still infected


  • This topic is locked
36 replies to this topic

#1 thisheregirafFe

thisheregirafFe

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 02 September 2009 - 06:01 PM

Hello all, I'd really appreciate any help you can give...

First off, symptoms: slow internet connection, slow computer, and Google results hijacked and rerouted to all sorts of crap... oh also, there is the whole issue of a broken mouse and Tourette's-like outbursts... but that could just be me...

I've run AVG, Malwarebytes, Ad-Aware, Spybot S&D, and CounterSpy... still having problems.



Anyhow, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:22 PM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SpywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sdyjlbdll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8828 bytes

#2 thisheregirafFe

thisheregirafFe
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 17 September 2009 - 06:07 PM

Hey, not to be a jerkface, and not to bump... but I'm still getting redirected from my Google searches. While I've done quite a bit to fix it, I'm still having trouble. I can re-post a new HJT report...

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,612 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:49 AM

Posted 18 September 2009 - 09:00 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 thisheregirafFe

thisheregirafFe
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 18 September 2009 - 06:04 PM

Thank you for your help!!!

Really the only problems I am having are Google searches being redirected to spammy sites, and a fairly slow internet connection (when it used to be quite fast).

I have run Malwarebytes and come up clean, updated ActiveX/Java, run Spybot S&D, Ad-Aware, RemoveIT Pro, and SUPERAntiSpyware... all say I'm clean.

Here is the DDS report, and the file is attached (I couldn't compress it, apparently .rar isn't accepted :( ) -


DDS (Ver_09-07-30.01) - NTFSx86
Run by OK Computer at 17:56:30.73 on Fri 09/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2382 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\explorer.exe
svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\OK Computer\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
mWinlogon: Shell=explorer.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" -startup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\okcomp~1\applic~1\mozilla\firefox\profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\google updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\ok computer\local settings\application data\{1de586b0-00cb-4802-b9ca-e4467cbaa1e0}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-20 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-28 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-3 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-18 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-18 25160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-18 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-8-20 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-3 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-3 55656]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2009-5-5 1051136]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-18 715392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-28 348752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-31 24652]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2007-9-29 3376704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 cdrmkaun;cdrmkaun; [x]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-18 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-18 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-18 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-18 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-28 1097096]

=============== Created Last 30 ================

2009-09-10 22:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-09-10 22:46 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-08 23:31 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-06 11:13 <DIR> --d----- c:\program files\InCode Solutions
2009-09-03 20:21 <DIR> a-dshr-- C:\cmdcons
2009-09-03 20:19 161,792 a------- c:\windows\SWREG.exe
2009-09-03 20:19 98,816 a------- c:\windows\sed.exe
2009-09-03 20:05 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-03 20:04 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-03 17:38 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 17:38 <DIR> --d----- c:\program files\Avira
2009-09-03 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-09-01 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-09-01 17:59 116 a------- c:\windows\system32\SpywareCease.lie
2009-09-01 17:57 42 a------- c:\windows\system32\scud.udf
2009-09-01 17:46 <DIR> --d----- c:\program files\uTorrent
2009-09-01 17:45 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\uTorrent
2009-08-28 16:53 0 a------- C:\rollback.ini
2009-08-28 16:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-28 16:15 <DIR> --d----- c:\program files\Trend Micro
2009-08-28 16:11 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-28 15:41 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 15:41 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 15:41 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 15:41 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-28 15:41 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 15:41 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\PC Tools
2009-08-28 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-28 15:31 120 a------- c:\windows\Lveqewateb.dat
2009-08-23 10:46 <DIR> --d--r-- c:\program files\Skype
2009-08-22 21:24 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-20 20:55 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-20 20:55 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\Spyware Terminator
2009-08-20 20:55 <DIR> --d----- c:\program files\Spyware Terminator
2009-08-20 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-08-20 18:36 496 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-20 18:36 7,752 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 18:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-20 18:29 <DIR> --d----- c:\program files\common files\iS3
2009-08-20 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-20 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-20 17:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-20 17:52 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\SUPERAntiSpyware.com
2009-08-20 17:52 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-03 21:51 13,312 a------- c:\windows\system32\dllcache\lsass.exe
2009-09-03 21:51 13,312 -------- c:\windows\system32\lsass.exe
2009-09-03 21:38 179,792 a------- c:\windows\system32\guard32.dll
2009-09-03 21:37 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-03 21:37 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-22 01:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2008-10-19 14:03 113 a------- c:\docume~1\okcomp~1\applic~1\netstat.bat

============= FINISH: 17:57:41.43 ===============

Edited by thisheregirafFe, 18 September 2009 - 06:43 PM.


#5 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,612 posts
  • Gender:Female
  • Location:Romania

Posted 19 September 2009 - 04:28 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft



#6 thisheregirafFe

  • Topic Starter
  • Members
  • 17 posts

Posted 19 September 2009 - 11:35 AM

sounds good. and thank you again.

#7 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,612 posts
  • Gender:Female
  • Location:Romania

Posted 20 September 2009 - 08:58 AM

Hello thisheregirafFe,

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Since you already ran the tool, I need to see the log it created. Please locate this file C:\Combofix.txt and include its contents in your next reply.


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG or Comodo. In this case I recommend that you uninstall AVG and leave Comodo Internet Security enabled (both Antivirus and Firewall); otherwise you will need to install a separate firewall.


UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • Java 2 Runtime Environment, SE v1.4.2_03
  • Viewpoint Media Player
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


Poker Program WARNING

Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use these programs on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:
  • Go to Start > Control Panel > Add or Remove Programs.
  • Remove the following poker programs (if they are present):
      • Full Tilt Poker
      • Full Tilt Poker.Org
      • PokerStars

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
In your next reply, please include the following:
  • Combofix.txt
  • RootRepeal.txt

regards, Elise

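RootRepeal's report lists every SSDT and Shadow SSDT entry that does not point into the kernel, together with the module that owns the hook, and every driver whose IRP dispatch table points at code outside the driver image. Reading a long report by hand is error-prone, so the following added example (not part of this topic, not RootRepeal's own code, and written for whoever reviews such a log rather than for the person posting it) parses those sections and groups the findings by owning module. The report text embedded in it is a constructed fragment in RootRepeal's format, not the log posted in this thread; the point is the grouping, which separates hooks that can be matched against installed security software from those RootRepeal could not attribute to any module.

```python
"""Triage helper for a RootRepeal report (added example, not from the thread).

It parses the SSDT / Shadow SSDT sections ("Hooked by" lines) and the Stealth
Objects section ("Hidden Code [Driver: X, IRP_MJ_Y]" entries), then groups
the findings by the module that owns the hook. The sample report below is a
constructed fragment in RootRepeal's format, not the log posted in this topic.
"""
import re
from collections import defaultdict

# Constructed sample: same layout RootRepeal produces, values invented.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8b514

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7670a4

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfy.sys" at address 0xb9ec8ca2

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a7693d0 Size: 3121

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a7fa490

==EOF==
"""

# Section headers RootRepeal emits; the dashed underline below them is ignored.
SECTION_RE = re.compile(r"^(Drivers|SSDT|Stealth Objects|Hidden Services|Shadow SSDT)\s*$")
FUNC_RE = re.compile(r"^#: (\d+) Function Name: (\w+)")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# Driver names may contain arbitrary characters (RootRepeal prints unterminated
# names as garbage), so match everything up to the comma.
HIDDEN_RE = re.compile(r"^Object: Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]")


def parse_report(text):
    """Return (hooks, hidden).

    hooks:  owning module -> list of (table, function name, hook address)
    hidden: driver name   -> list of IRP major functions whose dispatch
            entry points at code RootRepeal could not map to a module
    """
    hooks = defaultdict(list)
    hidden = defaultdict(list)
    section = None
    pending_func = None  # "#: NNN Function Name:" line precedes its "Status:" line
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            pending_func = None
            continue
        if section in ("SSDT", "Shadow SSDT"):
            m = FUNC_RE.match(line)
            if m:
                pending_func = m.group(2)
                continue
            m = HOOK_RE.match(line)
            if m and pending_func:
                hooks[m.group(1)].append((section, pending_func, m.group(2)))
                pending_func = None
        elif section == "Stealth Objects":
            m = HIDDEN_RE.match(line)
            if m:
                hidden[m.group(1).strip()].append(m.group(2))
    return dict(hooks), dict(hidden)


def summarize(text):
    """Condense a report into what a reviewer checks first: how many hooks each
    module owns, which hooks have no owner at all, and which drivers carry
    hidden dispatch code."""
    hooks, hidden = parse_report(text)
    return {
        "hooks_by_module": {mod: len(entries) for mod, entries in hooks.items()},
        "unattributed_hooks": [f"{table}:{fn}" for table, fn, _ in hooks.get("<unknown>", [])],
        "drivers_with_hidden_dispatch": sorted(hidden),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Hooks owned by a named module can be checked against the software the other logs show as installed; the `<unknown>` group and the list of drivers with hidden dispatch code are the part a reviewer has to account for by other means, which is why they are pulled out separately.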


#8 thisheregirafFe

  • Topic Starter
  • Members
  • 17 posts

Posted 20 September 2009 - 10:13 AM

Okay - All set with your recco's. One thing I noticed, I have already uninstalled AVG when I switched over to Avira - I looked in the Add/Remove Programs and don't see AVG in there anywhere...

Anyhow here are the logs you've requested (also attached):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 10:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0489000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA600000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6842
Image Path: \Driver\PCI_PNP6842
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD723000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spfy.sys
Image Path: spfy.sys
Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b092a80

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8b514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9d7a282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9d7a474

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7670a4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8bd00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8bfb8

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfy.sys" at address 0xb9ec8ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spfy.sys" at address 0xb9ec9030

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7670c2

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8a3fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba767090

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba767095

#: 160 Function Name: NtQueryKey
Status: Hooked by "spfy.sys" at address 0xb9ec9108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spfy.sys" at address 0xb9ec8f88

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8b092af8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b092990

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8c422

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7670cc

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7670c7

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8b092be8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8b141250

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8b092e40

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8b092c60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9d8b7d8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8b092dc8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8b092b70

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9d79f32

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8b092cd8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b092a08

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8b1461f8 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_CREATE]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_CLOSE]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_POWER]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: axij3oue؅ఈ灐畳ꤰ, IRP_MJ_PNP]
Process: System Address: 0x8acf5500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8ad271f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8ad641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8b0d81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a87b430 Size: 121

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a7693d0 Size: 3121

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8adbbd40 Size: 705

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8a84a7b8 Size: 2120

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8a7f3610 Size: 442

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8adc1ef0 Size: 272

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a613b90 Size: 1137

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8af73070 Size: 3985

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8abcfcb0 Size: 848

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8ac3e648 Size: 127

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ac44500 Size: 451

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ac67380 Size: 3201

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ac93e08 Size: 505

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8acebc48 Size: 411

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8adebe08 Size: 505

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae319f8 Size: 1545

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae227c0 Size: 599

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab88d40 Size: 705

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ae056f8 Size: 2313

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7fc4c0 Size: 855

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a7f9a28 Size: 1047

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a836298 Size: 294

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8adf4b28 Size: 329

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a665168 Size: 2967

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6410c8 Size: 195

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a710218 Size: 1662

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a708290 Size: 294

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a71e0f8 Size: 3853

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x8a6c70d0 Size: 3888

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8ad351f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a6b7500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_READ]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7ae500 Size: 121

Object: Hidden Code [Driver: Cdfs؅浍瑓؁ః瑎て, IRP_MJ_PNP]
Process: System Address: 0x8a7ae500 Size: 121

Hidden Services
-------------------
Service Name: Viewpoint Manager Service
Image Path: "C:\Program Files\Viewpoint\Common\ViewpointService.exe"

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a7fbbb8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a7fa490

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a6df0c8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a6020c8

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a87ea50

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8a812c48

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8aaa7510

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8affa0d0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8ae96e48

==EOF==

combolog below ____________________________________________________________

ComboFix 09-09-05.02 - OK Computer 09/05/2009 19:22.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2345 [GMT -5:00]
Running from: c:\documents and settings\OK Computer\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-04 01:04 . 2009-09-04 01:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-03 22:38 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 22:38 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-03 22:38 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-03 22:38 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\program files\Avira
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\program files\Windows Defender
2009-09-01 23:22 . 2009-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-09-01 22:46 . 2009-09-01 22:46 -------- d-----w- c:\program files\uTorrent
2009-09-01 22:45 . 2009-09-06 00:18 -------- d-----w- c:\documents and settings\OK Computer\Application Data\uTorrent
2009-08-28 21:31 . 2009-08-28 21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-28 21:15 . 2009-08-28 21:15 -------- d-----w- c:\program files\Trend Micro
2009-08-28 21:11 . 2009-08-28 21:11 -------- d-----w- c:\program files\Bazooka Scanner
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-08-28 20:41 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 20:41 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 20:41 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-28 20:41 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\OK Computer\Application Data\PC Tools
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-28 20:31 . 2009-08-28 20:31 120 ----a-w- c:\windows\Lveqewateb.dat
2009-08-28 20:12 . 2009-08-28 20:12 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----w- c:\program files\Common Files\Skype
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----r- c:\program files\Skype
2009-08-23 02:24 . 2009-08-28 20:55 -------- d-----w- c:\program files\Spyware Doctor
2009-08-23 01:50 . 2009-08-23 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-21 02:54 . 2009-08-21 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 01:55 . 2009-08-23 02:10 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Spyware Terminator
2009-08-21 01:55 . 2009-08-21 01:55 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-21 01:55 . 2009-08-23 02:13 -------- d-----w- c:\program files\Spyware Terminator
2009-08-21 01:55 . 2009-08-21 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-20 23:30 . 2009-08-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-20 23:29 . 2009-08-21 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-20 23:29 . 2009-08-20 23:29 -------- d-----w- c:\program files\Common Files\iS3
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\OK Computer\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 01:08 . 2009-08-19 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-19 01:08 . 2009-09-04 02:38 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-19 01:08 . 2009-09-04 02:37 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-19 01:08 . 2009-09-04 02:37 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-19 01:08 . 2009-09-04 02:37 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-19 00:54 . 2009-08-19 00:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-19 00:19 . 2009-08-19 01:08 -------- d-----w- c:\program files\COMODO
2009-08-18 23:01 . 2009-08-18 23:19 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Auslogics
2009-08-18 23:01 . 2009-08-18 23:01 -------- d-----w- c:\program files\Auslogics
2009-08-18 22:46 . 2009-08-18 22:46 -------- d-----w- c:\program files\CCleaner
2009-08-17 17:44 . 2009-09-02 03:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-17 17:24 . 2009-09-04 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-17 17:20 . 2009-08-17 17:20 -------- d-----w- c:\documents and settings\OK Computer\Application Data\AVG8
2009-08-17 17:13 . 2009-08-17 17:13 -------- d-----w- c:\program files\ESET
2009-08-17 17:09 . 2009-08-17 17:10 -------- d-----w- c:\documents and settings\OK Computer\.housecall6.6
2009-08-17 16:36 . 2009-08-17 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-08-17 15:36 . 2009-08-17 15:36 -------- d--h--w- c:\windows\PIF
2009-08-17 00:31 . 2009-08-17 00:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-16 22:03 . 2009-08-16 22:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-16 22:01 . 2009-08-16 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-08-12 05:54 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 02:51 . 2004-08-10 17:51 13312 ----a-w- c:\windows\system32\lsass.exe
2009-09-04 01:04 . 2006-07-13 16:00 -------- d-----w- c:\program files\Java
2009-09-01 23:08 . 2006-08-05 17:12 -------- d-----w- c:\program files\BitComet
2009-08-29 13:44 . 2007-11-14 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-26 02:15 . 2008-07-03 02:35 -------- d-----w- c:\program files\PokerStars
2009-08-23 15:46 . 2008-11-25 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-23 01:50 . 2006-12-20 06:38 -------- d-----w- c:\program files\Google
2009-08-21 13:00 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Skype
2009-08-21 01:09 . 2009-08-20 23:36 7752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 23:37 . 2009-08-20 23:36 496 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-18 22:51 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\skypePM
2009-08-18 22:51 . 2006-07-13 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-18 22:50 . 2006-07-13 16:10 -------- d-----w- c:\program files\McAfee.com
2009-08-18 22:37 . 2009-06-13 16:38 -------- d-----w- c:\program files\SlySoft
2009-08-18 22:36 . 2009-05-12 02:14 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Move Networks
2009-08-18 22:34 . 2006-07-13 16:04 -------- d-----w- c:\program files\Dell
2009-08-18 03:35 . 2009-01-21 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 23:00 . 2007-04-06 22:29 -------- d-----w- c:\program files\Full Tilt Poker
2009-08-10 23:36 . 2007-12-31 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-10 23:36 . 2007-12-31 22:09 -------- d-----w- c:\documents and settings\OK Computer\Application Data\ZoomBrowser EX
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-21 23:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-21 23:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 22:35 . 2009-05-31 02:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\DVDneXtCOPY 3
2009-07-27 23:32 . 2009-07-27 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DShield
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\Common Files\DistributeShield
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 06:13 . 2009-06-20 06:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-20 06:13 . 2009-06-20 06:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 02:35 . 2006-07-25 03:44 80880 ----a-w- c:\documents and settings\OK Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-12 03:52 . 2009-06-12 03:52 716272 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

------- Sigcheck -------

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-06-23 00:30 2136064 5611F453C6D20AB0552956F39BCDDB88 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 16:49 2137600 57B9D140E1EB8B0EA06DF927B63B0EEE c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

c:\windows\system32\ntoskrnl.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-04_01.42.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 17:51 . 2009-09-04 02:51 13312 c:\windows\system32\dllcache\lsass.exe
+ 2009-09-04 01:48 . 2008-10-16 20:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 13824 c:\windows\system32\dllcache\cache\wscntfy.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 71680 c:\windows\system32\dllcache\cache\ssdpsrv.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 59904 c:\windows\system32\dllcache\cache\regsvc.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 88576 c:\windows\system32\dllcache\cache\rasauto.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-09-04 01:48 . 2006-10-19 02:47 27136 c:\windows\system32\dllcache\cache\mspmsnsv.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 33792 c:\windows\system32\dllcache\cache\msgsvc.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-09-04 01:48 . 2008-04-14 00:11 22016 c:\windows\system32\dllcache\cache\lpk.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 19968 c:\windows\system32\dllcache\cache\linkinfo.dll
+ 2009-09-04 01:48 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-09-04 01:48 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-09-04 01:48 . 2008-04-14 00:11 56320 c:\windows\system32\dllcache\cache\eventlog.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-09-04 01:48 . 2008-04-14 00:11 62464 c:\windows\system32\dllcache\cache\cryptsvc.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 77824 c:\windows\system32\dllcache\cache\browser.dll
+ 2009-09-04 01:48 . 2008-04-13 18:57 14336 c:\windows\system32\dllcache\cache\asyncmac.sys
+ 2009-09-04 01:48 . 2004-08-04 10:00 11648 c:\windows\system32\dllcache\cache\acpiec.sys
+ 2009-09-04 01:48 . 2008-04-14 00:12 5120 c:\windows\system32\dllcache\cache\sfc.dll
+ 2009-09-04 01:48 . 2004-08-04 10:00 2944 c:\windows\system32\dllcache\cache\null.sys
+ 2009-09-04 01:48 . 2004-08-04 10:00 4224 c:\windows\system32\dllcache\cache\beep.sys
+ 2009-09-04 01:48 . 2008-04-14 00:12 129024 c:\windows\system32\dllcache\cache\xmlprov.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-09-04 01:48 . 2009-07-03 17:09 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 185856 c:\windows\system32\dllcache\cache\upnphost.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-09-04 01:48 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-09-04 01:48 . 2008-04-14 00:12 249856 c:\windows\system32\dllcache\cache\tapisrv.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 171008 c:\windows\system32\dllcache\cache\srsvc.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 135168 c:\windows\system32\dllcache\cache\shsvcs.dll
+ 2009-09-04 01:48 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-09-04 01:48 . 2008-04-14 00:12 192512 c:\windows\system32\dllcache\cache\schedsvc.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 181248 c:\windows\system32\dllcache\cache\scecli.dll
+ 2009-09-04 01:48 . 2009-02-09 12:10 401408 c:\windows\system32\dllcache\cache\rpcss.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 409088 c:\windows\system32\dllcache\cache\qmgr.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 435200 c:\windows\system32\dllcache\cache\ntmssvc.dll
+ 2009-09-04 01:48 . 2008-04-13 19:15 574976 c:\windows\system32\dllcache\cache\ntfs.sys
+ 2009-09-04 01:48 . 2008-04-14 00:12 198144 c:\windows\system32\dllcache\cache\netman.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 407040 c:\windows\system32\dllcache\cache\netlogon.dll
+ 2009-09-04 01:48 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-09-04 01:48 . 2008-06-20 17:46 245248 c:\windows\system32\dllcache\cache\mswsock.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 927504 c:\windows\system32\dllcache\cache\mfc40u.dll
+ 2009-09-04 01:48 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-09-04 01:48 . 2008-07-07 20:26 253952 c:\windows\system32\dllcache\cache\es.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 792064 c:\windows\system32\dllcache\cache\comres.dll
+ 2009-09-04 01:48 . 2008-04-14 00:11 617472 c:\windows\system32\dllcache\cache\comctl32.dll
+ 2009-09-04 01:48 . 2008-04-13 16:39 142592 c:\windows\system32\dllcache\cache\aec.sys
+ 2009-09-04 01:48 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-09-04 01:48 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-09-04 01:48 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\cache\mshtml.dll
+ 2009-09-04 01:48 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-04 1796368]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-24 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk
backup=c:\windows\pss\Trojan Guarder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sienzo\\DMM\\DMM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9903:TCP"= 9903:TCP:BitComet 9903 TCP
"9903:UDP"= 9903:UDP:BitComet 9903 UDP
"26148:TCP"= 26148:TCP:BitComet 26148 TCP
"26148:UDP"= 26148:UDP:BitComet 26148 UDP
"11548:TCP"= 11548:TCP:BitComet 11548 TCP
"11548:UDP"= 11548:UDP:BitComet 11548 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/20/2009 1:15 AM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/28/2009 3:41 PM 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 8:08 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 8:08 PM 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [8/20/2009 8:55 PM 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 5:38 PM 108289]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [5/5/2009 6:55 PM 1051136]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/28/2009 3:41 PM 348752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/31/2007 6:33 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S3 cdrmkaun;cdrmkaun; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:42]

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-23 01:50]

2009-09-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OK Computer\Application Data\Mozilla\Firefox\Profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(1208)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(17820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-06 19:32
ComboFix-quarantined-files.txt 2009-09-06 00:32
ComboFix2.txt 2009-09-04 01:50

Pre-Run: 13,010,350,080 bytes free
Post-Run: 12,971,601,920 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
348 --- E O F --- 2009-09-04 23:35


#9 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,612 posts
  • Gender:Female
  • Location:Romania

Posted 20 September 2009 - 10:44 AM

One thing I noticed, I have already uninstalled AVG when I switched over to Avira - I looked in the Add/Remove Programs and don't see AVG in there anywhere...

Sorry I have confused you here. I didn't mean AVG, but Avira. Right now you have Comodo Internet Security and Avira as antivirus applications installed. As explained in my previous post, you should have only one, otherwise they will interfere with each other.

In this case you have two options.
  • You can remove the antivirus component of Comodo Internet Security by clicking Start > All Programs, going to your Comodo folder there and selecting Repair Installation. This should give you an option to modify Comodo and remove the antivirus component.
  • You can also uninstall Avira using Add/Remove Programs.

I will check your logs and come back with a reply later.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft



#10 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,612 posts
  • Gender:Female
  • Location:Romania

Posted 20 September 2009 - 04:13 PM

Hello thisheregirafFe,

Please make sure you also read my previous post :(

COMBOFIX
---------------
Please delete your old copy of Combofix and download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I also want to see the very first Combofix log (not the one you posted in your last post, the one from the first Combofix run). This should be located at C:\Qoobox\Combofix2.txt (if you look this up after running Combofix on my instructions, the file might be named Combofix3.txt; make sure you post the oldest log).

In your next reply, please include the following:
  • Combofix.txt
  • Combofix3.txt

regards, Elise




#11 thisheregirafFe

  • Topic Starter

  • Members
  • 17 posts

Posted 20 September 2009 - 05:43 PM

Yup, got your last message :(. I only use Comodo for the firewall (all other features are disabled).

Here is my newest combofix report:

ComboFix 09-09-18.02 - OK Computer 09/20/2009 17:25.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2391 [GMT -5:00]
Running from: c:\documents and settings\OK Computer\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-11 03:47 . 2009-05-01 21:03 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-11 03:46 . 2009-09-11 03:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-09 04:31 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 16:13 . 2009-09-06 16:13 -------- d-----w- c:\program files\InCode Solutions
2009-09-06 00:45 . 2009-09-06 00:45 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\G DATA
2009-09-04 01:04 . 2009-09-04 01:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-03 22:38 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 22:38 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-03 22:38 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-03 22:38 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\program files\Avira
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\program files\Windows Defender
2009-09-01 23:22 . 2009-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-09-01 22:46 . 2009-09-01 22:46 -------- d-----w- c:\program files\uTorrent
2009-09-01 22:45 . 2009-09-18 12:53 -------- d-----w- c:\documents and settings\OK Computer\Application Data\uTorrent
2009-08-28 21:31 . 2009-08-28 21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-28 21:15 . 2009-08-28 21:15 -------- d-----w- c:\program files\Trend Micro
2009-08-28 21:11 . 2009-08-28 21:11 -------- d-----w- c:\program files\Bazooka Scanner
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-08-28 20:41 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 20:41 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 20:41 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-28 20:41 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\OK Computer\Application Data\PC Tools
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-28 20:31 . 2009-08-28 20:31 120 ----a-w- c:\windows\Lveqewateb.dat
2009-08-28 20:12 . 2009-08-28 20:12 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----w- c:\program files\Common Files\Skype
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----r- c:\program files\Skype
2009-08-23 02:24 . 2009-08-28 20:55 -------- d-----w- c:\program files\Spyware Doctor
2009-08-23 01:50 . 2009-08-23 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 15:19 . 2006-09-07 23:52 -------- d-----w- c:\program files\Full Tilt Poker.Org
2009-09-20 15:19 . 2006-07-13 16:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 15:18 . 2007-04-06 22:29 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-20 14:59 . 2006-07-13 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 01:36 . 2007-11-14 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-16 22:07 . 2009-08-18 23:01 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Auslogics
2009-09-15 23:30 . 2009-01-21 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 22:48 . 2006-07-25 03:44 80096 ----a-w- c:\documents and settings\OK Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 15:20 . 2009-05-31 02:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 03:47 . 2006-08-07 04:05 -------- d-----w- c:\program files\DivX
2009-09-10 19:54 . 2009-01-21 23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-21 23:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 02:51 . 2004-08-10 17:51 13312 ------w- c:\windows\system32\lsass.exe
2009-09-04 02:38 . 2009-08-19 01:08 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-04 02:37 . 2009-08-19 01:08 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-04 02:37 . 2009-08-19 01:08 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-04 02:37 . 2009-08-19 01:08 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-04 01:04 . 2006-07-13 16:00 -------- d-----w- c:\program files\Java
2009-09-04 00:54 . 2009-08-17 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-01 23:08 . 2006-08-05 17:12 -------- d-----w- c:\program files\BitComet
2009-08-26 02:15 . 2008-07-03 02:35 -------- d-----w- c:\program files\PokerStars
2009-08-23 15:46 . 2008-11-25 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-23 02:13 . 2009-08-21 01:55 -------- d-----w- c:\program files\Spyware Terminator
2009-08-23 02:10 . 2009-08-21 01:55 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Spyware Terminator
2009-08-23 01:50 . 2006-12-20 06:38 -------- d-----w- c:\program files\Google
2009-08-21 22:24 . 2009-08-21 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-21 13:00 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Skype
2009-08-21 02:54 . 2009-08-21 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 01:55 . 2009-08-21 01:55 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-21 01:47 . 2009-08-20 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-21 01:09 . 2009-08-20 23:36 7752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 23:37 . 2009-08-20 23:36 496 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-20 23:30 . 2009-08-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-20 23:29 . 2009-08-20 23:29 -------- d-----w- c:\program files\Common Files\iS3
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\OK Computer\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 01:10 . 2009-08-19 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-19 01:08 . 2009-08-19 00:19 -------- d-----w- c:\program files\COMODO
2009-08-18 23:01 . 2009-08-18 23:01 -------- d-----w- c:\program files\Auslogics
2009-08-18 22:51 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\skypePM
2009-08-18 22:51 . 2006-07-13 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-18 22:50 . 2006-07-13 16:10 -------- d-----w- c:\program files\McAfee.com
2009-08-18 22:46 . 2009-08-18 22:46 -------- d-----w- c:\program files\CCleaner
2009-08-18 22:37 . 2009-06-13 16:38 -------- d-----w- c:\program files\SlySoft
2009-08-18 22:36 . 2009-05-12 02:14 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Move Networks
2009-08-18 22:34 . 2006-07-13 16:04 -------- d-----w- c:\program files\Dell
2009-08-17 17:20 . 2009-08-17 17:20 -------- d-----w- c:\documents and settings\OK Computer\Application Data\AVG8
2009-08-17 17:13 . 2009-08-17 17:13 -------- d-----w- c:\program files\ESET
2009-08-17 16:36 . 2009-08-17 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-08-16 22:01 . 2009-08-16 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-08-10 23:36 . 2007-12-31 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-10 23:36 . 2007-12-31 22:09 -------- d-----w- c:\documents and settings\OK Computer\Application Data\ZoomBrowser EX
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\DVDneXtCOPY 3
2009-07-27 23:32 . 2009-07-27 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DShield
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\Common Files\DistributeShield
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 . F6F8245B3A2E9CA834DD318E7AE0C6D0 . 2145280 . . [5.1.2600.5657] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2008-04-13 . 40F8880122A030A7E9E1FEDEA833B33D . 2145280 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2007-02-28 . E6679C3023B17D8B78946BC5DF53FA20 . 2137600 . . [5.1.2600.3093] . . c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2006-12-19 . 57B9D140E1EB8B0EA06DF927B63B0EEE . 2137600 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2005-06-23 . 5611F453C6D20AB0552956F39BCDDB88 . 2136064 . . [5.1.2600.2705] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

c:\windows\system32\ntoskrnl.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-09-06_00.29.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-12 06:00 . 2009-05-01 21:03 88824 c:\windows\system32\vxblock.dll
+ 2006-12-31 04:15 . 2009-05-01 21:03 64760 c:\windows\system32\pxinsa64.exe
+ 2006-12-31 04:15 . 2009-05-01 21:03 72440 c:\windows\system32\pxhpinst.exe
+ 2006-12-31 04:15 . 2009-05-01 21:03 66296 c:\windows\system32\pxcpya64.exe
+ 2005-01-26 07:03 . 2009-05-01 21:03 43528 c:\windows\system32\drivers\pxhelp20.sys
+ 2009-05-01 21:02 . 2009-05-01 21:02 90112 c:\windows\system32\dpl100.dll
+ 2006-07-20 23:08 . 2009-09-09 08:02 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-03-30 18:54 . 2006-08-25 03:47 379640 c:\windows\system32\PxWave.dll
+ 2005-03-30 18:54 . 2009-05-01 21:03 379640 c:\windows\system32\PxWave.dll
+ 2005-03-30 18:54 . 2009-05-01 21:03 187128 c:\windows\system32\PxMas.dll
+ 2006-12-31 04:15 . 2009-05-01 21:03 118520 c:\windows\system32\pxinsi64.exe
+ 2005-10-31 06:01 . 2009-05-01 21:03 518904 c:\windows\system32\pxdrv.dll
- 2006-12-31 04:15 . 2006-08-25 03:47 129784 c:\windows\system32\pxafs.dll
+ 2006-12-31 04:15 . 2009-05-01 21:03 129784 c:\windows\system32\pxafs.dll
+ 2005-03-30 18:55 . 2009-05-01 21:03 551672 c:\windows\system32\Px.dll
- 2004-08-10 17:51 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 17:51 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 17:57 . 2009-09-13 22:46 281336 c:\windows\system32\FNTCACHE.DAT
- 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 811008 c:\windows\system32\divx_xx16.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 802816 c:\windows\system32\divx_xx11.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 823296 c:\windows\system32\divx_xx0c.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 815104 c:\windows\system32\divx_xx0a.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 823296 c:\windows\system32\divx_xx07.dll
+ 2009-05-01 21:02 . 2009-05-01 21:02 685056 c:\windows\system32\DivX.dll
+ 2009-09-11 03:46 . 2009-09-11 03:46 152576 c:\windows\Installer\16cc2462.msi
- 2006-07-20 23:08 . 2009-08-12 08:05 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-07-20 23:08 . 2009-09-09 08:02 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-07-20 23:08 . 2009-08-12 08:05 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-09 08:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 08:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 08:01 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-10 17:51 . 2008-06-18 11:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-10 17:51 . 2009-05-20 09:56 2458112 c:\windows\system32\WMVCore.dll
+ 2005-03-30 18:58 . 2009-05-01 21:03 1628920 c:\windows\system32\PxSFS.DLL
- 2004-08-10 17:51 . 2008-06-18 11:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-10 17:51 . 2009-05-20 09:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 19:57 . 2009-08-25 19:57 5518336 c:\windows\Installer\d689935.msp
+ 2006-07-21 00:47 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-09 08:01 . 2009-09-09 08:01 15709696 c:\windows\Installer\d689924.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-04 1796368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-24 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk
backup=c:\windows\pss\Trojan Guarder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sienzo\\DMM\\DMM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9903:TCP"= 9903:TCP:BitComet 9903 TCP
"9903:UDP"= 9903:UDP:BitComet 9903 UDP
"26148:TCP"= 26148:TCP:BitComet 26148 TCP
"26148:UDP"= 26148:UDP:BitComet 26148 UDP
"11548:TCP"= 11548:TCP:BitComet 11548 TCP
"11548:UDP"= 11548:UDP:BitComet 11548 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/20/2009 1:15 AM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/28/2009 3:41 PM 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 8:08 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 8:08 PM 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [8/20/2009 8:55 PM 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 5:38 PM 108289]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [5/5/2009 6:55 PM 1051136]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/28/2009 3:41 PM 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S3 cdrmkaun;cdrmkaun; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:42]

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-23 01:50]

2009-09-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OK Computer\Application Data\Mozilla\Firefox\Profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 17:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(14876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-20 17:36
ComboFix-quarantined-files.txt 2009-09-20 22:36
ComboFix2.txt 2009-09-06 00:32
ComboFix3.txt 2009-09-04 01:50

Pre-Run: 15,606,370,304 bytes free
Post-Run: 15,565,791,232 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
335 --- E O F --- 2009-09-18 07:07


And here is the oldest one (combofix3):

ComboFix 09-09-03.02 - OK Computer 09/03/2009 20:28.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2549 [GMT -5:00]
Running from: c:\documents and settings\OK Computer\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\OK Computer\My Documents\cc_20090818_174745.reg
c:\documents and settings\OK Computer\My Documents\ZbThumbnail.info
C:\Images
c:\images\nathanm.com.jpg
c:\images\Thumbs.db
c:\temp\abW9
c:\temp\sanR24
c:\windows\desktop
c:\windows\Fonts\Lndrwprt.ttf
c:\windows\Fonts\Lndrwscr.ttf
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\SKYNETwpvnxowt.sys
c:\windows\system32\rMa02yy
c:\windows\system32\SKYNETgoilmctt.dll
c:\windows\system32\SKYNETjlkrcmpw.dat
c:\windows\system32\SKYNETqpyxxurx.dat
c:\windows\system32\SKYNETusveonxo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNEToyljamwx
-------\Legacy_SKYNEToyljamwx
-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 01:04 . 2009-09-04 01:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-03 22:38 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 22:38 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-03 22:38 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-03 22:38 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\program files\Avira
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\program files\Windows Defender
2009-09-02 00:47 . 2009-05-13 22:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-09-02 00:47 . 2009-05-13 22:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-09-01 23:23 . 2009-09-01 23:23 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Sunbelt
2009-09-01 23:22 . 2009-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-09-01 22:46 . 2009-09-01 22:46 -------- d-----w- c:\program files\uTorrent
2009-09-01 22:45 . 2009-09-01 23:05 -------- d-----w- c:\documents and settings\OK Computer\Application Data\uTorrent
2009-08-28 21:31 . 2009-08-28 21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-28 21:15 . 2009-08-28 21:15 -------- d-----w- c:\program files\Trend Micro
2009-08-28 21:11 . 2009-08-28 21:11 -------- d-----w- c:\program files\Bazooka Scanner
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-08-28 20:41 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 20:41 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 20:41 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-28 20:41 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\OK Computer\Application Data\PC Tools
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-28 20:31 . 2009-08-28 20:31 120 ----a-w- c:\windows\Lveqewateb.dat
2009-08-28 20:12 . 2009-08-28 20:12 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----w- c:\program files\Common Files\Skype
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----r- c:\program files\Skype
2009-08-23 02:24 . 2009-08-28 20:55 -------- d-----w- c:\program files\Spyware Doctor
2009-08-23 01:50 . 2009-08-23 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-21 02:54 . 2009-08-21 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 01:55 . 2009-08-23 02:10 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Spyware Terminator
2009-08-21 01:55 . 2009-08-21 01:55 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-21 01:55 . 2009-08-23 02:13 -------- d-----w- c:\program files\Spyware Terminator
2009-08-21 01:55 . 2009-08-21 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-20 23:30 . 2009-08-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-20 23:29 . 2009-08-21 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-20 23:29 . 2009-08-20 23:29 -------- d-----w- c:\program files\Common Files\iS3
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\OK Computer\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 01:08 . 2009-08-19 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-19 01:08 . 2009-08-19 01:08 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-19 01:08 . 2009-08-19 01:08 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-19 01:08 . 2009-08-19 01:08 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-19 01:08 . 2009-08-19 01:08 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-19 00:54 . 2009-08-19 00:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-19 00:19 . 2009-08-19 01:08 -------- d-----w- c:\program files\COMODO
2009-08-18 23:01 . 2009-08-18 23:19 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Auslogics
2009-08-18 23:01 . 2009-08-18 23:01 -------- d-----w- c:\program files\Auslogics
2009-08-18 22:46 . 2009-08-18 22:46 -------- d-----w- c:\program files\CCleaner
2009-08-17 17:44 . 2009-09-02 03:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-17 17:24 . 2009-09-04 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-17 17:20 . 2009-08-17 17:20 -------- d-----w- c:\documents and settings\OK Computer\Application Data\AVG8
2009-08-17 17:13 . 2009-08-17 17:13 -------- d-----w- c:\program files\ESET
2009-08-17 17:09 . 2009-08-17 17:10 -------- d-----w- c:\documents and settings\OK Computer\.housecall6.6
2009-08-17 16:36 . 2009-08-17 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-08-17 15:36 . 2009-08-17 15:36 -------- d--h--w- c:\windows\PIF
2009-08-17 00:31 . 2009-08-17 00:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-16 22:03 . 2009-08-16 22:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-16 22:01 . 2009-08-16 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-08-12 05:54 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 01:04 . 2006-07-13 16:00 -------- d-----w- c:\program files\Java
2009-09-01 23:08 . 2006-08-05 17:12 -------- d-----w- c:\program files\BitComet
2009-08-29 13:44 . 2007-11-14 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-26 02:15 . 2008-07-03 02:35 -------- d-----w- c:\program files\PokerStars
2009-08-23 15:46 . 2008-11-25 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-23 01:50 . 2006-12-20 06:38 -------- d-----w- c:\program files\Google
2009-08-21 13:00 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Skype
2009-08-21 01:09 . 2009-08-20 23:36 7752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 23:37 . 2009-08-20 23:36 496 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-18 22:51 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\skypePM
2009-08-18 22:51 . 2006-07-13 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-18 22:50 . 2006-07-13 16:10 -------- d-----w- c:\program files\McAfee.com
2009-08-18 22:37 . 2009-06-13 16:38 -------- d-----w- c:\program files\SlySoft
2009-08-18 22:36 . 2009-05-12 02:14 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Move Networks
2009-08-18 22:34 . 2006-07-13 16:04 -------- d-----w- c:\program files\Dell
2009-08-18 03:35 . 2009-01-21 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 23:00 . 2007-04-06 22:29 -------- d-----w- c:\program files\Full Tilt Poker
2009-08-10 23:36 . 2007-12-31 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-10 23:36 . 2007-12-31 22:09 -------- d-----w- c:\documents and settings\OK Computer\Application Data\ZoomBrowser EX
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-21 23:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-21 23:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 22:35 . 2009-05-31 02:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\DVDneXtCOPY 3
2009-07-27 23:32 . 2009-07-27 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DShield
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\Common Files\DistributeShield
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 06:13 . 2009-06-20 06:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-20 06:13 . 2009-06-20 06:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 02:35 . 2006-07-25 03:44 80880 ----a-w- c:\documents and settings\OK Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-12 03:52 . 2009-06-12 03:52 716272 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 11:00 . 2009-06-10 11:00 68392 ----a-w- c:\windows\system32\sbbd.exe
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

------- Sigcheck -------

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-06-23 00:30 2136064 5611F453C6D20AB0552956F39BCDDB88 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 16:49 2137600 57B9D140E1EB8B0EA06DF927B63B0EEE c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

c:\windows\system32\ntoskrnl.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-06-13 4608]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-24 520024]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-08-19 1793808]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2009-06-10 685352]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-24 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk
backup=c:\windows\pss\Trojan Guarder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sienzo\\DMM\\DMM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9903:TCP"= 9903:TCP:BitComet 9903 TCP
"9903:UDP"= 9903:UDP:BitComet 9903 UDP
"26148:TCP"= 26148:TCP:BitComet 26148 TCP
"26148:UDP"= 26148:UDP:BitComet 26148 UDP
"11548:TCP"= 11548:TCP:BitComet 11548 TCP
"11548:UDP"= 11548:UDP:BitComet 11548 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/20/2009 1:15 AM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/28/2009 3:41 PM 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 8:08 PM 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 8:08 PM 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [9/1/2009 7:47 PM 13360]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [8/20/2009 8:55 PM 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 5:38 PM 108289]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [5/5/2009 6:55 PM 1051136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [6/10/2009 6:00 AM 980264]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [9/1/2009 7:47 PM 69936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/28/2009 3:41 PM 348752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/31/2007 6:33 PM 24652]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 cdrmkaun;cdrmkaun; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/30/2009 1:56 PM 93360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:42]

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-23 01:50]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{8ADB5953-B266-4070-8176-A1658F9291DD} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OK Computer\Application Data\Mozilla\Firefox\Profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(6152)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\COMODO\COMODO Internet Security\cfpupdat.exe
.
**************************************************************************
.
Completion time: 2009-09-04 20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 01:50

Pre-Run: 34,645,979,136 bytes free
Post-Run: 34,508,783,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
342 --- E O F --- 2009-08-25 22:21




#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,612 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:49 AM

Posted 21 September 2009 - 07:20 AM

Hello thisheregirafFe,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

c:\windows\Lveqewateb.dat

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
FCopy::
c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe | c:\windows\system32\ntoskrnl.exe

DDS::
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}\
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Scan results of the uploaded file
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft

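The Sigcheck block in the ComboFix log above lists every copy of ntoskrnl.exe the tool could find, reports the system32 copy as missing, and the CF-script in this reply restores it with an FCopy:: line from one of the hotfix backups. As an added example (not ComboFix's or BleepingComputer's code), the Python below parses such a Sigcheck block: it groups the listed copies by MD5 so identical files stand out, separates the copies ComboFix tagged "[-]" from the rest, and ranks the remaining copies with the same file name by build date so a helper can see which backups are plausible restore sources. The sample report is constructed from the Sigcheck lines in the log above; reading the bracket tag as a verification mark ("[-]" = not verified) is an assumption about the format, and which backup is the right one for the installed service-pack level remains a human decision.

```python
"""Parse the Sigcheck block of a ComboFix log and rank the listed copies of a
missing system file.  Added example; not ComboFix's own code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the Sigcheck lines copied from the ComboFix log posted
# earlier in this thread (tags, dates, sizes, MD5s and paths as printed there).
SAMPLE_REPORT = r"""
------- Sigcheck -------

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-06-23 00:30 2136064 5611F453C6D20AB0552956F39BCDDB88 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 16:49 2137600 57B9D140E1EB8B0EA06DF927B63B0EEE c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

c:\windows\system32\ntoskrnl.exe ... is missing !!
"""

# One Sigcheck entry: [tag] date time size md5 path
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)
# The "... is missing !!" line ComboFix prints for an absent system file
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$")


@dataclass(frozen=True)
class SigEntry:
    tag: str
    date: str
    time: str
    size: int
    md5: str
    path: str

    @property
    def verified(self) -> bool:
        # Assumption about the format: "[-]" is ComboFix's mark for a copy
        # whose signature it could not verify; any other tag counts as verified.
        return self.tag != "-"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text):
    """Return (entries, missing_paths) from the text of a Sigcheck block."""
    entries, missing = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(SigEntry(m["tag"], m["date"], m["time"],
                                    int(m["size"]), m["md5"].upper(), m["path"]))
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m["path"])
    return entries, missing


def group_by_md5(entries):
    """Map MD5 -> list of paths; identical copies share a key."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.md5].append(e.path)
    return dict(groups)


def restore_candidates(entries, missing_path):
    """Verified copies with the same file name as the missing one, newest
    build first.  Picking the right service-pack level is still up to the
    helper; this only narrows the list."""
    name = missing_path.rsplit("\\", 1)[-1].lower()
    cands = [e for e in entries if e.verified and e.name == name]
    return sorted(cands, key=lambda e: (e.date, e.time), reverse=True)


def report(text):
    """Summary a helper would read before writing an FCopy:: line."""
    entries, missing = parse_sigcheck(text)
    return {
        "entries": len(entries),
        "missing": missing,
        "unverified": [e.path for e in entries if not e.verified],
        "duplicates": {h: p for h, p in group_by_md5(entries).items() if len(p) > 1},
        "candidates": {m: [(e.date, e.size, e.path) for e in restore_candidates(entries, m)]
                       for m in missing},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, the newest verified copy is the KB956572\SP3QFE backup, which is the file the FCopy:: line above copies back; after the script runs, the size the next ComboFix log reports for c:\windows\system32\ntoskrnl.exe can be checked against the size of that candidate.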


#13 thisheregirafFe

thisheregirafFe
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:49 PM

Posted 21 September 2009 - 02:21 PM

oh, this sounds bad... eek.

well I'd like to try and fix it as much as possible before doing a re-format... so I've taken the steps and here are the logs:

from the scanner:

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
AhnLab-V3 5.0.0.2 2009.09.21 -
AntiVir 7.9.1.23 2009.09.21 -
Antiy-AVL 2.0.3.7 2009.09.21 -
Authentium 5.1.2.4 2009.09.21 -
Avast 4.8.1351.0 2009.09.21 -
AVG 8.5.0.412 2009.09.21 -
BitDefender 7.2 2009.09.21 -
CAT-QuickHeal 10.00 2009.09.21 -
ClamAV 0.94.1 2009.09.21 -
Comodo 2394 2009.09.21 -
DrWeb 5.0.0.12182 2009.09.21 -
eSafe 7.0.17.0 2009.09.21 -
eTrust-Vet 31.6.6750 2009.09.21 -
F-Prot 4.5.1.85 2009.09.21 -
F-Secure 8.0.14470.0 2009.09.21 -
Fortinet 3.120.0.0 2009.09.21 -
GData 19 2009.09.21 -
Ikarus T3.1.1.72.0 2009.09.21 -
Jiangmin 11.0.800 2009.09.21 -
K7AntiVirus 7.10.850 2009.09.21 -
Kaspersky 7.0.0.125 2009.09.21 -
McAfee 5748 2009.09.21 -
McAfee+Artemis 5748 2009.09.21 -
McAfee-GW-Edition 6.8.5 2009.09.21 -
Microsoft 1.5005 2009.09.21 -
NOD32 4444 2009.09.21 -
Norman 6.01.09 2009.09.21 -
nProtect 2009.1.8.0 2009.09.21 -
Panda 10.0.2.2 2009.09.21 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.21 -
Rising 21.48.04.00 2009.09.21 -
Sophos 4.45.0 2009.09.21 -
Sunbelt 3.2.1858.2 2009.09.21 -
Symantec 1.4.4.12 2009.09.21 -
TheHacker 6.5.0.2.014 2009.09.21 -
TrendMicro 8.950.0.1094 2009.09.21 -
VBA32 3.12.10.10 2009.09.21 -
ViRobot 2009.9.21.1945 2009.09.21 -
VirusBuster 4.6.5.0 2009.09.21 -
Additional information
File size: 120 bytes
MD5...: 8efeabdeec3de81c3dc42a2801ddf461
SHA1..: 02f1032b36b1546af5815cd03befd0aa5a09b008
SHA256: 643f2d4a4311c9af9f31a361a0e827c1aaa6520328d1374e2ee4a65e6e9a2a37
ssdeep: 3:yxKdWoWgX6USwmaF5ctU0RpukCHeh2XVh:ycFWgX6LVTDUHM2Fh
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


and combofix:

ComboFix 09-09-18.02 - OK Computer 09/21/2009 14:06.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2533 [GMT -5:00]
Running from: c:\documents and settings\OK Computer\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\OK Computer\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --> c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 19:06 . 2009-02-08 00:35 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-09-21 19:06 . 2009-02-08 00:35 2189184 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-11 03:47 . 2009-05-01 21:03 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-11 03:46 . 2009-09-11 03:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-09 04:31 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 16:13 . 2009-09-06 16:13 -------- d-----w- c:\program files\InCode Solutions
2009-09-06 00:45 . 2009-09-06 00:45 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\G DATA
2009-09-04 01:04 . 2009-09-04 01:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-03 22:38 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 22:38 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-03 22:38 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-03 22:38 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\program files\Avira
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\program files\Windows Defender
2009-09-01 23:22 . 2009-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-09-01 22:46 . 2009-09-01 22:46 -------- d-----w- c:\program files\uTorrent
2009-09-01 22:45 . 2009-09-18 12:53 -------- d-----w- c:\documents and settings\OK Computer\Application Data\uTorrent
2009-08-28 21:31 . 2009-08-28 21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-28 21:15 . 2009-08-28 21:15 -------- d-----w- c:\program files\Trend Micro
2009-08-28 21:11 . 2009-08-28 21:11 -------- d-----w- c:\program files\Bazooka Scanner
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-08-28 20:41 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 20:41 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 20:41 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-28 20:41 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\OK Computer\Application Data\PC Tools
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-28 20:31 . 2009-08-28 20:31 120 ----a-w- c:\windows\Lveqewateb.dat
2009-08-28 20:12 . 2009-08-28 20:12 -------- d-----w- c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----w- c:\program files\Common Files\Skype
2009-08-23 15:46 . 2009-08-23 15:46 -------- d-----r- c:\program files\Skype
2009-08-23 02:24 . 2009-08-28 20:55 -------- d-----w- c:\program files\Spyware Doctor
2009-08-23 01:50 . 2009-08-23 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 15:19 . 2006-09-07 23:52 -------- d-----w- c:\program files\Full Tilt Poker.Org
2009-09-20 15:19 . 2006-07-13 16:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 15:18 . 2007-04-06 22:29 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-20 14:59 . 2006-07-13 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 01:36 . 2007-11-14 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-16 22:07 . 2009-08-18 23:01 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Auslogics
2009-09-15 23:30 . 2009-01-21 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 22:48 . 2006-07-25 03:44 80096 ----a-w- c:\documents and settings\OK Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 15:20 . 2009-05-31 02:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 03:47 . 2006-08-07 04:05 -------- d-----w- c:\program files\DivX
2009-09-10 19:54 . 2009-01-21 23:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-21 23:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 02:51 . 2004-08-10 17:51 13312 ------w- c:\windows\system32\lsass.exe
2009-09-04 02:38 . 2009-08-19 01:08 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-04 02:37 . 2009-08-19 01:08 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-04 02:37 . 2009-08-19 01:08 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-04 02:37 . 2009-08-19 01:08 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-04 01:04 . 2006-07-13 16:00 -------- d-----w- c:\program files\Java
2009-09-04 00:54 . 2009-08-17 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-01 23:08 . 2006-08-05 17:12 -------- d-----w- c:\program files\BitComet
2009-08-26 02:15 . 2008-07-03 02:35 -------- d-----w- c:\program files\PokerStars
2009-08-23 15:46 . 2008-11-25 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-23 02:13 . 2009-08-21 01:55 -------- d-----w- c:\program files\Spyware Terminator
2009-08-23 02:10 . 2009-08-21 01:55 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Spyware Terminator
2009-08-23 01:50 . 2006-12-20 06:38 -------- d-----w- c:\program files\Google
2009-08-21 22:24 . 2009-08-21 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-21 13:00 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Skype
2009-08-21 02:54 . 2009-08-21 02:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 01:55 . 2009-08-21 01:55 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-21 01:47 . 2009-08-20 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-21 01:09 . 2009-08-20 23:36 7752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 23:37 . 2009-08-20 23:36 496 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-20 23:30 . 2009-08-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-20 23:29 . 2009-08-20 23:29 -------- d-----w- c:\program files\Common Files\iS3
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\documents and settings\OK Computer\Application Data\SUPERAntiSpyware.com
2009-08-20 22:52 . 2009-08-20 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 01:10 . 2009-08-19 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-19 01:08 . 2009-08-19 00:19 -------- d-----w- c:\program files\COMODO
2009-08-18 23:01 . 2009-08-18 23:01 -------- d-----w- c:\program files\Auslogics
2009-08-18 22:51 . 2008-11-25 01:00 -------- d-----w- c:\documents and settings\OK Computer\Application Data\skypePM
2009-08-18 22:51 . 2006-07-13 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-18 22:50 . 2006-07-13 16:10 -------- d-----w- c:\program files\McAfee.com
2009-08-18 22:46 . 2009-08-18 22:46 -------- d-----w- c:\program files\CCleaner
2009-08-18 22:37 . 2009-06-13 16:38 -------- d-----w- c:\program files\SlySoft
2009-08-18 22:36 . 2009-05-12 02:14 -------- d-----w- c:\documents and settings\OK Computer\Application Data\Move Networks
2009-08-18 22:34 . 2006-07-13 16:04 -------- d-----w- c:\program files\Dell
2009-08-17 17:20 . 2009-08-17 17:20 -------- d-----w- c:\documents and settings\OK Computer\Application Data\AVG8
2009-08-17 17:13 . 2009-08-17 17:13 -------- d-----w- c:\program files\ESET
2009-08-17 16:36 . 2009-08-17 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2009-08-16 22:01 . 2009-08-16 22:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-08-10 23:36 . 2007-12-31 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-10 23:36 . 2007-12-31 22:09 -------- d-----w- c:\documents and settings\OK Computer\Application Data\ZoomBrowser EX
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\DVDneXtCOPY 3
2009-07-27 23:32 . 2009-07-27 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DShield
2009-07-27 23:32 . 2009-07-10 23:24 -------- d-----w- c:\program files\Common Files\DistributeShield
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-09-20_22.33.30 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-04 1796368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-24 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk
backup=c:\windows\pss\Trojan Guarder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sienzo\\DMM\\DMM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9903:TCP"= 9903:TCP:BitComet 9903 TCP
"9903:UDP"= 9903:UDP:BitComet 9903 UDP
"26148:TCP"= 26148:TCP:BitComet 26148 TCP
"26148:UDP"= 26148:UDP:BitComet 26148 UDP
"11548:TCP"= 11548:TCP:BitComet 11548 TCP
"11548:UDP"= 11548:UDP:BitComet 11548 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/20/2009 1:15 AM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/28/2009 3:41 PM 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 8:08 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 8:08 PM 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [8/20/2009 8:55 PM 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 5:38 PM 108289]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [5/5/2009 6:55 PM 1051136]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/28/2009 3:41 PM 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S3 cdrmkaun;cdrmkaun; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:42]

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-23 01:50]

2009-09-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OK Computer\Application Data\Mozilla\Firefox\Profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} - c:\documents and settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0}\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(12532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-21 14:17
ComboFix-quarantined-files.txt 2009-09-21 19:17
ComboFix2.txt 2009-09-20 22:36
ComboFix3.txt 2009-09-06 00:32
ComboFix4.txt 2009-09-04 01:50

Pre-Run: 15,523,860,480 bytes free
Post-Run: 15,475,707,904 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
270 --- E O F --- 2009-09-21 18:45


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,612 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:49 AM

Posted 22 September 2009 - 03:50 AM

Hi thisheregirafFe,

We are making good progress :( Just a note, there is no need to attach the requested logs if you already pasted them in the reply.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
In your next reply, please include the following:
  • Goored.txt
  • A new DDS log
  • Please let me know if the redirects are gone and how everything else is running

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft



#15 thisheregirafFe

thisheregirafFe
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:49 PM

Posted 22 September 2009 - 05:30 PM

WOW. Web pages seem to be loading MUCH faster, not laggy at all... and the redirects appear to be gone!!! Holy crap.

Okie dokie. Here is the Goored log:

GooredFix by jpshortstuff (12.07.09)
Log created at 07:40 on 22/09/2009 (OK Computer)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} -> Success!
Deleting C:\Documents and Settings\OK Computer\Local Settings\Application Data\{1DE586B0-00CB-4802-B9CA-E4467CBAA1E0} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [03:43 05/12/2006]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [01:05 04/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:04 04/09/2009]

-=E.O.F=-


and new DDS:


DDS (Ver_09-07-30.01) - NTFSx86
Run by OK Computer at 17:28:05.79 on Tue 09/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2237 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MsMpEng.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\DivX\DivX Codec\divxsm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\OK Computer\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" -startup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\okcomp~1\applic~1\mozilla\firefox\profiles\ad9uwlm4.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\google updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-20 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-28 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-3 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-18 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-18 25160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-18 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-8-20 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-3 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-3 55656]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2009-5-5 1051136]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-18 723632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-28 348752]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2007-9-29 3376704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-21 38224]
S3 cdrmkaun;cdrmkaun; [x]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-18 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-18 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-18 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-18 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-28 1097096]

=============== Created Last 30 ================

2009-09-21 14:06 2,189,184 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-21 14:06 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-09-20 17:24 229,888 a------- c:\windows\PEV.exe
2009-09-10 22:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-09-10 22:46 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-08 23:31 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-06 11:13 <DIR> --d----- c:\program files\InCode Solutions
2009-09-03 20:21 <DIR> a-dshr-- C:\cmdcons
2009-09-03 20:19 161,792 a------- c:\windows\SWREG.exe
2009-09-03 20:19 98,816 a------- c:\windows\sed.exe
2009-09-03 20:05 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-03 20:04 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-03 17:38 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-03 17:38 <DIR> --d----- c:\program files\Avira
2009-09-03 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-09-01 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-09-01 17:59 116 a------- c:\windows\system32\SpywareCease.lie
2009-09-01 17:57 42 a------- c:\windows\system32\scud.udf
2009-09-01 17:46 <DIR> --d----- c:\program files\uTorrent
2009-09-01 17:45 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\uTorrent
2009-08-28 16:53 0 a------- C:\rollback.ini
2009-08-28 16:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-28 16:15 <DIR> --d----- c:\program files\Trend Micro
2009-08-28 16:11 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-28 15:41 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-28 15:41 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-28 15:41 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-28 15:41 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-28 15:41 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-28 15:41 <DIR> --d----- c:\docume~1\okcomp~1\applic~1\PC Tools
2009-08-28 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-28 15:31 120 a------- c:\windows\Lveqewateb.dat

==================== Find3M ====================

2009-09-21 17:28 179,792 a------- c:\windows\system32\guard32.dll
2009-09-21 17:28 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-21 17:28 132,296 a------- c:\windows\system32\drivers\cmdguard.sys
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-03 21:51 13,312 a------- c:\windows\system32\dllcache\lsass.exe
2009-09-03 21:51 13,312 -------- c:\windows\system32\lsass.exe
2009-08-20 20:55 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-20 20:09 7,752 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-20 18:37 496 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2008-10-19 14:03 113 a------- c:\docume~1\okcomp~1\applic~1\netstat.bat

============= FINISH: 17:29:05.45 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/19/2006 1:53:20 PM
System Uptime: 9/21/2009 5:20:06 PM (24 hours ago)

Motherboard: Dell Inc. | | 0HJ054
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 230 GiB total, 14.359 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/3/2009 8:28:20 PM - ComboFix created restore point
RP2: 9/3/2009 9:26:42 PM - Removed CounterSpy.
RP3: 9/3/2009 9:30:53 PM - nhnhn
RP4: 9/4/2009 6:35:33 PM - Software Distribution Service 3.0
RP5: 9/5/2009 8:32:28 PM - System Checkpoint
RP6: 9/7/2009 12:56:51 AM - System Checkpoint
RP7: 9/8/2009 2:42:40 AM - System Checkpoint
RP8: 9/8/2009 5:22:34 AM - Software Distribution Service 3.0
RP9: 9/9/2009 3:00:22 AM - Software Distribution Service 3.0
RP10: 9/10/2009 5:25:46 PM - Software Distribution Service 3.0
RP11: 9/11/2009 8:05:19 PM - System Checkpoint
RP12: 9/13/2009 8:55:20 PM - System Checkpoint
RP13: 9/14/2009 11:42:09 AM - Software Distribution Service 3.0
RP14: 9/15/2009 12:27:01 PM - System Checkpoint
RP15: 9/16/2009 5:30:14 PM - System Checkpoint
RP16: 9/17/2009 6:34:57 PM - System Checkpoint
RP17: 9/18/2009 2:07:15 AM - Software Distribution Service 3.0
RP18: 9/19/2009 3:16:32 AM - System Checkpoint
RP19: 9/20/2009 4:04:32 AM - System Checkpoint
RP20: 9/20/2009 9:58:28 AM - Removed Java 2 Runtime Environment, SE v1.4.2_03
RP21: 9/20/2009 10:17:57 AM - Removed Full Tilt Poker
RP22: 9/20/2009 10:18:59 AM - Removed Full Tilt Poker.Org
RP23: 9/21/2009 1:45:37 PM - Software Distribution Service 3.0
RP24: 9/22/2009 2:24:36 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
A-Ray Scanner 2.0.2.3
AC3Filter 1.61b
Acoustica Audio Converter Pro
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Auslogics BoostSpeed
Avira AntiVir Personal - Free Antivirus
Bazooka Scanner
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
CinepPlayer 30 Update
COMODO Internet Security
Counter-Strike: Condition Zero
Critical Update for Windows Media Player 11 (KB959772)
dBpowerAMP FLAC Codec
dBpowerAMP Music Converter
dBpoweramp Windows Media Audio 10 Codec
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Digital Content Portal
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
dMC Power Pack
DMM Uninstall
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESET Online Scanner v3
FairUse4WM 1.3
Games, Music, & Photos Launcher
Google Earth
Google Updater
Guitar Pro 5.2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HUE HD Webcam
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iTunes
Java™ 6 Update 16
Learn2 Player (Uninstall Only)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Netflix Movie Viewer
PokerStars
Psychonauts Demo
QuickTime
RealPlayer
RemoveIT Pro v4 - SE
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SBaGen 1.4.4
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sibelius Scorch (Firefox, Opera, Netscape only)
Skype™ 4.0
Sonic Activation Module
Spy Sweeper
Spybot - Search & Destroy
Spyware Terminator
Steam
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
URL Assistant
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.5
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vodei Multimedia Processor 2.00
WebcamMax
WebCyberCoach 3.2 Dell
WebFldrs XP
WebShot
Windows Defender
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
XviD Media Codec 1.1.1

==== Event Viewer Messages From Past Week ========

9/20/2009 9:59:02 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
9/20/2009 5:25:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/20/2009 5:25:16 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/16/2009 4:01:35 PM, error: Service Control Manager [7034] - The StarWind AE Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Edited by thisheregirafFe, 22 September 2009 - 05:32 PM.




