
very bad virus


This topic is locked
16 replies to this topic

#1 piperm
Posted 07 September 2009 - 03:52 AM

I have Windows XP Pro. My desktop will not load, nor will the icons. I tried Safe Mode, with the same outcome. And worst of all, I'm on my mom's comp. When I tried Malwarebytes or Spybot, this was the error message: "Windows cannot access the specified device, path or file. You may not have permission to access the item." And when I tried to rename mbam it showed me this: "Cannot rename mbam: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use."


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 1:25:16.35 on Mon 09/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT -7:00]

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Administrator\Desktop\EMPIRE EARTH\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Qwest
uDefault_Page_URL = hxxp://qwest.live.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Monopod] c:\docume~1\admini~1\locals~1\temp\b.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [*Restore] c:\windows\system32\restore\rstrui.exe -i
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-15 365448]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-5 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090904.009\NAVENG.sys [2009-9-4 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090904.009\NAVEX15.sys [2009-9-4 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-17 133104]

=============== Created Last 30 ================

2009-09-06 22:38 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-09-06 22:38 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-09-06 22:38 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-09-06 22:38 75,264 a------- c:\windows\system32\unacev2.dll
2009-09-06 22:38 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-09-06 22:37 <DIR> --d----- c:\program files\Trojan Remover
2009-09-06 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-09-06 22:37 <DIR> --d----- c:\docume~1\admini~1\applic~1\Simply Super Software
2009-09-06 22:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\Error Fix
2009-09-06 22:19 <DIR> --d----- c:\program files\Error Fix
2009-09-06 22:18 <DIR> --d----- c:\program files\Downloaded Installers
2009-09-06 21:25 189,952 a------- c:\windows\msa.exe
2009-09-05 00:26 <DIR> --d----- c:\program files\Warcraft ft
2009-09-05 00:25 126,976 a------- c:\windows\W3DemoUnin.exe
2009-09-05 00:25 12,507 a------- c:\windows\W3DemoUnin.dat
2009-09-05 00:25 2,829 a------- c:\windows\W3DemoUnin.pif
2009-09-05 00:24 <DIR> --d----- c:\program files\Warcraft III Demo
2009-09-05 00:21 <DIR> --d----- c:\program files\PowerISO
2009-09-05 00:21 <DIR> --d-h--- c:\windows\PIF
2009-09-04 23:52 <DIR> --d----- c:\program files\PFPortChecker
2009-09-04 23:25 <DIR> --d----- c:\program files\Ask.com
2009-09-04 00:57 <DIR> --d----- c:\program files\Empire Earth
2009-08-31 23:32 <DIR> --d----- c:\program files\Call of Duty 2
2009-08-30 22:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-30 22:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 22:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-30 22:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 18:29 <DIR> --d----- c:\program files\common files\Uninstall
2009-08-21 12:03 <DIR> --d----- C:\my dvd
2009-08-21 12:02 67 a------- c:\windows\Easy DVD Creator.INI
2009-08-21 12:01 <DIR> --d----- c:\program files\Easy DVD Creator
2009-08-18 17:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-08-18 17:55 204 a------- C:\Plugins
2009-08-18 17:55 <DIR> --d----- c:\program files\Pando Networks
2009-08-15 03:23 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-15 03:05 <DIR> --d----- C:\8145c87132468a33fa3c
2009-08-13 11:31 <DIR> --d----- c:\program files\Portable.Sarm.Resume.Builder.4.8
2009-08-12 12:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-12 12:36 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-12 02:34 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 02:34 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:05 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-09-07 01:05 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-07 01:05 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-08-27 23:07 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-24 14:09 25,592 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-26 19:43 58,908 a------- c:\windows\system32\drivers\scdemu.sys
2009-07-20 15:38 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-20 15:38 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-07-17 13:58 2,373,712 a------- c:\windows\system32\pbsvc.exe
2009-07-17 13:58 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 11:21 83,672 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-15 11:21 73,224 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 1:25:50.73 ===============

Edited by piperm, 07 September 2009 - 03:56 AM.
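The "Pseudo HJT Report" section of the DDS log above is what a helper reads first: the uRun/mRun autostart values and the registered Browser Helper Objects. As an added example, not part of the original post or of the DDS tool, here is a small Python triage script that parses those exact lines (copied into a constructed sample) and flags the two patterns a practitioner would mark for a closer look: a Run value whose executable sits in a temp directory under the user profile (the [Monopod] entry pointing at b.exe), and a BHO whose CLSID is registered but whose DLL is "No File". The regexes, heuristics and field names are this example's own assumptions about the DDS line format, not documented DDS semantics, and a flagged entry is a lead, not a verdict.

```python
"""Triage the autostart lines of a DDS 'Pseudo HJT Report'.

Added example (not part of the original forum post or the DDS tool): the
regexes and the two heuristics below are this example's own assumptions.
"""
import re

# Constructed sample: the Run and BHO lines copied from the DDS log in post #1.
SAMPLE_LINES = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Monopod] c:\docume~1\admini~1\locals~1\temp\b.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [*Restore] c:\windows\system32\restore\rstrui.exe -i
"""

# uRun = HKCU Run, mRun = HKLM Run (DDS convention); the bracketed text is the value name.
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?P<once>Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO lines: optional description, CLSID in braces, then the DLL path or "No File".
BHO_RE = re.compile(r"^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
# First drive-letter path ending in a PE-ish extension, quoted or not, before any arguments.
PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|scr|pif|com|bat)")

TEMP_DIRS = {"temp", "tmp"}
PROFILE_ROOTS = {"docume~1", "documents and settings"}  # XP profile root, 8.3 and long forms


def executable_path(cmd):
    """Pull the image path out of a Run command line (handles quotes and rundll32)."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def assess(path):
    """Return the reasons a path deserves a second look (empty list = unremarkable)."""
    segs = [s.lower() for s in path.split("\\")]
    reasons = []
    if any(s in TEMP_DIRS for s in segs):
        reasons.append("executes from a temp directory")
    if len(segs) > 1 and segs[1] in PROFILE_ROOTS:
        reasons.append("lives in a user profile rather than Program Files or system32")
    return reasons


def triage(report):
    """Parse uRun/mRun/BHO lines and return the entries that match a heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m["cmd"])
            reasons = assess(path) if path else ["no resolvable executable path"]
            if reasons:
                findings.append({"kind": m["hive"] + "Run" + (m["once"] or ""),
                                 "name": m["name"], "path": path, "reasons": reasons})
            continue
        m = BHO_RE.match(line)
        if m:
            target = m["target"].strip()
            orphan = target.lower() == "no file"
            reasons = ["CLSID registered but its DLL is missing (orphan)"] if orphan else assess(target)
            if reasons:
                findings.append({"kind": "BHO", "name": m["desc"] or m["clsid"],
                                 "path": None if orphan else target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:8} {f['name']!r:45} {f['path']}")
        for r in f["reasons"]:
            print(f"{'':8} -> {r}")
```

Run against the sample, the script reports exactly two entries: the orphan BHO and the [Monopod] value, whose b.exe lives in the Administrator profile's Local Settings\Temp. Everything else (TeaTimer, ctfmon, the Lexmark rundll32 entry, ZoneAlarm, MSConfig, rstrui) resolves to Program Files or the Windows directory and is left alone. The Ask Toolbar BHO is not flagged by these two heuristics even though a helper would normally remove it; that is the limit of path-based triage, and the reason the helpers below ask for ComboFix and RootRepeal output rather than relying on the DDS listing alone.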


#2 myrti (Malware Study Hall Admin)

Posted 07 September 2009 - 12:49 PM

Hello and welcome to BleepingComputer.com!

I will be helping you today. If you still need help, please let me know by replying to this thread. Please reply back and let me know that you still need help.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 piperm

Posted 07 September 2009 - 01:32 PM

I have updated my Norton AntiVirus since posting, but other than that I have done nothing new.

#4 myrti

Posted 07 September 2009 - 01:33 PM

Hi,

Glad to see you're back. Let's try the following before attacking with Norton:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Afterwards please run rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Please post back the log from Combofix and Rootrepeal in your next reply.

regards _temp_



#5 piperm

Posted 07 September 2009 - 02:18 PM

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 12:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA40A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B4E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8CCA000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF73AE000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB915865\KB915865
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1025\1025
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1028\1028
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1031\1031
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1037\1037
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1041\1041
Status: Locked to the Windows API!


combofix.txt:

ComboFix 09-09-06.06 - Administrator 09/07/2009 12:30.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.481 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\combo-fun.exe.exe
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 18:41 . 2009-09-07 19:29 -------- d-s---w- C:\ComboFix
2009-09-07 10:15 . 2009-09-07 10:15 -------- d-----w- c:\program files\ESET
2009-09-07 09:57 . 2009-07-15 21:19 103288 ----a-w- c:\windows\system32\drivers\dwprot.sys
2009-09-07 09:57 . 2009-09-07 09:57 -------- d-----w- c:\program files\Common Files\Doctor Web
2009-09-07 09:56 . 2009-09-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-09-07 09:56 . 2009-09-07 18:27 -------- d-----w- c:\program files\DrWeb
2009-09-07 09:46 . 2009-09-07 10:13 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-09-07 09:25 . 2009-09-07 09:25 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 05:19 . 2009-09-07 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Error Fix
2009-09-07 05:19 . 2009-09-07 09:04 -------- d-----w- c:\program files\Error Fix
2009-09-05 10:14 . 2009-09-05 11:11 -------- d-----w- c:\program files\Warcraft III
2009-09-05 07:26 . 2009-09-05 07:28 -------- d-----w- c:\program files\Warcraft ft
2009-09-05 07:25 . 2009-09-05 07:25 12507 ----a-w- c:\windows\W3DemoUnin.dat
2009-09-05 07:25 . 2009-09-05 07:25 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-09-05 07:25 . 2009-09-05 07:25 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-09-05 07:24 . 2009-09-06 04:42 -------- d-----w- c:\program files\Warcraft III Demo
2009-09-05 07:21 . 2009-09-05 07:21 -------- d-----w- c:\program files\PowerISO
2009-09-05 07:21 . 2009-09-07 04:25 -------- d--h--w- c:\windows\PIF
2009-09-05 06:25 . 2009-09-05 06:26 -------- d-----w- c:\program files\Ask.com
2009-09-04 07:57 . 2009-09-05 04:34 -------- d-----w- c:\program files\Empire Earth
2009-09-01 06:32 . 2009-09-01 07:22 -------- d-----w- c:\program files\Call of Duty 2
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 01:29 . 2009-08-31 06:19 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-29 06:16 . 2009-09-05 07:05 85760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-21 19:03 . 2009-08-21 22:07 -------- d-----w- C:\my dvd
2009-08-21 19:01 . 2009-08-21 19:03 -------- d-----w- c:\program files\Easy DVD Creator
2009-08-19 00:56 . 2009-08-19 01:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2009-08-19 00:56 . 2009-08-19 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-08-19 00:55 . 2009-08-19 00:55 -------- d-----w- c:\program files\Pando Networks
2009-08-18 01:26 . 2005-03-12 01:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-18 01:26 . 2005-02-24 20:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-18 01:26 . 2005-02-24 19:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-18 01:26 . 2003-01-26 19:41 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-18 01:26 . 1999-03-26 01:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-08-18 01:26 . 1998-07-13 05:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-18 01:26 . 2000-10-02 01:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-18 01:26 . 1998-07-13 05:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-18 01:26 . 1998-07-13 01:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-18 01:26 . 2003-04-18 22:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-15 10:05 . 2009-08-15 10:06 -------- d-----w- C:\8145c87132468a33fa3c
2009-08-13 18:31 . 2009-08-13 18:46 -------- d-----w- c:\program files\Portable.Sarm.Resume.Builder.4.8
2009-08-12 19:55 . 2009-08-12 19:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-12 19:53 . 2009-08-12 19:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-12 19:36 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-12 09:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 03:05 . 2009-08-11 03:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 18:55 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-07 18:55 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-07 08:28 . 2009-07-15 18:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-07 05:39 . 2009-06-25 14:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 05:08 . 2009-06-26 01:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2009-09-07 04:21 . 2008-09-24 02:59 -------- d-----w- c:\program files\Lx_cats
2009-09-04 07:18 . 2009-07-22 03:14 -------- d-----w- c:\program files\Microsoft Games
2009-09-01 20:32 . 2009-07-22 03:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\GameRanger
2009-08-28 07:59 . 2008-03-11 21:10 25592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 15:58 . 2009-07-24 01:14 -------- d-----w- c:\program files\HJsplit
2009-08-19 01:53 . 2009-07-26 23:32 -------- d-----w- c:\program files\Fish Tycoon
2009-08-18 01:39 . 2009-07-25 16:57 -------- d-----w- c:\program files\BFG
2009-08-18 01:29 . 2008-03-11 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 22:58 . 2009-07-15 03:34 25 ----a-w- c:\windows\popcinfot.dat
2009-08-12 19:31 . 2009-04-30 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-12 15:05 . 2009-04-30 05:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:17 . 2009-07-16 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 15:38 . 2009-07-21 01:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-07-26 23:31 . 2009-07-26 23:31 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-26 22:10 . 2009-07-26 22:05 -------- d-----w- c:\program files\Cheat Engine
2009-07-25 17:18 . 2009-07-25 16:57 -------- d-----w- c:\program files\Virtual Villagers
2009-07-24 01:55 . 2009-07-24 01:55 -------- d-----w- c:\program files\Common Files\eSellerate
2009-07-24 00:02 . 2009-07-24 00:01 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-23 20:34 . 2009-07-23 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AweSEM
2009-07-20 22:38 . 2009-07-17 21:45 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-20 22:38 . 2009-07-17 20:40 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-18 22:06 . 2008-11-02 00:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-18 03:00 . 2009-06-25 14:08 -------- d-----w- c:\program files\Google
2009-07-17 20:59 . 2009-07-17 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software
2009-07-17 20:58 . 2009-07-17 20:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 20:58 . 2009-07-17 20:40 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-17 20:51 . 2009-07-16 16:59 -------- d-----w- c:\program files\StarCraft
2009-07-17 20:40 . 2009-07-17 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 18:22 . 2009-07-17 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-16 17:14 . 2009-07-16 16:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-16 15:41 . 2009-07-16 15:40 -------- d-----w- c:\program files\iTunes
2009-07-16 15:40 . 2009-07-16 15:40 -------- d-----w- c:\program files\iPod
2009-07-16 15:40 . 2008-12-25 16:34 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 01:10 . 2009-07-16 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-16 01:04 . 2009-06-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-15 18:33 . 2009-07-15 18:33 -------- d-----w- c:\program files\Zone Labs
2009-07-15 18:24 . 2009-07-15 18:23 -------- d-----w- c:\program files\Symantec
2009-07-15 18:24 . 2009-07-15 18:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-15 18:23 . 2009-07-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 18:22 . 2009-07-15 18:22 -------- d-----w- c:\program files\Symantec_Client_Security
2009-07-15 18:21 . 2009-07-15 18:24 83672 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-15 18:21 . 2009-07-15 18:24 73224 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-15 00:10 . 2009-07-15 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-03-11 19:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

------- Sigcheck -------

[-] !HASH: COULD NOT OPEN FILE !!!!! [------] c:\windows\explorer.exe
[7] A0732187050030AE399B241436565E64 [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 00:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2009-06-01 447728]
"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2009-07-01 644336]
"SpIDerGate"="c:\program files\DrWeb\spidergate.exe" [2009-07-04 1471728]
"SpIDerNT"="c:\progra~1\DrWeb\spiderui.exe" [2009-08-18 231840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScreenArt.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ScreenArt.lnk
backup=c:\windows\pss\ScreenArt.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"56307:TCP"= 56307:TCP:Pando Media Booster
"56307:UDP"= 56307:UDP:Pando Media Booster

R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [9/7/2009 2:57 AM 103288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 2:30 AM 204800]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/5/2009 10:23 AM 24652]
S2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [8/27/2009 7:06 PM 869688]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 2:54 PM 133104]
S2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [8/17/2009 5:47 PM 306464]
S2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [8/17/2009 5:47 PM 231328]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-07 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\DrWeb32w.exe [2009-08-19 03:42]

2009-09-07 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2009-08-19 03:33]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-11 00:29]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
SafeBoot-DWSHIELD00007EF4.SYS


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
LSP: c:\program files\DrWeb\drwebsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 12:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\

[HKEY_USERS\S-1-5-21-515967899-1935655697-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\DrWeb\drwebsp.dll
.
Completion time: 2009-09-07 12:41
ComboFix-quarantined-files.txt 2009-09-07 19:41

Pre-Run: 46,325,309,440 bytes free
Post-Run: 46,273,499,136 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
326 --- E O F --- 2009-09-02 05:42

Edited by piperm, 07 September 2009 - 02:44 PM.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:30 AM

Posted 07 September 2009 - 03:01 PM

Hi,

That actually doesn't look too bad. :(


You are missing some windows files. We are going to try to restore these files.
You might need your Windows CD for the following steps:

Please run Task Manager and select New Task. Type cmd into the window to start the command line.

Once you have the command line working, please type sfc /scannow into it. Windows will start verifying system files; this might take some time. If prompted for the Windows CD, please insert it.

Please report back how your PC behaves, once the scan has finished.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 piperm

piperm
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 07 September 2009 - 03:10 PM

I tried running the cmd prompt but I do not have a CD :(, anyone else have a possible solution?

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:30 AM

Posted 07 September 2009 - 03:14 PM

Hi,
  • reboot your PC
  • press F8 twice to get into the advanced boot options
  • select safe mode
  • open a command line
  • type the following commands into it:

    copy C:\windows\system32\dllcache\explorer.exe C:\windows\explorer.exe

    Note: Please hit enter before beginning a new line
    You should see 1 file(s) copied after hitting enter.
This should restore the missing files onto your system. Please type exit to leave the recovery console and reboot your PC. Tell me if you can now boot into Windows normally.

regards _temp_

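As an added example for this thread (not code from BleepingComputer, ComboFix or Sigcheck), here is the decision behind myrti's copy command above, written out: parse Sigcheck-style lines like the four in piperm's log, note that the live c:\windows\explorer.exe could not be hashed, pick the backup copy whose file version belongs to the installed service pack (the log reports Service Pack 3 and build 6.00.2900.5512 for the dllcache and ServicePackFiles copies), refuse if two copies of the same version disagree on their MD5, and after copying confirm the restored file hashes identically to its source. The sample lines are taken from the log; the version-to-service-pack table, the function names and the stand-in file bytes in demo() are this example's own assumptions.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Sample input: the four Sigcheck lines from piperm's ComboFix log above.
SIGCHECK_SAMPLE = r"""
[-] !HASH: COULD NOT OPEN FILE !!!!! [------] c:\windows\explorer.exe
[7] A0732187050030AE399B241436565E64 [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\system32\dllcache\explorer.exe
"""

# Assumption (this example's own table): the explorer.exe file version that
# ships with each XP service pack. Both version strings occur in the log.
SP_BUILD = {2: "6.00.2900.2180", 3: "6.00.2900.5512"}

_HASHED = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"\[(?P<ver>[^\]]*)\]\s+(?P<path>\S.*)$"
)
_UNREADABLE = "COULD NOT OPEN FILE"


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; unreadable files get md5/version None."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _UNREADABLE in line:
            # Format: "[-] !HASH: COULD NOT OPEN FILE !!!!! [------] <path>"
            path = line.rsplit("] ", 1)[1]
            entries.append({"path": path, "md5": None, "version": None, "readable": False})
            continue
        m = _HASHED.match(line)
        if not m:
            raise ValueError("unrecognised Sigcheck line: " + line)
        entries.append({
            "path": m.group("path"),
            "md5": m.group("md5").upper(),
            "version": m.group("ver").split()[0],  # drop the "(xpsp...)" build tag
            "readable": True,
        })
    return entries


def choose_restore_source(entries, service_pack):
    """Pick the backup copy to restore from, or None if none is suitable.

    Rules: the version must match the installed service pack; every candidate
    with that version must report the same MD5 (a disagreeing copy is not the
    file it claims to be); prefer the dllcache copy, as in the thread.
    """
    wanted = SP_BUILD[service_pack]
    candidates = [e for e in entries if e["readable"] and e["version"] == wanted]
    if not candidates:
        return None
    if len({e["md5"] for e in candidates}) != 1:
        raise ValueError("backup copies of the same version disagree on MD5")
    candidates.sort(key=lambda e: 0 if "\\dllcache\\" in e["path"].lower() else 1)
    return candidates[0]["path"]


def md5_of(path):
    """MD5 of a file, the digest Sigcheck reports, for a before/after comparison."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def restore_and_verify(src, dst):
    """Copy src over dst and confirm the copy hashes identically to its source."""
    shutil.copy2(src, dst)
    return md5_of(src) == md5_of(dst)


def demo():
    """Run the selection plus copy step in a temp dir with constructed bytes."""
    entries = parse_sigcheck(SIGCHECK_SAMPLE)
    source = choose_restore_source(entries, service_pack=3)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins: a "dllcache" copy exists, the live file is gone.
        src = root / "system32" / "dllcache" / "explorer.exe"
        src.parent.mkdir(parents=True)
        src.write_bytes(b"constructed stand-in for explorer.exe")
        dst = root / "explorer.exe"
        ok = restore_and_verify(src, dst)
        return {"source": source, "restored": ok, "md5": md5_of(dst)}


if __name__ == "__main__":
    print(demo())
```

The consistency check is the part worth keeping in mind: a file in dllcache is only a trustworthy restore source while its hash agrees with the other copy of the same build, which is exactly what the Sigcheck block lets you confirm before copying.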


#9 piperm

piperm
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 07 September 2009 - 03:40 PM

So after safe mode I had to go back in and redo the DLL in the cmd prompt, and C:\windows\explorer.exe still doesn't work; the first one does though. But I never saw the (1 file copied) message.

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:30 AM

Posted 07 September 2009 - 03:49 PM

Hi,

ok, great to hear your desktop is back. :(

Please try to install the Recovery Console manually now:

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Please post back the log from ComboFix.

regards _temp_



#11 piperm

piperm
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 07 September 2009 - 04:25 PM

ComboFix 09-09-06.06 - Administrator 09/07/2009 14:08.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.403 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 10:15 . 2009-09-07 10:15 -------- d-----w- c:\program files\ESET
2009-09-07 09:57 . 2009-07-15 21:19 103288 ----a-w- c:\windows\system32\drivers\dwprot.sys
2009-09-07 09:57 . 2009-09-07 09:57 -------- d-----w- c:\program files\Common Files\Doctor Web
2009-09-07 09:56 . 2009-09-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-09-07 09:56 . 2009-09-07 20:57 -------- d-----w- c:\program files\DrWeb
2009-09-07 09:46 . 2009-09-07 20:33 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-09-07 09:25 . 2009-09-07 09:25 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 05:19 . 2009-09-07 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Error Fix
2009-09-07 05:19 . 2009-09-07 09:04 -------- d-----w- c:\program files\Error Fix
2009-09-05 10:14 . 2009-09-05 11:11 -------- d-----w- c:\program files\Warcraft III
2009-09-05 07:26 . 2009-09-05 07:28 -------- d-----w- c:\program files\Warcraft ft
2009-09-05 07:25 . 2009-09-05 07:25 12507 ----a-w- c:\windows\W3DemoUnin.dat
2009-09-05 07:25 . 2009-09-05 07:25 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-09-05 07:25 . 2009-09-05 07:25 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-09-05 07:24 . 2009-09-06 04:42 -------- d-----w- c:\program files\Warcraft III Demo
2009-09-05 07:21 . 2009-09-05 07:21 -------- d-----w- c:\program files\PowerISO
2009-09-05 07:21 . 2009-09-07 04:25 -------- d--h--w- c:\windows\PIF
2009-09-05 06:25 . 2009-09-05 06:26 -------- d-----w- c:\program files\Ask.com
2009-09-04 07:57 . 2009-09-05 04:34 -------- d-----w- c:\program files\Empire Earth
2009-09-01 06:32 . 2009-09-01 07:22 -------- d-----w- c:\program files\Call of Duty 2
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 01:29 . 2009-08-31 06:19 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-29 06:16 . 2009-09-05 07:05 85760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-21 19:03 . 2009-08-21 22:07 -------- d-----w- C:\my dvd
2009-08-21 19:01 . 2009-08-21 19:03 -------- d-----w- c:\program files\Easy DVD Creator
2009-08-19 00:56 . 2009-08-19 01:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2009-08-19 00:56 . 2009-08-19 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-08-19 00:55 . 2009-08-19 00:55 -------- d-----w- c:\program files\Pando Networks
2009-08-18 01:26 . 2005-03-12 01:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-18 01:26 . 2005-02-24 20:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-18 01:26 . 2005-02-24 19:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-18 01:26 . 2003-01-26 19:41 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-18 01:26 . 1999-03-26 01:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-08-18 01:26 . 1998-07-13 05:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-18 01:26 . 2000-10-02 01:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-18 01:26 . 1998-07-13 05:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-18 01:26 . 1998-07-13 01:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-18 01:26 . 2003-04-18 22:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-15 10:05 . 2009-08-15 10:06 -------- d-----w- C:\8145c87132468a33fa3c
2009-08-13 18:31 . 2009-08-13 18:46 -------- d-----w- c:\program files\Portable.Sarm.Resume.Builder.4.8
2009-08-12 19:55 . 2009-08-12 19:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-12 19:53 . 2009-08-12 19:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-12 19:36 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-12 09:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 03:05 . 2009-08-11 03:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 20:31 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-07 20:31 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-07 08:28 . 2009-07-15 18:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-07 05:39 . 2009-06-25 14:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 05:08 . 2009-06-26 01:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2009-09-07 04:21 . 2008-09-24 02:59 -------- d-----w- c:\program files\Lx_cats
2009-09-04 07:18 . 2009-07-22 03:14 -------- d-----w- c:\program files\Microsoft Games
2009-09-01 20:32 . 2009-07-22 03:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\GameRanger
2009-08-28 07:59 . 2008-03-11 21:10 25592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 15:58 . 2009-07-24 01:14 -------- d-----w- c:\program files\HJsplit
2009-08-19 01:53 . 2009-07-26 23:32 -------- d-----w- c:\program files\Fish Tycoon
2009-08-18 01:39 . 2009-07-25 16:57 -------- d-----w- c:\program files\BFG
2009-08-18 01:29 . 2008-03-11 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 22:58 . 2009-07-15 03:34 25 ----a-w- c:\windows\popcinfot.dat
2009-08-12 19:31 . 2009-04-30 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-12 15:05 . 2009-04-30 05:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:17 . 2009-07-16 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 15:38 . 2009-07-21 01:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-07-26 23:31 . 2009-07-26 23:31 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-26 22:10 . 2009-07-26 22:05 -------- d-----w- c:\program files\Cheat Engine
2009-07-25 17:18 . 2009-07-25 16:57 -------- d-----w- c:\program files\Virtual Villagers
2009-07-24 01:55 . 2009-07-24 01:55 -------- d-----w- c:\program files\Common Files\eSellerate
2009-07-24 00:02 . 2009-07-24 00:01 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-23 20:34 . 2009-07-23 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AweSEM
2009-07-20 22:38 . 2009-07-17 21:45 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-20 22:38 . 2009-07-17 20:40 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-18 22:06 . 2008-11-02 00:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-18 03:00 . 2009-06-25 14:08 -------- d-----w- c:\program files\Google
2009-07-17 20:59 . 2009-07-17 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software
2009-07-17 20:58 . 2009-07-17 20:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 20:58 . 2009-07-17 20:40 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-17 20:51 . 2009-07-16 16:59 -------- d-----w- c:\program files\StarCraft
2009-07-17 20:40 . 2009-07-17 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 18:22 . 2009-07-17 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-16 17:14 . 2009-07-16 16:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-16 15:41 . 2009-07-16 15:40 -------- d-----w- c:\program files\iTunes
2009-07-16 15:40 . 2009-07-16 15:40 -------- d-----w- c:\program files\iPod
2009-07-16 15:40 . 2008-12-25 16:34 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 01:10 . 2009-07-16 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-16 01:04 . 2009-06-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-15 18:33 . 2009-07-15 18:33 -------- d-----w- c:\program files\Zone Labs
2009-07-15 18:24 . 2009-07-15 18:23 -------- d-----w- c:\program files\Symantec
2009-07-15 18:24 . 2009-07-15 18:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-15 18:23 . 2009-07-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 18:22 . 2009-07-15 18:22 -------- d-----w- c:\program files\Symantec_Client_Security
2009-07-15 18:21 . 2009-07-15 18:24 83672 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-15 18:21 . 2009-07-15 18:24 73224 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-15 00:10 . 2009-07-15 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-03-11 19:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

------- Sigcheck -------

[-] !HASH: COULD NOT OPEN FILE !!!!! [------] c:\windows\explorer.exe
[7] A0732187050030AE399B241436565E64 [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-09-07_19.38.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:11 36921 c:\windows\system32\dllcache\imeshare.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 30720 c:\windows\system32\dllcache\iisrstas.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 64512 c:\windows\system32\dllcache\iismap.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 68608 c:\windows\system32\dllcache\iisext51.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 20538 c:\windows\system32\dllcache\fpremadm.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 20541 c:\windows\system32\dllcache\fpexedll.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 15120 c:\windows\system32\dllcache\fp98sadm.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 49212 c:\windows\system32\dllcache\fp4awebs.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 32826 c:\windows\system32\dllcache\fp4avss.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 41020 c:\windows\system32\dllcache\fp4avnb.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 49210 c:\windows\system32\dllcache\fp4areg.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 82035 c:\windows\system32\dllcache\fp4anscp.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 32768 c:\windows\system32\dllcache\dispex.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 39936 c:\windows\system32\dllcache\dimsroam.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 19456 c:\windows\system32\dllcache\dimsntfy.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 62464 c:\windows\system32\dllcache\cryptsvc.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 64512 c:\windows\system32\dllcache\cryptnet.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 53760 c:\windows\system32\dllcache\cryptext.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 74752 c:\windows\system32\dllcache\cryptdlg.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 46592 c:\windows\system32\dllcache\coadmin.dll
+ 2004-08-04 12:00 . 2008-04-14 00:09 16896 c:\windows\system32\dllcache\cfgmgr32.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 16439 c:\windows\system32\dllcache\author.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 20540 c:\windows\system32\dllcache\author.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 30208 c:\windows\system32\dllcache\atmlib.dll
+ 2004-08-04 12:00 . 2008-04-14 00:12 98304 c:\windows\system32\dllcache\ahui.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 43520 c:\windows\system32\dllcache\admwprox.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 16439 c:\windows\system32\dllcache\admin.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 20540 c:\windows\system32\dllcache\admin.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 7168 c:\windows\system32\dllcache\bitsprx4.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 829440 c:\windows\system32\dllcache\inetmgr.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 133632 c:\windows\system32\dllcache\iisrtl.dll
+ 2008-09-25 00:39 . 2007-04-02 16:36 208896 c:\windows\system32\dllcache\fpmmcsat.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 598071 c:\windows\system32\dllcache\fpmmc.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 188494 c:\windows\system32\dllcache\fpcount.exe
+ 2008-09-25 00:39 . 2008-04-14 00:12 109840 c:\windows\system32\dllcache\fp98swin.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 876653 c:\windows\system32\dllcache\fp4awel.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 102509 c:\windows\system32\dllcache\fp4atxt.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 147513 c:\windows\system32\dllcache\fp4apws.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 184435 c:\windows\system32\dllcache\fp4amsft.dll
+ 2004-08-04 12:00 . 2008-04-13 19:14 143744 c:\windows\system32\dllcache\fastfat.sys
+ 2004-08-04 12:00 . 2008-04-13 17:37 138752 c:\windows\system32\dllcache\dssenh.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 512512 c:\windows\system32\dllcache\cryptui.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 252928 c:\windows\system32\dllcache\compatui.dll
+ 2008-09-25 00:39 . 2008-04-14 00:12 188480 c:\windows\system32\dllcache\cfgwiz.exe
+ 2008-09-25 00:39 . 2008-04-14 00:11 233472 c:\windows\system32\dllcache\azroles.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 290816 c:\windows\system32\dllcache\adsiis51.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 116224 c:\windows\system32\dllcache\acxtrnal.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 245248 c:\windows\system32\dllcache\acspecfc.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 451072 c:\windows\system32\dllcache\aclayers.dll
+ 2008-09-25 00:39 . 2008-04-14 00:11 136192 c:\windows\system32\dllcache\aaclient.dll
+ 2009-07-15 18:34 . 2009-09-07 20:37 13620478 c:\windows\system32\ZoneLabs\spyware.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 00:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2009-06-01 447728]
"SpIDerGate"="c:\program files\DrWeb\spidergate.exe" [2009-07-04 1471728]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScreenArt.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ScreenArt.lnk
backup=c:\windows\pss\ScreenArt.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"56307:TCP"= 56307:TCP:Pando Media Booster
"56307:UDP"= 56307:UDP:Pando Media Booster

R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [9/7/2009 2:57 AM 103288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [8/27/2009 7:06 PM 869688]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 2:30 AM 204800]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/5/2009 10:23 AM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 2:54 PM 133104]
S2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [8/17/2009 5:47 PM 306464]
S2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [8/17/2009 5:47 PM 231328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-07 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\DrWeb32w.exe [2009-08-19 03:42]

2009-09-07 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2009-08-19 03:33]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-11 00:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
LSP: c:\program files\DrWeb\drwebsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\

[HKEY_USERS\S-1-5-21-515967899-1935655697-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\DrWeb\drwebsp.dll
.
Completion time: 2009-09-07 14:23
ComboFix-quarantined-files.txt 2009-09-07 21:23
ComboFix2.txt 2009-09-07 19:41

Pre-Run: 46,192,549,888 bytes free
Post-Run: 46,141,894,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

378 --- E O F --- 2009-09-02 05:42

After running ComboFix I had to go back into the cmd prompt and type C:\windows\system32\dllcache\explorer.exe

Edited by piperm, 07 September 2009 - 04:35 PM.


#12 myrti


Posted 07 September 2009 - 04:35 PM

Hi,

please run the following script to help repair your PC:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\system32\dllcache\explorer.exe | C:\windows\explorer.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Let me know if the desktop comes back after this.

regards _temp_



#13 piperm


Posted 07 September 2009 - 04:55 PM

ComboFix 09-09-06.06 - Administrator 09/07/2009 14:39.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.407 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 19:29 . 2009-09-07 19:41 -------- d-s---w- C:\combo-fun.exe
2009-09-07 10:15 . 2009-09-07 10:15 -------- d-----w- c:\program files\ESET
2009-09-07 09:57 . 2009-07-15 21:19 103288 ----a-w- c:\windows\system32\drivers\dwprot.sys
2009-09-07 09:57 . 2009-09-07 09:57 -------- d-----w- c:\program files\Common Files\Doctor Web
2009-09-07 09:56 . 2009-09-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-09-07 09:56 . 2009-09-07 21:27 -------- d-----w- c:\program files\DrWeb
2009-09-07 09:46 . 2009-09-07 20:33 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-09-07 09:25 . 2009-09-07 09:25 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-07 09:00 . 2009-09-07 09:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 05:19 . 2009-09-07 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Error Fix
2009-09-07 05:19 . 2009-09-07 09:04 -------- d-----w- c:\program files\Error Fix
2009-09-05 10:14 . 2009-09-05 11:11 -------- d-----w- c:\program files\Warcraft III
2009-09-05 07:26 . 2009-09-05 07:28 -------- d-----w- c:\program files\Warcraft ft
2009-09-05 07:25 . 2009-09-05 07:25 12507 ----a-w- c:\windows\W3DemoUnin.dat
2009-09-05 07:25 . 2009-09-05 07:25 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-09-05 07:25 . 2009-09-05 07:25 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-09-05 07:24 . 2009-09-06 04:42 -------- d-----w- c:\program files\Warcraft III Demo
2009-09-05 07:21 . 2009-09-05 07:21 -------- d-----w- c:\program files\PowerISO
2009-09-05 07:21 . 2009-09-07 04:25 -------- d--h--w- c:\windows\PIF
2009-09-05 06:25 . 2009-09-05 06:26 -------- d-----w- c:\program files\Ask.com
2009-09-04 07:57 . 2009-09-05 04:34 -------- d-----w- c:\program files\Empire Earth
2009-09-01 06:32 . 2009-09-01 07:22 -------- d-----w- c:\program files\Call of Duty 2
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 05:20 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 05:20 . 2009-08-31 05:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 01:29 . 2009-08-31 06:19 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-29 06:16 . 2009-09-05 07:05 85760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-21 19:03 . 2009-08-21 22:07 -------- d-----w- C:\my dvd
2009-08-21 19:01 . 2009-08-21 19:03 -------- d-----w- c:\program files\Easy DVD Creator
2009-08-19 00:56 . 2009-08-19 01:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2009-08-19 00:56 . 2009-08-19 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-08-19 00:55 . 2009-08-19 00:55 -------- d-----w- c:\program files\Pando Networks
2009-08-18 01:26 . 2005-03-12 01:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-18 01:26 . 2005-02-24 20:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-18 01:26 . 2005-02-24 19:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-18 01:26 . 2003-01-26 19:41 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-08-18 01:26 . 1999-03-26 01:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-08-18 01:26 . 1998-07-13 05:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-18 01:26 . 2000-10-02 01:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-18 01:26 . 1998-07-13 05:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-18 01:26 . 1998-07-13 01:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-18 01:26 . 2003-04-18 22:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-15 10:05 . 2009-08-15 10:06 -------- d-----w- C:\8145c87132468a33fa3c
2009-08-13 18:31 . 2009-08-13 18:46 -------- d-----w- c:\program files\Portable.Sarm.Resume.Builder.4.8
2009-08-12 19:55 . 2009-08-12 19:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-12 19:53 . 2009-08-12 19:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-12 19:36 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-12 09:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 03:05 . 2009-08-11 03:12 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 21:27 . 2009-04-05 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-07 20:31 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-07 20:31 . 2009-05-02 23:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-07 08:28 . 2009-07-15 18:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-07 05:39 . 2009-06-25 14:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 05:08 . 2009-06-26 01:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2009-09-07 04:21 . 2008-09-24 02:59 -------- d-----w- c:\program files\Lx_cats
2009-09-04 07:18 . 2009-07-22 03:14 -------- d-----w- c:\program files\Microsoft Games
2009-09-01 20:32 . 2009-07-22 03:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\GameRanger
2009-08-28 07:59 . 2008-03-11 21:10 25592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 15:58 . 2009-07-24 01:14 -------- d-----w- c:\program files\HJsplit
2009-08-19 01:53 . 2009-07-26 23:32 -------- d-----w- c:\program files\Fish Tycoon
2009-08-18 01:39 . 2009-07-25 16:57 -------- d-----w- c:\program files\BFG
2009-08-18 01:29 . 2008-03-11 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 22:58 . 2009-07-15 03:34 25 ----a-w- c:\windows\popcinfot.dat
2009-08-12 19:31 . 2009-04-30 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-12 15:05 . 2009-04-30 05:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:17 . 2009-07-16 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 15:38 . 2009-07-21 01:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-07-26 23:31 . 2009-07-26 23:31 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-26 22:10 . 2009-07-26 22:05 -------- d-----w- c:\program files\Cheat Engine
2009-07-25 17:18 . 2009-07-25 16:57 -------- d-----w- c:\program files\Virtual Villagers
2009-07-24 01:55 . 2009-07-24 01:55 -------- d-----w- c:\program files\Common Files\eSellerate
2009-07-24 00:02 . 2009-07-24 00:01 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-23 20:34 . 2009-07-23 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AweSEM
2009-07-20 22:38 . 2009-07-17 21:45 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-20 22:38 . 2009-07-17 20:40 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-18 22:06 . 2008-11-02 00:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-18 03:00 . 2009-06-25 14:08 -------- d-----w- c:\program files\Google
2009-07-17 20:59 . 2009-07-17 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software
2009-07-17 20:58 . 2009-07-17 20:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 20:58 . 2009-07-17 20:40 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-17 20:51 . 2009-07-16 16:59 -------- d-----w- c:\program files\StarCraft
2009-07-17 20:40 . 2009-07-17 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 18:22 . 2009-07-17 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-16 17:14 . 2009-07-16 16:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-16 15:41 . 2009-07-16 15:40 -------- d-----w- c:\program files\iTunes
2009-07-16 15:40 . 2009-07-16 15:40 -------- d-----w- c:\program files\iPod
2009-07-16 15:40 . 2008-12-25 16:34 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 01:10 . 2009-07-16 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-16 01:04 . 2009-06-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-15 18:33 . 2009-07-15 18:33 -------- d-----w- c:\program files\Zone Labs
2009-07-15 18:24 . 2009-07-15 18:23 -------- d-----w- c:\program files\Symantec
2009-07-15 18:24 . 2009-07-15 18:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-15 18:23 . 2009-07-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 18:22 . 2009-07-15 18:22 -------- d-----w- c:\program files\Symantec_Client_Security
2009-07-15 18:21 . 2009-07-15 18:24 83672 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-15 18:21 . 2009-07-15 18:24 73224 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-15 00:10 . 2009-07-15 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-03-11 19:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-09-07_21.20.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 00:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2009-06-01 447728]
"SpIDerGate"="c:\program files\DrWeb\spidergate.exe" [2009-07-04 1471728]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScreenArt.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ScreenArt.lnk
backup=c:\windows\pss\ScreenArt.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"56307:TCP"= 56307:TCP:Pando Media Booster
"56307:UDP"= 56307:UDP:Pando Media Booster

R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [9/7/2009 2:57 AM 103288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [8/27/2009 7:06 PM 869688]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 2:30 AM 204800]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 2:54 PM 133104]
S2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [8/17/2009 5:47 PM 306464]
S2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [8/17/2009 5:47 PM 231328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-07 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\DrWeb32w.exe [2009-08-19 03:42]

2009-09-07 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2009-08-19 03:33]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 21:54]

2009-09-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-11 00:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
LSP: c:\program files\DrWeb\drwebsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 14:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,fc,e6,1a,73,42,27,4e,83,31,fa,\

[HKEY_USERS\S-1-5-21-515967899-1935655697-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,e6,73,3b,ec,fc,4f,41,a2,54,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\DrWeb\drwebsp.dll
.
Completion time: 2009-09-07 14:52
ComboFix-quarantined-files.txt 2009-09-07 21:52
ComboFix2.txt 2009-09-07 21:23
ComboFix3.txt 2009-09-07 19:41

Pre-Run: 46,157,094,912 bytes free
Post-Run: 46,116,192,256 bytes free

321 --- E O F --- 2009-09-02 05:42


Desktop came back!! And the start menu bar came back to its original color instead of cream color! Thank you _temp_!!

#14 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 07 September 2009 - 05:02 PM

Hi,

Glad to hear that your Desktop is back and running! :(

It looks as if you were running two resident anti virus programs.
While you can use different online scanners on one PC, I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either DrWeb or Norton.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Please post back the log from Malwarebytes, as well as a new DDS log (please also provide the attach.txt from DDS).

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#15 piperm

  • Topic Starter
  • Members
  • 21 posts

Posted 07 September 2009 - 05:36 PM

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 15:32:01.64 on Mon 09/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.271 [GMT -7:00]

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickCare2.2] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare2.2
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SpIDerGate] "c:\program files\drweb\spidergate.exe" -autorun
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Scan link by Dr.Web
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-15 365448]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-7 38160]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090907.002\NAVENG.sys [2009-9-7 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090907.002\NAVEX15.sys [2009-9-7 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-17 133104]

=============== Created Last 30 ================

2009-09-07 15:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 15:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-07 15:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 14:05 <DIR> a-dshr-- C:\cmdcons
2009-09-07 12:29 <DIR> --ds---- C:\combo-fun.exe
2009-09-07 11:42 230,912 a------- c:\windows\PEV.exe
2009-09-07 11:42 161,792 a------- c:\windows\SWREG.exe
2009-09-07 11:42 98,816 a------- c:\windows\sed.exe
2009-09-07 02:56 <DIR> --d----- c:\program files\DrWeb
2009-09-07 02:46 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-09-07 02:25 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-09-07 02:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-07 02:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-07 02:00 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-09-06 22:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\Error Fix
2009-09-06 22:19 <DIR> --d----- c:\program files\Error Fix
2009-09-05 00:26 <DIR> --d----- c:\program files\Warcraft ft
2009-09-05 00:25 126,976 a------- c:\windows\W3DemoUnin.exe
2009-09-05 00:25 12,507 a------- c:\windows\W3DemoUnin.dat
2009-09-05 00:25 2,829 a------- c:\windows\W3DemoUnin.pif
2009-09-05 00:24 <DIR> --d----- c:\program files\Warcraft III Demo
2009-09-05 00:21 <DIR> --d----- c:\program files\PowerISO
2009-09-05 00:21 <DIR> --d-h--- c:\windows\PIF
2009-09-04 23:25 <DIR> --d----- c:\program files\Ask.com
2009-09-04 00:57 <DIR> --d----- c:\program files\Empire Earth
2009-08-31 23:32 <DIR> --d----- c:\program files\Call of Duty 2
2009-08-30 22:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-30 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-30 18:29 <DIR> --d----- c:\program files\common files\Uninstall
2009-08-21 12:03 <DIR> --d----- C:\my dvd
2009-08-21 12:02 67 a------- c:\windows\Easy DVD Creator.INI
2009-08-21 12:01 <DIR> --d----- c:\program files\Easy DVD Creator
2009-08-18 17:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-08-18 17:55 204 a------- C:\Plugins
2009-08-18 17:55 <DIR> --d----- c:\program files\Pando Networks
2009-08-15 03:23 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-15 03:05 <DIR> --d----- C:\8145c87132468a33fa3c
2009-08-13 11:31 <DIR> --d----- c:\program files\Portable.Sarm.Resume.Builder.4.8
2009-08-12 12:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-12 12:36 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-12 02:34 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 02:34 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:05 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-09-07 15:13 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-07 15:13 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-09-07 01:28 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-24 14:09 25,592 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-26 19:43 58,908 a------- c:\windows\system32\drivers\scdemu.sys
2009-07-20 15:38 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-20 15:38 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-07-17 13:58 2,373,712 a------- c:\windows\system32\pbsvc.exe
2009-07-17 13:58 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 11:21 83,672 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-15 11:21 73,224 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 15:33:02.59 ===============


Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

9/7/2009 3:36:07 PM
mbam-log-2009-09-07 (15-36-07).txt

Scan type: Quick Scan
Objects scanned: 92057
Time elapsed: 14 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)
