2009-09-17 00:35:15 ----D---- C:\Program Files\Secrethiddenname
2009-09-17 00:32:24 ----D---- C:\WINDOWS\Temp
2009-09-16 22:05:37 ----SD---- C:\WINDOWS\Tasks
2009-09-16 22:05:31 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-16 21:04:02 ----D---- C:\Program Files\Mozilla Firefox
2009-09-16 21:03:55 ----D---- C:\WINDOWS\system32
2009-09-16 21:03:24 ----D---- C:\WINDOWS\system32\Lang
2009-09-16 21:02:30 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-16 21:01:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-16 21:00:14 ----D---- C:\WINDOWS
2009-09-16 05:14:32 ----D---- C:\Furoca Security
2009-09-14 15:43:29 ----A---- C:\WINDOWS\bdagent.INI
2009-09-08 09:36:58 ----D---- C:\Program Files\SUPERAntiSpyware
2009-09-06 15:34:32 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2009-09-03 02:45:53 ----D---- C:\Documents and Settings
2009-09-03 02:38:39 ----SHD---- C:\WINDOWS\Installer
2009-09-03 02:38:36 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-09-03 02:38:36 ----D---- C:\Program Files\Web Publish
2009-09-02 02:22:54 ----D---- C:\Qoobox
2009-09-02 02:18:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-02 02:17:45 ----A---- C:\WINDOWS\system.ini
2009-09-02 02:15:30 ----D---- C:\WINDOWS\AppPatch
2009-09-02 02:15:29 ----D---- C:\Program Files\Common Files
2009-09-02 02:09:36 ----SHD---- C:\System Volume Information
2009-09-02 02:09:36 ----D---- C:\WINDOWS\system32\Restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-12-10 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-03-17 1033600]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-03-17 221440]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2009-04-01 415024]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-01-31 172032]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2009-08-21 1642360]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Nothing to report on this end. The machine is still running fine. I'll call that a good sign.

Back to you!

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 17 September 2009 - 02:32 AM

Hey aocvirek,

I already removed Combofix after using it, so nothing is detected for removal.


You did not remove it correctly, you don't just delete combofix, you have to use the method I described in my last post. Please download
a new copy of combofix, then use the method I described in my last post, to uninstall it.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Reamove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

You have an outdated version of Adobe Reader, these have vulnerabilities that can be exploited by malware, to get in to your machine. Please follow these
steps to remove older versions of Adobe Reader and download the latest version.

Go to Start >> Settings >> Control Panel, double-click on Add/Remove Programs and remove any older versions of Adobe Reader.
  • Download the latest version of Adobe Acrobat Reader
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.
Next

Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the Posted Image button.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please post back here with the following logs:
  • ESET report
  • New Rsit log
Thanks

unite.jpg


#11 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 17 September 2009 - 04:16 AM

Combofix re-downloaded and removed through Run > C:\combofix /u. (I had to move it to C:\ and specify the path, since it was failing to find ComboFix on the desktop. Hope that is not a problem.)

Java JRE & Adobe Reader: updated to latest versions.

ESET Scan Completed: The scan showed no threats found, but did not provide an option to export to text, just to finish. I ran the scan with Firefox, and IE browsers, but the option was available on neither from a button, or a drop menu. All I could get was a screen cap of the result if you need it.

New RSIT Log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-09-17 04:07:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 136 GB (92%) free of 148 GB
Total RAM: 1919 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:33 AM, on 9/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4284077b-145c-4109-9b15-a20ac426d550} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7968 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\Norton Security Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4284077b-145c-4109-9b15-a20ac426d550}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-17 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2009-09-17 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-17 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-09-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2009-04-01 95536]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-17 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-09-08 180269]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2009-08-21 782336]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2009-04-01 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"nwiz"=nwiz.exe /install []
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-01-31 98304]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-17 149280]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Adobe Download Manager"=C:\Program Files\NOS\bin\getPlus_Helper.dll [2009-09-03 48368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-09-08 1994480]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-08 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe:*:Enabled:PDVDServ"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:bdagent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-09-17 03:53:08 ----D---- C:\Program Files\ESET
2009-09-17 03:48:50 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-09-17 03:47:49 ----D---- C:\Program Files\NOS
2009-09-17 03:47:49 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-09-17 03:29:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-09-17 03:29:17 ----A---- C:\WINDOWS\system32\javaw.exe
2009-09-17 03:29:17 ----A---- C:\WINDOWS\system32\java.exe
2009-09-17 03:29:17 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-09-17 03:28:54 ----D---- C:\Program Files\Java
2009-09-17 03:15:41 ----SD---- C:\ComboFix
2009-09-17 03:14:26 ----A---- C:\WINDOWS\system32\CF25205.exe
2009-09-17 00:39:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-17 00:31:48 ----D---- C:\HostsXpert
2009-09-16 21:06:58 ----D---- C:\rsit
2009-09-16 20:59:59 ----D---- C:\_OTM
2009-09-03 02:52:40 ----SHD---- C:\RECYCLER
2009-09-02 02:30:34 ----A---- C:\RootRepeal report 09-02-09 (02-30-34).txt
2009-09-02 02:22:51 ----A---- C:\ComboFix.txt
2009-09-01 20:07:11 ----A---- C:\RootRepeal report 09-01-09 (20-07-11).txt
2009-08-27 00:32:41 ----A---- C:\RootRepeal report 08-27-09 (00-32-41).txt

