PC Antispyware 2010 pop-up 'Your computer is infected!' followed by automatic downloads


This topic is locked
15 replies to this topic

#1 walty666

  • Members
  • 19 posts

Posted 03 September 2009 - 02:51 AM

Hello,
On Sunday I clicked on a malicious link in Facebook which downloaded various malware. I've been running AVG for ages but it sliced through that undetected. I've since downloaded MBAM, Spybot, Ad-Aware and SUPERAntiSpyware, all of which are finding things every time I run them, typically:

Rogue.Installer
Worm.Koobface
Rogue.PC_Antispyware2010
Trojan.Agent
Trojan.KillAV
Trojan.FakeAlert
Malware.Trace
Fake.Beep.sys
Rogue.AntiVirusPro
Trojan.Downloader
etc, etc.

The latest few runs of MBAM are not showing anything, but I still have the annoying 'Your computer is infected!' pop-up which periodically starts an automatic download of PC Antispyware 2010. I've tried to kill the process (braviax.exe) and delete the associated files, but it keeps coming back on reboot.
AVG has also recently found cru629.dat, figaro.sys and agp440.sys, the latter of which is white-listed and can't be removed (?). All in all a bit of a mess that I don't possess the know-how to handle... Your help would be much appreciated. Please see logs below (had to run RSIT as dds.scr kept being recognised as an AutoCAD script):


Logfile of random's system information tool 1.06 (written by random/random)
Run by windows user at 2009-09-03 08:09:35
Microsoft Windows XP Professional Service Pack 3
System drive C: has 101 GB (55%) free of 185 GB
Total RAM: 1023 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:09:56, on 03/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\ir_ext_temp_113\autorun.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Documents and Settings\windows user\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\windows user\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Activ Software\Activdriver\activmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
C:\Documents and Settings\windows user\Desktop\RSIT.exe
C:\Program Files\trend micro\windows user.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ActivFilter] C:\Program Files\Activ Software\Activdriver\ActivFilter.exe
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\windows user\sys32_nov.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.travelblog.org/Admin/PhotoUploa...geUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246879750932
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246879695573
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://doubleoverhead-porthcawl.remotemana...MJPEGRender.ocx
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 12505 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"Updater"=C:\WINDOWS\system32\updater\explorer.exe [2007-10-30 1440354]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"OM2_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe [2008-02-22 54576]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-14 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-29 2007832]
"TalkTalk"=C:\Program Files\TalkTalk\bin\sprtcmd.exe [2007-10-12 202016]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"ActivFilter"=C:\Program Files\Activ Software\Activdriver\ActivFilter.exe [2002-11-07 23552]
"ActivControl"=C:\Program Files\Activ Software\Activdriver\ActivControl2.exe [2009-04-03 1040384]
"sys32_nov"=C:\WINDOWS\system32\sys32_nov.exe [2009-09-01 29216]
"Regedit32"=C:\WINDOWS\system32\regedit.exe []
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-06-18 271360]
"osCheck"=C:\Program Files\Norton Internet Security\osCheck.exe []
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe []
"ATIPTA"=C:\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-12 339968]
"PC Antispyware 2010"=C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe /hide []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"OM2_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe [2008-02-22 95536]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-08-07 247144]
"sys32_nov"=C:\Documents and Settings\windows user\sys32_nov.exe [2009-09-01 29216]
"braviax"= []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
SMART Board Tools.lnk - C:\Program Files\SMART Board Software\SMARTBoardTools.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cru629.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-29 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%ProgramFiles%\AOL 9.0\aol.exe"="%ProgramFiles%\AOL 9.0\aol.exe:*:Enabled:AOL"
"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe"="%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe:*:Enabled:SPLINTER CELL PANDORA"
"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe"="%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:PANDORA"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\TalkTalk\agent\bin\bcont.exe"="C:\Program Files\TalkTalk\agent\bin\bcont.exe:*:Enabled:bcont.exe"
"C:\Program Files\Common Files\SupportSoft\bin\tgsrvc.exe"="C:\Program Files\Common Files\SupportSoft\bin\tgsrvc.exe:*:Enabled:tgsrvc.exe"
"C:\Program Files\TalkTalk\agent\bin\bcont_nm.exe"="C:\Program Files\TalkTalk\agent\bin\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"C:\Program Files\TalkTalk\bin\sprtcmd.exe"="C:\Program Files\TalkTalk\bin\sprtcmd.exe:*:Enabled:sprtcmd.exe"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\APPS\skype\phone\Skype.exe"="C:\APPS\skype\phone\Skype.exe:*:Enabled:Skype"
"D:\mflpro\Data\Disk1\setup.exe"="D:\mflpro\Data\Disk1\setup.exe:*:Enabled:Setup.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78ab9bd1-a6b4-11da-b959-0013d48ac454}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95810880-6a6b-11de-839a-001921470a73}]
shell\AutoRun\command - G:\InstallTomTomHOME.exe


======File associations======

.scr - open - "C:\WINDOWS\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-09-03 08:09:35 ----D---- C:\rsit
2009-09-03 08:09:35 ----D---- C:\Program Files\trend micro
2009-09-02 15:24:30 ----A---- C:\WINDOWS\system32\wisdstr.exe
2009-09-02 12:50:16 ----A---- C:\WINDOWS\system32\milotilef.bat
2009-09-02 12:50:16 ----A---- C:\WINDOWS\odyvafyn.com
2009-09-02 12:50:16 ----A---- C:\Documents and Settings\windows user\Application Data\omefa.dll
2009-09-02 12:50:16 ----A---- C:\Documents and Settings\windows user\Application Data\iceca.dll
2009-09-02 12:50:16 ----A---- C:\Documents and Settings\All Users\Application Data\ywyf.exe
2009-09-02 12:37:08 ----A---- C:\WINDOWS\system32\braviax.exe
2009-09-02 12:04:24 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-09-02 11:49:20 ----A---- C:\WINDOWS\sykyjilyku.vbs
2009-09-02 11:49:19 ----A---- C:\WINDOWS\ikiwyqi.com
2009-09-02 11:49:19 ----A---- C:\Program Files\Common Files\gecakuhino.com
2009-09-02 11:49:19 ----A---- C:\Documents and Settings\windows user\Application Data\murimyx.com
2009-09-02 11:23:31 ----A---- C:\WINDOWS\system32\hotoza.vbs
2009-09-02 11:23:31 ----A---- C:\WINDOWS\epory.com
2009-09-02 11:23:31 ----A---- C:\Program Files\Common Files\canahore.dll
2009-09-02 11:23:31 ----A---- C:\Documents and Settings\All Users\Application Data\eruwomuzy.vbs
2009-09-02 09:36:38 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-09-01 23:08:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-01 15:29:41 ----A---- C:\WINDOWS\kukenepo.exe
2009-09-01 15:29:40 ----A---- C:\WINDOWS\system32\lafysy.com
2009-09-01 15:29:40 ----A---- C:\WINDOWS\qerububiky.exe
2009-09-01 15:29:40 ----A---- C:\WINDOWS\kycan.dll
2009-09-01 15:29:40 ----A---- C:\WINDOWS\hyhoqav.com
2009-09-01 15:29:40 ----A---- C:\WINDOWS\apemefu.bat
2009-09-01 14:17:43 ----A---- C:\WINDOWS\unyx.com
2009-09-01 14:17:43 ----A---- C:\WINDOWS\izuvy.vbs
2009-09-01 14:17:43 ----A---- C:\WINDOWS\iwovyze.vbs
2009-09-01 14:17:43 ----A---- C:\WINDOWS\isujile.vbs
2009-09-01 14:17:43 ----A---- C:\Documents and Settings\windows user\Application Data\ijan.vbs
2009-09-01 13:44:07 ----A---- C:\WINDOWS\vyqebekyd.bat
2009-09-01 13:44:07 ----A---- C:\Documents and Settings\windows user\Application Data\uqejapece.com
2009-09-01 13:44:06 ----A---- C:\WINDOWS\ujicilanu.com
2009-09-01 13:44:06 ----A---- C:\WINDOWS\udumut.com
2009-09-01 13:44:06 ----A---- C:\WINDOWS\system32\kiqoqacyr.dll
2009-09-01 13:44:06 ----A---- C:\WINDOWS\system32\axezod.com
2009-09-01 13:44:06 ----A---- C:\WINDOWS\irewolir.dll
2009-09-01 13:44:06 ----A---- C:\Program Files\Common Files\fazepur.vbs
2009-09-01 13:44:06 ----A---- C:\Documents and Settings\All Users\Application Data\ynejoj.vbs
2009-09-01 09:09:43 ----A---- C:\WINDOWS\yvuxo.dll
2009-09-01 09:09:43 ----A---- C:\WINDOWS\system32\ufaf.exe
2009-09-01 09:09:43 ----A---- C:\Documents and Settings\windows user\Application Data\wulaxu.com
2009-09-01 09:09:43 ----A---- C:\Documents and Settings\windows user\Application Data\vagy.com
2009-09-01 09:03:57 ----A---- C:\WINDOWS\system32\sys32_nov.exe
2009-08-31 19:15:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-31 17:47:08 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-08-31 17:26:38 ----HDC---- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 17:25:33 ----D---- C:\Program Files\Lavasoft
2009-08-31 17:25:33 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-31 13:40:17 ----D---- C:\Documents and Settings\windows user\Application Data\Malwarebytes
2009-08-31 13:40:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-31 13:40:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-30 18:08:03 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-30 18:03:31 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-30 18:03:31 ----D---- C:\Documents and Settings\windows user\Application Data\SUPERAntiSpyware.com
2009-08-26 14:34:31 ----N---- C:\WINDOWS\system32\BRCrypt.dll
2009-08-26 14:34:20 ----N---- C:\WINDOWS\system32\BrMfNt.dll
2009-08-26 14:34:18 ----N---- C:\WINDOWS\system32\BrWiaNCp.dll
2009-08-26 14:34:18 ----N---- C:\WINDOWS\system32\Brnsplg.dll
2009-08-26 14:34:18 ----N---- C:\WINDOWS\system32\BrNetSti.dll
2009-08-26 14:34:18 ----N---- C:\WINDOWS\system32\BrMuSNMP.dll
2009-08-26 14:33:57 ----N---- C:\WINDOWS\system32\NSSearch.dll
2009-08-26 14:33:49 ----D---- C:\Program Files\Brother
2009-08-26 14:31:34 ----D---- C:\Program Files\Nuance
2009-08-26 14:29:18 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-26 14:27:53 ----D---- C:\Documents and Settings\All Users\Application Data\Brother
2009-08-19 16:20:11 ----D---- C:\Program Files\Microsoft Works
2009-08-19 16:18:28 ----D---- C:\Program Files\Microsoft.NET
2009-08-19 16:15:50 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-08-19 16:15:05 ----RHD---- C:\MSOCache
2009-08-13 11:36:49 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 11:36:42 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-13 11:36:36 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-13 11:36:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-13 11:36:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-13 11:36:11 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 11:36:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-13 11:35:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-13 11:32:52 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-07 13:05:43 ----A---- C:\WINDOWS\brmx2001.ini
2009-08-07 13:05:32 ----N---- C:\WINDOWS\system32\Pdrvinst.dll
2009-08-07 13:03:32 ----A---- C:\WINDOWS\Brownie.ini
2009-08-06 17:09:23 ----D---- C:\Documents and Settings\windows user\Application Data\Promethean
2009-08-06 17:02:02 ----D---- C:\Documents and Settings\All Users\Application Data\Promethean
2009-08-06 17:00:28 ----D---- C:\Program Files\Common Files\Activ Software
2009-08-06 17:00:28 ----D---- C:\Documents and Settings\All Users\Application Data\Activ Software
2009-08-06 17:00:26 ----D---- C:\Program Files\Activ Software

======List of files/folders modified in the last 1 months======

2009-09-03 08:09:37 ----D---- C:\WINDOWS\Prefetch
2009-09-03 08:09:35 ----RD---- C:\Program Files
2009-09-03 07:57:42 ----SHD---- C:\WINDOWS\Installer
2009-09-03 07:57:05 ----D---- C:\WINDOWS\system32\drivers
2009-09-03 07:57:05 ----D---- C:\Program Files\Common Files
2009-09-03 07:30:39 ----D---- C:\WINDOWS
2009-09-03 07:28:27 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-09-03 07:28:09 ----D---- C:\WINDOWS\Temp
2009-09-03 07:25:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-03 07:24:52 ----D---- C:\WINDOWS\Registration
2009-09-03 07:22:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-03 07:21:56 ----RSH---- C:\BOOT.INI
2009-09-03 07:21:56 ----A---- C:\WINDOWS\win.ini
2009-09-03 07:21:56 ----A---- C:\WINDOWS\system.ini
2009-09-02 16:56:49 ----D---- C:\WINDOWS\system32
2009-09-02 16:56:41 ----RSD---- C:\WINDOWS\Fonts
2009-09-02 15:31:34 ----D---- C:\WINDOWS\system32\Macromed
2009-09-02 14:56:32 ----HD---- C:\$AVG8.VAULT$
2009-09-02 10:18:06 ----HD---- C:\WINDOWS\inf
2009-09-01 22:56:06 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-31 19:15:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 17:33:36 ----SD---- C:\WINDOWS\Tasks
2009-08-31 17:28:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-31 17:25:22 ----D---- C:\WINDOWS\WinSxS
2009-08-30 18:02:58 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-30 17:34:04 ----D---- C:\WINDOWS\system32\Restore
2009-08-29 13:53:10 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-08-26 16:34:53 ----A---- C:\WINDOWS\BRWMARK.INI
2009-08-26 16:34:53 ----A---- C:\WINDOWS\BRPP2KA.INI
2009-08-26 16:34:25 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-26 14:29:56 ----A---- C:\WINDOWS\imsins.BAK
2009-08-26 14:29:11 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-21 23:51:12 ----D---- C:\Documents and Settings\windows user\Application Data\Skype
2009-08-21 23:39:55 ----D---- C:\Documents and Settings\windows user\Application Data\skypePM
2009-08-20 14:32:51 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-08-19 16:26:54 ----SD---- C:\Documents and Settings\windows user\Application Data\Microsoft
2009-08-19 16:20:44 ----RSD---- C:\WINDOWS\assembly
2009-08-19 16:20:25 ----D---- C:\WINDOWS\system32\config
2009-08-19 16:20:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-19 16:19:48 ----D---- C:\Program Files\Microsoft Office
2009-08-19 16:19:29 ----D---- C:\WINDOWS\ShellNew
2009-08-19 16:18:28 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-15 23:49:57 ----A---- C:\WINDOWS\cdplayer.ini
2009-08-13 11:36:05 ----D---- C:\Program Files\Outlook Express
2009-08-13 11:33:07 ----D---- C:\WINDOWS\Debug
2009-08-05 10:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-29 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-29 27784]
R1 Filter;Filter; \??\C:\WINDOWS\system32\drivers\Filter.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-06-23 44384]
R3 3xHybrid;3xHybrid service; C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-01-28 974336]
R3 ActivHidSerMini;Promethean Serial Board Driver; C:\WINDOWS\system32\DRIVERS\activhidsermini.sys [2008-12-17 55424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-12 786944]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2003-07-16 221736]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 prmvmouse;Promethean HID Mouse Service; C:\WINDOWS\system32\DRIVERS\activmouse.sys [2008-12-17 4352]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2003-08-20 548952]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2003-07-02 39348]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 15263]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2003-07-02 1301128]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]
S3 nmwcdcj;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2007-02-22 12288]
S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2003-07-02 167384]
S3 P2k;Motorola USB Device; C:\WINDOWS\system32\DRIVERS\P2k.sys [2005-11-07 36480]
S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\OVCD.sys [2001-08-17 28032]
S3 RecAgent;recagent; \??\C:\WINDOWS\system32\DRIVERS\RecAgent.sys []
S3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-12-02 70912]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2003-07-02 86128]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 UacCtl2;Customer Control Driver; C:\WINDOWS\system32\DRIVERS\uacctl2.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 ZDCndis5;ZDCndis5 Protocol Driver; \??\C:\WINDOWS\system32\ZDCndis5.SYS []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-12 57344]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-11 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Iprip;RIP Listener; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2003-07-02 45056]
R2 SMART Board Service;SMART Board Service; C:\Program Files\SMART Board Software\SMARTBoardService.exe [2006-09-18 978944]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-14 33280]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk); C:\Program Files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk); C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
R2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-08-07 92008]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-06-15 300544]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-08-12 516096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-14 8704]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-08-02 382320]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-03 38912]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 08:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4CA0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\WINDOWS\system32\braviax.exe
PID: 3428 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf767e87e

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf70a81a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf767ebfe

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3380) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1220) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3628) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3712) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3788) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2664) Address: 0x01000000 Size: 20480

==EOF==

Attached Files
  • log.txt (39.82KB)
  • ark.txt (3.35KB)
Edited by walty666, 03 September 2009 - 08:35 AM.
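A small triage script for the RSIT driver list and the RootRepeal report posted above, added here as an example (it is not part of RSIT, RootRepeal, ComboFix or this thread). It flags drivers whose file RSIT could not read (the empty `[]` entries such as Filter.sys and uacctl2.sys), processes RootRepeal reports as hidden from the Windows API (braviax.exe), and SSDT hooks by any module other than Lbd.sys (Ad-Aware's driver, assumed benign here); the sample text is a shortened copy of the posted logs and the severity rules are the example's own.

```python
"""Triage the RSIT driver list and RootRepeal report from the logs above.

Added example, not part of RSIT, RootRepeal, ComboFix or this thread. Sample text is
shortened from the posted logs; severity rules and KNOWN_HOOKERS are this example's own.
"""
import re
from collections import namedtuple

# RSIT driver line: "R1 Name;Description; C:\path\file.sys [YYYY-MM-DD size]".
# An empty [] means RSIT could not read the file's date and size.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"\s*(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# RootRepeal section headers and the two-line records inside them.
SECTIONS = {"Drivers", "Hidden/Locked Files", "Processes", "SSDT", "Stealth Objects"}
PROC_PATH_RE = re.compile(r"^Path:\s*(?P<path>.+?)$")
PROC_PID_RE = re.compile(r"^PID:\s*(?P<pid>\d+)\s+Status:\s*(?P<status>.+)$")
SSDT_FN_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(?P<fn>\w+)")
SSDT_HOOK_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')

# SSDT hooks expected on this machine: Lbd.sys is Lavasoft Ad-Aware's driver (see
# Files Created in the ComboFix log). Any other module hooking the SSDT is reported.
KNOWN_HOOKERS = {"lbd.sys"}

Finding = namedtuple("Finding", "severity source detail")  # severity: "high" or "medium"


def triage_rsit_drivers(text):
    """Flag drivers whose file RSIT could not stat (empty [] metadata)."""
    findings = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m or m["meta"].strip():
            continue  # not a driver line, or date and size are present
        running = m["state"] == "R"
        findings.append(Finding(
            "high" if running else "medium", "rsit",
            f"driver {m['name']} ({m['path']}) has no file date/size and is "
            f"{'running' if running else 'stopped'}: verify the file exists and is signed"))
    return findings


def triage_rootrepeal(text):
    """Report processes hidden from the Windows API and unexpected SSDT hooks."""
    findings = []
    section = pending = None  # pending: first line of a two-line record
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, pending = line, None
        elif section == "Processes":
            if m := PROC_PATH_RE.match(line):
                pending = m["path"]
            elif (m := PROC_PID_RE.match(line)) and pending:
                if "hidden" in m["status"].lower():
                    findings.append(Finding("high", "rootrepeal",
                        f"process {pending} (PID {m['pid']}) is hidden from the Windows API"))
                pending = None
        elif section == "SSDT":
            if m := SSDT_FN_RE.match(line):
                pending = m["fn"]
            elif (m := SSDT_HOOK_RE.match(line)) and pending:
                module = m["module"].rsplit("\\", 1)[-1].lower()  # basename of the hooker
                if module not in KNOWN_HOOKERS:
                    findings.append(Finding("high", "rootrepeal",
                        f"{pending} hooked by {m['module']} at {m['addr']}"))
                pending = None
    return findings


# Shortened copies of the logs posted above (sample input).
RSIT_SAMPLE = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-29 335240]
R1 Filter;Filter; \??\C:\WINDOWS\system32\drivers\Filter.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S3 UacCtl2;Customer Control Driver; C:\WINDOWS\system32\DRIVERS\uacctl2.sys []
"""
ROOTREPEAL_SAMPLE = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\WINDOWS\system32\braviax.exe
PID: 3428 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf767e87e

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf70a81a0
"""

if __name__ == "__main__":
    for f in triage_rsit_drivers(RSIT_SAMPLE) + triage_rootrepeal(ROOTREPEAL_SAMPLE):
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

The locked hiberfil.sys entry is deliberately left unflagged: it lives in the Hidden/Locked Files section, not Processes, and a locked hibernation file is normal.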



#2 Buckeye_Sam (Malware Expert)

Posted 04 September 2009 - 12:01 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 walty666 (Topic Starter)

Posted 05 September 2009 - 10:45 AM

Hello Sam,
Thanks for the response. I downloaded ComboFix but it wouldn't run initially. I suspected that this might be due to the virus blocking it so I changed the .exe name to 'bob' and it then ran fine and rebooted my PC automatically. It got all the way through the process up until the last screen which says something like: 'This blue window will close shortly' and that a log would be created in c:/COMBOFIX.TXT.
Unfortunately, just before the Combofix window closed, my computer crashed and showed the blue error screen (see attached image). Seems to be having a problem with a system file called 'catchme.sys'?! On manual reboot the annoying pop-up warnings are still occurring and the red circle/white cross is still in the system tray. Now it's trying to automatically install 'Antispyware Pro 2010' instead of 'PC Antispyware 2010'. Unfortunately, the COMBOFIX.TXT log was not produced? It's also disabled my firewall again but this time I don't appear to have the rights to re-enable it - the on/off is greyed out and at the top it says 'For your security, some settings are controlled by Group policy'
Arggh!
Any thoughts?
Thanks again in advance...
Ross


#4 Buckeye_Sam (Malware Expert)

Posted 06 September 2009 - 09:19 AM

Please delete combofix.exe from your desktop. And let's try this again with one small difference.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#5 walty666 (Topic Starter)

Posted 07 September 2009 - 03:20 AM

OK. It worked properly that time. After ComboFix ran, the red circle/white cross disappeared, the pop-ups stopped and I was able to turn my Windows firewall back on, although my computer was still trying to download Antispyware Pro 2010 (even when it's unplugged from the modem router!) and my default internet browser had been changed. However, since manually rebooting, the red circle/cross is back, the pop-ups are reappearing and the firewall has been turned off again, and greyed-out so I can't turn it back on. It seems all the problems reappear on start up. Here's the Combofix log:

ComboFix 09-09-06.04 - windows user 07/09/2009 8:32.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.586 [GMT 1:00]
Running from: c:\documents and settings\windows user\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ecypowufe._sy
c:\documents and settings\All Users\Application Data\enasamyje.sys
c:\documents and settings\All Users\Application Data\ixocuzo.com
c:\documents and settings\All Users\Application Data\wyzytuwy._sy
c:\documents and settings\All Users\Application Data\zona._sy
c:\documents and settings\All Users\Documents\arese.ban
c:\documents and settings\All Users\Documents\axyg.exe
c:\documents and settings\All Users\Documents\izudop.vbs
c:\documents and settings\All Users\Documents\lodusefe.com
c:\documents and settings\All Users\Documents\ofuxon.ban
c:\documents and settings\All Users\Documents\rypyzun.com
c:\documents and settings\windows user\Application Data\ajiz._dl
c:\documents and settings\windows user\Application Data\kyjonom.inf
c:\documents and settings\windows user\Application Data\midyfiryci.lib
c:\documents and settings\windows user\Application Data\nifygulet.sys
c:\documents and settings\windows user\Application Data\nydywog.scr
c:\documents and settings\windows user\Application Data\wecumafir.vbs
c:\documents and settings\windows user\Cookies\babezucog.ban
c:\documents and settings\windows user\Cookies\icyxidynib.vbs
c:\documents and settings\windows user\Local Settings\Application Data\ficu.inf
c:\documents and settings\windows user\Local Settings\Application Data\gusuxidup.reg
c:\documents and settings\windows user\Local Settings\Application Data\okigoki.exe
c:\documents and settings\windows user\Local Settings\Application Data\ulojopoli.inf
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\anuf.bin
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\enokun._dl
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\fuly.bin
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\orade.dll
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\pydagow.dat
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\sijomym.exe
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\xuqesise.dll
c:\program files\Common Files\azuwyte._dl
c:\program files\Common Files\fisev.inf
c:\program files\Common Files\olijik.exe
c:\program files\Common Files\pabogabevo.pif
c:\program files\Common Files\pejer.reg
c:\program files\Common Files\rojowyv.exe
c:\program files\Common Files\tosorece.vbs
c:\program files\Common Files\weco.sys
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\dyhim.bat
c:\windows\roqucizezy.pif
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\sepexuq.exe
c:\windows\system32\uxox.dl
c:\windows\system32\wisdstr.exe
c:\windows\uximowy.sys
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ekojifales.bin
c:\documents and settings\All Users\Application Data\enyjew._dl
c:\documents and settings\All Users\Application Data\eruwomuzy.vbs
c:\documents and settings\All Users\Application Data\esaduwakyr.dl
c:\documents and settings\All Users\Application Data\izemavur.dl
c:\documents and settings\All Users\Application Data\jeletecipa.inf
c:\documents and settings\All Users\Application Data\lajohura.sys
c:\documents and settings\All Users\Application Data\lyxibyqolu.inf
c:\documents and settings\All Users\Application Data\qekifyhoki.ban
c:\documents and settings\All Users\Application Data\qunohe.ban
c:\documents and settings\All Users\Application Data\uhug.scr
c:\documents and settings\All Users\Application Data\vemasimik.lib
c:\documents and settings\All Users\Application Data\xeqigulih.sys
c:\documents and settings\All Users\Application Data\ynejoj.vbs
c:\documents and settings\All Users\Application Data\ywyf.exe
c:\documents and settings\windows user\Application Data\cabuluh.pif
c:\documents and settings\windows user\Application Data\cemyb.ban
c:\documents and settings\windows user\Application Data\esad.reg
c:\documents and settings\windows user\Application Data\gafuwo.bin
c:\documents and settings\windows user\Application Data\hopesezi.reg
c:\documents and settings\windows user\Application Data\iceca.dll
c:\documents and settings\windows user\Application Data\ijan.vbs
c:\documents and settings\windows user\Application Data\jetydur.lib
c:\documents and settings\windows user\Application Data\lodisymize.scr
c:\documents and settings\windows user\Application Data\murimyx.com
c:\documents and settings\windows user\Application Data\namyzytaf.pif
c:\documents and settings\windows user\Application Data\odam.bin
c:\documents and settings\windows user\Application Data\omefa.dll
c:\documents and settings\windows user\Application Data\orebadogy.pif
c:\documents and settings\windows user\Application Data\qecywobak.inf
c:\documents and settings\windows user\Application Data\sytavu._sy
c:\documents and settings\windows user\Application Data\unomedu._sy
c:\documents and settings\windows user\Application Data\uqejapece.com
c:\documents and settings\windows user\Application Data\vagy.com
c:\documents and settings\windows user\Application Data\wibu.lib
c:\documents and settings\windows user\Application Data\wulaxu.com
c:\documents and settings\windows user\Application Data\xowiri.bin
c:\documents and settings\windows user\Cookies\arehaj.dll
c:\documents and settings\windows user\Cookies\conudyc.dat
c:\documents and settings\windows user\Cookies\edoxahucy.dat
c:\documents and settings\windows user\Cookies\eriwevomyv.bin
c:\documents and settings\windows user\Cookies\gevazixow.dl
c:\documents and settings\windows user\Cookies\gijizabir.sys
c:\documents and settings\windows user\Cookies\lisybalefy.dll
c:\documents and settings\windows user\Cookies\qidozax.dll
c:\documents and settings\windows user\Cookies\quse.sys
c:\documents and settings\windows user\Cookies\xuwojoxij.dl
c:\documents and settings\windows user\Cookies\xylimezym.scr
c:\documents and settings\windows user\Cookies\ynahehugo.scr
c:\documents and settings\windows user\Cookies\zaqicyhuvy._dl
c:\documents and settings\windows user\Cookies\zecep.reg
c:\documents and settings\windows user\Cookies\ziluvu.dll
c:\documents and settings\windows user\Local Settings\Application Data\amyfac.sys
c:\documents and settings\windows user\Local Settings\Application Data\bula.bat
c:\documents and settings\windows user\Local Settings\Application Data\duneja.dll
c:\documents and settings\windows user\Local Settings\Application Data\duxi.vbs
c:\documents and settings\windows user\Local Settings\Application Data\dyqunecixu.dll
c:\documents and settings\windows user\Local Settings\Application Data\ijikav.sys
c:\documents and settings\windows user\Local Settings\Application Data\itipiry.bin
c:\documents and settings\windows user\Local Settings\Application Data\ixicovuc.sys
c:\documents and settings\windows user\Local Settings\Application Data\jozebocyl._dl
c:\documents and settings\windows user\Local Settings\Application Data\lemerum.com
c:\documents and settings\windows user\Local Settings\Application Data\mili.bin
c:\documents and settings\windows user\Local Settings\Application Data\moqovytat.bat
c:\documents and settings\windows user\Local Settings\Application Data\omimasim.bat
c:\documents and settings\windows user\Local Settings\Application Data\otyqebyxal.sys
c:\documents and settings\windows user\Local Settings\Application Data\papocufoz.scr
c:\documents and settings\windows user\Local Settings\Application Data\sogegeqo.dl
c:\documents and settings\windows user\Local Settings\Application Data\sypol.com
c:\documents and settings\windows user\Local Settings\Application Data\xidolux.exe
c:\documents and settings\windows user\Local Settings\Application Data\ybomovo.dll
c:\documents and settings\windows user\Local Settings\Application Data\ygykedagu.vbs
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ahiqoh.bin
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ajot.ban
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ariv.bin
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\atoharo.inf
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\bida.ban
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\cugom.ban
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\eculolu.dl
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ehicohog.dll
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\fopo._sy
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\mezuducos.dl
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ohysevy._dl
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\omojyk.db
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\qafuha.dat
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\sazu.inf
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\vocefyku.ban
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\wuzomiv.com
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ylyxulama.com
c:\documents and settings\windows user\sys32_nov.exe
c:\program files\Common Files\byde.pif
c:\program files\Common Files\canahore.dll
c:\program files\Common Files\carehy.scr
c:\program files\Common Files\dygomepywa.ban
c:\program files\Common Files\etyl.pif
c:\program files\Common Files\fazepur.vbs
c:\program files\Common Files\gecakuhino.com
c:\program files\Common Files\huwagup.reg
c:\program files\Common Files\inysop._dl
c:\program files\Common Files\ipise.inf
c:\program files\Common Files\ocepixyhej.sys
c:\program files\Common Files\olylaka.ban
c:\program files\Common Files\oryz.pif
c:\program files\Common Files\ozitu.bin
c:\program files\Common Files\qykaheve.pif
c:\program files\Common Files\uxoh.sys
c:\program files\Common Files\vone._dl
c:\program files\Common Files\wumatanade.dl
c:\program files\Common Files\ypypozepex.pif
c:\program files\Common Files\zysarija._dl
c:\windows\apemefu.bat
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\ebaqehaku.sys
c:\windows\enymu.sys
c:\windows\evyn._dl
c:\windows\haginexofu._dl
c:\windows\hihidu.reg
c:\windows\homivywove.dl
c:\windows\inijo._dl
c:\windows\irewolir.dll
c:\windows\isujile.vbs
c:\windows\iwovyze.vbs
c:\windows\izuvy.vbs
c:\windows\jygedur._dl
c:\windows\kb913800.exe
c:\windows\kukenepo.exe
c:\windows\kycan.dll
c:\windows\lagasiruw.ban
c:\windows\nogy.sys
c:\windows\owavu.bin
c:\windows\qerububiky.exe
c:\windows\qizo.scr
c:\windows\ruqocis.sys
c:\windows\sykyjilyku.vbs
c:\windows\system32\apewip.pif
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\cysekyf.ban
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\fygu.pif
c:\windows\system32\hotoza.vbs
c:\windows\system32\isyh.dl
c:\windows\system32\ital.inf
c:\windows\system32\jehiwami.pif
c:\windows\system32\kiqoqacyr.dll
c:\windows\system32\milotilef.bat
c:\windows\system32\ohodad.pif
c:\windows\system32\poceh.reg
c:\windows\system32\ufaf.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\yjebysyrol.bin
c:\windows\system32\ykena.ban
c:\windows\ucikoby.pif
c:\windows\ulapamusiw.dl
c:\windows\vyqebekyd.bat
c:\windows\xycipodofo.sys
c:\windows\ytymof.pif
c:\windows\yvuxo.dll
c:\windows\yvykubi.dl
c:\windows\zerepa.ban
c:\windows\zewesolaz.bin

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177170.sys

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180488.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_UacCtl2
-------\Legacy_UacFlt
-------\Service_Iprip
-------\Service_SfX
-------\Service_UacCtl2
-------\Service_UacFlt


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-05 14:57 . 2009-09-05 15:15 -------- d-s---w- C:\bob
2009-09-05 14:24 . 2004-08-10 14:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- C:\rsit
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- c:\program files\trend micro
2009-09-02 15:05 . 2009-09-02 15:05 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Downloaded Installations
2009-09-02 14:24 . 2009-09-07 07:29 94272 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-09-02 11:50 . 2009-09-02 11:50 11153 ----a-w- c:\windows\odyvafyn.com
2009-09-02 11:04 . 2009-09-02 11:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 10:49 . 2009-09-02 10:49 10542 ----a-w- c:\windows\ikiwyqi.com
2009-09-02 10:49 . 2009-09-02 10:49 10317 ----a-w- c:\windows\ywazuhehu.dat
2009-09-02 10:23 . 2009-09-02 10:23 14530 ----a-w- c:\windows\epory.com
2009-09-01 18:36 . 2009-09-01 18:36 -------- d-----w- c:\documents and settings\Polly\Local Settings\Application Data\SupportSoft
2009-09-01 18:35 . 2009-09-01 18:35 -------- d-sh--w- c:\documents and settings\Polly\IETldCache
2009-09-01 14:29 . 2009-09-01 14:29 10816 ----a-w- c:\windows\system32\lafysy.com
2009-09-01 14:29 . 2009-09-01 14:29 15840 ----a-w- c:\windows\hyhoqav.com
2009-09-01 14:29 . 2009-09-01 14:29 15035 ----a-w- c:\program files\Common Files\gideryb.dat
2009-09-01 14:29 . 2009-09-01 14:29 11008 ----a-w- c:\windows\system32\niwexuqawe.dat
2009-09-01 13:17 . 2009-09-01 13:17 10233 ----a-w- c:\windows\unyx.com
2009-09-01 12:44 . 2009-09-01 12:44 17377 ----a-w- c:\windows\system32\axezod.com
2009-09-01 12:44 . 2009-09-01 12:44 17190 ----a-w- c:\windows\ujicilanu.com
2009-09-01 12:44 . 2009-09-01 12:44 11720 ----a-w- c:\windows\udumut.com
2009-09-01 08:09 . 2009-09-01 08:09 19041 ----a-w- c:\windows\cygycali.dat
2009-09-01 08:08 . 2009-09-01 13:52 120 ----a-w- c:\windows\Qsetuk.dat
2009-09-01 08:07 . 2009-09-01 08:07 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\{004AEE05-713B-43C3-82FE-07E3773C1F0B}
2009-09-01 08:03 . 2009-09-01 08:03 29216 ----a-w- c:\windows\system32\sys32_nov.exe
2009-08-31 18:15 . 2009-08-31 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 16:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-31 16:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-31 16:26 . 2009-08-31 16:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 16:25 . 2009-08-31 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 16:25 . 2009-08-31 16:25 -------- d-----w- c:\program files\Lavasoft
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\windows user\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-09-01 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 12:40 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 17:08 . 2009-08-30 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-30 17:03 . 2009-09-01 08:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-30 17:03 . 2009-08-30 17:03 -------- d-----w- c:\documents and settings\windows user\Application Data\SUPERAntiSpyware.com
2009-08-30 15:06 . 2009-08-30 15:11 3600 ----a-w- c:\windows\ex1234.dat
2009-08-30 15:05 . 2009-08-30 15:05 37760 ----a-w- c:\windows\system32\drivers\Filter.sys
2009-08-26 15:34 . 2009-08-26 15:34 0 ----a-w- c:\program files\error.dat
2009-08-26 13:43 . 2009-08-26 13:43 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Scansoft
2009-08-26 13:34 . 2009-08-26 13:52 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-08-26 13:34 . 2006-07-07 11:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-08-26 13:34 . 2008-01-25 11:48 102400 ------w- c:\windows\system32\BrMfNt.dll
2009-08-26 13:34 . 2008-01-25 19:36 63488 ------w- c:\windows\system32\BrNetSti.dll
2009-08-26 13:34 . 2007-12-03 17:13 57856 ------w- c:\windows\system32\BrWiaNCp.dll
2009-08-26 13:34 . 2007-12-03 17:13 42496 ------w- c:\windows\system32\Brnsplg.dll
2009-08-26 13:34 . 2002-11-26 12:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2009-08-26 13:33 . 2008-01-25 14:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-08-26 13:33 . 2009-08-26 15:34 -------- d-----w- c:\program files\Brother
2009-08-26 13:31 . 2009-08-26 13:31 -------- d-----w- c:\program files\Nuance
2009-08-26 13:27 . 2009-08-26 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-08-22 13:11 . 2009-08-22 13:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-19 15:20 . 2009-08-19 15:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-19 15:18 . 2009-08-19 15:18 -------- d-----w- c:\program files\Microsoft.NET
2009-08-19 15:16 . 2009-08-19 15:16 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 15:15 -------- d--h--r- C:\MSOCache
2009-08-13 09:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 07:29 . 2009-07-06 14:06 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-06 16:13 . 2009-09-06 16:13 10935 ----a-w- c:\documents and settings\All Users\Application Data\rypuposi.dat
2009-09-05 14:38 . 2006-04-27 07:01 130184 ----a-w- c:\documents and settings\windows user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Common Files\Activ Software
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Activ Software
2009-09-02 15:56 . 2009-08-06 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Activ Software
2009-09-02 11:50 . 2009-09-02 11:50 17980 ----a-w- c:\program files\Common Files\wusyv._sy
2009-09-02 11:50 . 2009-09-02 11:50 15494 ----a-w- c:\program files\Common Files\guhovepa._sy
2009-09-02 10:49 . 2009-09-02 10:49 15682 ----a-w- c:\program files\Common Files\kesodupawa._sy
2009-09-02 10:49 . 2009-09-02 10:49 14949 ----a-w- c:\program files\Common Files\juwyvu.lib
2009-09-02 10:23 . 2009-09-02 10:23 15880 ----a-w- c:\documents and settings\All Users\Application Data\pacitema.dat
2009-09-02 10:23 . 2009-09-02 10:23 15719 ----a-w- c:\program files\Common Files\ipuxurek.lib
2009-09-01 14:29 . 2009-09-01 14:29 15805 ----a-w- c:\documents and settings\windows user\Application Data\ozati.dat
2009-09-01 14:29 . 2009-09-01 14:29 12453 ----a-w- c:\program files\Common Files\tuge._sy
2009-09-01 13:17 . 2009-09-01 13:17 10061 ----a-w- c:\program files\Common Files\yhawovuf.lib
2009-09-01 12:44 . 2009-09-01 12:44 12513 ----a-w- c:\program files\Common Files\etifoc._sy
2009-09-01 08:09 . 2009-09-01 08:09 12138 ----a-w- c:\program files\Common Files\baqakaf._sy
2009-08-31 18:15 . 2007-09-26 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 17:02 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 15:34 . 2001-12-31 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 22:51 . 2008-04-07 20:07 -------- d-----w- c:\documents and settings\windows user\Application Data\Skype
2009-08-21 22:39 . 2008-04-07 20:21 -------- d-----w- c:\documents and settings\windows user\Application Data\skypePM
2009-08-14 05:58 . 2009-09-02 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 09:39 . 2009-08-06 16:09 -------- d-----w- c:\documents and settings\windows user\Application Data\Promethean
2009-08-06 16:02 . 2009-08-06 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Promethean
2009-08-05 09:01 . 2004-09-10 14:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 20:07 . 2006-02-27 00:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 18:53 . 2008-02-17 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 08:50 . 2006-02-26 15:19 -------- d-----w- c:\program files\iTunes
2009-07-20 09:41 . 2009-07-06 09:57 -------- d-----w- c:\program files\Windows Live
2009-07-20 09:40 . 2009-07-20 09:40 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-20 09:06 . 2009-07-20 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-20 09:05 . 2006-02-15 17:52 -------- d-----w- c:\program files\iPod
2009-07-20 09:05 . 2007-06-30 17:57 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\Bonjour
2009-07-20 09:04 . 2009-07-20 09:03 -------- d-----w- c:\program files\QuickTime
2009-07-20 09:01 . 2006-10-07 10:32 -------- d-----w- c:\program files\Apple Software Update
2009-07-18 20:23 . 2009-07-18 20:23 -------- d-----w- c:\program files\TomTom HOME 2
2009-07-17 19:01 . 2004-09-10 14:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 09:38 . 2009-07-16 09:37 -------- d-----w- c:\program files\CCleaner
2009-07-13 09:08 . 2004-09-10 14:58 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:01 . 2009-07-11 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-12 09:00 . 2009-07-11 17:39 -------- d-----w- c:\program files\NOS
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\MSBuild
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-07-09 16:08 . 2009-07-09 16:08 -------- d-----w- c:\program files\Microsoft IntelliPoint 5.0
2009-07-07 14:22 . 2009-07-07 14:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-06 19:27 . 2009-07-06 19:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-07-03 17:09 . 2004-09-10 14:57 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 11:40 . 2009-06-28 11:40 128 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2009-07-06 14:04 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-07-06 14:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-07-06 14:04 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-09-10 14:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-10 14:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-10 14:57 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-07-06 14:04 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 12:58 . 2009-06-21 12:58 77320 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-09-10 14:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-09-10 14:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-09-10 14:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-09-10 14:57 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-09-10 14:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-09-10 15:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-07-06 14:04 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

------- Sigcheck -------

[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] c:\windows\system32\dllcache\beep.sys
[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-05_15.10.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 07:21 . 2009-09-07 07:21 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat
+ 2009-09-07 07:43 . 2009-09-07 07:43 16384 c:\windows\Temp\Perflib_Perfdata_2e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"sys32_nov"="c:\documents and settings\windows user\sys32_nov.exe" [BU]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"braviax"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ActivFilter"="c:\program files\Activ Software\Activdriver\ActivFilter.exe" [2002-11-07 23552]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-04-03 1040384]
"sys32_nov"="c:\windows\system32\sys32_nov.exe" [2009-09-01 29216]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [BU]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [BU]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"braviax"="" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-2 49254]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"8085:TCP"= 8085:TCP:ddnsfilter

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [31/08/2009 17:28 64160]
R1 Filter;Filter;c:\windows\system32\drivers\Filter.sys [30/08/2009 16:05 37760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/07/2009 10:41 55152]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [07/08/2009 15:31 92008]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2002 00:39 974336]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [17/12/2008 10:42 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [06/08/2009 17:00 4352]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2002-01-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Antivirus Pro 2010 - c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {{c23dd370-cb79-11d2-898a-00c04f80a47f} - c:\program files\Internet Explorer\Toolbar\toolbar.hta
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://doubleoverhead-porthcawl.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} - hxxp://support.packardbell.com/files/activex/InfosFinder2.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 08:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\braviax.exe 11264 bytes executable
c:\windows\system32\wisdstr.exe 182384 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\windows\system32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\program files\Activ Software\Activdriver\ActivMgr.exe
c:\program files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
c:\windows\system32\braviax.exe
.
**************************************************************************
.
Completion time: 2009-09-07 9:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 08:01

Pre-Run: 111,341,330,432 bytes free
Post-Run: 111,324,975,104 bytes free

607 --- E O F --- 2009-09-02 08:36



#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:09 PM

Posted 07 September 2009 - 12:49 PM

Try to keep your computer disconnected from the internet as much as possible while we weed out all these malware files.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, saving it to your desktop.

Rootkit::
c:\windows\system32\braviax.exe 
c:\windows\system32\wisdstr.exe

File::
c:\windows\system32\sys32_nov.exe
c:\documents and settings\windows user\sys32_nov.exe
c:\documents and settings\All Users\Application Data\pacitema.dat
c:\documents and settings\All Users\Application Data\rypuposi.dat
c:\documents and settings\windows user\Application Data\ozati.dat
c:\program files\Common Files\baqakaf._sy
c:\program files\Common Files\etifoc._sy
c:\program files\Common Files\gideryb.dat
c:\program files\Common Files\guhovepa._sy
c:\program files\Common Files\ipuxurek.lib
c:\program files\Common Files\juwyvu.lib
c:\program files\Common Files\kesodupawa._sy
c:\program files\Common Files\tuge._sy
c:\program files\Common Files\wusyv._sy
c:\program files\Common Files\yhawovuf.lib
c:\windows\cygycali.dat
c:\windows\epory.com
c:\windows\hyhoqav.com
c:\windows\ikiwyqi.com
c:\windows\odyvafyn.com
c:\windows\Qsetuk.dat
c:\windows\system32\axezod.com
c:\windows\system32\lafysy.com
c:\windows\system32\niwexuqawe.dat
c:\windows\udumut.com
c:\windows\ujicilanu.com
c:\windows\unyx.com
c:\windows\ywazuhehu.dat


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys32_nov"=-
"Regedit32"=-
"braviax"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys32_nov"=-
"braviax"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by Buckeye_Sam, 07 September 2009 - 12:50 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


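The 'Reg Loading Points' section of the ComboFix log above and the Registry:: block of the CFScript describe the same tampering: Security Center notifications and monitoring switched off, the Windows Firewall disabled, a stray 8085:TCP rule, and Run entries that carry no date/size stamp ([BU]) or an empty command. As an added example, not part of this thread and not ComboFix's own code, the Python below parses an excerpt constructed from that section and flags those conditions automatically; the known-good port allowlist is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of a ComboFix "Reg Loading Points" dump, using the value
# shapes seen on this page (path with [date size] stamp, "" [BU], dword, 0 (0x0),
# and port:proto:description firewall rules).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"sys32_nov"="c:\documents and settings\windows user\sys32_nov.exe" [BU]
"braviax"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys32_nov"="c:\windows\system32\sys32_nov.exe" [2009-09-01 29216]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]
"braviax"="" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"8085:TCP"= 8085:TCP:ddnsfilter
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<raw>.*)$')
RUN_RE = re.compile(r'^"(?P<path>[^"]*)"\s*(?:\[(?P<stamp>[^\]]*)\])?')
# Security Center values a rogue sets to 1 to silence the "no antivirus / firewall off" balloons.
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                         "UpdatesDisableNotify", "DisableMonitoring"}
# Analyst allowlist of firewall rule descriptions; an assumption for this example.
KNOWN_GOOD_PORTS = frozenset({"Windows Peer-to-Peer Grouping",
                              "Peer Name Resolution Protocol (PNRP)"})

def parse_reg_section(text):
    """Return {key: [(value_name, raw_value), ...]} in log order."""
    entries, key = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key].append((m.group("name"), m.group("raw")))
    return entries

def dword_is_set(raw):
    """True for a non-zero dword:XXXXXXXX or '<dec> (0x..)' value."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16) != 0
    m = re.match(r"^(\d+)", raw)
    return bool(m) and int(m.group(1)) != 0

def analyse(entries, known_ports=KNOWN_GOOD_PORTS):
    """Return [(severity, message)] for the tampering patterns described above."""
    findings = []
    run_targets = defaultdict(dict)  # value name -> {hive: command path}
    for key, values in entries.items():
        k = key.lower()
        if "security center" in k:
            for name, raw in values:
                if name in SECURITY_CENTER_FLAGS and dword_is_set(raw):
                    findings.append(("high", f"Security Center tampered: {name}=1 under [{key}]"))
        elif k.endswith("firewallpolicy\\standardprofile"):
            for name, raw in values:
                if name == "EnableFirewall" and not dword_is_set(raw):
                    findings.append(("high", "Windows Firewall disabled (EnableFirewall=0)"))
        elif k.endswith("globallyopenports\\list"):
            for name, raw in values:
                desc = raw.split(":", 2)[-1].strip()
                if desc not in known_ports:
                    findings.append(("review", f"Globally open port {name} ({desc}) not in known-good list"))
        elif k.endswith("\\currentversion\\run"):
            hive = key.split("\\", 1)[0]
            for name, raw in values:
                m = RUN_RE.match(raw)
                path, stamp = (m.group("path"), m.group("stamp")) if m else (raw, None)
                run_targets[name][hive] = path
                if not path:
                    findings.append(("high", f"{hive} Run entry '{name}' has an empty command"))
                elif stamp == "BU":
                    findings.append(("medium", f"{hive} Run entry '{name}' -> {path} carries no date/size stamp ([BU])"))
    # The same autorun name in two hives pointing at two different binaries.
    for name, by_hive in run_targets.items():
        paths = {p for p in by_hive.values() if p}
        if len(by_hive) > 1 and len(paths) > 1:
            findings.append(("medium", f"Run entry '{name}' in {sorted(by_hive)} points at different files: {sorted(paths)}"))
    return findings

def triage(text=SAMPLE_LOG):
    return analyse(parse_reg_section(text))

if __name__ == "__main__":
    print(*triage(), sep="\n")
```

Running it against a real log means pasting the REGEDIT4 block (from `REGEDIT4` up to the first `R0`/`R1` service line) into `triage()`; anything not in the allowlist or carrying `[BU]` is a lead for the helper, not a verdict.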
========================================================

#7 walty666

walty666
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 08 September 2009 - 01:22 AM

Hi Sam,
Please see ComboFix and MBAM logs below. Since running them I'm not experiencing any pop-ups at the moment and I've regained control of my firewall...

ComboFix 09-09-06.04 - windows user 07/09/2009 21:59.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.586 [GMT 1:00]
Running from: c:\documents and settings\windows user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\windows user\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\pacitema.dat"
"c:\documents and settings\All Users\Application Data\rypuposi.dat"
"c:\documents and settings\windows user\Application Data\ozati.dat"
"c:\documents and settings\windows user\sys32_nov.exe"
"c:\program files\Common Files\baqakaf._sy"
"c:\program files\Common Files\etifoc._sy"
"c:\program files\Common Files\gideryb.dat"
"c:\program files\Common Files\guhovepa._sy"
"c:\program files\Common Files\ipuxurek.lib"
"c:\program files\Common Files\juwyvu.lib"
"c:\program files\Common Files\kesodupawa._sy"
"c:\program files\Common Files\tuge._sy"
"c:\program files\Common Files\wusyv._sy"
"c:\program files\Common Files\yhawovuf.lib"
"c:\windows\cygycali.dat"
"c:\windows\epory.com"
"c:\windows\hyhoqav.com"
"c:\windows\ikiwyqi.com"
"c:\windows\odyvafyn.com"
"c:\windows\Qsetuk.dat"
"c:\windows\system32\axezod.com"
"c:\windows\system32\lafysy.com"
"c:\windows\system32\niwexuqawe.dat"
"c:\windows\system32\sys32_nov.exe"
"c:\windows\udumut.com"
"c:\windows\ujicilanu.com"
"c:\windows\unyx.com"
"c:\windows\ywazuhehu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\lerajoz.sys
c:\documents and settings\All Users\Application Data\pacitema.dat
c:\documents and settings\All Users\Application Data\rypuposi.dat
c:\documents and settings\All Users\Application Data\yragusyne.dll
c:\documents and settings\windows user\Application Data\eman.dl
c:\documents and settings\windows user\Application Data\erofag.inf
c:\documents and settings\windows user\Application Data\ozati.dat
c:\documents and settings\windows user\Application Data\ryze.exe
c:\documents and settings\windows user\Application Data\uxohatan.ban
c:\documents and settings\windows user\Cookies\qafis.reg
c:\documents and settings\windows user\Local Settings\Application Data\agul.ban
c:\documents and settings\windows user\Local Settings\Application Data\ezuzovine.exe
c:\documents and settings\windows user\Local Settings\Application Data\fepel.exe
c:\documents and settings\windows user\Local Settings\Application Data\nepa.dl
c:\documents and settings\windows user\Local Settings\Application Data\ominezoqeh.dl
c:\documents and settings\windows user\Local Settings\Application Data\onoxupife.com
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\odasuz._dl
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\ujyq.dll
c:\documents and settings\windows user\Local Settings\Temporary Internet Files\xymug.bin
c:\program files\Common Files\baqakaf._sy
c:\program files\Common Files\emuza.reg
c:\program files\Common Files\etifoc._sy
c:\program files\Common Files\gideryb.dat
c:\program files\Common Files\guhovepa._sy
c:\program files\Common Files\ipuxurek.lib
c:\program files\Common Files\juwyvu.lib
c:\program files\Common Files\kesodupawa._sy
c:\program files\Common Files\oqop.bat
c:\program files\Common Files\sosoleh.reg
c:\program files\Common Files\tuge._sy
c:\program files\Common Files\vuketemuf.sys
c:\program files\Common Files\wusyv._sy
c:\program files\Common Files\yhawovuf.lib
c:\windows\ahegixamoz.bin
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\cygycali.dat
c:\windows\edovefa.exe
c:\windows\epory.com
c:\windows\hyhoqav.com
c:\windows\ifavyjejac.scr
c:\windows\ikiwyqi.com
c:\windows\nofo._dl
c:\windows\odyvafyn.com
c:\windows\Qsetuk.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\axezod.com
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\lafysy.com
c:\windows\system32\niwexuqawe.dat
c:\windows\system32\sys32_nov.exe
c:\windows\system32\wisdstr.exe
c:\windows\udumut.com
c:\windows\ujicilanu.com
c:\windows\unyx.com
c:\windows\ywazuhehu.dat

c:\windows\system32\drivers\beep.sys . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180497.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 17:02 . 2009-09-07 17:02 17571 ----a-w- c:\windows\system32\cyhaxopavo.com
2009-09-07 17:02 . 2009-09-07 17:02 12906 ----a-w- c:\windows\ceke.com
2009-09-05 14:57 . 2009-09-05 15:15 -------- d-s---w- C:\bob
2009-09-05 14:24 . 2009-09-07 21:06 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- C:\rsit
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- c:\program files\trend micro
2009-09-02 15:05 . 2009-09-02 15:05 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Downloaded Installations
2009-09-02 14:24 . 2009-09-07 20:47 94272 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-09-02 11:04 . 2009-09-02 11:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 18:36 . 2009-09-01 18:36 -------- d-----w- c:\documents and settings\Polly\Local Settings\Application Data\SupportSoft
2009-09-01 18:35 . 2009-09-01 18:35 -------- d-sh--w- c:\documents and settings\Polly\IETldCache
2009-09-01 08:07 . 2009-09-01 08:07 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\{004AEE05-713B-43C3-82FE-07E3773C1F0B}
2009-08-31 18:15 . 2009-08-31 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 16:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-31 16:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-31 16:26 . 2009-08-31 16:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 16:25 . 2009-08-31 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 16:25 . 2009-08-31 16:25 -------- d-----w- c:\program files\Lavasoft
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\windows user\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-09-01 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 12:40 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 17:08 . 2009-08-30 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-30 17:03 . 2009-09-01 08:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-30 17:03 . 2009-08-30 17:03 -------- d-----w- c:\documents and settings\windows user\Application Data\SUPERAntiSpyware.com
2009-08-30 15:06 . 2009-08-30 15:11 3600 ----a-w- c:\windows\ex1234.dat
2009-08-30 15:05 . 2009-08-30 15:05 37760 ----a-w- c:\windows\system32\drivers\Filter.sys
2009-08-26 15:34 . 2009-08-26 15:34 0 ----a-w- c:\program files\error.dat
2009-08-26 13:43 . 2009-08-26 13:43 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Scansoft
2009-08-26 13:34 . 2009-08-26 13:52 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-08-26 13:34 . 2006-07-07 11:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-08-26 13:34 . 2008-01-25 11:48 102400 ------w- c:\windows\system32\BrMfNt.dll
2009-08-26 13:34 . 2008-01-25 19:36 63488 ------w- c:\windows\system32\BrNetSti.dll
2009-08-26 13:34 . 2007-12-03 17:13 57856 ------w- c:\windows\system32\BrWiaNCp.dll
2009-08-26 13:34 . 2007-12-03 17:13 42496 ------w- c:\windows\system32\Brnsplg.dll
2009-08-26 13:34 . 2002-11-26 12:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2009-08-26 13:33 . 2008-01-25 14:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-08-26 13:33 . 2009-08-26 15:34 -------- d-----w- c:\program files\Brother
2009-08-26 13:31 . 2009-08-26 13:31 -------- d-----w- c:\program files\Nuance
2009-08-26 13:27 . 2009-08-26 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-08-22 13:11 . 2009-08-22 13:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-19 15:20 . 2009-08-19 15:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-19 15:18 . 2009-08-19 15:18 -------- d-----w- c:\program files\Microsoft.NET
2009-08-19 15:16 . 2009-08-19 15:16 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 15:15 -------- d--h--r- C:\MSOCache
2009-08-13 09:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 20:47 . 2009-07-06 14:06 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-05 14:38 . 2006-04-27 07:01 130184 ----a-w- c:\documents and settings\windows user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Common Files\Activ Software
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Activ Software
2009-09-02 15:56 . 2009-08-06 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Activ Software
2009-08-31 18:15 . 2007-09-26 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 17:02 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 15:34 . 2001-12-31 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 22:51 . 2008-04-07 20:07 -------- d-----w- c:\documents and settings\windows user\Application Data\Skype
2009-08-21 22:39 . 2008-04-07 20:21 -------- d-----w- c:\documents and settings\windows user\Application Data\skypePM
2009-08-14 05:58 . 2009-09-02 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 09:39 . 2009-08-06 16:09 -------- d-----w- c:\documents and settings\windows user\Application Data\Promethean
2009-08-06 16:02 . 2009-08-06 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Promethean
2009-08-05 09:01 . 2004-09-10 14:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 20:07 . 2006-02-27 00:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 18:53 . 2008-02-17 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 08:50 . 2006-02-26 15:19 -------- d-----w- c:\program files\iTunes
2009-07-20 09:41 . 2009-07-06 09:57 -------- d-----w- c:\program files\Windows Live
2009-07-20 09:40 . 2009-07-20 09:40 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-20 09:06 . 2009-07-20 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-20 09:05 . 2006-02-15 17:52 -------- d-----w- c:\program files\iPod
2009-07-20 09:05 . 2007-06-30 17:57 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\Bonjour
2009-07-20 09:04 . 2009-07-20 09:03 -------- d-----w- c:\program files\QuickTime
2009-07-20 09:01 . 2006-10-07 10:32 -------- d-----w- c:\program files\Apple Software Update
2009-07-18 20:23 . 2009-07-18 20:23 -------- d-----w- c:\program files\TomTom HOME 2
2009-07-17 19:01 . 2004-09-10 14:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 09:38 . 2009-07-16 09:37 -------- d-----w- c:\program files\CCleaner
2009-07-13 09:08 . 2004-09-10 14:58 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:01 . 2009-07-11 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-12 09:00 . 2009-07-11 17:39 -------- d-----w- c:\program files\NOS
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\MSBuild
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-07-07 14:22 . 2009-07-07 14:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-06 19:27 . 2009-07-06 19:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-07-03 17:09 . 2004-09-10 14:57 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 11:40 . 2009-06-28 11:40 128 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2009-07-06 14:04 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-07-06 14:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-07-06 14:04 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-09-10 14:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-10 14:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-10 14:57 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-07-06 14:04 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 12:58 . 2009-06-21 12:58 77320 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-09-10 14:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-09-10 14:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-09-10 14:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-09-10 14:57 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-09-10 14:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-09-10 15:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-07-06 14:04 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

------- Sigcheck -------

[-] A058EBADF778FC582FC278BF333870B4 [------] c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-05_15.10.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 21:09 . 2009-09-07 21:09 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat
+ 2009-09-07 20:42 . 2009-09-07 20:42 16384 c:\windows\Temp\Perflib_Perfdata_30c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ActivFilter"="c:\program files\Activ Software\Activdriver\ActivFilter.exe" [2002-11-07 23552]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-04-03 1040384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [BU]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [BU]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-2 49254]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [31/08/2009 17:28 64160]
R1 Filter;Filter;c:\windows\system32\drivers\Filter.sys [30/08/2009 16:05 37760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/07/2009 10:41 55152]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [07/08/2009 15:31 92008]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2002 00:39 974336]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [17/12/2008 10:42 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [06/08/2009 17:00 4352]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2002-01-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {{c23dd370-cb79-11d2-898a-00c04f80a47f} - c:\program files\Internet Explorer\Toolbar\toolbar.hta
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://doubleoverhead-porthcawl.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} - hxxp://support.packardbell.com/files/activex/InfosFinder2.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 22:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3564)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\windows\system32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Activ Software\Activdriver\ActivMgr.exe
c:\program files\Common Files\SMART Technologies Inc\SMART Product Update\SmartProductUpdate.exe
.
**************************************************************************
.
Completion time: 2009-09-07 22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 21:15
ComboFix2.txt 2009-09-07 08:01

Pre-Run: 111,318,675,456 bytes free
Post-Run: 111,290,064,896 bytes free

408 --- E O F --- 2009-09-02 08:36


Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

08/09/2009 03:20:00
mbam-log-2009-09-08 (03-20-00).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 194078
Time elapsed: 43 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 77

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\figaro.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP739\A0168543.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0170611.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0172635.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0172640.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0172642.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0168601.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP740\A0170612.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP742\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP742\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP742\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP743\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP743\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP743\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP746\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP746\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP746\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP747\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP747\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP747\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP748\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP748\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP748\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP749\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP749\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP749\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\A0175008.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\A0175019.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\A0175025.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\snapshot\MFEX-3.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177041.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177148.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177166.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177167.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177168.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177169.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP751\A0177205.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180323.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180335.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180336.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180340.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180351.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180353.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180358.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180384.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180385.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180386.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180390.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180402.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180403.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\snapshot\MFEX-2.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180410.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180423.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180427.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180439.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180484.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180486.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180422.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180440.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180655.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180644.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180656.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180666.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180678.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180679.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180686.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180698.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180699.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\A0180748.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
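The MBAM log above lists dozens of hits, but nearly all of them are copies inside System Restore points (inert unless a restore is performed); the one live file is the counterfeit beep.sys in system32\drivers, which is exactly the file the helper later has to put back. The following is an added example, not code from this thread or from Malwarebytes: it parses lines in the "path (Category) -> action" shape MBAM writes and separates restore-point echoes from live infections. The rule that a live hit under \windows\system32\ means a genuine system file was replaced and needs restoring is my own heuristic, and the sample log is a constructed subset of the lines above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five lines copied from the MBAM log above
# (four inside System Restore points, one live driver). Not a full log.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\A0175008.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP750\A0175019.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP753\A0180386.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP754\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
"""

# "<path> (<category>) -> <action>." as MBAM 1.x writes it; the action can
# also read "No action taken" when the user has not yet removed the item.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
# Copies under a restore point only become live again if that point is restored.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE)
# Heuristic (my assumption, not an MBAM rule): a live hit under the Windows
# system directory usually means a genuine file was replaced, so after removal
# the real file has to be restored (from dllcache or install media).
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    category: str
    action: str
    in_restore_point: bool


def parse_mbam_log(text):
    """Parse detection lines; headers, blank lines and summary lines are skipped."""
    dets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        dets.append(Detection(path, m.group("category"), m.group("action"),
                              bool(RESTORE_RE.search(path))))
    return dets


def triage(dets):
    """Summarise: how many hits are restore-point echoes, which are live, what to restore."""
    live = [d for d in dets if not d.in_restore_point]
    return {
        "total": len(dets),
        "restore_point_count": sum(d.in_restore_point for d in dets),
        "live": [(d.path, d.category) for d in live],
        "by_category": Counter(d.category for d in dets),
        "needs_restore": [d.path for d in live if SYSTEM_DIR_RE.search(d.path)],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} detections, {report['restore_point_count']} in restore points")
    for path, cat in report["live"]:
        print("LIVE:", cat, path)
    for path in report["needs_restore"]:
        print("restore genuine copy of:", path)
```

Run against a full mbam-log-*.txt the same way; the point is that a long list of restore-point hits is not evidence of an active infection, while a single live hit on a file that carries a legitimate system name (beep.sys here) is the one that needs follow-up.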


#8 Buckeye_Sam (Malware Expert)

Posted 08 September 2009 - 10:36 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
c:\windows\system32\cyhaxopavo.com
c:\windows\ceke.com

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Pro 2010"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 walty666 (Topic Starter)

Posted 08 September 2009 - 12:55 PM

Hello Sam,
Please see ComboFix log below. Still no annoying pop-ups and my firewall is staying on. What have you discovered from these logs?
Cheers
Ross

-------------

ComboFix 09-09-06.04 - windows user 08/09/2009 18:39.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.588 [GMT 1:00]
Running from: c:\documents and settings\windows user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\windows user\Desktop\CFScript.txt

FILE ::
"c:\windows\ceke.com"
"c:\windows\system32\cyhaxopavo.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ceke.com
c:\windows\system32\cyhaxopavo.com

.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-05 14:57 . 2009-09-05 15:15 -------- d-s---w- C:\bob
2009-09-05 14:24 . 2004-08-10 14:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- C:\rsit
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- c:\program files\trend micro
2009-09-02 15:05 . 2009-09-02 15:05 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Downloaded Installations
2009-09-02 14:24 . 2009-09-07 20:47 94272 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-09-02 11:04 . 2009-09-02 11:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 18:36 . 2009-09-01 18:36 -------- d-----w- c:\documents and settings\Polly\Local Settings\Application Data\SupportSoft
2009-09-01 18:35 . 2009-09-01 18:35 -------- d-sh--w- c:\documents and settings\Polly\IETldCache
2009-09-01 08:07 . 2009-09-01 08:07 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\{004AEE05-713B-43C3-82FE-07E3773C1F0B}
2009-08-31 18:15 . 2009-08-31 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 16:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-31 16:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-31 16:26 . 2009-08-31 16:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 16:25 . 2009-08-31 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 16:25 . 2009-08-31 16:25 -------- d-----w- c:\program files\Lavasoft
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\windows user\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-09-01 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 12:40 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 17:08 . 2009-08-30 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-30 17:03 . 2009-09-01 08:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-30 17:03 . 2009-08-30 17:03 -------- d-----w- c:\documents and settings\windows user\Application Data\SUPERAntiSpyware.com
2009-08-30 15:06 . 2009-08-30 15:11 3600 ----a-w- c:\windows\ex1234.dat
2009-08-30 15:05 . 2009-08-30 15:05 37760 ----a-w- c:\windows\system32\drivers\Filter.sys
2009-08-26 15:34 . 2009-08-26 15:34 0 ----a-w- c:\program files\error.dat
2009-08-26 13:43 . 2009-08-26 13:43 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Scansoft
2009-08-26 13:34 . 2009-08-26 13:52 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-08-26 13:34 . 2006-07-07 11:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-08-26 13:34 . 2008-01-25 11:48 102400 ------w- c:\windows\system32\BrMfNt.dll
2009-08-26 13:34 . 2008-01-25 19:36 63488 ------w- c:\windows\system32\BrNetSti.dll
2009-08-26 13:34 . 2007-12-03 17:13 57856 ------w- c:\windows\system32\BrWiaNCp.dll
2009-08-26 13:34 . 2007-12-03 17:13 42496 ------w- c:\windows\system32\Brnsplg.dll
2009-08-26 13:34 . 2002-11-26 12:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2009-08-26 13:33 . 2008-01-25 14:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-08-26 13:33 . 2009-08-26 15:34 -------- d-----w- c:\program files\Brother
2009-08-26 13:31 . 2009-08-26 13:31 -------- d-----w- c:\program files\Nuance
2009-08-26 13:27 . 2009-08-26 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-08-22 13:11 . 2009-08-22 13:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-19 15:20 . 2009-08-19 15:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-19 15:18 . 2009-08-19 15:18 -------- d-----w- c:\program files\Microsoft.NET
2009-08-19 15:16 . 2009-08-19 15:16 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 15:15 -------- d--h--r- C:\MSOCache
2009-08-13 09:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 20:47 . 2009-07-06 14:06 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-05 14:38 . 2006-04-27 07:01 130184 ----a-w- c:\documents and settings\windows user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Common Files\Activ Software
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Activ Software
2009-09-02 15:56 . 2009-08-06 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Activ Software
2009-08-31 18:15 . 2007-09-26 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 17:02 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 15:34 . 2001-12-31 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 22:51 . 2008-04-07 20:07 -------- d-----w- c:\documents and settings\windows user\Application Data\Skype
2009-08-21 22:39 . 2008-04-07 20:21 -------- d-----w- c:\documents and settings\windows user\Application Data\skypePM
2009-08-14 05:58 . 2009-09-02 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 09:39 . 2009-08-06 16:09 -------- d-----w- c:\documents and settings\windows user\Application Data\Promethean
2009-08-06 16:02 . 2009-08-06 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Promethean
2009-08-05 09:01 . 2004-09-10 14:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 20:07 . 2006-02-27 00:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 18:53 . 2008-02-17 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 08:50 . 2006-02-26 15:19 -------- d-----w- c:\program files\iTunes
2009-07-20 09:41 . 2009-07-06 09:57 -------- d-----w- c:\program files\Windows Live
2009-07-20 09:40 . 2009-07-20 09:40 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-20 09:06 . 2009-07-20 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-20 09:05 . 2006-02-15 17:52 -------- d-----w- c:\program files\iPod
2009-07-20 09:05 . 2007-06-30 17:57 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\Bonjour
2009-07-20 09:04 . 2009-07-20 09:03 -------- d-----w- c:\program files\QuickTime
2009-07-20 09:01 . 2006-10-07 10:32 -------- d-----w- c:\program files\Apple Software Update
2009-07-18 20:23 . 2009-07-18 20:23 -------- d-----w- c:\program files\TomTom HOME 2
2009-07-17 19:01 . 2004-09-10 14:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 09:38 . 2009-07-16 09:37 -------- d-----w- c:\program files\CCleaner
2009-07-13 09:08 . 2004-09-10 14:58 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:01 . 2009-07-11 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-12 09:00 . 2009-07-11 17:39 -------- d-----w- c:\program files\NOS
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\MSBuild
2009-07-10 17:48 . 2009-07-10 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-07-07 14:22 . 2009-07-07 14:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-06 19:27 . 2009-07-06 19:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-07-03 17:09 . 2004-09-10 14:57 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 11:40 . 2009-06-28 11:40 128 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2009-07-06 14:04 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-07-06 14:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-07-06 14:04 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-09-10 14:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-10 14:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-10 14:57 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-07-06 14:04 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 12:58 . 2009-06-21 12:58 77320 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-09-10 14:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-09-10 14:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-09-10 14:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-09-10 14:57 76288 ----a-w- c:\windows\system32\telnet.exe
.

------- Sigcheck -------

[7] DA1F27D85E0D1525F6621372E7B685E9 [5.1.2600.0 (XPClient.010817-1148)] c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-05_15.10.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 17:33 . 2009-09-08 17:33 16384 c:\windows\Temp\Perflib_Perfdata_2f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ActivFilter"="c:\program files\Activ Software\Activdriver\ActivFilter.exe" [2002-11-07 23552]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-04-03 1040384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [BU]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [BU]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-2 49254]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [31/08/2009 17:28 64160]
R1 Filter;Filter;c:\windows\system32\drivers\Filter.sys [30/08/2009 16:05 37760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/07/2009 10:41 55152]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [07/08/2009 15:31 92008]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2002 00:39 974336]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [17/12/2008 10:42 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [06/08/2009 17:00 4352]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2002-01-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {{c23dd370-cb79-11d2-898a-00c04f80a47f} - c:\program files\Internet Explorer\Toolbar\toolbar.hta
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://doubleoverhead-porthcawl.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} - hxxp://support.packardbell.com/files/activex/InfosFinder2.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-08 18:48
ComboFix-quarantined-files.txt 2009-09-08 17:48
ComboFix2.txt 2009-09-07 21:15
ComboFix3.txt 2009-09-07 08:01

Pre-Run: 111,324,336,128 bytes free
Post-Run: 111,276,306,432 bytes free

282 --- E O F --- 2009-09-02 08:36


#10 Buckeye_Sam (Malware Expert)

Posted 08 September 2009 - 02:08 PM

It's looking pretty good to me as far as malware goes. We do need to restore a file that was infected.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

FCopy::
c:\windows\system32\dllcache\beep.sys | c:\windows\system32\drivers\beep.sys

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
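The Sigcheck section of the ComboFix log in post #9 reports the dllcache copy of beep.sys with its MD5 and version and flags drivers\beep.sys as missing (MBAM had quarantined the counterfeit), which is why Sam's FCopy:: script copies the cached file back into place. As an added example, not ComboFix's code or the helper's, the Python below parses those two Sigcheck line shapes, pairs a missing file with a same-named dllcache copy, renders the matching FCopy:: line, and shows how to verify a restored file afterwards by hashing it against both the cache copy and the reference MD5. The line formats are assumed from the two lines shown above; the verification step runs on constructed stand-in bytes in a temporary directory, not on the real driver.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample: the Sigcheck lines from the ComboFix log in post #9.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] DA1F27D85E0D1525F6621372E7B685E9 [5.1.2600.0 (XPClient.010817-1148)] c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
"""

# Line shapes assumed from the two lines shown; ComboFix's full format is not documented here.
KNOWN_RE = re.compile(r"^\[\d+\] (?P<md5>[0-9A-Fa-f]{32}) \[(?P<version>[^\]]+)\] (?P<path>.+)$")
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")


def basename_win(path):
    """Last component of a Windows path (os.path.basename only splits on '/' on POSIX)."""
    return path.rsplit("\\", 1)[-1]


def parse_sigcheck(text):
    """Return (known, missing): known maps path -> (MD5, version); missing lists paths."""
    known, missing = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KNOWN_RE.match(line)
        if m:
            known[m.group("path").lower()] = (m.group("md5").upper(), m.group("version"))
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path").lower())
    return known, missing


def plan_restores(known, missing):
    """Pair each missing file with a same-named copy held in the dllcache (WFP cache)."""
    plan = []
    for dst in missing:
        for src, (md5, _version) in known.items():
            if "\\dllcache\\" in src and basename_win(src) == basename_win(dst):
                plan.append((src, dst, md5))
    return plan


def build_fcopy_script(plan):
    """Render the plan in the CFScript FCopy:: syntax used in this thread."""
    return "FCopy::\n" + "".join(f"{src} | {dst}\n" for src, dst, _ in plan)


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_restore(src, dst, reference_md5):
    """True only if the restored file exists and hashes like both the cache copy and the reference."""
    if not os.path.isfile(dst):
        return False
    return file_md5(dst) == file_md5(src) == reference_md5.upper()


def demo():
    known, missing = parse_sigcheck(SAMPLE_SIGCHECK)
    script = build_fcopy_script(plan_restores(known, missing))
    # Simulate the copy with stand-in bytes in a temp dir (not the real beep.sys).
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "dllcache_beep.sys")
        driver = os.path.join(d, "drivers_beep.sys")
        payload = b"constructed stand-in for beep.sys"
        for p in (cache, driver):
            with open(p, "wb") as f:
                f.write(payload)
        reference = hashlib.md5(payload).hexdigest()
        good = verify_restore(cache, driver, reference)
        with open(driver, "wb") as f:
            f.write(b"tampered replacement")   # a re-infected driver must fail the check
        bad = verify_restore(cache, driver, reference)
    return script, good, bad


if __name__ == "__main__":
    script, good, bad = demo()
    print(script, "intact copy verified:", good, "/ tampered copy verified:", bad)
```

The hash comparison is the check worth keeping: after the FCopy the restored driver should match the dllcache copy and the MD5 that Sigcheck printed, and a later mismatch on that file is a cheap signal that the rogue has come back.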

#11 walty666 (Topic Starter)

Posted 09 September 2009 - 02:31 AM

Here you go Sam:



ComboFix 09-09-06.04 - windows user 09/09/2009 7:53.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.578 [GMT 1:00]
Running from: c:\documents and settings\windows user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\windows user\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-09 06:53 . 2004-08-10 14:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-09 06:53 . 2004-08-10 14:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-05 14:57 . 2009-09-05 15:15 -------- d-s---w- C:\bob
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- C:\rsit
2009-09-03 07:09 . 2009-09-03 07:09 -------- d-----w- c:\program files\trend micro
2009-09-02 15:05 . 2009-09-02 15:05 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Downloaded Installations
2009-09-02 14:24 . 2009-09-07 20:47 94272 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-09-02 11:04 . 2009-09-02 11:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 18:36 . 2009-09-01 18:36 -------- d-----w- c:\documents and settings\Polly\Local Settings\Application Data\SupportSoft
2009-09-01 18:35 . 2009-09-01 18:35 -------- d-sh--w- c:\documents and settings\Polly\IETldCache
2009-09-01 08:07 . 2009-09-01 08:07 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\{004AEE05-713B-43C3-82FE-07E3773C1F0B}
2009-08-31 18:15 . 2009-08-31 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 16:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-31 16:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-31 16:26 . 2009-08-31 16:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 16:25 . 2009-08-31 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 16:25 . 2009-08-31 16:25 -------- d-----w- c:\program files\Lavasoft
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\windows user\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 12:40 . 2009-08-31 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 12:40 . 2009-09-01 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 12:40 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 17:08 . 2009-08-30 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-30 17:03 . 2009-09-01 08:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-30 17:03 . 2009-08-30 17:03 -------- d-----w- c:\documents and settings\windows user\Application Data\SUPERAntiSpyware.com
2009-08-30 15:06 . 2009-08-30 15:11 3600 ----a-w- c:\windows\ex1234.dat
2009-08-30 15:05 . 2009-08-30 15:05 37760 ----a-w- c:\windows\system32\drivers\Filter.sys
2009-08-26 15:34 . 2009-08-26 15:34 0 ----a-w- c:\program files\error.dat
2009-08-26 13:43 . 2009-08-26 13:43 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Scansoft
2009-08-26 13:34 . 2009-08-26 13:52 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-08-26 13:34 . 2006-07-07 11:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-08-26 13:34 . 2008-01-25 11:48 102400 ------w- c:\windows\system32\BrMfNt.dll
2009-08-26 13:34 . 2008-01-25 19:36 63488 ------w- c:\windows\system32\BrNetSti.dll
2009-08-26 13:34 . 2007-12-03 17:13 57856 ------w- c:\windows\system32\BrWiaNCp.dll
2009-08-26 13:34 . 2007-12-03 17:13 42496 ------w- c:\windows\system32\Brnsplg.dll
2009-08-26 13:34 . 2002-11-26 12:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2009-08-26 13:33 . 2008-01-25 14:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-08-26 13:33 . 2009-08-26 15:34 -------- d-----w- c:\program files\Brother
2009-08-26 13:31 . 2009-08-26 13:31 -------- d-----w- c:\program files\Nuance
2009-08-26 13:27 . 2009-08-26 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-08-22 13:11 . 2009-08-22 13:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-20 11:43 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-19 15:20 . 2009-08-19 15:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-19 15:18 . 2009-08-19 15:18 -------- d-----w- c:\program files\Microsoft.NET
2009-08-19 15:16 . 2009-08-19 15:16 -------- d-----w- c:\documents and settings\windows user\Local Settings\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-19 15:15 . 2009-08-19 15:15 -------- d--h--r- C:\MSOCache
2009-08-13 09:30 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 20:47 . 2009-07-06 14:06 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-05 14:38 . 2006-04-27 07:01 130184 ----a-w- c:\documents and settings\windows user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Common Files\Activ Software
2009-09-02 16:19 . 2009-08-06 16:00 -------- d-----w- c:\program files\Activ Software
2009-09-02 15:56 . 2009-08-06 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Activ Software
2009-08-31 18:15 . 2007-09-26 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 17:02 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 15:34 . 2001-12-31 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 22:51 . 2008-04-07 20:07 -------- d-----w- c:\documents and settings\windows user\Application Data\Skype
2009-08-21 22:39 . 2008-04-07 20:21 -------- d-----w- c:\documents and settings\windows user\Application Data\skypePM
2009-08-14 05:58 . 2009-09-02 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 09:39 . 2009-08-06 16:09 -------- d-----w- c:\documents and settings\windows user\Application Data\Promethean
2009-08-06 16:02 . 2009-08-06 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Promethean
2009-08-05 09:01 . 2004-09-10 14:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 20:07 . 2006-02-27 00:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 18:53 . 2008-02-17 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 08:50 . 2006-02-26 15:19 -------- d-----w- c:\program files\iTunes
2009-07-20 09:41 . 2009-07-06 09:57 -------- d-----w- c:\program files\Windows Live
2009-07-20 09:40 . 2009-07-20 09:40 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-20 09:06 . 2009-07-20 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-20 09:05 . 2006-02-15 17:52 -------- d-----w- c:\program files\iPod
2009-07-20 09:05 . 2007-06-30 17:57 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\Bonjour
2009-07-20 09:04 . 2009-07-20 09:03 -------- d-----w- c:\program files\QuickTime
2009-07-20 09:01 . 2006-10-07 10:32 -------- d-----w- c:\program files\Apple Software Update
2009-07-18 20:23 . 2009-07-18 20:23 -------- d-----w- c:\program files\TomTom HOME 2
2009-07-17 19:01 . 2004-09-10 14:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 09:38 . 2009-07-16 09:37 -------- d-----w- c:\program files\CCleaner
2009-07-13 09:08 . 2004-09-10 14:58 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:01 . 2009-07-11 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-12 09:00 . 2009-07-11 17:39 -------- d-----w- c:\program files\NOS
2009-07-07 14:22 . 2009-07-07 14:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-06 19:27 . 2009-07-06 19:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-07-03 17:09 . 2004-09-10 14:57 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 11:40 . 2009-06-28 11:40 128 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2009-07-06 14:04 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-07-06 14:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-07-06 14:04 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-09-10 14:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-10 14:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-10 14:57 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-07-06 14:04 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 12:58 . 2009-06-21 12:58 77320 ----a-w- c:\documents and settings\Polly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-09-10 14:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-09-10 14:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-09-10 14:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-09-10 14:57 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-05_15.10.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-09 06:27 . 2009-09-09 06:27 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ActivFilter"="c:\program files\Activ Software\Activdriver\ActivFilter.exe" [2002-11-07 23552]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-04-03 1040384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [BU]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [BU]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-2 49254]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-9-18 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [31/08/2009 17:28 64160]
R1 Filter;Filter;c:\windows\system32\drivers\Filter.sys [30/08/2009 16:05 37760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/07/2009 10:41 55152]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [07/08/2009 15:31 92008]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2002 00:39 974336]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [17/12/2008 10:42 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [06/08/2009 17:00 4352]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2002-01-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]

2002-01-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {{c23dd370-cb79-11d2-898a-00c04f80a47f} - c:\program files\Internet Explorer\Toolbar\toolbar.hta
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://doubleoverhead-porthcawl.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} - hxxp://support.packardbell.com/files/activex/InfosFinder2.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-09 8:03
ComboFix-quarantined-files.txt 2009-09-09 07:03
ComboFix2.txt 2009-09-08 17:48
ComboFix3.txt 2009-09-07 21:15
ComboFix4.txt 2009-09-07 08:01

Pre-Run: 110,577,795,072 bytes free
Post-Run: 110,524,018,688 bytes free

281 --- E O F --- 2009-09-02 08:36




#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 September 2009 - 01:44 PM

Looks good to me! :(
If everything is running smoothly on your end we can go ahead and clean up. Then I'll post some final recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 walty666

walty666
  • Topic Starter

  • Members
  • 19 posts

Posted 10 September 2009 - 05:27 AM

Hi Sam,
Thanks again for your help. MBAM is only picking up one file (see log below) and since reinstalling AVG it's also picked up a couple of things (see attached image). I've quarantined/removed all of them. Other than that everything seems to be fine.


Malwarebytes' Anti-Malware 1.40
Database version: 2770
Windows 5.1.2600 Service Pack 3

10/09/2009 09:40:54
mbam-log-2009-09-10 (09-40-54).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 167048
Time elapsed: 37 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP760\A0181527.sys (Trojan.Cutwail) -> Quarantined and deleted successfully.




#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 September 2009 - 09:36 AM

This is your system restore data. It's most certainly infected and needs to be flushed out per the recommendations that I made in my last post.

C:\System Volume Information\_restore


But the other file that AVG detected is not and could have been an active infection. Was it able to remove that file successfully?
How is your computer behaving?

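The distinction Sam draws in the post above (a hit under System Volume Information is a dormant restore-point copy to be flushed, a hit anywhere else may be a live file) can be applied mechanically to an MBAM log. The Python below is an added example, not code from the thread or from Malwarebytes; the log it parses is a constructed excerpt in the format walty666 posted, with the first detection line taken from that log and the other two invented to exercise both branches.

```python
"""Triage the 'Files Infected' section of a Malwarebytes' Anti-Malware 1.x log.

Added example (not code from the thread or from Malwarebytes). A detection under
System Volume Information\\_restore{...}\\RPnnn\\ is a System Restore snapshot of a
file that was already removed: inert until a restore is performed, and cleared by
disabling and re-enabling System Restore. A detection anywhere else may be an
active file and deserves a closer look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. The first detection line is the one posted in the
# thread; the other two are invented to exercise both branches of the triage.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2770
Windows 5.1.2600 Service Pack 3

Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\System Volume Information\\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\\RP760\\A0181527.sys (Trojan.Cutwail) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\\RP761\\A0181530.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\sample.sys (Trojan.Cutwail) -> Delete on reboot.
"""

# "<path> (<detection name>) -> <action>"; the lazy path match backtracks past
# parentheses that belong to the path itself (e.g. "Program Files (x86)").
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# System Restore point layout: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT_RE.search(self.path) is not None


def parse_files_infected(log_text: str) -> list[Detection]:
    """Return the entries listed under the 'Files Infected:' section.

    The summary block near the top has a 'Files Infected: <count>' line; the
    detail section header is the bare 'Files Infected:' and runs to the next
    blank line.
    """
    detections: list[Detection] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            break
        if line == "(No malicious items detected)":
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append(Detection(match["path"], match["name"], match["action"]))
    return detections


def triage(log_text: str) -> dict[str, list[Detection]]:
    """Split detections into restore-point leftovers and possibly active files."""
    buckets: dict[str, list[Detection]] = {"restore_point": [], "active": []}
    for det in parse_files_infected(log_text):
        buckets["restore_point" if det.in_restore_point else "active"].append(det)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['restore_point'])} restore-point leftover(s): flush System Restore")
    for det in result["active"]:
        print(f"ACTIVE LOCATION: {det.path} [{det.name}] -> {det.action}")
```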

========================================================

#15 walty666

walty666
  • Topic Starter

  • Members
  • 19 posts

Posted 11 September 2009 - 02:49 AM

Hi Sam,
Yeah, I'd already cleared the system restore folder by the method you described. I've done it again and run another MBAM scan and there's absolutely nothing being flagged as malicious. I really appreciate all your help with this and will be recommending Bleeping Computer to anyone I know who suffers the same problems.
A massive thanks again...
Ross



