gasfky Rootkit on board


This topic is locked. 27 replies to this topic.

#1 crusincuz (Members, 26 posts)

Posted 18 September 2009 - 02:01 PM

My Firefox and IE browsers get redirected to a different website than that specified in a link that I clicked on. Scans of my Windows XP computer with Malwarebytes' Anti-Malware and SUPERAntiSpyware resulted in a few infections that are removed, but they keep coming back after I reboot the computer. Some of the malware/files present are Rootkit.TDss, Trojan.Agent, dll.dll, The and Trojan.Dropper/Gen-NV.

I'd appreciate help on resolving this issue. Here are my log files:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Toby Choy at 11:49:38.42 on 09/18/09
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.790 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 090917-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\Vinade\Reminder\Reminder.exe
C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\GridVista\GridVistaU.exe
C:\Program Files\SyncBack\SyncBack.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Thunderbird 3 Beta 1\thunderbird.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\Toby Choy\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ebay.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Taskman=c:\recycler\s-1-5-21-0269167821-0828106831-719528405-0919\msimfo32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7C7A8947-5935-4430-AC0E-E7D04697414E} - No File
BHO: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - NOW!Imaging
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: metaspinner GmbH: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - c:\progra~1\pricep~1\pricep~1\IEBUTT~2.DLL
BHO: metaspinner GmbH: {e9e027bf-c3f3-4022-8f6b-8f6d39a59684} - c:\progra~1\pricep~1\pricep~1\IEBUTT~1.DLL
TB: NVRIEbar.IEbar: {bcbf738c-4891-4b9a-959a-c6bf7f608c3a} - c:\program files\naturalsoft\naturalreader\NVRIEBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {D79559E8-9991-41C5-AA2B-A96EC766F43F} - No File
TB: {335F0F8C-A84A-4A83-8F7D-F98462C32492} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [pdfSaver3] "c:\program files\pdf\pdfsaver\pdfSaver3.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Vinade Reminder] c:\program files\vinade\reminder\Reminder.exe
uRun: [WinMem] c:\program files\wincleaner memory optimizer\WinMemOpt.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\gridvi~1.lnk - c:\program files\gridvista\GridVistaU.exe
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\syncback.lnk - c:\program files\syncback\SyncBack.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega quiksync 3\quiksync3.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech SetPoint.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE:
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Add to AMV Converter... - c:\program files\diablotek mp3 player utilities 4.09\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\diablotek mp3 player utilities 4.09\mediamanager\grab.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: eBay - Home Page - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: eBay - My eBay - c:\program files\pricepirates\pricepirates\SearchEbaymein.htm
IE: eBay - Powersearch - c:\program files\pricepirates\pricepirates\SearchEbaypower.htm
IE: eBay - Start Search - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google - Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: Google - Start Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {350F4DA2-3886-4BB8-A1A8-D7F57B56DFFF} - c:\program files\pricepirates\pricepirates\preispiraten3ie.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7204861111
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tobych~1\applic~1\mozilla\firefox\profiles\bolkzr6u.default
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-12 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-2-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2006-6-9 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-15 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-5-12 147640]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 MSSQL$AUCTIONI;SQL Server (AUCTIONI);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-5-12 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-5-12 348344]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-09-18 10:06 <DIR> --ds---- C:\ComboFix
2009-09-18 09:16 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-18 08:59 <DIR> --d----- c:\windows\ERUNT
2009-09-17 20:38 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-16 16:20 <DIR> --d-h--- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2009-09-16 01:59 <DIR> a-dshr-- C:\cmdcons
2009-09-16 01:57 389,120 a------- c:\windows\system32\CF13744.exe
2009-09-10 23:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-10 17:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-10 17:09 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-09 03:36 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-18 09:41 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-09-18 09:40 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-18 09:40 56,680 a------- c:\windows\system32\rpcnet.dll
2009-09-18 09:38 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-18 09:38 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 09:21 81,208 a------- c:\docume~1\tobych~1\applic~1\GDIPFONTCACHEV1.DAT
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
1758-07-03 19:09 4,263 ---sh--- c:windowswindllreg1c.sys
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 11:55:07.26 ===============

Attached Files: attach.txt, ark.txt
Edited by The weatherman, 18 September 2009 - 06:09 PM.
Merged posts.~Tw



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 05 October 2009 - 10:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 crusincuz (Topic Starter, Members, 26 posts)

Posted 06 October 2009 - 01:11 AM

Hello, thank you for responding. My Firefox and IE browsers still get redirected intermittently to a different website other than the intended link I click on in a Google search results page. I no longer get any malware or viruses appearing in an anti-malware or virus scan, but there must still be malware present due to the unexpected behavior of the internet browser.




DDS (Ver_09-09-29.01) - NTFSx86
Run by Toby Choy at 23:04:28.85 on 10/05/09
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.816 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 091005-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Vinade\Reminder\Reminder.exe
C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\GridVista\GridVistaU.exe
C:\Program Files\SyncBack\SyncBack.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Toby Choy\My Documents\Downloads\dds(4).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ebay.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7C7A8947-5935-4430-AC0E-E7D04697414E} - No File
BHO: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - NOW!Imaging
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: metaspinner GmbH: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - c:\progra~1\pricep~1\pricep~1\IEBUTT~2.DLL
BHO: metaspinner GmbH: {e9e027bf-c3f3-4022-8f6b-8f6d39a59684} - c:\progra~1\pricep~1\pricep~1\IEBUTT~1.DLL
TB: NVRIEbar.IEbar: {bcbf738c-4891-4b9a-959a-c6bf7f608c3a} - c:\program files\naturalsoft\naturalreader\NVRIEBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {D79559E8-9991-41C5-AA2B-A96EC766F43F} - No File
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {335F0F8C-A84A-4A83-8F7D-F98462C32492} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [pdfSaver3] "c:\program files\pdf\pdfsaver\pdfSaver3.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Vinade Reminder] c:\program files\vinade\reminder\Reminder.exe
uRun: [WinMem] c:\program files\wincleaner memory optimizer\WinMemOpt.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Dgesijegohew] rundll32.exe "c:\windows\efisodamape.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\gridvi~1.lnk - c:\program files\gridvista\GridVistaU.exe
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\syncback.lnk - c:\program files\syncback\SyncBack.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega quiksync 3\quiksync3.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech SetPoint.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE:
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Add to AMV Converter... - c:\program files\diablotek mp3 player utilities 4.09\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\diablotek mp3 player utilities 4.09\mediamanager\grab.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: eBay - Home Page - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: eBay - My eBay - c:\program files\pricepirates\pricepirates\SearchEbaymein.htm
IE: eBay - Powersearch - c:\program files\pricepirates\pricepirates\SearchEbaypower.htm
IE: eBay - Start Search - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google - Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: Google - Start Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {350F4DA2-3886-4BB8-A1A8-D7F57B56DFFF} - c:\program files\pricepirates\pricepirates\preispiraten3ie.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7204861111
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tobych~1\applic~1\mozilla\firefox\profiles\bolkzr6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} - c:\documents and settings\toby choy\local settings\application data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-12 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-2-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2006-6-9 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-15 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-25 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-5-12 147640]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 MSSQL$AUCTIONI;SQL Server (AUCTIONI);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-5-12 348344]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-5-12 250040]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-09-25 11:30 <DIR> --d----- c:\program files\AskBarDis
2009-09-23 19:20 120 a------- c:\windows\Wnuqanerulatoqez.dat
2009-09-23 19:20 0 a------- c:\windows\Xmaledes.bin
2009-09-18 10:06 <DIR> --ds---- C:\ComboFix
2009-09-18 09:16 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-18 08:59 <DIR> --d----- c:\windows\ERUNT
2009-09-17 20:38 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-16 16:20 <DIR> --d-h--- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2009-09-16 01:59 <DIR> a-dshr-- C:\cmdcons
2009-09-16 01:57 389,120 a------- c:\windows\system32\CF13744.exe
2009-09-10 23:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-10 17:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-10 17:09 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-09 03:36 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-05 09:13 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-10-05 09:13 56,680 a------- c:\windows\system32\rpcnet.dll
2009-10-05 09:13 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-05 09:13 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-10-02 08:37 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-25 11:29 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 09:21 81,208 a------- c:\docume~1\tobych~1\applic~1\GDIPFONTCACHEV1.DAT
1758-07-03 19:09 4,263 ---sh--- c:\windows\windllreg1c.sys
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 23:07:43.93 ===============

Edited by crusincuz, 06 October 2009 - 01:14 AM.
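
The entries in the DDS log above that a malware responder would circle first are the rundll32 Run-key entry loading a random-named DLL from the Windows root, the file stamped 1758 with system+hidden attributes, the hidden Firefox extension living in a per-user GUID directory, and the driver backed by a .tmp file. The script below is an added example written for this thread (it is not DDS, ComboFix, or anything the posters ran) that turns those observations into triage rules and runs them over lines copied from the logs in this thread. It also goes one step beyond the DDS log: the ComboFix output later in the thread lists `c:\recycler\S-1-5-21-...` directories whose SID sub-authorities have leading zeros or exceed 32 bits, which no real Windows SID can have, so a rule for that is included, with one constructed, plausibly legitimate recycler path for contrast. Every rule is this example's own assumption and produces a "look at this" flag, not a malware verdict.

```python
"""Triage heuristics for DDS / ComboFix style log lines (added example).

Sample lines are copied from the logs in this thread, except the last
recycler path, which is constructed to look legitimate. The rules are
assumptions of this example, not output of DDS or ComboFix.
"""
import re
from dataclasses import dataclass
from typing import List

SCAN_YEAR = 2009  # year the DDS log in this thread was produced

SAMPLE_LOG = r'''
mRun: [Dgesijegohew] rundll32.exe "c:\windows\efisodamape.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-12 78416]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
FF - HiddenExtension: XULRunner: {FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} - c:\documents and settings\toby choy\local settings\application data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}
1758-07-03 19:09 4,263 ---sh--- c:\windows\windllreg1c.sys
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-09-10 17:09 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
c:\recycler\S-1-5-21-0269167821-0828106831-719528405-0919
c:\recycler\S-1-5-21-1234567890-1234567890-1234567890-1001
'''

RUN_RE = re.compile(r'^[mu]Run: \[[^\]]*\]\s+"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)
DRIVER_RE = re.compile(r'^[RS][0-3] [^;]+;[^;]*;(.+?)(?: -->| \[|$)', re.I)
HIDDEN_EXT_RE = re.compile(r'^FF - HiddenExtension: .*?(\{[0-9a-f-]{36}\}) - (.+)$', re.I)
FILE_RE = re.compile(r'^(\d{4})-\d\d-\d\d \d\d:\d\d\s+\S+\s+([a-z-]{8})\s+(.+)$', re.I)
RECYCLER_RE = re.compile(r'^[a-z]:\\recycler\\S-1-5-21-([\d-]+)$', re.I)
WINROOT_DLL_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.dll$', re.I)
WINDIR_RE = re.compile(r'^[a-z]:\\windows\\', re.I)


@dataclass
class Finding:
    rule: str   # why the line was flagged
    line: str   # the offending log line, verbatim


def triage(log_text: str, scan_year: int = SCAN_YEAR) -> List[Finding]:
    """Return one Finding per log line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # rundll32 loading a DLL that sits directly in %windir%: vendors
            # install into system32 or Program Files, droppers into the root.
            if WINROOT_DLL_RE.match(m.group(1).strip()):
                findings.append(Finding("rundll32 autorun loads a DLL from the Windows root", line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            # Kernel driver backed by a .tmp image. Some anti-rootkit scanners
            # do this legitimately, so this hit must be confirmed by hand.
            if m.group(1).lower().endswith(".tmp"):
                findings.append(Finding("driver image is a .tmp file; confirm which tool created it", line))
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            guid, path = m.group(1).lower(), m.group(2).lower()
            if guid in path and r"local settings\application data" in path:
                findings.append(Finding("hidden Firefox extension installed from a per-user GUID directory", line))
            continue
        m = FILE_RE.match(line)
        if m:
            year, attrs, path = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
            if year < 1995 or year > scan_year:
                findings.append(Finding(f"implausible file timestamp ({year})", line))
            elif "s" in attrs and "h" in attrs and "d" not in attrs and WINDIR_RE.match(path):
                findings.append(Finding("system+hidden file under %windir%", line))
            continue
        m = RECYCLER_RE.match(line)
        if m:
            # SID sub-authorities are unsigned 32-bit and never zero-padded.
            subs = m.group(1).split("-")
            bad = [s for s in subs if (len(s) > 1 and s[0] == "0") or int(s) > 0xFFFFFFFF]
            if bad:
                findings.append(Finding(f"recycler directory named with an impossible SID (sub-authority {bad[0]})", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}]\n    {f.line}")
```

Run it as-is and it reports six lines: the efisodamape.dll autorun, the 3.tmp driver, the GUID-directory Firefox extension, the 1758-dated windllreg1c.sys, the system+hidden flvDX.dll, and the zero-padded recycler SID; the ZoneAlarm autorun, the avast driver, atl.dll, the hidden directory and the constructed recycler path pass. Each flag is a starting point for checking the file's hash, signer and creator, not a removal decision.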


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 October 2009 - 06:55 PM

Hello crusincuz :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please go to the following page and follow the instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 crusincuz

crusincuz
  • Topic Starter
  • Members
  • 26 posts

Posted 12 October 2009 - 05:11 PM

Okay, here is the ComboFix log. Thanks for responding. I'm glad we could get things moving on this issue.

ComboFix 09-10-11.03 - Toby Choy 10/12/09 14:40.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.844 [GMT -7:00]
Running from: c:\documents and settings\Toby Choy\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 091011-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-0269167821-0828106831-719528405-0919
c:\recycler\S-1-5-21-1273694717-6085580394-601555833-3308
c:\recycler\S-1-5-21-1922247769-4265059636-260867472-5714
c:\recycler\S-1-5-21-2673411859-5056042451-495559018-7043
c:\recycler\S-1-5-21-4712866966-8360000591-078171138-5912
c:\recycler\S-1-5-21-5059715269-4357454048-442708741-9884
c:\recycler\S-1-5-21-6810723584-2613473069-340843234-6532
c:\recycler\S-1-5-21-9417827331-1599631491-086164160-0312
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\efisodamape.dll
c:\windows\Installer\10122b8.msp
c:\windows\Installer\104248e.msp
c:\windows\Installer\109f9d.msp
c:\windows\Installer\10a07a3.msp
c:\windows\Installer\10af927.msp
c:\windows\Installer\10b940.msp
c:\windows\Installer\10baad3.msp
c:\windows\Installer\10f9ac3.msp
c:\windows\Installer\1154bda.msp
c:\windows\Installer\1154bde.msp
c:\windows\Installer\1167bf.msp
c:\windows\Installer\11755c.msp
c:\windows\Installer\1181b0.msp
c:\windows\Installer\11f781.msp
c:\windows\Installer\120dfd7.msp
c:\windows\Installer\1242483.msp
c:\windows\Installer\1242487.msp
c:\windows\Installer\1248f8.msp
c:\windows\Installer\125154.msp
c:\windows\Installer\127e3fc.msp
c:\windows\Installer\128a095.msp
c:\windows\Installer\1298c8b.msp
c:\windows\Installer\12a65a.msp
c:\windows\Installer\12a65e.msp
c:\windows\Installer\12c367.msp
c:\windows\Installer\12c36b.msp
c:\windows\Installer\12df748.msp
c:\windows\Installer\12e2b7.msp
c:\windows\Installer\12ec854.msp
c:\windows\Installer\12ec858.msp
c:\windows\Installer\12fe3e.msp
c:\windows\Installer\12fe42.msp
c:\windows\Installer\130458.msp
c:\windows\Installer\1337d39.msp
c:\windows\Installer\138d42a.msp
c:\windows\Installer\13925a6.msp
c:\windows\Installer\13925aa.msp
c:\windows\Installer\13935d2.msp
c:\windows\Installer\13b3e2.msp
c:\windows\Installer\13c5f07.msp
c:\windows\Installer\13c7d7.msp
c:\windows\Installer\13cdd4f.msp
c:\windows\Installer\13e7302.msp
c:\windows\Installer\13e7306.msp
c:\windows\Installer\140463.msp
c:\windows\Installer\144a84.msp
c:\windows\Installer\1474b89.msp
c:\windows\Installer\147e18.msp
c:\windows\Installer\14d8db5.msp
c:\windows\Installer\14e91b8.msp
c:\windows\Installer\14fe15.msp
c:\windows\Installer\1517d76.msp
c:\windows\Installer\152dbcd.msp
c:\windows\Installer\1530260.msp
c:\windows\Installer\153ac0.msp
c:\windows\Installer\154715.msp
c:\windows\Installer\1550d05.msp
c:\windows\Installer\15549cf.msp
c:\windows\Installer\1562a3d.msp
c:\windows\Installer\1581c77.msp
c:\windows\Installer\1585a3c.msp
c:\windows\Installer\159208.msp
c:\windows\Installer\159cc98.msp
c:\windows\Installer\15d098.msp
c:\windows\Installer\15fe96a.msp
c:\windows\Installer\160e30c.msp
c:\windows\Installer\162d3f.msp
c:\windows\Installer\1635777.msp
c:\windows\Installer\166cecc.msp
c:\windows\Installer\16861d.msp
c:\windows\Installer\168621.msp
c:\windows\Installer\16926f4.msp
c:\windows\Installer\16cc2e.msp
c:\windows\Installer\16d6fc.msp
c:\windows\Installer\16d700.msp
c:\windows\Installer\17418d.msp
c:\windows\Installer\17531b8.msp
c:\windows\Installer\175ca6.msp
c:\windows\Installer\175caa.msp
c:\windows\Installer\1761c7.msp
c:\windows\Installer\1762ddb.msp
c:\windows\Installer\17c47de.msp
c:\windows\Installer\17fc2eb.msp
c:\windows\Installer\1817c9.msp
c:\windows\Installer\1834461.msp
c:\windows\Installer\1841359.msp
c:\windows\Installer\187896.msp
c:\windows\Installer\18a9761.msp
c:\windows\Installer\18d0b8.msp
c:\windows\Installer\18d3cee.msp
c:\windows\Installer\18e250c.msp
c:\windows\Installer\195a055.msp
c:\windows\Installer\19604cb.msp
c:\windows\Installer\1976eb.msp
c:\windows\Installer\198d89c.msp
c:\windows\Installer\199967.msp
c:\windows\Installer\19d7ca9.msp
c:\windows\Installer\19d7cad.msp
c:\windows\Installer\19f4747.msp
c:\windows\Installer\1a04a6f.msp
c:\windows\Installer\1a1698b.msp
c:\windows\Installer\1a7f43.msp
c:\windows\Installer\1aac20.msp
c:\windows\Installer\1ab1659.msp
c:\windows\Installer\1ab56dd.msp
c:\windows\Installer\1acef01.msp
c:\windows\Installer\1ad6e9.msp
c:\windows\Installer\1ae00b0.msp
c:\windows\Installer\1b52c0.msp
c:\windows\Installer\1b76e91.msp
c:\windows\Installer\1b78aa4.msp
c:\windows\Installer\1b88dbd.msp
c:\windows\Installer\1b8af6.msp
c:\windows\Installer\1b8afa.msp
c:\windows\Installer\1b940f.msp
c:\windows\Installer\1b9df91.msp
c:\windows\Installer\1bd178a.msp
c:\windows\Installer\1be5d1a.msp
c:\windows\Installer\1befe2d.msp
c:\windows\Installer\1c232fa.msp
c:\windows\Installer\1c2da94.msp
c:\windows\Installer\1c2da98.msp
c:\windows\Installer\1c387c.msp
c:\windows\Installer\1c5a06b.msp
c:\windows\Installer\1c72015.msp
c:\windows\Installer\1caabe.msp
c:\windows\Installer\1ceca9.msp
c:\windows\Installer\1d005ea.msp
c:\windows\Installer\1d33009.msp
c:\windows\Installer\1d33662.msp
c:\windows\Installer\1d5f3bd.msp
c:\windows\Installer\1d810a.msp
c:\windows\Installer\1d810e.msp
c:\windows\Installer\1d89831.msp
c:\windows\Installer\1e1d379.msp
c:\windows\Installer\1e1db1a.msp
c:\windows\Installer\1e47741.msp
c:\windows\Installer\1e47938.msp
c:\windows\Installer\1e47afa.msp
c:\windows\Installer\1e47cad.msp
c:\windows\Installer\1e47e66.msp
c:\windows\Installer\1e4801b.msp
c:\windows\Installer\1e481d1.msp
c:\windows\Installer\1e483a6.msp
c:\windows\Installer\1e4855e.msp
c:\windows\Installer\1e48714.msp
c:\windows\Installer\1e564b.msp
c:\windows\Installer\1e5765.msp
c:\windows\Installer\1e5c145.msp
c:\windows\Installer\1e5c149.msp
c:\windows\Installer\1e6424c.msp
c:\windows\Installer\1e658e2.msp
c:\windows\Installer\1e6e87.msp
c:\windows\Installer\1e750e.msp
c:\windows\Installer\1eb7fab.msp
c:\windows\Installer\1ebb32e.msp
c:\windows\Installer\1eceaa5.msp
c:\windows\Installer\1ee9db4.msp
c:\windows\Installer\1f1035.msp
c:\windows\Installer\1f74bc.msp
c:\windows\Installer\1fae0b.msp
c:\windows\Installer\1fb779f.msp
c:\windows\Installer\1fb7935.msp
c:\windows\Installer\1fd355c.msp
c:\windows\Installer\1ffc03d.msp
c:\windows\Installer\20082d1.msp
c:\windows\Installer\20314f6.msp
c:\windows\Installer\203304e.msp
c:\windows\Installer\2062c19.msp
c:\windows\Installer\20931b8.msp
c:\windows\Installer\2117e4b.msp
c:\windows\Installer\2117e4f.msp
c:\windows\Installer\212a6ec.msp
c:\windows\Installer\216c9b3.msp
c:\windows\Installer\216c9b7.msp
c:\windows\Installer\216e9ed.msp
c:\windows\Installer\219171.msp
c:\windows\Installer\21c7164.msp
c:\windows\Installer\220910e.msp
c:\windows\Installer\2209112.msp
c:\windows\Installer\220ae7.msp
c:\windows\Installer\220aeb.msp
c:\windows\Installer\221b91.msp
c:\windows\Installer\221b95.msp
c:\windows\Installer\2229318.msp
c:\windows\Installer\22447fc.msp
c:\windows\Installer\2264cf.msp
c:\windows\Installer\22827fd.msp
c:\windows\Installer\2282801.msp
c:\windows\Installer\2388d41.msp
c:\windows\Installer\239bc8.msp
c:\windows\Installer\23d20b.msp
c:\windows\Installer\23d353.msp
c:\windows\Installer\23da313.msp
c:\windows\Installer\23da317.msp
c:\windows\Installer\23dc5ae.msp
c:\windows\Installer\23f8ad.msp
c:\windows\Installer\242809e.msp
c:\windows\Installer\2430abd.msp
c:\windows\Installer\246a71e.msp
c:\windows\Installer\24ac3e.msp
c:\windows\Installer\250d2b.msp
c:\windows\Installer\2510fca.msp
c:\windows\Installer\252b80.msp
c:\windows\Installer\257f105.msp
c:\windows\Installer\2588391.msp
c:\windows\Installer\25b369b.msp
c:\windows\Installer\25dad39.msp
c:\windows\Installer\25dad3d.msp
c:\windows\Installer\25f1be.msp
c:\windows\Installer\26457c.msp
c:\windows\Installer\26500b.msp
c:\windows\Installer\266c096.msp
c:\windows\Installer\266c09a.msp
c:\windows\Installer\26797ac.msp
c:\windows\Installer\2687e05.msp
c:\windows\Installer\26c579.msp
c:\windows\Installer\26ec959.msp
c:\windows\Installer\2710cd1.msp
c:\windows\Installer\274894.msp
c:\windows\Installer\274898.msp
c:\windows\Installer\275e00c.msp
c:\windows\Installer\276ef8.msp
c:\windows\Installer\276efc.msp
c:\windows\Installer\27c69e.msp
c:\windows\Installer\280c1d0.msp
c:\windows\Installer\280c1d4.msp
c:\windows\Installer\2848149.msp
c:\windows\Installer\285987.msp
c:\windows\Installer\28598b.msp
c:\windows\Installer\2860bf0.msp
c:\windows\Installer\28723f.msp
c:\windows\Installer\289298.msp
c:\windows\Installer\28abf00.msp
c:\windows\Installer\291517.msp
c:\windows\Installer\293457.msp
c:\windows\Installer\293582c.msp
c:\windows\Installer\293d694.msp
c:\windows\Installer\298ec17.msp
c:\windows\Installer\298ec1b.msp
c:\windows\Installer\29e5f6a.msp
c:\windows\Installer\2a031f8.msp
c:\windows\Installer\2a304cf.msp
c:\windows\Installer\2ae67b.msp
c:\windows\Installer\2b07184.msp
c:\windows\Installer\2b07188.msp
c:\windows\Installer\2b275b0.msp
c:\windows\Installer\2b2e68b.msp
c:\windows\Installer\2b2e68f.msp
c:\windows\Installer\2b3576.msp
c:\windows\Installer\2b357a.msp
c:\windows\Installer\2b446e6.msp
c:\windows\Installer\2b446ea.msp
c:\windows\Installer\2b45c81.msp
c:\windows\Installer\2b7b7b2.msp
c:\windows\Installer\2ba71c.msp
c:\windows\Installer\2bca693.msp
c:\windows\Installer\2bda61.msp
c:\windows\Installer\2bf0c97.msp
c:\windows\Installer\2bf1cf2.msp
c:\windows\Installer\2c215ef.msp
c:\windows\Installer\2c309f.msp
c:\windows\Installer\2c69db9.msp
c:\windows\Installer\2c6c02.msp
c:\windows\Installer\2c8026.msp
c:\windows\Installer\2ccb55b.msp
c:\windows\Installer\2ccb55f.msp
c:\windows\Installer\2cf7c7.msp
c:\windows\Installer\2cf91f.msp
c:\windows\Installer\2d0301a.msp
c:\windows\Installer\2d08d5d.msp
c:\windows\Installer\2d0dd71.msp
c:\windows\Installer\2d21555.msp
c:\windows\Installer\2d32a9d.msp
c:\windows\Installer\2d32aa1.msp
c:\windows\Installer\2d38d.msi
c:\windows\Installer\2d6b441.msp
c:\windows\Installer\2d97073.msp
c:\windows\Installer\2dc71cc.msp
c:\windows\Installer\2dca4a.msp
c:\windows\Installer\2deca62.msp
c:\windows\Installer\2df6f7c.msp
c:\windows\Installer\2e1f3b5.msp
c:\windows\Installer\2e226ac.msp
c:\windows\Installer\2e24fd0.msp
c:\windows\Installer\2e5290f.msp
c:\windows\Installer\2e930cc.msp
c:\windows\Installer\2e9e806.msp
c:\windows\Installer\2e9e80a.msp
c:\windows\Installer\2eae775.msp
c:\windows\Installer\2eded7.msp
c:\windows\Installer\2eec071.msp
c:\windows\Installer\2f14dd3.msp
c:\windows\Installer\2f8d7e1.msp
c:\windows\Installer\2f9b03.msp
c:\windows\Installer\2f9f1bd.msp
c:\windows\Installer\2fc04ed.msp
c:\windows\Installer\2fdef58.msp
c:\windows\Installer\2fdef5c.msp
c:\windows\Installer\3045ba.msp
c:\windows\Installer\304b078.msp
c:\windows\Installer\30573a9.msp
c:\windows\Installer\30a09b.msp
c:\windows\Installer\30b3607.msp
c:\windows\Installer\30cb081.msp
c:\windows\Installer\30cb085.msp
c:\windows\Installer\30d2a26.msp
c:\windows\Installer\30eb346.msp
c:\windows\Installer\30ee1d8.msp
c:\windows\Installer\30ee1dc.msp
c:\windows\Installer\30effa1.msp
c:\windows\Installer\3139ead.msp
c:\windows\Installer\31494d4.msp
c:\windows\Installer\3156b10.msp
c:\windows\Installer\3156b14.msp
c:\windows\Installer\3166faf.msp
c:\windows\Installer\31aa310.msp
c:\windows\Installer\31d7470.msp
c:\windows\Installer\320943.msp
c:\windows\Installer\3217a96.msp
c:\windows\Installer\321f9b9.msp
c:\windows\Installer\3228233.msp
c:\windows\Installer\322958c.msp
c:\windows\Installer\323e7ce.msp
c:\windows\Installer\323e7d2.msp
c:\windows\Installer\3245e55.msp
c:\windows\Installer\325aa00.msp
c:\windows\Installer\32816e9.msp
c:\windows\Installer\329929c.msp
c:\windows\Installer\32c3ab9.msp
c:\windows\Installer\32c9433.msp
c:\windows\Installer\32e0ac6.msp
c:\windows\Installer\32f3869.msp
c:\windows\Installer\330d5ae.msp
c:\windows\Installer\3310e0.msp
c:\windows\Installer\3320e3d.msp
c:\windows\Installer\3320e41.msp
c:\windows\Installer\33217c3.msp
c:\windows\Installer\33217c7.msp
c:\windows\Installer\3335004.msp
c:\windows\Installer\334b1d6.msp
c:\windows\Installer\334b1da.msp
c:\windows\Installer\337e934.msp
c:\windows\Installer\3397310.msp
c:\windows\Installer\33b2dfe.msp
c:\windows\Installer\33c382b.msp
c:\windows\Installer\33c7515.msp
c:\windows\Installer\33cbc9d.msp
c:\windows\Installer\33da538.msp
c:\windows\Installer\33daf2b.msp
c:\windows\Installer\33e0682.msp
c:\windows\Installer\33e4011.msp
c:\windows\Installer\33f358d.msp
c:\windows\Installer\33f3591.msp
c:\windows\Installer\3408648.msp
c:\windows\Installer\340864c.msp
c:\windows\Installer\340b2b7.msp
c:\windows\Installer\341020f.msp
c:\windows\Installer\3410213.msp
c:\windows\Installer\3424398.msp
c:\windows\Installer\342439c.msp
c:\windows\Installer\343039c.msp
c:\windows\Installer\3462dda.msp
c:\windows\Installer\3477955.msp
c:\windows\Installer\3477959.msp
c:\windows\Installer\347f636.msp
c:\windows\Installer\3485fbe.msp
c:\windows\Installer\34a9b75.msp
c:\windows\Installer\34cbc22.msp
c:\windows\Installer\34d93c.msp
c:\windows\Installer\34df66.msp
c:\windows\Installer\34e605d.msp
c:\windows\Installer\3508243.msp
c:\windows\Installer\3564617.msp
c:\windows\Installer\3568841.msp
c:\windows\Installer\356f2d2.msp
c:\windows\Installer\3572730.msp
c:\windows\Installer\3572734.msp
c:\windows\Installer\3593e1a.msp
c:\windows\Installer\359862f.msp
c:\windows\Installer\35c43c8.msp
c:\windows\Installer\35c6a2c.msp
c:\windows\Installer\35c8fc5.msp
c:\windows\Installer\35dbbe1.msp
c:\windows\Installer\35e7b1a.msp
c:\windows\Installer\3624f15.msp
c:\windows\Installer\3626964.msp
c:\windows\Installer\3632e5a.msp
c:\windows\Installer\3632e5e.msp
c:\windows\Installer\3638a64.msp
c:\windows\Installer\3638f94.msp
c:\windows\Installer\364cb2.msp
c:\windows\Installer\364cc99.msp
c:\windows\Installer\364cc9d.msp
c:\windows\Installer\365a9ba.msp
c:\windows\Installer\366042e.msp
c:\windows\Installer\366f45b.msp
c:\windows\Installer\3681ed1.msp
c:\windows\Installer\3686947.msp
c:\windows\Installer\368694b.msp
c:\windows\Installer\3689096.msp
c:\windows\Installer\3697019.msp
c:\windows\Installer\369ae3b.msp
c:\windows\Installer\369bfb.msp
c:\windows\Installer\36b1136.msp
c:\windows\Installer\36ce0f5.msp
c:\windows\Installer\36e2d7a.msp
c:\windows\Installer\36fbf74.msp
c:\windows\Installer\36fd2ae.msp
c:\windows\Installer\3728c4f.msp
c:\windows\Installer\3755ae1.msp
c:\windows\Installer\377f16a.msp
c:\windows\Installer\3795782.msp
c:\windows\Installer\3795786.msp
c:\windows\Installer\37b158d.msp
c:\windows\Installer\37c3083.msp
c:\windows\Installer\37c3087.msp
c:\windows\Installer\37d9572.msp
c:\windows\Installer\38055ca.msp
c:\windows\Installer\383a311.msp
c:\windows\Installer\3848979.msp
c:\windows\Installer\384897d.msp
c:\windows\Installer\386c1e5.msp
c:\windows\Installer\386c1e9.msp
c:\windows\Installer\38a456e.msp
c:\windows\Installer\38b4838.msp
c:\windows\Installer\38ff473.msp
c:\windows\Installer\392c788.msp
c:\windows\Installer\3979d.msp
c:\windows\Installer\39970ea.msp
c:\windows\Installer\39a3c77.msp
c:\windows\Installer\39bfad1.msp
c:\windows\Installer\3a07906.msp
c:\windows\Installer\3a0790a.msp
c:\windows\Installer\3a0c4f4.msp
c:\windows\Installer\3a40c10.msp
c:\windows\Installer\3a63067.msp
c:\windows\Installer\3a84609.msp
c:\windows\Installer\3a8f3ae.msp
c:\windows\Installer\3a8f3b2.msp
c:\windows\Installer\3a98520.msp
c:\windows\Installer\3a98524.msp
c:\windows\Installer\3a9f781.msp
c:\windows\Installer\3acaf10.msp
c:\windows\Installer\3ae3562.msp
c:\windows\Installer\3ae3566.msp
c:\windows\Installer\3ae3a82.msp
c:\windows\Installer\3ae3a91.msp
c:\windows\Installer\3b3184c.msp
c:\windows\Installer\3b31850.msp
c:\windows\Installer\3bc869b.msp
c:\windows\Installer\3bf1e2.msp
c:\windows\Installer\3c1496a.msp
c:\windows\Installer\3c2ca7c.msp
c:\windows\Installer\3c7cf85.msp
c:\windows\Installer\3ca0030.msp
c:\windows\Installer\3ca4577.msp
c:\windows\Installer\3cda9c0.msp
c:\windows\Installer\3d0d1ac.msp
c:\windows\Installer\3d0d1b0.msp
c:\windows\Installer\3d41ed3.msp
c:\windows\Installer\3e446.msp
c:\windows\Installer\3e735d.msp
c:\windows\Installer\3e8fbf.msp
c:\windows\Installer\3eb1667.msp
c:\windows\Installer\3eb166b.msp
c:\windows\Installer\3eddb06.msp
c:\windows\Installer\3eeaef.msp
c:\windows\Installer\3f3853.msp
c:\windows\Installer\3f53f9.msp
c:\windows\Installer\3f5fa.msp
c:\windows\Installer\3f98f1.msp
c:\windows\Installer\401f0.msp
c:\windows\Installer\401fc96.msp
c:\windows\Installer\40951e8.msp
c:\windows\Installer\40951ec.msp
c:\windows\Installer\4095ff.msp
c:\windows\Installer\40c9bc3.msp
c:\windows\Installer\40d2c8a.msp
c:\windows\Installer\40de21e.msp
c:\windows\Installer\40de222.msp
c:\windows\Installer\412cd46.msp
c:\windows\Installer\412cd4a.msp
c:\windows\Installer\4147921.msp
c:\windows\Installer\418bb28.msp
c:\windows\Installer\41d6d8d.msp
c:\windows\Installer\4227b8e.msp
c:\windows\Installer\42c8a.msp
c:\windows\Installer\43435c.msp
c:\windows\Installer\434360.msp
c:\windows\Installer\437568.msp
c:\windows\Installer\4394e7.msp
c:\windows\Installer\43cacd1.msp
c:\windows\Installer\44061.msp
c:\windows\Installer\44264.msp
c:\windows\Installer\448c1b6.msp
c:\windows\Installer\44c70e.msp
c:\windows\Installer\44d3c0.msp
c:\windows\Installer\44d3c4.msp
c:\windows\Installer\450837e.msp
c:\windows\Installer\45c796.msp
c:\windows\Installer\46af65.msp
c:\windows\Installer\48470d.msp
c:\windows\Installer\485bdd.msp
c:\windows\Installer\485dfd5.msp
c:\windows\Installer\49b7e22.msp
c:\windows\Installer\49bcf.msp
c:\windows\Installer\4a4965.msp
c:\windows\Installer\4a4d7c.msp
c:\windows\Installer\4a788b7.msp
c:\windows\Installer\4a7b81.msp
c:\windows\Installer\4accbe.msp
c:\windows\Installer\4ae4c38.msp
c:\windows\Installer\4ae4c3c.msp
c:\windows\Installer\4b39b0.msp
c:\windows\Installer\4ba24e.msp
c:\windows\Installer\4c11a.msp
c:\windows\Installer\4c11e.msp
c:\windows\Installer\4d40db0.msp
c:\windows\Installer\4dadf4b.msp
c:\windows\Installer\4dccddc.msp
c:\windows\Installer\4e01110.msp
c:\windows\Installer\4e01114.msp
c:\windows\Installer\4e163.msp
c:\windows\Installer\4e4b54c.msp
c:\windows\Installer\4e66ba7.msp
c:\windows\Installer\4e66bab.msp
c:\windows\Installer\4ebedaf.msp
c:\windows\Installer\4ebedb3.msp
c:\windows\Installer\4ef2e44.msp
c:\windows\Installer\4f86b4.msp
c:\windows\Installer\4f8c930.msp
c:\windows\Installer\4f8d508.msp
c:\windows\Installer\4fa9bfc.msp
c:\windows\Installer\4fb5af7.msp
c:\windows\Installer\4fbbed2.msp
c:\windows\Installer\4fbbed6.msp
c:\windows\Installer\4fe7259.msp
c:\windows\Installer\4fec134.msp
c:\windows\Installer\501018.msp
c:\windows\Installer\50101c.msp
c:\windows\Installer\5066429.msp
c:\windows\Installer\506ac3e.msp
c:\windows\Installer\50b796e.msp
c:\windows\Installer\50d5070.msp
c:\windows\Installer\50d5074.msp
c:\windows\Installer\512675b.msp
c:\windows\Installer\51362a3.msp
c:\windows\Installer\523ccb.msp
c:\windows\Installer\525db56.msp
c:\windows\Installer\528156.msp
c:\windows\Installer\52815a.msp
c:\windows\Installer\528ad.msp
c:\windows\Installer\5292002.msp
c:\windows\Installer\52b03b6.msp
c:\windows\Installer\52b84cd.msp
c:\windows\Installer\52b84d1.msp
c:\windows\Installer\52d51ad.msp
c:\windows\Installer\52da413.msp
c:\windows\Installer\5304e43.msp
c:\windows\Installer\532d9ff.msp
c:\windows\Installer\5333b2a.msp
c:\windows\Installer\533a57d.msp
c:\windows\Installer\533a581.msp
c:\windows\Installer\537f9c.msp
c:\windows\Installer\53cbfcf.msp
c:\windows\Installer\5439e99.msp
c:\windows\Installer\543e0f2.msp
c:\windows\Installer\5458105.msp
c:\windows\Installer\54932f.msp
c:\windows\Installer\54abf8d.msp
c:\windows\Installer\54bae52.msp
c:\windows\Installer\55247e5.msp
c:\windows\Installer\556cce1.msp
c:\windows\Installer\5587eb7.msp
c:\windows\Installer\5587ed4.msp
c:\windows\Installer\55981c.msp
c:\windows\Installer\55aa010.msp
c:\windows\Installer\55e0ec.msp
c:\windows\Installer\562cf28.msp
c:\windows\Installer\56579f5.msp
c:\windows\Installer\56a565.msp
c:\windows\Installer\56eb992.msp
c:\windows\Installer\579301.msp
c:\windows\Installer\582704.msp
c:\windows\Installer\585056.msp
c:\windows\Installer\585b91.msp
c:\windows\Installer\587497.msp
c:\windows\Installer\590a46f.msp
c:\windows\Installer\592e1.msp
c:\windows\Installer\592e5.msp
c:\windows\Installer\5961021.msp
c:\windows\Installer\596d073.msp
c:\windows\Installer\59f9dee.msp
c:\windows\Installer\5a24976.msp
c:\windows\Installer\5a2497a.msp
c:\windows\Installer\5a7e0.msp
c:\windows\Installer\5a860f9.msp
c:\windows\Installer\5aa041.msp
c:\windows\Installer\5b8cd4.msp
c:\windows\Installer\5b8cd8.msp
c:\windows\Installer\5b98026.msp
c:\windows\Installer\5b9802a.msp
c:\windows\Installer\5c4e9d.msp
c:\windows\Installer\5e1190d.msp
c:\windows\Installer\5e18a46.msp
c:\windows\Installer\5e699de.msp
c:\windows\Installer\5ea48.msp
c:\windows\Installer\5ea4c.msp
c:\windows\Installer\5f39e.msp
c:\windows\Installer\5fb884.msp
c:\windows\Installer\5fc94d.msp
c:\windows\Installer\5fc951.msp
c:\windows\Installer\5fdc0.msp
c:\windows\Installer\5ff88a.msp
c:\windows\Installer\602386c.msp
c:\windows\Installer\61a12.msp
c:\windows\Installer\61a16.msp
c:\windows\Installer\61ebcf.msp
c:\windows\Installer\62deb21.msp
c:\windows\Installer\6453cac.msp
c:\windows\Installer\64fc302.msp
c:\windows\Installer\64fc306.msp
c:\windows\Installer\657b540.msp
c:\windows\Installer\663c5a1.msp
c:\windows\Installer\67c53f.msp
c:\windows\Installer\67e5688.msp
c:\windows\Installer\67e568c.msp
c:\windows\Installer\680db9d.msp
c:\windows\Installer\6825be.msp
c:\windows\Installer\6825c2.msp
c:\windows\Installer\694a1.msp
c:\windows\Installer\6af7b86.msp
c:\windows\Installer\6af7b8a.msp
c:\windows\Installer\6b6818.msp
c:\windows\Installer\6bc2ab.msp
c:\windows\Installer\6bf537e.msp
c:\windows\Installer\6d3333.msp
c:\windows\Installer\6d3337.msp
c:\windows\Installer\6f2762.msp
c:\windows\Installer\6f44c97.msp
c:\windows\Installer\6f44c9b.msp
c:\windows\Installer\6f8f9.msp
c:\windows\Installer\6ff52.msp
c:\windows\Installer\702b26.msp
c:\windows\Installer\71bc64.msp
c:\windows\Installer\71c6e4.msp
c:\windows\Installer\71dd6.msp
c:\windows\Installer\71dda.msp
c:\windows\Installer\72a8f7.msp
c:\windows\Installer\72aac25.msp
c:\windows\Installer\7312bd.msp
c:\windows\Installer\73c0d.msp
c:\windows\Installer\77ddba.msp
c:\windows\Installer\782090.msp
c:\windows\Installer\788bfc.msp
c:\windows\Installer\78c28d.msp
c:\windows\Installer\79c9bc.msp
c:\windows\Installer\7bc5516.msp
c:\windows\Installer\7bc551a.msp
c:\windows\Installer\7ce5175.msp
c:\windows\Installer\7e1298.msp
c:\windows\Installer\7e9b57b.msp
c:\windows\Installer\7eb6f7.msp
c:\windows\Installer\7f7dd1.msp
c:\windows\Installer\7f93ab.msp
c:\windows\Installer\80429b2.msp
c:\windows\Installer\8044e.msp
c:\windows\Installer\811bc.msp
c:\windows\Installer\817e40d.msp
c:\windows\Installer\81916f.msp
c:\windows\Installer\81fb6.msp
c:\windows\Installer\828e7e3.msp
c:\windows\Installer\82914b.msp
c:\windows\Installer\82e2d6.msp
c:\windows\Installer\8395351.msp
c:\windows\Installer\8404f09.msp
c:\windows\Installer\85317d.msp
c:\windows\Installer\85a4c4c.msp
c:\windows\Installer\85a4c50.msp
c:\windows\Installer\85ca3a9.msp
c:\windows\Installer\85ca3ad.msp
c:\windows\Installer\88bcd2.msp
c:\windows\Installer\88d83.msp
c:\windows\Installer\88e4a6a.msp
c:\windows\Installer\896ce97.msp
c:\windows\Installer\8a9b12f.msp
c:\windows\Installer\8ab60a5.msp
c:\windows\Installer\8ac27.msp
c:\windows\Installer\8c7546.msp
c:\windows\Installer\8d402.msp
c:\windows\Installer\8dc749.msp
c:\windows\Installer\8dee482.msp
c:\windows\Installer\8df8b.msp
c:\windows\Installer\8e1c3bd.msp
c:\windows\Installer\8ffc69.msp
c:\windows\Installer\8ffc6d.msp
c:\windows\Installer\91c3bc.msp
c:\windows\Installer\91c3c0.msp
c:\windows\Installer\92f94b3.msp
c:\windows\Installer\92f94b7.msp
c:\windows\Installer\963ff28.msp
c:\windows\Installer\963ff2c.msp
c:\windows\Installer\9714c.msp
c:\windows\Installer\981a89.msp
c:\windows\Installer\9859b5.msp
c:\windows\Installer\995c6f.msp
c:\windows\Installer\9a2c23.msp
c:\windows\Installer\9b63f7.msp
c:\windows\Installer\9bf2d.msp
c:\windows\Installer\9c5c5.msp
c:\windows\Installer\9cef5a.msp
c:\windows\Installer\9d43f2.msp
c:\windows\Installer\9d43f6.msp
c:\windows\Installer\9da27.msp
c:\windows\Installer\9e6735.msp
c:\windows\Installer\9efc9f.msp
c:\windows\Installer\9efe4d.msp
c:\windows\Installer\9efff5.msp
c:\windows\Installer\9f36647.msp
c:\windows\Installer\9f3664b.msp
c:\windows\Installer\a0b69.msp
c:\windows\Installer\a0e092.msp
c:\windows\Installer\a190409.msp
c:\windows\Installer\a19040d.msp
c:\windows\Installer\a20278d.msp
c:\windows\Installer\a2a6ea.msp
c:\windows\Installer\a3c2f.msp
c:\windows\Installer\a4a56.msp
c:\windows\Installer\a538ef.msp
c:\windows\Installer\a5416a8.msp
c:\windows\Installer\a74133.msp
c:\windows\Installer\a75fd6.msp
c:\windows\Installer\a8446a.msp
c:\windows\Installer\a8513b.msp
c:\windows\Installer\aa02404.msp
c:\windows\Installer\aa1c57.msp
c:\windows\Installer\aa1c5b.msp
c:\windows\Installer\aac8b.msp
c:\windows\Installer\ad47dfe.msp
c:\windows\Installer\ad5928b.msp
c:\windows\Installer\ae6bdb.msp
c:\windows\Installer\b0847a.msp
c:\windows\Installer\b18f33.msp
c:\windows\Installer\b1c19d.msp
c:\windows\Installer\b1c52aa.msp
c:\windows\Installer\b3f3ee.msp
c:\windows\Installer\b50d858.msp
c:\windows\Installer\b50d85c.msp
c:\windows\Installer\b5a8e.msp
c:\windows\Installer\b661c2.msp
c:\windows\Installer\b7c7d.msp
c:\windows\Installer\b901c1.msp
c:\windows\Installer\b91ab.msp
c:\windows\Installer\baacc1.msp
c:\windows\Installer\bb60fe.msp
c:\windows\Installer\bbb98e.msp
c:\windows\Installer\bbb992.msp
c:\windows\Installer\bbd469.msp
c:\windows\Installer\bbd64a.msp
c:\windows\Installer\bbd821.msp
c:\windows\Installer\bbf14.msp
c:\windows\Installer\bedce6.msp
c:\windows\Installer\bf92f.msp
c:\windows\Installer\c06972.msp
c:\windows\Installer\c08bfe.msp
c:\windows\Installer\c08c02.msp
c:\windows\Installer\c22e82.msp
c:\windows\Installer\c22e86.msp
c:\windows\Installer\c6d926.msp
c:\windows\Installer\c75c50.msp
c:\windows\Installer\c92ac7.msp
c:\windows\Installer\ca2fe3.msp
c:\windows\Installer\cbc306.msp
c:\windows\Installer\cf2607.msp
c:\windows\Installer\cf3f7b.msp
c:\windows\Installer\d0ee44.msp
c:\windows\Installer\d13715.msp
c:\windows\Installer\d3355.msp
c:\windows\Installer\d3359.msp
c:\windows\Installer\d494f5.msp
c:\windows\Installer\d4fe00.msp
c:\windows\Installer\d4fe04.msp
c:\windows\Installer\d72ee.msp
c:\windows\Installer\d9b2e5.msp
c:\windows\Installer\d9d5a.msp
c:\windows\Installer\dadb5.msp
c:\windows\Installer\dbab3a.msp
c:\windows\Installer\dd9b33.msp
c:\windows\Installer\ddae0.msp
c:\windows\Installer\df79b7.msp
c:\windows\Installer\e1f7b7.msp
c:\windows\Installer\e35615f.msp
c:\windows\Installer\e356163.msp
c:\windows\Installer\e4a41a.msp
c:\windows\Installer\e6fec.msp
c:\windows\Installer\e8e9bb.msp
c:\windows\Installer\e9ca19.msp
c:\windows\Installer\ed1f2.msp
c:\windows\Installer\f17412.msp
c:\windows\Installer\f1ad81.msp
c:\windows\Installer\f1dc0.msp
c:\windows\Installer\f2c47.msp
c:\windows\Installer\f49a2.msp
c:\windows\Installer\f4f11.msp
c:\windows\Installer\f5748c.msp
c:\windows\Installer\f62936.msp
c:\windows\Installer\f6e11c.msp
c:\windows\Installer\f80672.msp
c:\windows\Installer\f83fc.msp
c:\windows\Installer\f8400.msp
c:\windows\Installer\f856a46.msp
c:\windows\Installer\f9a33.msp
c:\windows\Installer\fa06d6.msp
c:\windows\Installer\fa06da.msp
c:\windows\Installer\fa5cc.msp
c:\windows\Installer\fa5d0.msp
c:\windows\Installer\fbe1c0.msp
c:\windows\Installer\fc835f.msp
c:\windows\Installer\fc8363.msp
c:\windows\Installer\fc858.msp
c:\windows\Installer\fca8a.msp
c:\windows\Installer\ff7e4.msp
c:\windows\patch.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-02 15:36 . 2009-10-02 15:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2009-09-25 18:30 . 2009-09-25 18:30 -------- d-----w- c:\program files\AskBarDis
2009-09-24 02:20 . 2009-10-12 20:14 120 ----a-w- c:\windows\Wnuqanerulatoqez.dat
2009-09-24 02:20 . 2009-10-12 20:14 0 ----a-w- c:\windows\Xmaledes.bin
2009-09-24 02:20 . 2009-09-24 02:20 -------- d-----w- c:\documents and settings\Toby Choy\Local Settings\Application Data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}
2009-09-18 16:16 . 2009-09-18 16:16 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-09-18 15:59 . 2009-09-18 15:59 -------- d-----w- c:\windows\ERUNT
2009-09-16 23:20 . 2009-09-16 23:20 -------- d-----w- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2009-09-16 22:23 . 2009-09-16 22:24 -------- d-----w- c:\documents and settings\Toby Choy\Application Data\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 19:00 . 2008-02-12 19:04 -------- d-----w- c:\program files\SyncBack
2009-10-12 15:48 . 2009-05-27 16:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-12 15:48 . 2009-05-27 16:39 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-10-12 15:47 . 2008-06-04 03:22 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-12 15:47 . 2008-06-04 03:22 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-12 07:08 . 2009-01-01 03:57 -------- d-----w- c:\program files\Mozilla Thunderbird 3 Beta 1
2009-10-09 21:08 . 2005-10-30 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-06 16:25 . 2009-05-27 16:35 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-09-25 18:31 . 2008-07-16 04:41 -------- d-----w- c:\program files\ZoneAlarm
2009-09-25 18:29 . 2006-05-18 00:04 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-18 16:19 . 2008-09-07 17:20 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-18 04:16 . 2009-05-28 21:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 02:44 . 2009-07-14 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:44 . 2006-08-20 15:39 -------- d-----w- c:\program files\ImgBurn
2009-09-16 16:49 . 2004-06-26 07:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 00:10 . 2009-09-11 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 00:09 . 2009-09-11 00:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 00:08 . 2004-06-08 18:40 -------- d-----w- c:\program files\Lavasoft
2009-09-11 00:05 . 2004-06-27 19:20 -------- d-----w- c:\program files\SpywareGuard
2009-09-10 23:53 . 2006-05-10 23:48 -------- d-----w- c:\documents and settings\Toby Choy\Application Data\Lavasoft
2009-09-10 21:54 . 2009-07-14 04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-14 04:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 19:06 . 2004-06-08 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 17:27 . 2004-06-19 06:05 -------- d-----w- c:\program files\SpywareBlaster
2009-09-09 18:58 . 2006-09-06 06:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-09 16:52 . 2008-08-10 02:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-14 13:58 . 2009-09-18 03:38 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-06-09 00:40 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-06-09 00:35 58880 ----a-w- c:\windows\system32\atl.dll
1758-07-04 02:09 . 1758-07-04 02:09 4263 --sh--w- c:\windows\windllreg1c.sys
2006-05-03 09:06 . 2007-09-25 05:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-09-25 05:56 31232 --sh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-17 01:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfSaver3"="c:\program files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 385024]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Vinade Reminder"="c:\program files\Vinade\Reminder\Reminder.exe" [2005-05-09 749568]
"WinMem"="c:\program files\WinCleaner Memory Optimizer\WinMemOpt.exe" [2006-06-19 505856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-08-28 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Toby Choy\Start Menu\Programs\Startup\
GridVistaU.lnk - c:\program files\GridVista\GridVistaU.exe [2006-12-10 217088]
SyncBack.lnk - c:\program files\SyncBack\SyncBack.exe [2008-2-12 2665728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Iomega QuikSync 3.lnk - c:\program files\Iomega QuikSync 3\quiksync3.exe [2004-6-28 4677632]
Logitech Desktop Messenger.lnk.disabled [2008-5-14 2125]
Logitech SetPoint.lnk.disabled [2009-1-15 1734]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-16 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-05-28 21:03 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
backup=c:\windows\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"602PC SUITE PDF Saver"="c:\program files\Common Files\soft602\pdfSaver.exe"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\My Wedding Companion\\rteng7.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\BRIDGESERVER.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FedEx.Gsm.External.Verifi.Service.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\POC.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\ASA\\WIN32\\DBENG9.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\ASA\\WIN32\\DBSRV9.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/10/09 5:11 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/12/08 10:41 AM 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [02/16/06 5:51 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/09/06 3:45 PM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [09/25/09 11:30 AM 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/12/08 10:41 AM 20560]
R2 MSSQL$AUCTIONI;SQL Server (AUCTIONI);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/08 10:31 PM 29263712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [07/03/09 7:49 AM 1028432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/16/06 5:51 PM 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:10]

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-12 c:\windows\Tasks\SyncBack Backkup Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-07-27 c:\windows\Tasks\SyncBack Backup All Shared Documents Every 3 Weeks to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-09-28 c:\windows\Tasks\SyncBack Backup All Shared Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-07 c:\windows\Tasks\SyncBack Backup Biweekly to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Daily to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Every 3 Days to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Daily to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every Week to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-09 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 2 Days to Kingston J Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 2 Days to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 3 Days to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every Week to MyFlash K Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-05 c:\windows\Tasks\SyncBack Synchronize All Shared Documents Every 3 Weeks to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's Shared Documents Every 2 Days to Kingston J Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's Shared Documents Every Week to MyFlash K Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE:
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Add to AMV Converter... - c:\program files\Diablotek MP3 Player Utilities 4.09\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\Diablotek MP3 Player Utilities 4.09\MediaManager\grab.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: eBay - Home Page - c:\program files\Pricepirates\Pricepirates\SearchEbay.htm
IE: eBay - My eBay - c:\program files\Pricepirates\Pricepirates\SearchEbaymein.htm
IE: eBay - Powersearch - c:\program files\Pricepirates\Pricepirates\SearchEbaypower.htm
IE: eBay - Start Search - c:\program files\Pricepirates\Pricepirates\SearchEbay.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google - Search - c:\program files\Pricepirates\Pricepirates\SearchGoogle.htm
IE: Google - Start Search - c:\program files\Pricepirates\Pricepirates\SearchGoogle.htm
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: Microsoft XML Parser for Java
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D}
FF - ProfilePath - c:\documents and settings\Toby Choy\Application Data\Mozilla\Firefox\Profiles\bolkzr6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} - c:\documents and settings\Toby Choy\Local Settings\Application Data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{335F0F8C-A84A-4A83-8F7D-F98462C32492} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-Dgesijegohew - c:\windows\efisodamape.dll
Notify-SASWinLogon - (no file)
AddRemove-Sophos-AntiRootkit - c:\program files\Sophos Anti-Rootkit\helper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:bc,17,f3,4d,9f,e3,b5,5b,96,b1,da,9e,98,33,98,e4,cd,b1,3f,d5,db,
15,9f,66,fa,e0,87,01,cc,9c,8d,9a,33,c7,cf,71,04,95,79,f2,68,a7,1b,8c,e7,04,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:bc,17,f3,4d,9f,e3,b5,5b,96,b1,da,9e,98,33,98,e4,cd,b1,3f,d5,db,
15,9f,66,fa,e0,87,01,cc,9c,8d,9a,33,c7,cf,71,04,95,79,f2,68,a7,1b,8c,e7,04,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-12 15:02
ComboFix-quarantined-files.txt 2009-10-12 22:00

Pre-Run: 116,213,882,880 bytes free
Post-Run: 116,171,051,008 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
1120 --- E O F --- 2009-09-09 11:44

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:03 AM

Posted 12 October 2009 - 05:45 PM

You're welcome, and we know a lot of people are waiting a really long time, but we are just getting bombarded. There's a bunch of new, very tough-to-deal-with strains of infection out, and we just can't keep up with the requests for help. I checked earlier and we had over 800 backlogs.


Do you know what these are?


2009-09-24 02:20 . 2009-10-12 20:14 120 ----a-w- c:\windows\Wnuqanerulatoqez.dat
2009-09-24 02:20 . 2009-10-12 20:14 0 ----a-w- c:\windows\Xmaledes.bin
2009-09-24 02:20 . 2009-09-24 02:20 -------- d-----w- c:\documents and settings\Toby
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
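The question above singles out three entries from a ComboFix report that runs to hundreds of lines. As an added example (not from this thread, not part of ComboFix or any BleepingComputer tool), here is a small Python parser for the "Files Created" / "Find3M" line format together with a few triage heuristics of my own: a zero-byte file, a creation timestamp before 1990 or after the scan, hidden-plus-system attributes, and a loose file directly under c:\windows. The column layout is inferred from the log posted above and the sample lines are copied from it; the 1990 cut-off and the attribute-column positions are assumptions.

```python
import re
from datetime import datetime

# A ComboFix file entry, as in the "Files Created" and "Find3M" sections of
# the log above:  <created> . <modified> <size|--------> <attrs> <path>
# The column layout is inferred from that log, not taken from ComboFix docs.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)

WINDOWS_ROOT = "c:\\windows"      # loose files here deserve a second look
OLDEST_PLAUSIBLE_YEAR = 1990      # assumption: nothing on an XP box predates this


def parse_line(line):
    """Return a dict for one ComboFix file line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    attrs = m.group("attrs")
    size = m.group("size")
    return {
        "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
        "size": int(size) if size.isdigit() else None,  # None for directories
        "is_dir": attrs[0] == "d",
        # Assumed fixed positions, read off the log above: d at 0, c at 1,
        # s (system) at 2, h (hidden) at 3, a at 4, r/w at 6.
        "system": attrs[2] == "s",
        "hidden": attrs[3] == "h",
        "path": m.group("path"),
    }


def flag_entry(rec, scan_date):
    """Triage heuristics (mine, not ComboFix's) for one parsed entry."""
    reasons = []
    if rec["is_dir"]:
        return reasons              # directories are not scored here
    if rec["size"] == 0:
        reasons.append("zero-byte file")
    if rec["created"].year < OLDEST_PLAUSIBLE_YEAR or rec["created"] > scan_date:
        reasons.append("implausible creation timestamp")
    if rec["system"] and rec["hidden"]:
        reasons.append("hidden+system attributes")
    parent = rec["path"].lower().rsplit("\\", 1)[0]
    if parent == WINDOWS_ROOT:
        reasons.append("file directly under c:\\windows")
    return reasons


def triage(lines, scan_date):
    """Map each flagged path to the list of reasons it was flagged."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_entry(rec, scan_date)
        if reasons:
            findings[rec["path"]] = reasons
    return findings


# Sample lines copied from the ComboFix log posted above, plus one non-entry.
SAMPLE_LINES = [
    r"2009-09-24 02:20 . 2009-10-12 20:14 120 ----a-w- c:\windows\Wnuqanerulatoqez.dat",
    r"2009-09-24 02:20 . 2009-10-12 20:14 0 ----a-w- c:\windows\Xmaledes.bin",
    r"2009-09-24 02:20 . 2009-09-24 02:20 -------- d-----w- c:\documents and settings\Toby Choy\Local Settings\Application Data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}",
    r"2009-09-18 16:16 . 2009-09-18 16:16 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll",
    r"2009-10-12 15:48 . 2009-05-27 16:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe",
    r"1758-07-04 02:09 . 1758-07-04 02:09 4263 --sh--w- c:\windows\windllreg1c.sys",
    r"2006-05-03 09:06 . 2007-09-25 05:56 163328 --sh--r- c:\windows\system32\flvDX.dll",
    r"(((( not a file entry ))))",
]
SCAN_DATE = datetime(2009, 10, 12, 23, 59)  # the day the log above was produced
FINDINGS = triage(SAMPLE_LINES, SCAN_DATE)

if __name__ == "__main__":
    for path, reasons in FINDINGS.items():
        print(path)
        print("    " + "; ".join(reasons))
```

Run against the sample, the two files the helper asks about and the 1758-dated windllreg1c.sys come out flagged while the dllcache and system32 entries do not; the heuristics only rank lines for a human to look at, they do not decide that a file is malicious.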

#7 crusincuz

crusincuz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 12 October 2009 - 05:56 PM

Hello, I am not aware of any use for the three files you mentioned.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:03 AM

Posted 12 October 2009 - 06:33 PM

OK, please go to the following folder and tell me if there is anything in it:

c:\documents and settings\Toby





Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#9 crusincuz

crusincuz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 12 October 2009 - 09:01 PM

There is no folder named c:\documents and settings\Toby, but there is one named c:\documents and settings\Toby Choy, which has all my documents in it.

GooredFix by jpshortstuff (24.09.09.1)
Log created at 18:57 on 12/10/2009 (Toby Choy)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} -> Success!
Deleting C:\Documents and Settings\Toby Choy\Local Settings\Application Data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{41697025-CA0B-4687-99DE-ABC82C5A630B} [06:16 15/12/2007]
{6348F59F-2D20-4A5C-A0A6-553DCFB33926} [21:09 17/06/2007]
{7059F90D-4474-4374-93CA-512826B3A8B6} [21:10 17/06/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:51 13/04/2005]
{99a0337c-6303-4879-b72e-500fd9aaca8c} [14:12 13/02/2006]
{9d613b03-9b7c-4fa0-b2f8-32f7cc24873f} [06:16 15/12/2007]
{DED5FCB2-18A8-4204-9D15-C1EB07D30811} [21:09 17/06/2007]
{E843EA9A-B51C-4CAE-93B9-BBE52D0C4551} [05:53 04/04/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [18:32 31/05/2009]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files\Siber Systems\AI RoboForm\Firefox" [01:54 18/06/2008]

-=E.O.F=-

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:03 AM

Posted 12 October 2009 - 09:40 PM

Let's check these two out:

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:

c:\windows\Wnuqanerulatoqez.dat

Click Submit.
Please post the results of this scan to this thread.

Do the same for c:\windows\Xmaledes.bin

#11 crusincuz

  • Topic Starter
  • Members
  • 26 posts

Posted 12 October 2009 - 10:34 PM

Hello, the scanners found nothing suspicious about Wnuqanerulatoqez.dat, and Xmaledes.bin would not upload because it is empty (0 bytes).

For c:\windows\Wnuqanerulatoqez.dat:

[ArcaVir]
2009-10-12 Found nothing
[G DATA]
2009-10-13 Found nothing
[A-Squared]
2009-10-13 Found nothing
[Ikarus]
2009-10-13 Found nothing
[Avast! antivirus]
2009-10-12 Found nothing
[Kaspersky Anti-Virus]
2009-10-13 Found nothing
[Grisoft AVG Anti-Virus]
2009-10-12 Found nothing
[ESET NOD32]
2009-10-12 Found nothing
[Avira AntiVir]
2009-10-12 Found nothing
[Norman Virus Control]
2009-10-12 Found nothing
[Softwin BitDefender]
2009-10-13 Found nothing
[Panda Antivirus]
2009-10-12 Found nothing
[ClamAV]
2009-10-12 Found nothing
[Quick Heal]
2009-10-12 Found nothing
[CPsecure]
2009-10-13 Found nothing
[Sophos]
2009-10-13 Found nothing
[Dr.Web]
2009-10-13 Found nothing
[VirusBlokAda VBA32]
2009-10-12 Found nothing
[Frisk F-Prot Antivirus]
2009-10-13 Found nothing
[VirusBuster]
2009-10-12 Found nothing
[F-Secure Anti-Virus]
2009-10-13 Found nothing



For c:\windows\Xmaledes.bin:

Status:
File is empty (0 bytes)!

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 October 2009 - 10:59 PM

0 bytes can be an indication of malware. Since you don't know what it is, we will go ahead and remove both of them. I don't like things left lying around if it can be helped.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Wnuqanerulatoqez.dat
c:\windows\Xmaledes.bin


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#13 crusincuz

  • Topic Starter
  • Members
  • 26 posts

Posted 13 October 2009 - 01:01 AM

Hello, okay here's the combofix log. Thanks for your quick responses today. You're really fast!

ComboFix 09-10-12.03 - Toby Choy 10/12/09 22:28.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.927 [GMT -7:00]
Running from: c:\documents and settings\Toby Choy\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Toby Choy\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 091012-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Wnuqanerulatoqez.dat"
"c:\windows\Xmaledes.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Wnuqanerulatoqez.dat
c:\windows\Xmaledes.bin

.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-02 15:36 . 2009-10-02 15:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2009-09-25 18:30 . 2009-09-25 18:30 -------- d-----w- c:\program files\AskBarDis
2009-09-18 16:16 . 2009-09-18 16:16 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-09-18 15:59 . 2009-09-18 15:59 -------- d-----w- c:\windows\ERUNT
2009-09-16 23:20 . 2009-09-16 23:20 -------- d-----w- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2009-09-16 22:23 . 2009-09-16 22:24 -------- d-----w- c:\documents and settings\Toby Choy\Application Data\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 01:48 . 2009-05-27 16:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-13 01:48 . 2009-05-27 16:39 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-10-13 01:47 . 2008-06-04 03:22 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-13 01:47 . 2008-06-04 03:22 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-12 19:00 . 2008-02-12 19:04 -------- d-----w- c:\program files\SyncBack
2009-10-12 07:08 . 2009-01-01 03:57 -------- d-----w- c:\program files\Mozilla Thunderbird 3 Beta 1
2009-10-09 21:08 . 2005-10-30 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-06 16:25 . 2009-05-27 16:35 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-09-25 18:31 . 2008-07-16 04:41 -------- d-----w- c:\program files\ZoneAlarm
2009-09-25 18:29 . 2006-05-18 00:04 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-18 16:19 . 2008-09-07 17:20 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-18 04:16 . 2009-05-28 21:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 02:44 . 2009-07-14 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:44 . 2006-08-20 15:39 -------- d-----w- c:\program files\ImgBurn
2009-09-16 16:49 . 2004-06-26 07:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 00:10 . 2009-09-11 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 00:09 . 2009-09-11 00:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 00:08 . 2004-06-08 18:40 -------- d-----w- c:\program files\Lavasoft
2009-09-11 00:05 . 2004-06-27 19:20 -------- d-----w- c:\program files\SpywareGuard
2009-09-10 23:53 . 2006-05-10 23:48 -------- d-----w- c:\documents and settings\Toby Choy\Application Data\Lavasoft
2009-09-10 21:54 . 2009-07-14 04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-14 04:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 19:06 . 2004-06-08 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 17:27 . 2004-06-19 06:05 -------- d-----w- c:\program files\SpywareBlaster
2009-09-09 18:58 . 2006-09-06 06:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-09 16:52 . 2008-08-10 02:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-14 13:58 . 2009-09-18 03:38 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-06-09 00:40 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-06-09 00:35 58880 ----a-w- c:\windows\system32\atl.dll
1758-07-04 02:09 . 1758-07-04 02:09 4263 --sh--w- c:\windows\windllreg1c.sys
2006-05-03 09:06 . 2007-09-25 05:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-09-25 05:56 31232 --sh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-12_21.56.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-13 01:47 . 2009-10-13 01:47 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-17 01:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfSaver3"="c:\program files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 385024]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Vinade Reminder"="c:\program files\Vinade\Reminder\Reminder.exe" [2005-05-09 749568]
"WinMem"="c:\program files\WinCleaner Memory Optimizer\WinMemOpt.exe" [2006-06-19 505856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-08-28 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Toby Choy\Start Menu\Programs\Startup\
GridVistaU.lnk - c:\program files\GridVista\GridVistaU.exe [2006-12-10 217088]
SyncBack.lnk - c:\program files\SyncBack\SyncBack.exe [2008-2-12 2665728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Iomega QuikSync 3.lnk - c:\program files\Iomega QuikSync 3\quiksync3.exe [2004-6-28 4677632]
Logitech Desktop Messenger.lnk.disabled [2008-5-14 2125]
Logitech SetPoint.lnk.disabled [2009-1-15 1734]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-16 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-05-28 21:03 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
backup=c:\windows\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"602PC SUITE PDF Saver"="c:\program files\Common Files\soft602\pdfSaver.exe"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\My Wedding Companion\\rteng7.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\BRIDGESERVER.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FedEx.Gsm.External.Verifi.Service.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\POC.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\ASA\\WIN32\\DBENG9.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\ASA\\WIN32\\DBSRV9.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/10/09 5:11 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/12/08 10:41 AM 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [02/16/06 5:51 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/09/06 3:45 PM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [09/25/09 11:30 AM 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/12/08 10:41 AM 20560]
R2 MSSQL$AUCTIONI;SQL Server (AUCTIONI);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/08 10:31 PM 29263712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [07/03/09 7:49 AM 1028432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/16/06 5:51 PM 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:10]

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-12 c:\windows\Tasks\SyncBack Backkup Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-07-27 c:\windows\Tasks\SyncBack Backup All Shared Documents Every 3 Weeks to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-09-28 c:\windows\Tasks\SyncBack Backup All Shared Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-07 c:\windows\Tasks\SyncBack Backup Biweekly to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Daily to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Every 3 Days to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Daily to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every Week to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-09 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 2 Days to Kingston J Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 2 Days to Kingston.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every 3 Days to MyFlash.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Backup Toby's Shared Documents Every Week to MyFlash K Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-05 c:\windows\Tasks\SyncBack Synchronize All Shared Documents Every 3 Weeks to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's My Documents Every Week to F Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's Shared Documents Every 2 Days to Kingston J Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]

2009-10-12 c:\windows\Tasks\SyncBack Synchronize Toby's Shared Documents Every Week to MyFlash K Drive.job
- c:\program files\SyncBack\SyncBack.exe [2008-02-12 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE:
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Add to AMV Converter... - c:\program files\Diablotek MP3 Player Utilities 4.09\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\Diablotek MP3 Player Utilities 4.09\MediaManager\grab.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: eBay - Home Page - c:\program files\Pricepirates\Pricepirates\SearchEbay.htm
IE: eBay - My eBay - c:\program files\Pricepirates\Pricepirates\SearchEbaymein.htm
IE: eBay - Powersearch - c:\program files\Pricepirates\Pricepirates\SearchEbaypower.htm
IE: eBay - Start Search - c:\program files\Pricepirates\Pricepirates\SearchEbay.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google - Search - c:\program files\Pricepirates\Pricepirates\SearchGoogle.htm
IE: Google - Start Search - c:\program files\Pricepirates\Pricepirates\SearchGoogle.htm
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: Microsoft XML Parser for Java
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D}
FF - ProfilePath - c:\documents and settings\Toby Choy\Application Data\Mozilla\Firefox\Profiles\bolkzr6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 22:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:bc,17,f3,4d,9f,e3,b5,5b,96,b1,da,9e,98,33,98,e4,cd,b1,3f,d5,db,
15,9f,66,fa,e0,87,01,cc,9c,8d,9a,33,c7,cf,71,04,95,79,f2,68,a7,1b,8c,e7,04,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:bc,17,f3,4d,9f,e3,b5,5b,96,b1,da,9e,98,33,98,e4,cd,b1,3f,d5,db,
15,9f,66,fa,e0,87,01,cc,9c,8d,9a,33,c7,cf,71,04,95,79,f2,68,a7,1b,8c,e7,04,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-13 22:45
ComboFix-quarantined-files.txt 2009-10-13 05:43
ComboFix2.txt 2009-10-12 22:02

Pre-Run: 116,163,915,776 bytes free
Post-Run: 116,123,168,768 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
289 --- E O F --- 2009-09-09 11:44
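
A small triage helper for the file-listing rows in the ComboFix log above, added here as an example and not part of the thread or of ComboFix itself. It parses the `<modified> . <created> <size> <attrs> <path>` rows and flags what a helper would look at first: hidden+system files, zero-byte files (the point made in the reply above), and timestamps outside a plausible range, such as the 1758 entry. The sample rows are constructed from the posted log and the cut-off date is the log's completion time; a hit is a review item, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample (assumption): six file-listing rows in the ComboFix
# "Files Created" / "Find3M Report" layout, copied from the log posted above:
#   <modified> . <created> <size or --------> <attribute flags> <path>
SAMPLE_LOG = r"""
2009-10-13 01:48 . 2009-05-27 16:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-09-18 16:16 . 2009-09-18 16:16 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-09-25 18:30 . 2009-09-25 18:30 -------- d-----w- c:\program files\AskBarDis
1758-07-04 02:09 . 1758-07-04 02:09 4263 --sh--w- c:\windows\windllreg1c.sys
2006-05-03 09:06 . 2007-09-25 05:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-10-13 01:47 . 2008-06-04 03:22 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
"""

# One file row. The attribute field is eight characters; in this layout 'd' marks a
# directory, 's' the system attribute and 'h' the hidden attribute.
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)

# Cut-off for "timestamp in the future": the completion time of the posted log.
LOG_COMPLETION = datetime(2009, 10, 13, 22, 45)


def parse_entries(log_text):
    """Return one dict per file row; header, separator and snapshot lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "mtime": datetime.strptime(d["mtime"], "%Y-%m-%d %H:%M"),
            "ctime": datetime.strptime(d["ctime"], "%Y-%m-%d %H:%M"),
            "size": None if d["size"].startswith("-") else int(d["size"]),
            "attrs": d["attrs"],
            "is_dir": d["attrs"][0] == "d",
            "path": d["path"],
        })
    return entries


def triage(log_text, as_of=LOG_COMPLETION):
    """Flag rows worth a second look. A hit is a review item, not a verdict:
    Windows itself keeps hidden+system files, and a zero-byte file may be a
    harmless placeholder left by an installer."""
    findings = []
    for e in parse_entries(log_text):
        reasons = []
        if not e["is_dir"]:
            if "s" in e["attrs"] and "h" in e["attrs"]:
                reasons.append("hidden+system file")
            if e["size"] == 0:
                reasons.append("zero-byte file")
        for label in ("mtime", "ctime"):
            t = e[label]
            # Before the FAT epoch (1980) or after the scan ran: the stamp cannot
            # be genuine, so it was either deliberately altered or is corrupt.
            if t.year < 1980 or t > as_of:
                reasons.append(f"implausible {label} {t:%Y-%m-%d}")
        if reasons:
            findings.append({"path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["path"], "->", "; ".join(f["reasons"]))
```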

#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 October 2009 - 10:16 AM

We can usually move along fairly fast, depending on the pulls of our individual lives, once we get to them; it's getting to the ones who are waiting that is the problem.


When you run the scan below uncheck Remove Found Threats. We want to look at anything it might find before deletion.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#15 crusincuz

  • Topic Starter
  • Members
  • 26 posts

Posted 13 October 2009 - 11:11 PM

The ESET scanner found a bunch of stuff. Some of it may have been already quarantined though.


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudWindowsPolicePro.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\Toby Choy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4220a729-309e8a97.zip Java/TrojanDownloader.OpenStream.NAB trojan
C:\Program Files\Alwil Software\Avast4\DATA\moved\desot.exe.vir Win32/Adware.WindowsAntivirusPro application
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000001.dll Win32/Olmarik.KW trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000029.sys Win32/Olmarik.MK trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000030.sys a variant of Win32/Olmarik.NH trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000046.dll Win32/Olmarik.KW trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000050.sys a variant of Win32/Olmarik.NH trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000051.sys a variant of Win32/Olmarik.NH trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000052.sys Win32/Olmarik.MK trojan
C:\System Volume Information\_restore{6D923925-B42A-404B-9D79-5026F10DACE3}\RP0\A0000053.sys Win32/Olmarik.MK trojan
F:\Documents and Settings\Toby Choy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4220a729-309e8a97.zip Java/TrojanDownloader.OpenStream.NAB trojan
Operating memory Win32/Toolbar.MyWebSearch application