======List of files/folders modified in the last 1 months======

2009-09-17 04:07:27 ----D---- C:\Program Files\trend micro
2009-09-17 04:06:28 ----SD---- C:\WINDOWS\Tasks
2009-09-17 04:06:16 ----SHD---- C:\WINDOWS\Installer
2009-09-17 04:06:16 ----D---- C:\Program Files\Mozilla Firefox
2009-09-17 04:06:15 ----D---- C:\WINDOWS\Temp
2009-09-17 04:06:08 ----D---- C:\WINDOWS\system32
2009-09-17 03:53:08 ----RD---- C:\Program Files
2009-09-17 03:50:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-09-17 03:49:49 ----D---- C:\Program Files\Common Files\Adobe
2009-09-17 03:49:31 ----D---- C:\Program Files\Adobe
2009-09-17 03:48:55 ----D---- C:\Documents and Settings\Owner\Application Data\Adobe
2009-09-17 03:48:50 ----D---- C:\Program Files\Common Files
2009-09-17 03:39:18 ----D---- C:\WINDOWS\system32\Lang
2009-09-17 03:38:32 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-17 03:35:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-17 03:33:39 ----D---- C:\WINDOWS\WinSxS
2009-09-17 03:15:56 ----D---- C:\WINDOWS
2009-09-17 03:15:45 ----SHD---- C:\System Volume Information
2009-09-17 03:15:45 ----D---- C:\WINDOWS\system32\Restore
2009-09-17 03:15:42 ----D---- C:\WINDOWS\ERDNT
2009-09-17 03:13:25 ----D---- C:\WINDOWS\Prefetch
2009-09-17 00:39:33 ----D---- C:\WINDOWS\system32\drivers
2009-09-17 00:35:15 ----D---- C:\Program Files\Secrethiddenname
2009-09-16 22:05:31 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-16 05:14:32 ----D---- C:\Furoca Security
2009-09-14 15:43:29 ----A---- C:\WINDOWS\bdagent.INI
2009-09-08 09:36:58 ----D---- C:\Program Files\SUPERAntiSpyware
2009-09-06 15:34:32 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2009-09-03 02:45:53 ----D---- C:\Documents and Settings
2009-09-03 02:38:36 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-09-03 02:38:36 ----D---- C:\Program Files\Web Publish
2009-09-02 02:18:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-02 02:17:45 ----A---- C:\WINDOWS\system.ini
2009-09-02 02:15:30 ----D---- C:\WINDOWS\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-12-10 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-03-17 1033600]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-03-17 221440]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-09-17 153376]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2009-04-01 415024]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-01-31 172032]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2009-08-21 1642360]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlusHelper;getPlus® Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

I will be on for another 2hrs periodically.

Thanks.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 17 September 2009 - 06:01 AM

aocvirek,

That all looks fine to me, so we can wrap it up now :)

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremley important to keep windows upto date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in windows to exploit your computer. The easiest way to
do this this is by making sure that Automatic Updates is always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
succeptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recomend, only install one of these.

Zone Alarm
comodo..........Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)
Syler

unite.jpg


#13 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:01:42 AM

Posted 17 September 2009 - 06:25 AM

Thanks Syler.

My shift is over, so I will not have time to finish today, but I will do the cleanup and perform the security updates as soon as I get back.

Thanks again for all the help, and good luck getting caught up on all the other threads.

You guys don't get enough thanks for volunteering your time here. :) :thumbup2:

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:42 AM

Posted 17 September 2009 - 07:34 AM

Thanks alot and you're welcome :thumbup2:

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users