Unknown Problem


  • This topic is locked
21 replies to this topic

#1 peetee15

  • Members
  • 26 posts

Posted 05 October 2009 - 01:28 PM

Here are the basics of what is going on. First, it started when I was redirected to virus sites when I would type something and search in Google. In addition, I would have random audio ads that would start up, but there was no way to close them (at this point, that hasn't happened in a few days). Then my computer restarted, and when it came back up my background would come up, but none of my desktop icons, Start menu, or anything else would come up. I'm still actually having to just press Ctrl+Alt+Delete and run everything through Task Manager. Also, when I try to run Malwarebytes or just about any other program, it may run for a few seconds or minutes, but it always shuts down whatever program I'm trying to run and then locks me out of it by saying "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item" whenever I try to run the program again after it has been shut down. And yes, I've already tried renaming the programs to get them to run, but it still shuts those down as well.


Here's an OTL log:


OTL logfile created on: 9/24/2009 9:48:51 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = D:\Documents and Settings\Ian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 234.87 Mb Available Physical Memory | 45.96% Memory free
1.22 Gb Paging File | 0.66 Gb Available in Paging File | 54.16% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 36.51 Gb Total Space | 20.03 Gb Free Space | 54.87% Space Free | Partition Type: NTFS
Drive D: | 37.25 Gb Total Space | 8.31 Gb Free Space | 22.30% Space Free | Partition Type: NTFS
Drive E: | 74.46 Gb Total Space | 46.27 Gb Free Space | 62.15% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 241.97 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive R: | 753.05 Mb Total Space | 746.69 Mb Free Space | 99.16% Space Free | Partition Type: NTFS

Computer Name: HOME
Current User Name: Ian
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINNT\System32\HPZipm12.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wscntfy.exe
PRC - [2009/07/22 22:44:50 | 01,181,064 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2009/04/15 18:37:11 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/09/24 21:37:30 | 00,514,560 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Ian\Desktop\OTL.exe
PRC - [2008/04/13 19:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\taskmgr.exe
PRC - [2008/04/13 19:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\notepad.exe

========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.msfc.nasa.gov
IE - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\S-1-5-21-3945725102-565274025-4042124420-1013\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/17 18:36:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/23 14:52:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/30 01:03:48 | 00,000,000 | ---D | M]

[2009/04/30 09:29:53 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\751mth4y.default\extensions
[2009/09/09 16:13:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/14 18:00:27 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/17 18:37:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/08/14 17:59:59 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/14 18:00:00 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2004/09/09 00:03:50 | 00,049,152 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/04/17 18:36:50 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/03/12 15:16:54 | 00,155,648 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\mozilla firefox\plugins\npEModelPlugin.dll
[2009/05/20 01:49:50 | 00,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
[2009/08/14 18:00:15 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2003/07/14 22:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2005/09/23 21:44:16 | 00,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/06/04 19:33:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/04 19:33:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/04 19:33:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/04 19:33:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/04 19:33:34 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/04 19:33:34 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/04 19:33:34 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/04/17 16:53:29 | 03,771,296 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll
[2009/04/23 19:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 19:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 19:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 19:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 19:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 19:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 19:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (306581 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 prosecure.microsoft.com
O1 - Hosts: 209.44.111.62 antivir-prof.com
O1 - Hosts: 209.44.111.62 www.antivir-prof.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 10578 more lines...
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe File not found
O4 - HKLM..\Run: [BCMSMMSG] C:\WINNT\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe ()
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SolidWorks_CheckForUpdates] C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TLogonPath] C:\Program Files\Timbuktu Pro\tb2logon.exe (Netopia, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] H:\New Folder (2)\Malwarebytes' Anti-Malware\mbamgui.exe File not found
O4 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: nodrivetypeautorun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O7 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3945725102-565274025-4042124420-1013\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwa...are/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1122054005666 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} http://www.solidworks.com/sw/support/subsc...dimdownload.cab (SolidWorks Installation Manager Contol)
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/downloads/activex/YoYo.cab (YYGInstantPlay Control)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.1.30.43 69.1.30.42
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\winnt\system32\wuhomuro.dll) - C:\WINNT\System32\wuhomuro.dll File not found
O20 - AppInit_DLLs: (c:\winnt\system32\tovebogi.dll) - C:\WINNT\System32\tovebogi.dll File not found
O20 - AppInit_DLLs: (joretido.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe ()
O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found
O20 - HKLM Winlogon: Shell - (tftp.msc) - C:\WINNT\System32\tftp.msc ()
O20 - HKLM Winlogon: Shell - (beforegllav) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - H:\New Folder\SASWINLO.dll - H:\New Folder\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINNT\system32\NavLogon.dll - C:\WINNT\System32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\Timbuktu Pro: DllName - C:\Program Files\Timbuktu Pro\Hook32.dll - C:\Program Files\Timbuktu Pro\Hook32.dll (Netopia, Inc.)
O21 - SSODL: nusizusot - {9c9ec39d-3ca4-4bfc-a25f-66b34a258a30} - CLSID or File not found.
O22 - SharedTaskScheduler: {9c9ec39d-3ca4-4bfc-a25f-66b34a258a30} - kupuhivus - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - H:\New Folder\SASSEH.DLL File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2005/04/07 07:27:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/04 10:16:03 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3912b9fb-56e7-11de-aaee-000cf1836818}\Shell\autorun\command - "" = H:\CA_EdgeLitemobile.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/24 21:37:27 | 00,514,560 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Ian\Desktop\OTL.exe
[2009/09/23 15:58:42 | 00,047,616 | ---- | C] () -- D:\Documents and Settings\Ian\Desktop\klj.exe
[2009/09/20 15:53:32 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Ian\Application Data\SUPERAntiSpyware.com
[2009/09/15 22:29:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/09/15 22:28:28 | 00,000,406 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/09/15 20:23:52 | 00,000,000 | ---D | C] -- C:\Program Files\aASAFSD
[2009/09/15 20:08:34 | 00,000,000 | -H-D | C] -- C:\WINNT\PIF
[2009/09/15 18:27:13 | 00,000,000 | ---D | C] -- C:\Program Files\12
[2009/09/14 17:46:49 | 00,000,000 | ---D | C] -- C:\Program Files\New Folder
[2009/09/14 16:52:53 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/13 14:47:16 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/09/13 14:47:14 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/09/12 16:35:41 | 00,001,210 | ---- | C] () -- D:\Documents and Settings\Ian\My Documents\safeboot.reg
[2009/09/12 13:25:15 | 00,000,000 | -H-D | C] -- D:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/09/12 13:22:04 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/12 13:11:07 | 00,000,000 | ---D | C] -- C:\Program Files\Yues
[2009/09/12 12:16:22 | 00,025,088 | ---- | C] () -- C:\WINNT\System32\tftp.msc
[2009/09/11 16:57:07 | 00,161,808 | ---- | C] () -- C:\WINNT\System32\counters
[2009/09/11 06:40:14 | 00,000,004 | ---- | C] () -- C:\WINNT\System32\bincd32.dat
[2009/09/10 19:59:12 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctgntdi.sys
[2009/09/10 19:59:01 | 00,206,256 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTCore.sys
[2009/09/10 19:59:01 | 00,086,888 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTAppEvent.sys
[2009/09/10 19:59:01 | 00,007,396 | ---- | C] () -- C:\WINNT\System32\drivers\pctcore.cat
[2009/09/10 19:58:53 | 00,001,537 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/09/10 19:58:48 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctplsg.sys
[2009/09/10 19:58:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/09/10 19:58:32 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\PC Tools
[2009/09/10 19:58:32 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/09/10 19:58:29 | 00,000,632 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/09/10 19:58:27 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\STKIT432.DLL
[2009/09/10 19:58:17 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/09/10 19:57:55 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/10 19:50:43 | 00,008,547 | ---- | C] () -- C:\WINNT\System32\wispex.html
[2009/09/10 19:50:43 | 00,000,000 | ---D | C] -- C:\WINNT\System32\images
[2009/09/10 19:43:18 | 00,000,000 | ---D | C] -- C:\Program Files\Mallywdar
[2009/09/10 19:28:34 | 00,019,078 | ---- | C] () -- C:\WINNT\System32\zoha.db
[2009/09/10 19:28:34 | 00,017,023 | ---- | C] () -- C:\WINNT\qawexewe.bin
[2009/09/10 19:28:34 | 00,016,652 | ---- | C] () -- C:\WINNT\mycolawaky.lib
[2009/09/10 19:28:33 | 00,016,903 | ---- | C] () -- C:\WINNT\igysawyxev.exe
[2009/09/10 19:28:33 | 00,016,283 | ---- | C] () -- C:\WINNT\cimo._sy
[2009/09/10 19:28:33 | 00,015,933 | ---- | C] () -- C:\WINNT\System32\yzunipega.com
[2009/09/10 19:28:33 | 00,015,639 | ---- | C] () -- C:\WINNT\System32\buzulozoja.scr
[2009/09/10 19:28:33 | 00,012,959 | ---- | C] () -- C:\Program Files\Common Files\cugese.reg
[2009/09/10 19:28:33 | 00,012,081 | ---- | C] () -- C:\Program Files\Common Files\focavo.pif
[2009/09/10 19:28:33 | 00,011,594 | ---- | C] () -- C:\WINNT\ewicuqysyl.lib
[2009/09/10 19:28:33 | 00,010,931 | ---- | C] () -- C:\WINNT\System32\miwyca.exe
[2009/09/10 19:28:33 | 00,010,330 | ---- | C] () -- C:\WINNT\kexebipy.pif
[2009/09/10 18:51:05 | 00,001,382 | ---- | C] () -- C:\WINNT\System32\onhelp.htm
[2009/09/10 18:45:37 | 00,000,382 | ---- | C] () -- C:\Program Files\Shortcut to Program Files.lnk
[2009/09/10 18:31:26 | 00,000,058 | ---- | C] () -- C:\WINNT\ppp4.dat
[2009/09/10 18:31:26 | 00,000,003 | ---- | C] () -- C:\WINNT\ppp3.dat
[2009/09/10 18:31:24 | 00,000,036 | ---- | C] () -- C:\WINNT\System32\sysnet.dat
[2009/09/10 18:31:24 | 00,000,009 | ---- | C] () -- C:\WINNT\System32\bennuar.old
[2009/09/10 18:31:23 | 00,000,032 | ---- | C] () -- C:\WINNT\System32\sonhelp.htm
[2009/09/10 17:36:43 | 00,014,928 | ---- | C] () -- C:\WINNT\System32\oxyl.exe
[2009/09/10 17:36:43 | 00,013,908 | ---- | C] () -- C:\Program Files\Common Files\alyreqexad.exe
[2009/09/10 17:36:43 | 00,011,243 | ---- | C] () -- C:\Program Files\Common Files\yfivosuly._dl
[2009/09/10 17:36:43 | 00,011,212 | ---- | C] () -- C:\WINNT\amigeh.bat
[2009/09/10 17:36:42 | 00,019,497 | ---- | C] () -- C:\WINNT\gida.dat
[2009/09/10 17:36:41 | 00,015,985 | ---- | C] () -- C:\WINNT\zerazob.pif
[2009/09/10 17:36:41 | 00,014,416 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\ozudetel.dll
[2009/09/10 17:36:41 | 00,011,389 | ---- | C] () -- C:\WINNT\adygysyp.vbs
[2009/09/10 17:00:56 | 00,227,840 | ---- | C] (Legal Corporation) -- C:\WINNT\System32\_scui.cpl
[2009/09/09 21:22:50 | 00,000,000 | ---- | C] () -- C:\WINNT\System32\41.exe
[2009/09/09 21:15:32 | 00,025,088 | ---- | C] () -- C:\WINNT\System32\tapi.nfo
[2009/09/09 21:15:00 | 00,000,046 | ---- | C] () -- C:\p2hhr.bat
[2009/09/09 21:13:46 | 00,000,000 | ---- | C] () -- C:\WINNT\System32\drivers\e09b46c2.sys
[2009/09/09 21:12:55 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/09/09 21:12:30 | 00,017,920 | ---- | C] () -- C:\fjmpqp.exe
[2009/09/09 21:12:29 | 00,049,664 | ---- | C] () -- C:\scmhux.exe
[2009/09/09 21:12:27 | 00,022,016 | ---- | C] () -- C:\udtcnn.exe
[2009/09/09 21:12:26 | 00,009,728 | ---- | C] () -- C:\kqbvc.exe
[2009/09/09 21:12:14 | 00,047,104 | ---- | C] () -- C:\WINNT\System32\~.exe
[2009/09/09 21:01:59 | 00,070,656 | ---- | C] () -- C:\WINNT\System32\drivers\vsipfvornmxxxiqd.sys
[2009/09/09 21:01:52 | 00,000,198 | -H-- | C] () -- C:\WINNT\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/09/09 21:01:47 | 00,000,246 | -H-- | C] () -- C:\WINNT\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/09/05 21:03:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Ian\Application Data\Windows Desktop Search
[2009/09/05 21:01:42 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Ian\Application Data\IM
[2009/08/30 01:11:02 | 00,001,976 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\DWGeditor.lnk
[2009/08/30 01:07:52 | 00,000,000 | ---- | C] () -- C:\WINNT\eDrawingOfficeAutomator.INI
[2009/08/30 01:06:08 | 00,001,730 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\SolidWorks eDrawings 2009.lnk
[2009/08/30 00:46:07 | 00,000,023 | -H-- | C] () -- C:\WINNT\yacht.xws
[2009/08/30 00:37:22 | 00,002,249 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\SolidWorks 2009 SP3.0.lnk
[2009/08/30 00:12:19 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SolidWorks Shared
[2009/08/30 00:10:01 | 00,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2009/08/30 00:09:53 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\SolidWorks
[2009/08/30 00:09:53 | 00,000,000 | ---D | C] -- C:\Program Files\SolidWorks Corp
[2009/08/30 00:04:08 | 00,001,647 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
[2009/08/30 00:03:36 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2009/08/30 00:01:34 | 00,000,000 | ---D | C] -- C:\Program Files\MSECache
[2009/08/29 23:59:15 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2009/08/29 23:59:14 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Microsoft Help
[2009/08/29 23:02:22 | 00,000,000 | ---D | C] -- C:\SolidWorks Data
[2009/08/29 22:59:58 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SolidWorks Installation Manager
[2009/08/29 22:59:03 | 00,000,000 | ---D | C] -- C:\WINNT\SolidWorks
[2009/08/11 21:44:39 | 00,000,000 | ---- | C] () -- C:\WINNT\RingtoneMaker.INI
[2009/08/11 21:19:39 | 00,002,770 | ---- | C] () -- C:\WINNT\mgxoschk.ini
[2009/07/30 00:19:56 | 00,000,069 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2009/07/23 15:09:43 | 00,000,039 | ---- | C] () -- C:\WINNT\Irremote.ini
[2009/06/15 18:45:57 | 00,037,888 | -HS- | C] () -- C:\WINNT\System32\vovugesi.dll
[2009/06/14 16:11:38 | 00,050,176 | -HS- | C] () -- C:\WINNT\System32\wiziwera.dll
[2009/06/14 16:10:34 | 00,037,376 | -HS- | C] () -- C:\WINNT\System32\pupamawe.dll
[2009/06/14 16:10:32 | 00,050,176 | -HS- | C] () -- C:\WINNT\System32\jazijase.dll
[2009/06/13 19:08:36 | 00,038,400 | -HS- | C] () -- C:\WINNT\System32\zidoyowi.dll
[2009/06/12 12:14:16 | 00,037,376 | -HS- | C] () -- C:\WINNT\System32\pojezija.dll
[2009/06/11 17:41:39 | 00,037,376 | -HS- | C] () -- C:\WINNT\System32\merunime.dll
[2009/06/10 15:52:03 | 00,037,376 | -HS- | C] () -- C:\WINNT\System32\risowupa.dll
[2009/06/10 15:52:01 | 00,050,176 | -HS- | C] () -- C:\WINNT\System32\lawalasi.dll
[2009/06/09 21:21:29 | 00,037,888 | -HS- | C] () -- C:\WINNT\System32\gijotoda.dll
[2009/06/02 20:36:29 | 00,027,648 | ---- | C] () -- C:\WINNT\System32\AVSredirect.dll
[2009/05/18 22:17:33 | 00,061,440 | ---- | C] () -- C:\WINNT\System32\drivers\zwndsrw.sys
[2009/05/18 21:12:02 | 00,001,152 | ---- | C] () -- C:\WINNT\System32\windrv.sys
[2009/04/16 08:03:17 | 00,077,824 | R--- | C] () -- C:\WINNT\System32\HPZIDS01.dll
[2009/04/14 19:05:25 | 00,000,523 | ---- | C] () -- C:\WINNT\ATICIM.INI
[2008/05/16 14:01:00 | 01,703,936 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 01,486,848 | ---- | C] () -- C:\WINNT\System32\nview.dll
[2008/05/16 14:01:00 | 01,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[2008/05/16 14:01:00 | 00,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[2008/05/16 14:01:00 | 00,286,720 | ---- | C] () -- C:\WINNT\System32\nvnt4cpl.dll
[2007/01/03 11:24:36 | 00,020,698 | ---- | C] () -- C:\WINNT\System32\idxcntrs.ini
[2007/01/03 11:22:46 | 00,030,628 | ---- | C] () -- C:\WINNT\System32\gsrvctr.ini
[2007/01/03 11:22:14 | 00,031,698 | ---- | C] () -- C:\WINNT\System32\gthrctr.ini
[2006/04/06 11:15:43 | 00,000,064 | ---- | C] () -- C:\WINNT\msfcinfo.ini
[2005/08/18 07:56:27 | 00,001,368 | ---- | C] () -- C:\WINNT\System32\oeminfo.ini
[2005/05/20 13:30:28 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2005/04/08 10:20:57 | 00,065,536 | ---- | C] ( ) -- C:\WINNT\System32\A3d.dll
[2005/04/07 13:13:20 | 00,000,000 | ---- | C] () -- C:\WINNT\VPC32.INI
[2005/04/07 10:45:32 | 00,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2005/04/07 07:41:28 | 00,139,264 | ---- | C] () -- C:\WINNT\System32\e1000msg.dll
[2004/08/04 01:56:44 | 00,061,952 | ---- | C] () -- C:\WINNT\System32\eventlog.dll
[2003/07/08 13:41:48 | 00,047,616 | ---- | C] () -- C:\WINNT\System32\P16X.dll
[2003/07/02 13:54:08 | 00,010,752 | ---- | C] () -- C:\WINNT\System32\xsavesig.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI
[2001/08/23 07:00:00 | 00,000,857 | ---- | C] () -- C:\WINNT\win.ini
[2001/08/23 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINNT\system.ini
[2001/07/07 03:00:00 | 00,003,399 | ---- | C] () -- C:\WINNT\System32\hptcpmon.ini
[1997/05/12 02:10:00 | 00,097,280 | ---- | C] () -- C:\WINNT\System32\ZIPDLL.DLL
[1997/05/12 02:10:00 | 00,089,088 | ---- | C] ( ) -- C:\WINNT\System32\UNZDLL.DLL

========== Files - Modified Within 30 Days ==========

[2009/09/24 21:37:30 | 00,514,560 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Ian\Desktop\OTL.exe
[2009/09/24 21:27:31 | 00,000,246 | -H-- | M] () -- C:\WINNT\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/09/24 21:26:00 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/09/24 21:25:36 | 00,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/09/24 21:25:19 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/09/23 20:00:00 | 00,000,198 | -H-- | M] () -- C:\WINNT\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/09/23 15:58:42 | 00,047,616 | ---- | M] () -- D:\Documents and Settings\Ian\Desktop\klj.exe
[2009/09/22 20:35:00 | 00,000,472 | ---- | M] () -- C:\WINNT\tasks\Ad-Aware Update (Weekly).job
[2009/09/15 22:32:37 | 00,000,406 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/09/15 21:31:10 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/09/15 19:19:59 | 00,011,168 | -H-- | M] () -- C:\WINNT\System32\viweyune
[2009/09/15 18:45:58 | 00,037,888 | -HS- | M] () -- C:\WINNT\System32\vovugesi.dll
[2009/09/14 16:11:08 | 00,050,176 | -HS- | M] () -- C:\WINNT\System32\jazijase.dll
[2009/09/14 16:10:35 | 00,037,376 | -HS- | M] () -- C:\WINNT\System32\pupamawe.dll
[2009/09/13 19:08:37 | 00,038,400 | -HS- | M] () -- C:\WINNT\System32\zidoyowi.dll
[2009/09/12 16:35:41 | 00,001,210 | ---- | M] () -- D:\Documents and Settings\Ian\My Documents\safeboot.reg
[2009/09/12 12:14:49 | 00,000,370 | ---- | M] () -- C:\WINNT\ODBC.INI
[2009/09/12 12:14:19 | 00,037,376 | -HS- | M] () -- C:\WINNT\System32\pojezija.dll
[2009/09/12 12:14:16 | 00,025,088 | ---- | M] () -- C:\WINNT\System32\tftp.msc
[2009/09/11 23:34:07 | 00,000,284 | ---- | M] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job
[2009/09/11 17:41:40 | 00,037,376 | -HS- | M] () -- C:\WINNT\System32\merunime.dll
[2009/09/11 16:57:07 | 00,161,808 | ---- | M] () -- C:\WINNT\System32\counters
[2009/09/11 15:56:16 | 00,000,058 | ---- | M] () -- C:\WINNT\ppp4.dat
[2009/09/11 15:56:16 | 00,000,003 | ---- | M] () -- C:\WINNT\ppp3.dat
[2009/09/11 15:45:21 | 00,000,000 | ---- | M] () -- C:\WINNT\System32\drivers\e09b46c2.sys
[2009/09/11 15:29:39 | 00,001,382 | ---- | M] () -- C:\WINNT\System32\onhelp.htm
[2009/09/11 06:40:14 | 00,000,004 | ---- | M] () -- C:\WINNT\System32\bincd32.dat
[2009/09/11 00:08:34 | 00,227,840 | ---- | M] (Legal Corporation) -- C:\WINNT\System32\_scui.cpl
[2009/09/10 19:58:53 | 00,001,537 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/09/10 19:58:29 | 00,000,632 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/09/10 19:49:40 | 00,000,009 | ---- | M] () -- C:\WINNT\System32\bennuar.old
[2009/09/10 19:28:41 | 00,000,000 | ---- | M] () -- C:\WINNT\System32\41.exe
[2009/09/10 19:28:34 | 00,019,078 | ---- | M] () -- C:\WINNT\System32\zoha.db
[2009/09/10 19:28:34 | 00,017,023 | ---- | M] () -- C:\WINNT\qawexewe.bin
[2009/09/10 19:28:34 | 00,016,652 | ---- | M] () -- C:\WINNT\mycolawaky.lib
[2009/09/10 19:28:33 | 00,016,903 | ---- | M] () -- C:\WINNT\igysawyxev.exe
[2009/09/10 19:28:33 | 00,016,283 | ---- | M] () -- C:\WINNT\cimo._sy
[2009/09/10 19:28:33 | 00,015,933 | ---- | M] () -- C:\WINNT\System32\yzunipega.com
[2009/09/10 19:28:33 | 00,015,639 | ---- | M] () -- C:\WINNT\System32\buzulozoja.scr
[2009/09/10 19:28:33 | 00,012,959 | ---- | M] () -- C:\Program Files\Common Files\cugese.reg
[2009/09/10 19:28:33 | 00,012,081 | ---- | M] () -- C:\Program Files\Common Files\focavo.pif
[2009/09/10 19:28:33 | 00,011,594 | ---- | M] () -- C:\WINNT\ewicuqysyl.lib
[2009/09/10 19:28:33 | 00,010,931 | ---- | M] () -- C:\WINNT\System32\miwyca.exe
[2009/09/10 19:28:33 | 00,010,330 | ---- | M] () -- C:\WINNT\kexebipy.pif
[2009/09/10 19:20:29 | 00,047,104 | ---- | M] () -- C:\WINNT\System32\~.exe
[2009/09/10 18:45:37 | 00,000,382 | ---- | M] () -- C:\Program Files\Shortcut to Program Files.lnk
[2009/09/10 18:31:24 | 00,000,036 | ---- | M] () -- C:\WINNT\System32\sysnet.dat
[2009/09/10 18:31:23 | 00,000,032 | ---- | M] () -- C:\WINNT\System32\sonhelp.htm
[2009/09/10 18:28:58 | 00,186,097 | ---- | M] () -- C:\WINNT\System32\nvapps.xml
[2009/09/10 17:36:43 | 00,014,928 | ---- | M] () -- C:\WINNT\System32\oxyl.exe
[2009/09/10 17:36:43 | 00,013,908 | ---- | M] () -- C:\Program Files\Common Files\alyreqexad.exe
[2009/09/10 17:36:43 | 00,011,243 | ---- | M] () -- C:\Program Files\Common Files\yfivosuly._dl
[2009/09/10 17:36:43 | 00,011,212 | ---- | M] () -- C:\WINNT\amigeh.bat
[2009/09/10 17:36:42 | 00,019,497 | ---- | M] () -- C:\WINNT\gida.dat
[2009/09/10 17:36:41 | 00,015,985 | ---- | M] () -- C:\WINNT\zerazob.pif
[2009/09/10 17:36:41 | 00,014,416 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\ozudetel.dll
[2009/09/10 17:36:41 | 00,011,389 | ---- | M] () -- C:\WINNT\adygysyp.vbs
[2009/09/10 15:52:33 | 00,050,176 | -HS- | M] () -- C:\WINNT\System32\lawalasi.dll
[2009/09/10 15:52:04 | 00,053,248 | -HS- | M] () -- C:\WINNT\System32\lekegafu.exe
[2009/09/10 15:52:04 | 00,037,376 | -HS- | M] () -- C:\WINNT\System32\risowupa.dll
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/09/09 21:21:31 | 00,044,970 | -HS- | M] () -- C:\WINNT\System32\wowafuha.exe
[2009/09/09 21:21:30 | 00,037,888 | -HS- | M] () -- C:\WINNT\System32\gijotoda.dll
[2009/09/09 21:15:00 | 00,000,046 | ---- | M] () -- C:\p2hhr.bat
[2009/09/09 21:12:38 | 00,025,088 | ---- | M] () -- C:\WINNT\System32\tapi.nfo
[2009/09/09 21:12:35 | 00,049,664 | ---- | M] () -- C:\scmhux.exe
[2009/09/09 21:12:35 | 00,017,920 | ---- | M] () -- C:\fjmpqp.exe
[2009/09/09 21:12:28 | 00,022,016 | ---- | M] () -- C:\udtcnn.exe
[2009/09/09 21:12:27 | 00,009,728 | ---- | M] () -- C:\kqbvc.exe
[2009/09/09 21:01:59 | 00,070,656 | ---- | M] () -- C:\WINNT\System32\drivers\vsipfvornmxxxiqd.sys
[2009/09/09 03:02:01 | 00,001,355 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/09/05 21:04:47 | 00,072,704 | ---- | M] () -- D:\Documents and Settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/02 18:40:29 | 00,000,000 | -H-- | M] () -- C:\WINNT\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/08/30 16:43:37 | 00,002,249 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\SolidWorks 2009 SP3.0.lnk
[2009/08/30 09:25:03 | 00,239,144 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2009/08/30 01:11:02 | 00,001,976 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\DWGeditor.lnk
[2009/08/30 01:07:52 | 00,000,000 | ---- | M] () -- C:\WINNT\eDrawingOfficeAutomator.INI
[2009/08/30 01:06:08 | 00,001,730 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\SolidWorks eDrawings 2009.lnk
[2009/08/30 00:46:07 | 00,000,023 | -H-- | M] () -- C:\WINNT\yacht.xws
[2009/08/30 00:04:08 | 00,001,647 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
[2009/08/30 00:03:46 | 00,547,118 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/08/30 00:03:46 | 00,465,072 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2009/08/30 00:03:46 | 00,078,958 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2009/08/26 21:43:54 | 04,843,168 | -H-- | M] () -- D:\Documents and Settings\Ian\Local Settings\Application Data\IconCache.db
[2009/08/26 02:24:45 | 00,008,547 | ---- | M] () -- C:\WINNT\System32\wispex.html

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\WINNT\System32\shellext.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINNT\System32\ntlog.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINNT\System32\nsldapssl32v30.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINNT\System32\cbkhdlr.exe:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\Program Files\Timbuktu Pro\tb2logon.exe:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\Program Files\Timbuktu Pro\Hook32.dll:AFP_AfpInfo
@Alternate Data Stream - 155 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 149 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >



#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 05 October 2009 - 03:52 PM

Open your command prompt by clicking Start --> Run, then type:
CMD
...in the Run box and click "OK". When the command window opens, paste the following:
@SC CONFIG EVENTLOG START= DISABLED
...you should receive a "Success" message returned. If so, try running Malwarebytes again. If it opens for you, try to run a manual update and perform a quick scan. Please post back your results. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 peetee15

peetee15
  • Topic Starter

  • Members
  • 26 posts

Posted 05 October 2009 - 08:21 PM

I pasted the thing. Got "Success". When I run Malwarebytes it just closes after it starts for a few seconds.

Edited by peetee15, 05 October 2009 - 09:10 PM.


#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 05 October 2009 - 09:33 PM

Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



#5 peetee15

peetee15
  • Topic Starter

  • Members
  • 26 posts

Posted 06 October 2009 - 11:26 AM

Here's the log.

ComboFix 09-10-05.01 - Rhonda 10/06/2009 11:11.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.140 [GMT -5:00]
Running from: d:\documents and settings\Rhonda\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rhonda\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
.
---- Previous Run -------
.
C:\fjmpqp.exe
C:\kqbvc.exe
C:\p2hhr.bat
c:\program files\Common Files\alyreqexad.exe
c:\program files\Common Files\cugese.reg
c:\program files\Common Files\focavo.pif
c:\program files\Common Files\yfivosuly._dl
c:\recycler\S-1-5-21-1002093285-1286645119-3579179382-500
c:\recycler\S-1-5-21-1469093456-2587108148-2370716886-1007
c:\recycler\S-1-5-21-1469093456-2587108148-2370716886-500
c:\recycler\S-1-5-21-2044008786-291764476-3411471629-500
c:\recycler\S-1-5-21-2615553307-2063484960-1345357212-500
c:\recycler\S-1-5-21-3065922716-2405271540-973762042-500
c:\recycler\S-1-5-21-527237240-1425521274-725345543-500
C:\udtcnn.exe
c:\winnt\adygysyp.vbs
c:\winnt\amigeh.bat
c:\winnt\igysawyxev.exe
c:\winnt\kexebipy.pif
c:\winnt\ppp3.dat
c:\winnt\ppp4.dat
c:\winnt\qawexewe.bin
c:\winnt\run.log
c:\winnt\system32\_scui.cpl
c:\winnt\system32\~.exe
c:\winnt\system32\404Fix.exe
c:\winnt\system32\41.exe
c:\winnt\system32\bennuar.old
c:\winnt\system32\bincd32.dat
c:\winnt\system32\buzulozoja.scr
c:\winnt\system32\drivers\vsipfvornmxxxiqd.sys
c:\winnt\system32\Drivers\zwndsrw.sys
c:\winnt\system32\dumphive.exe
c:\winnt\system32\gijotoda.dll
c:\winnt\system32\IEDFix.C.exe
c:\winnt\system32\IEDFix.exe
c:\winnt\system32\images
c:\winnt\system32\images\i1.gif
c:\winnt\system32\images\i2.gif
c:\winnt\system32\images\i3.gif
c:\winnt\system32\images\j1.gif
c:\winnt\system32\images\j2.gif
c:\winnt\system32\images\j3.gif
c:\winnt\system32\images\jj1.gif
c:\winnt\system32\images\jj2.gif
c:\winnt\system32\images\jj3.gif
c:\winnt\system32\images\l1.gif
c:\winnt\system32\images\l2.gif
c:\winnt\system32\images\l3.gif
c:\winnt\system32\images\pix.gif
c:\winnt\system32\images\t1.gif
c:\winnt\system32\images\t2.gif
c:\winnt\system32\images\up1.gif
c:\winnt\system32\images\up2.gif
c:\winnt\system32\images\w1.gif
c:\winnt\system32\images\w11.gif
c:\winnt\system32\images\w2.gif
c:\winnt\system32\images\w3.gif
c:\winnt\system32\images\w3.jpg
c:\winnt\system32\images\wt1.gif
c:\winnt\system32\images\wt2.gif
c:\winnt\system32\images\wt3.gif
c:\winnt\system32\merunime.dll
c:\winnt\system32\miwyca.exe
c:\winnt\system32\onhelp.htm
c:\winnt\system32\oxyl.exe
c:\winnt\system32\pojezija.dll
c:\winnt\system32\Process.exe
c:\winnt\system32\pupamawe.dll
c:\winnt\system32\risowupa.dll
c:\winnt\system32\sonhelp.htm
c:\winnt\system32\SrchSTS.exe
c:\winnt\system32\sysnet.dat
c:\winnt\system32\tapi.nfo
c:\winnt\system32\tmp.reg
c:\winnt\system32\VACFix.exe
c:\winnt\system32\VCCLSID.exe
c:\winnt\system32\vovugesi.dll
c:\winnt\system32\wispex.html
c:\winnt\system32\zidoyowi.dll
c:\winnt\Temp\1345494186.exe
c:\winnt\Temp\1880970404.exe
c:\winnt\Temp\2550072680.exe
c:\winnt\Temp\3589505818.exe
c:\winnt\Temp\3802474766.exe
c:\winnt\TEMP\csrss.exe
c:\winnt\TEMP\taskmgr.exe
c:\winnt\TEMP\winlogon.exe
c:\winnt\zerazob.pif
d:\documents and settings\All Users\Application Data\99540616.ini
d:\documents and settings\All Users\Application Data\ozudetel.dll
d:\documents and settings\Ian\My Documents\ZbThumbnail.info
d:\documents and settings\Paul II\Application Data\awizoxof.ban
d:\documents and settings\Paul II\Application Data\ihihiqew.dl
d:\documents and settings\Paul II\Application Data\sazaja.pif
d:\documents and settings\Paul II\Local Settings\Application Data\apakirit.com
d:\documents and settings\Paul II\Local Settings\Application Data\nyqac.com
d:\documents and settings\Paul II\Local Settings\Application Data\videdi._dl
d:\documents and settings\Paul II\Local Settings\Application Data\visoci.scr
d:\documents and settings\Paul II\Local Settings\Application Data\yfytawyca.exe
d:\documents and settings\Paul\My Documents\ZbThumbnail.info

----- BITS: Possible infected sites -----

hxxp://au.dowj+|Cv+@J:NGD_DQ{zcxLJS@n3uBaAJava Update.S-1-5-21-3945725102-565274025-4042124420-1015XtD$?.e!? .e!.e!6VwoQZCDHM
-- Previous Run --

Infected copy of c:\winnt\system32\eventlog.dll was found and disinfected
Restored copy from - c:\winnt\ServicePackFiles\i386\eventlog.dll

c:\winnt\system32\proquota.exe was missing
Restored copy from - c:\winnt\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 03:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\proquota.exe
2009-10-06 02:08 . 2009-09-10 19:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-10-06 02:08 . 2009-10-06 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 02:08 . 2009-09-10 19:53 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-20 20:53 . 2009-09-20 20:53 -------- d-----w- d:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2009-09-16 03:29 . 2009-09-16 03:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 01:23 . 2009-09-16 02:14 -------- d-----w- c:\program files\aASAFSD
2009-09-16 01:08 . 2009-09-16 01:11 -------- d--h--w- c:\winnt\PIF
2009-09-15 23:27 . 2009-09-16 02:20 -------- d-----w- c:\program files\12
2009-09-14 22:46 . 2009-09-15 23:26 -------- d-----w- c:\program files\New Folder
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- d:\documents and settings\LocalService\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\Rhonda\Application Data\SUPERAntiSpyware.com
2009-09-13 23:46 . 2009-09-13 23:46 -------- d-----w- d:\documents and settings\LocalService\Application Data\Malwarebytes
2009-09-13 23:39 . 2009-09-13 23:39 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- d:\documents and settings\NetworkService\Application Data\Malwarebytes
2009-09-13 04:20 . 2009-09-13 04:20 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
2009-09-13 00:28 . 2009-09-13 00:28 -------- d-----w- d:\documents and settings\Rhonda\Local Settings\Application Data\Identities
2009-09-12 18:25 . 2009-09-12 18:25 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-12 18:11 . 2009-09-12 18:18 -------- d-----w- c:\program files\Yues
2009-09-11 13:37 . 2009-09-11 13:37 -------- d-sh--w- c:\winnt\system32\config\systemprofile\PrivacIE
2009-09-11 00:59 . 2008-12-11 13:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-09-11 00:59 . 2009-08-24 19:05 206256 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-09-11 00:59 . 2009-08-19 16:01 86888 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-09-11 00:58 . 2009-09-11 01:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-11 00:58 . 2008-12-10 16:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-09-11 00:58 . 2009-09-12 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\PC Tools
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-09-11 00:57 . 2009-10-06 16:04 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-11 00:43 . 2009-09-11 00:44 -------- d-----w- c:\program files\Mallywdar
2009-09-11 00:28 . 2009-09-11 00:28 15933 ----a-w- c:\winnt\system32\yzunipega.com
2009-09-10 22:36 . 2009-09-10 22:36 19497 ----a-w- c:\winnt\gida.dat
2009-09-10 02:13 . 2009-09-11 20:45 0 ----a-w- c:\winnt\system32\drivers\e09b46c2.sys
2009-09-10 02:12 . 2009-09-10 02:12 -------- d-----w- C:\spoolerlogs
2009-09-10 02:12 . 2009-09-10 02:12 49664 ----a-w- C:\scmhux.exe
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 07:21 . 2009-06-21 21:44 153088 -c----w- c:\winnt\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 21:11 . 2009-06-14 21:10 50176 --sha-w- c:\winnt\system32\jazijase.dll
2009-09-10 23:45 . 2009-09-10 23:45 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-09-10 23:28 . 2009-08-30 03:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\IM
2009-09-10 20:52 . 2009-06-10 20:52 50176 --sha-w- c:\winnt\system32\lawalasi.dll
2009-09-10 20:52 . 2009-06-10 20:52 53248 --sha-w- c:\winnt\system32\lekegafu.exe
2009-09-10 02:21 . 2009-06-10 02:21 44970 --sha-w- c:\winnt\system32\wowafuha.exe
2009-09-10 02:01 . 2005-11-30 17:11 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-06 02:04 . 2009-04-16 20:36 72704 ----a-w- d:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 02:03 . 2009-09-06 02:03 -------- d-----w- d:\documents and settings\Ian\Application Data\Windows Desktop Search
2009-09-06 02:01 . 2009-09-06 02:01 -------- d-----w- d:\documents and settings\Ian\Application Data\IM
2009-08-31 01:22 . 2009-08-30 20:31 -------- d-----w- d:\documents and settings\Paul II\Application Data\SolidWorks
2009-08-30 20:38 . 2009-08-30 05:09 -------- d-----w- d:\documents and settings\All Users\Application Data\SolidWorks
2009-08-30 14:30 . 2009-04-16 22:12 72704 ----a-w- d:\documents and settings\Paul II\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 06:09 . 2009-08-30 05:09 -------- d-----w- c:\program files\SolidWorks Corp
2009-08-30 05:43 . 2009-08-30 04:59 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 05:40 . 2009-08-30 05:12 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2009-08-30 05:10 . 2009-08-30 05:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-30 05:04 . 2009-08-30 05:04 -------- d-----w- d:\documents and settings\Paul II\Application Data\Windows Desktop Search
2009-08-30 05:03 . 2009-08-30 05:03 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-30 05:01 . 2009-08-30 05:01 -------- d-----w- c:\program files\MSECache
2009-08-30 04:59 . 2009-08-30 04:59 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-30 04:00 . 2009-08-30 03:59 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2009-08-24 21:16 . 2009-04-17 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 21:13 . 2009-07-23 19:46 -------- d-----w- c:\program files\Common Files\Nero
2009-08-23 21:09 . 2009-07-23 19:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Nero
2009-08-18 23:36 . 2009-08-18 23:36 -------- d-----w- c:\program files\San Andreas Mod Installer
2009-08-17 22:40 . 2009-08-15 16:48 -------- d-----w- c:\program files\Hot Coffee
2009-08-14 11:58 . 2009-09-11 00:59 7396 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2009-08-12 02:21 . 2009-08-12 02:21 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2009-08-11 21:44 . 2009-08-11 21:44 -------- d-----w- c:\program files\LG Electronics
2009-08-11 21:44 . 2009-04-14 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\winnt\system32\mswebdvd.dll
2009-07-24 12:03 . 2005-04-07 18:11 46864 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\winnt\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 06:56 286208 ----a-w- c:\winnt\system32\wmpdxm.dll
2009-07-13 14:00 . 2009-06-19 02:00 54 ----a-w- c:\winnt\system32\rp_stats.dat
2009-07-13 14:00 . 2009-06-19 02:00 39 ----a-w- c:\winnt\system32\rp_rules.dat
2004-08-04 06:56 . 2005-07-25 14:14 73728 --sha-w- c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2009-06-14 21:11 . 2009-06-14 21:11 50176 --sha-w- c:\winnt\system32\wiziwera.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\winnt\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\winnt\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\winnt\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\winnt\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2008-05-16 86016]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-15 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-09 143360]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2004-07-01 118784]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2004-07-01 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-03-20 7308584]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2008-05-16 1630208]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-02-09 04:05 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINNT\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\system32\\taskmgr.exe"=

R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/14/2009 8:35 PM 64160]
R0 pctcore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [9/10/2009 7:59 PM 206256]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S1 e09b46c2;e09b46c2;c:\winnt\system32\drivers\e09b46c2.sys [9/9/2009 9:13 PM 0]
S1 SASDIFSV;SASDIFSV;\??\h:\new folder\SASDIFSV.SYS --> h:\new folder\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/10/2009 7:58 PM 348752]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;\??\h:\new folder\SASENUM.SYS --> h:\new folder\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [1/2/2001 11:53 PM 19677]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
SharedTaskScheduler-{9c9ec39d-3ca4-4bfc-a25f-66b34a258a30} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - h:\new folder\SASSEH.DLL
SSODL-nusizusot-{9c9ec39d-3ca4-4bfc-a25f-66b34a258a30} - (no file)
Notify-!SASWinLogon - h:\new folder\SASWINLO.dll
AddRemove-Malwarebytes' Anti-Malware_is1 - h:\new folder (2)\Malwarebytes' Anti-Malware\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 11:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\winnt\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,31,9e,3b,d5,b0,70,4b,9d,59,6e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,31,9e,3b,d5,b0,70,4b,9d,59,6e,\
.
Completion time: 2009-10-06 11:23
ComboFix-quarantined-files.txt 2009-10-06 16:23

Pre-Run: 21,356,224,512 bytes free
Post-Run: 21,308,690,432 bytes free

354 --- E O F --- 2009-09-09 08:05

#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 06 October 2009 - 06:25 PM

Why did you run combofix twice? May I see the results of the first run please? Look for the log here:
C:\Qoobox\

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#7 peetee15

  • Topic Starter
  • Members
  • 26 posts

Posted 06 October 2009 - 10:01 PM

This is the first one it completed. I have tried to run it before, but it closed out one time and my computer shut down one time. I have a Quarantined list and an Add/Remove Programs list in that folder.

#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 October 2009 - 06:48 AM

OK...I'm in the midst of working up a script for you to run. While I'm working on that, if you are online, please post the "Add/Remove Programs list in that folder" on your next reply. Thanks!



#9 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 October 2009 - 09:19 AM

You have some folders that seem to be meaningless...well, to me that is. Google seems to agree with me on most of them, but I concede some (or all?) may belong to some game you play (I don't play any games, so I wouldn't have the slightest clue). There is one that you may even have created. The "New Folder" obviously is what I am referring to, but to be sure, I want to take a look at them all.

Please visit this site. Navigate to the file indicated below in Bold and upload the file for a free scan:

c:\WINNT\Downloaded Program Files\PurpleBean.exe

If you're unsure how to do that, follow the instructions below:
  • Click the Browse button to navigate the file path.
  • In the File Upload window that opens, click the drop down menu arrow and select your C: drive.
  • Click the "WINNT" folder and click "Open", use the scroll bar to scroll across and locate the "Downloaded Program Files" folder.
  • Scroll across until you locate the file PurpleBean.exe and click open.
  • Now click the Upload button. When the scan completes, please scroll to the bottom and click the Copy to clipboard button. On your reply, please remember to include those results.
Please click start-->run, type Notepad.exe...a blank notepad will open.
Please copy/paste the text from the quote box below into the blank notepad:

http://www.bleepingcomputer.com/forums/top...ml#entry1451266

Collect::
d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
C:\spoolerlogs
C:\scmhux.exe
c:\winnt\system32\jazijase.dll
c:\winnt\system32\lawalasi.dll
c:\winnt\system32\lekegafu.exe
c:\winnt\system32\wowafuha.exe
c:\winnt\system32\wiziwera.dll


FCopy::
c:\winnt\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\winnt\ServicePackFiles\i386\explorer.exe | c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
c:\winnt\$NtUninstallKB938828$\explorer.exe | c:\winnt\$NtServicePackUninstall$\explorer.exe


File::
c:\winnt\system32\yzunipega.com
c:\winnt\gida.dat
c:\winnt\system32\drivers\e09b46c2.sys


Driver::
e09b46c2


DirLook::
c:\program files\aASAFSD
c:\winnt\PIF
c:\program files\12
c:\program files\New Folder
c:\program files\Yues
c:\program files\Mallywdar


Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]

Save this as CFScript.txt. Change "Save as type" to All Files and save it to your Desktop.


Next, please drag the CFScript.txt into the ComboFix.exe icon on your Desktop. Combofix will scan again automatically.

When finished, it will produce a log for you. Please post that log in your next reply along with your results from the VirScan above. Thanks!

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

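The reasoning behind the CFScript above (FCopy:: a readable explorer.exe over the copy ComboFix could not hash; File::/Driver:: for the zero-byte e09b46c2.sys) can be automated. The following is an added Python example, not code from this thread or from ComboFix, run over Sigcheck and service/driver lines copied from the logs in this thread; treating a trailing "[?]" as a file ComboFix could not examine and an 8-hex-digit service name as suspect are this example's own assumptions.

```python
"""Triage the Sigcheck and service/driver sections of a ComboFix log.

Added example, not code from this thread or from ComboFix. The sample
lines are copied from the logs in the thread. Assumptions of this
example (not ComboFix documentation): a trailing "[?]" means the image
file could not be examined, and an 8-hex-digit service name is suspect.
"""
import re
from collections import defaultdict

# Sigcheck line:  [flag] date [time] . md5-or-error . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d\d-\d\d)(?:\s+\d\d:\d\d)?"
    r"\s+\.\s+(?P<hash>.*?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# Service line:   S1 name;display;image [date time size]   or   ...image [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")  # e09b46c2-style auto-generated names
SAMPLE_SIGCHECK = r"""
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\winnt\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\winnt\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\winnt\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\winnt\$NtUninstallKB938828$\explorer.exe
"""
SAMPLE_SERVICES = r"""
R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
S1 e09b46c2;e09b46c2;c:\winnt\system32\drivers\e09b46c2.sys [9/9/2009 9:13 PM 0]
S1 SASDIFSV;SASDIFSV;\??\h:\new folder\SASDIFSV.SYS --> h:\new folder\SASDIFSV.SYS [?]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
"""


def parse_sigcheck(text):
    """One dict per Sigcheck line; 'readable' is False for the !HASH error text."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            e["readable"] = bool(MD5_RE.match(e["hash"]))
            entries.append(e)
    return entries


def propose_restores(text):
    """Pair each copy whose hash could not be read with a readable copy of the same
    name and size (ServicePackFiles cache first): [(bad_path, source_path, version)]."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)
    proposals = []
    for copies in by_name.values():
        for bad in (c for c in copies if not c["readable"]):
            cands = [c for c in copies if c["readable"] and c["size"] == bad["size"]]
            cands.sort(key=lambda c: ("servicepackfiles" not in c["path"].lower(), c["path"]))
            src = cands[0] if cands else None
            proposals.append((bad["path"], src and src["path"], src and src["version"]))
    return proposals


def flag_services(text):
    """Return {service_name: [reasons]} for the kind of entry File::/Driver:: target."""
    flagged = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        info = m.group("info").split()
        # some lines read "a --> b"; keep the right-hand (resolved) path
        image = m.group("image").split("-->")[-1].strip().lower()
        reasons = []
        if info == ["?"]:
            reasons.append("image file could not be examined")
        elif info and info[-1] == "0":
            reasons.append("zero-byte image")
        if HEXNAME_RE.match(m.group("name")):
            reasons.append("random-looking service name")
        if not image.startswith("c:\\"):
            reasons.append("image not on the system drive c:")
        if reasons:
            flagged[m.group("name")] = reasons
    return flagged


if __name__ == "__main__":
    for bad, src, ver in propose_restores(SAMPLE_SIGCHECK):
        print("FCopy:: %s | %s   (version %s)" % (src, bad, ver))
    for name, reasons in flag_services(SAMPLE_SERVICES).items():
        print("%-14s %s" % (name, "; ".join(reasons)))
```

On the sample lines this proposes the same ServicePackFiles source the helper chose for c:\winnt\explorer.exe and flags e09b46c2 for being zero bytes with a random-looking name.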


#10 peetee15

  • Topic Starter
  • Members
  • 26 posts

Posted 07 October 2009 - 11:24 AM

The PurpleBean thing isn't harmful. It is part of a game I used to play.


Here's the log.


ComboFix 09-10-06.04 - Rhonda 10/07/2009 11:01.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.173 [GMT -5:00]
Running from: d:\documents and settings\Rhonda\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rhonda\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\winnt\gida.dat"
"c:\winnt\system32\drivers\e09b46c2.sys"
"c:\winnt\system32\yzunipega.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\scmhux.exe
c:\winnt\gida.dat
c:\winnt\system32\drivers\e09b46c2.sys
c:\winnt\system32\jazijase.dll
c:\winnt\system32\lawalasi.dll
c:\winnt\system32\lekegafu.exe
c:\winnt\system32\wiziwera.dll
c:\winnt\system32\wowafuha.exe
c:\winnt\system32\yzunipega.com
c:\winnt\Temp\log.txt

.
--------------- FCopy ---------------

c:\winnt\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\winnt\ServicePackFiles\i386\explorer.exe --> c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
c:\winnt\$NtUninstallKB938828$\explorer.exe --> c:\winnt\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e09b46c2


((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 15:38 . 2009-10-07 16:01 -------- d-----w- C:\windows
2009-10-06 03:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\proquota.exe
2009-10-06 02:08 . 2009-09-10 19:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-10-06 02:08 . 2009-10-06 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 02:08 . 2009-09-10 19:53 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-20 20:53 . 2009-09-20 20:53 -------- d-----w- d:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2009-09-16 03:29 . 2009-09-16 03:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 01:23 . 2009-09-16 02:14 -------- d-----w- c:\program files\aASAFSD
2009-09-16 01:08 . 2009-09-16 01:11 -------- d--h--w- c:\winnt\PIF
2009-09-15 23:27 . 2009-09-16 02:20 -------- d-----w- c:\program files\12
2009-09-14 22:46 . 2009-09-15 23:26 -------- d-----w- c:\program files\New Folder
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- d:\documents and settings\LocalService\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\Rhonda\Application Data\SUPERAntiSpyware.com
2009-09-13 23:46 . 2009-09-13 23:46 -------- d-----w- d:\documents and settings\LocalService\Application Data\Malwarebytes
2009-09-13 23:39 . 2009-09-13 23:39 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- d:\documents and settings\NetworkService\Application Data\Malwarebytes
2009-09-13 04:20 . 2009-09-13 04:20 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
2009-09-13 00:28 . 2009-09-13 00:28 -------- d-----w- d:\documents and settings\Rhonda\Local Settings\Application Data\Identities
2009-09-12 18:25 . 2009-09-12 18:25 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-12 18:11 . 2009-09-12 18:18 -------- d-----w- c:\program files\Yues
2009-09-11 13:37 . 2009-09-11 13:37 -------- d-sh--w- c:\winnt\system32\config\systemprofile\PrivacIE
2009-09-11 00:59 . 2008-12-11 13:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-09-11 00:59 . 2009-08-24 19:05 206256 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-09-11 00:59 . 2009-08-19 16:01 86888 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-09-11 00:58 . 2009-09-11 01:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-11 00:58 . 2008-12-10 16:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-09-11 00:58 . 2009-09-12 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\PC Tools
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-09-11 00:57 . 2009-10-07 15:55 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-11 00:43 . 2009-09-11 00:44 -------- d-----w- c:\program files\Mallywdar
2009-09-10 02:12 . 2009-09-10 02:12 -------- d-----w- C:\spoolerlogs
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 07:21 . 2009-06-21 21:44 153088 -c----w- c:\winnt\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 23:45 . 2009-09-10 23:45 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-09-10 23:28 . 2009-08-30 03:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\IM
2009-09-10 02:04 . 2009-04-14 03:50 -------- d-----w- c:\winnt\system32\config\systemprofile\Application Data\AdobeUM
2009-09-10 02:01 . 2005-11-30 17:11 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-06 02:04 . 2009-04-16 20:36 72704 ----a-w- d:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 02:03 . 2009-09-06 02:03 -------- d-----w- d:\documents and settings\Ian\Application Data\Windows Desktop Search
2009-09-06 02:01 . 2009-09-06 02:01 -------- d-----w- d:\documents and settings\Ian\Application Data\IM
2009-08-31 01:22 . 2009-08-30 20:31 -------- d-----w- d:\documents and settings\Paul II\Application Data\SolidWorks
2009-08-30 20:38 . 2009-08-30 05:09 -------- d-----w- d:\documents and settings\All Users\Application Data\SolidWorks
2009-08-30 14:30 . 2009-04-16 22:12 72704 ----a-w- d:\documents and settings\Paul II\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 06:09 . 2009-08-30 05:09 -------- d-----w- c:\program files\SolidWorks Corp
2009-08-30 05:43 . 2009-08-30 04:59 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 05:40 . 2009-08-30 05:12 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2009-08-30 05:10 . 2009-08-30 05:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-30 05:04 . 2009-08-30 05:04 -------- d-----w- d:\documents and settings\Paul II\Application Data\Windows Desktop Search
2009-08-30 05:03 . 2009-08-30 05:03 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-30 05:01 . 2009-08-30 05:01 -------- d-----w- c:\program files\MSECache
2009-08-30 04:59 . 2009-08-30 04:59 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-30 04:00 . 2009-08-30 03:59 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2009-08-24 21:16 . 2009-04-17 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 21:13 . 2009-07-23 19:46 -------- d-----w- c:\program files\Common Files\Nero
2009-08-23 21:09 . 2009-07-23 19:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Nero
2009-08-18 23:36 . 2009-08-18 23:36 -------- d-----w- c:\program files\San Andreas Mod Installer
2009-08-17 22:40 . 2009-08-15 16:48 -------- d-----w- c:\program files\Hot Coffee
2009-08-14 11:58 . 2009-09-11 00:59 7396 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2009-08-12 02:21 . 2009-08-12 02:21 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2009-08-11 21:44 . 2009-08-11 21:44 -------- d-----w- c:\program files\LG Electronics
2009-08-11 21:44 . 2009-04-14 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\winnt\system32\mswebdvd.dll
2009-07-24 12:03 . 2005-04-07 18:11 46864 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\winnt\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 06:56 286208 ----a-w- c:\winnt\system32\wmpdxm.dll
2009-07-13 14:00 . 2009-06-19 02:00 54 ----a-w- c:\winnt\system32\rp_stats.dat
2009-07-13 14:00 . 2009-06-19 02:00 39 ----a-w- c:\winnt\system32\rp_rules.dat
2004-08-04 06:56 . 2005-07-25 14:14 73728 --sha-w- c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\12 ----

2009-09-16 02:20 . 2009-09-16 02:20 2855 ----a-w- c:\program files\12\SUPERAntiSpyware.PIF
2009-09-04 19:49 . 2009-09-04 19:49 1994480 ----a-w- c:\program files\12\234.exe
2009-09-04 19:49 . 2009-09-04 19:49 1994480 ----a-w- c:\program files\12\SUPERAntiSpyware.exe

---- Directory of c:\program files\aASAFSD ----

2009-09-04 19:50 . 2009-09-04 19:50 7408 ----a-r- c:\program files\aASAFSD\SASENUM.SYS
2009-09-04 19:50 . 2009-09-04 19:50 9968 ----a-w- c:\program files\aASAFSD\sasdifsv.sys
2009-09-04 19:49 . 2009-09-16 02:14 1994480 ----a-w- c:\program files\aASAFSD\asdf.exe
2009-09-04 19:49 . 2009-09-04 19:49 74480 ----a-w- c:\program files\aASAFSD\SASKUTIL.SYS
2009-09-04 19:49 . 2009-09-04 19:49 158960 ----a-w- c:\program files\aASAFSD\SSUpdate.exe
2009-09-04 13:17 . 2009-09-04 13:17 20389538 ----a-w- c:\program files\aASAFSD\PROCESSLIST.DB
2009-09-04 13:17 . 2009-09-04 13:17 1221444 ----a-w- c:\program files\aASAFSD\PROCESSLISTRELATED.DB
2009-09-03 20:21 . 2009-09-03 20:21 548352 ----a-w- c:\program files\aASAFSD\SASWINLO.dll
2009-09-02 03:56 . 2009-09-02 03:56 37786 ----a-w- c:\program files\aASAFSD\Language\Dutch (NL).lng
2009-08-05 18:03 . 2009-08-05 18:03 35985 ----a-w- c:\program files\aASAFSD\Language\Swedish (SE).lng
2009-08-05 17:26 . 2009-08-05 17:26 32627 ----a-w- c:\program files\aASAFSD\Language\Hungarian (HU).lng
2009-08-05 17:24 . 2009-08-05 17:24 34855 ----a-w- c:\program files\aASAFSD\Language\Estonian (EST).lng
2009-01-15 16:44 . 2009-01-15 16:44 34251 ----a-w- c:\program files\aASAFSD\Language\DANISH (DK).LNG
2009-01-15 16:43 . 2009-01-15 16:43 36425 ----a-w- c:\program files\aASAFSD\Language\Norwegian (NO).lng
2009-01-15 16:31 . 2009-01-15 16:31 36581 ----a-w- c:\program files\aASAFSD\Language\Polish (PL).lng
2009-01-15 16:28 . 2009-01-15 16:28 40572 ----a-w- c:\program files\aASAFSD\Language\Macedonian (MK).lng
2008-11-04 23:37 . 2008-11-04 23:37 39269 ----a-w- c:\program files\aASAFSD\Language\Portuguese (BR).lng
2008-11-03 18:49 . 2008-11-03 18:49 47912 ----a-w- c:\program files\aASAFSD\RUNSAS.EXE
2008-11-03 18:30 . 2008-11-03 18:30 40888 ----a-w- c:\program files\aASAFSD\Language\German (DE).lng
2008-11-03 18:28 . 2008-11-03 18:28 41152 ----a-w- c:\program files\aASAFSD\Language\Italian (IT).lng
2008-11-03 16:37 . 2008-11-03 16:37 40562 ----a-w- c:\program files\aASAFSD\Language\Spanish (ES).lng
2008-11-03 16:36 . 2008-11-03 16:36 42687 ----a-w- c:\program files\aASAFSD\Language\French (FR).lng
2008-10-06 19:20 . 2008-10-06 19:20 35739 ----a-w- c:\program files\aASAFSD\Language\English (US).lng
2008-07-28 16:10 . 2008-07-28 16:10 411136 ----a-w- c:\program files\aASAFSD\SASREPAIRS.STG
2008-05-13 15:13 . 2008-05-13 15:13 77824 ----a-w- c:\program files\aASAFSD\SASSEH.DLL
2008-03-12 16:29 . 2008-03-12 16:29 24576 ----a-r- c:\program files\aASAFSD\SASINST.EXE
2007-11-27 18:12 . 2007-11-27 18:12 1088725 ----a-w- c:\program files\aASAFSD\SUPERAntiSpyware.chm
2007-10-02 19:08 . 2007-10-02 19:08 122168 ----a-r- c:\program files\aASAFSD\BootSafe.exe
2007-02-27 17:39 . 2007-02-27 17:39 61440 ----a-w- c:\program files\aASAFSD\SASCTXMN.DLL
2006-09-19 20:55 . 2006-09-19 20:55 360448 ----a-r- c:\program files\aASAFSD\deupx.dll
2004-06-03 14:24 . 2004-06-03 14:24 69632 ----a-w- c:\program files\aASAFSD\Plugins\sab_incr.dll
2004-05-20 18:28 . 2004-05-20 18:28 2048 ----a-w- c:\program files\aASAFSD\detect.wav
2004-05-07 20:31 . 2004-05-07 20:31 348160 ----a-w- c:\program files\aASAFSD\msvcr71.dll
2004-05-07 20:31 . 2004-05-07 20:31 40960 ----a-w- c:\program files\aASAFSD\Plugins\sab_mapi.dll
2004-05-07 20:31 . 2004-05-07 20:31 61440 ----a-w- c:\program files\aASAFSD\Plugins\sab_wab.dll

---- Directory of c:\program files\Mallywdar ----

2009-09-11 00:43 . 2009-09-10 19:53 70992 ----a-w- c:\program files\Mallywdar\mbamext.dll
2009-09-11 00:43 . 2009-09-10 19:53 1312080 ----a-w- c:\program files\Mallywdar\awefrwa.exe

---- Directory of c:\program files\New Folder ----

2009-09-04 19:49 . 2009-09-04 19:49 1994480 ----a-w- c:\program files\New Folder\login.exe

---- Directory of c:\program files\Yues ----

2009-09-12 18:11 . 2009-09-10 19:54 269648 ----a-w- c:\program files\Yues\likeyou.exe
2009-09-12 18:11 . 2009-09-10 19:54 420176 ----a-w- c:\program files\Yues\duh.exe
2009-09-12 18:11 . 2009-09-10 19:53 1312080 ----a-w- c:\program files\Yues\coolio.exe

---- Directory of c:\winnt\PIF ----



------- Sigcheck -------

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\winnt\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\winnt\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\winnt\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\winnt\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-06_16.20.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-07 16:12 . 2009-10-07 16:12 53248 c:\winnt\temp\catchme.dll
- 2009-10-06 16:19 . 2009-10-06 16:19 53248 c:\winnt\temp\catchme.dll
+ 2009-05-23 19:13 . 2004-08-04 06:56 1032192 c:\winnt\$NtServicePackUninstall$\explorer.exe
+ 2007-06-13 11:26 . 2008-04-14 00:12 1033728 c:\winnt\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2008-05-16 86016]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-15 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-09 143360]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2004-07-01 118784]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2004-07-01 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-03-20 7308584]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2008-05-16 1630208]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-02-09 04:05 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINNT\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\system32\\taskmgr.exe"=

R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/14/2009 8:35 PM 64160]
R0 pctcore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [9/10/2009 7:59 PM 206256]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S1 SASDIFSV;SASDIFSV;h:\new folder\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/10/2009 7:58 PM 348752]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;h:\new folder\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [1/2/2001 11:53 PM 19677]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 11:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\winnt\system32\GameMon.des -service"
.
Completion time: 2009-10-07 11:16
ComboFix-quarantined-files.txt 2009-10-07 16:16
ComboFix2.txt 2009-10-06 16:23

Pre-Run: 21,303,664,640 bytes free
Post-Run: 21,213,466,624 bytes free

298 --- E O F --- 2009-09-09 08:05

#11 1972vet
  • Malware Response Team

Posted 07 October 2009 - 05:37 PM

You may need to reinstall these:
SuperAntiSpyware
MBAM


I believe it was my error that created this directory in your log:
C:\windows
...from having scripted the FCopy command to place a copy of your explorer.exe in the Windows directory instead of in the winnt directory. We will try to take care of that with this next run, as I'm not so certain that Windows will allow us to delete a folder named "windows". We shall see.

Please open a blank Notepad by clicking Start --> Run.
Then, in the Run box, type Notepad.exe and click "OK".
Copy the text below (in bold) and paste it into the blank Notepad. Save it as CFScript.txt: change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Folder::
c:\program files\12
c:\program files\Mallywdar
c:\program files\New Folder
c:\program files\Yues
c:\windows

FCopy::
c:\winnt\ServicePackFiles\i386\explorer.exe | c:\winnt\explorer.exe

Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#12 peetee15
  • Topic Starter

Posted 07 October 2009 - 08:03 PM

new log


ComboFix 09-10-06.04 - Rhonda 10/07/2009 19:37.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.196 [GMT -5:00]
Running from: d:\documents and settings\Rhonda\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rhonda\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\12
c:\program files\12\234.exe
c:\program files\12\SUPERAntiSpyware.exe
c:\program files\12\SUPERAntiSpyware.PIF
c:\program files\Mallywdar
c:\program files\Mallywdar\awefrwa.exe
c:\program files\Mallywdar\mbamext.dll
c:\program files\New Folder
c:\program files\New Folder\login.exe
c:\program files\Yues
c:\program files\Yues\coolio.exe
c:\program files\Yues\duh.exe
c:\program files\Yues\likeyou.exe
c:\windows
c:\windows\explorer.exe

.
--------------- FCopy ---------------

c:\winnt\ServicePackFiles\i386\explorer.exe --> c:\winnt\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-06 03:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\proquota.exe
2009-10-06 02:08 . 2009-09-10 19:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-10-06 02:08 . 2009-10-06 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 02:08 . 2009-09-10 19:53 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-20 20:53 . 2009-09-20 20:53 -------- d-----w- d:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2009-09-16 03:29 . 2009-09-16 03:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 01:23 . 2009-09-16 02:14 -------- d-----w- c:\program files\aASAFSD
2009-09-16 01:08 . 2009-09-16 01:11 -------- d--h--w- c:\winnt\PIF
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- d:\documents and settings\LocalService\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\Rhonda\Application Data\SUPERAntiSpyware.com
2009-09-13 23:46 . 2009-09-13 23:46 -------- d-----w- d:\documents and settings\LocalService\Application Data\Malwarebytes
2009-09-13 23:39 . 2009-09-13 23:39 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- d:\documents and settings\NetworkService\Application Data\Malwarebytes
2009-09-13 04:20 . 2009-09-13 04:20 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
2009-09-13 00:28 . 2009-09-13 00:28 -------- d-----w- d:\documents and settings\Rhonda\Local Settings\Application Data\Identities
2009-09-12 18:25 . 2009-09-12 18:25 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 13:37 . 2009-09-11 13:37 -------- d-sh--w- c:\winnt\system32\config\systemprofile\PrivacIE
2009-09-11 00:59 . 2008-12-11 13:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-09-11 00:59 . 2009-08-24 19:05 206256 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-09-11 00:59 . 2009-08-19 16:01 86888 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-09-11 00:58 . 2009-09-11 01:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-11 00:58 . 2008-12-10 16:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-09-11 00:58 . 2009-09-12 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\PC Tools
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-09-11 00:57 . 2009-10-08 00:17 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-10 02:12 . 2009-09-10 02:12 -------- d-----w- C:\spoolerlogs
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 07:21 . 2009-06-21 21:44 153088 -c----w- c:\winnt\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 23:45 . 2009-09-10 23:45 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-09-10 23:28 . 2009-08-30 03:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\IM
2009-09-10 02:04 . 2009-04-14 03:50 -------- d-----w- c:\winnt\system32\config\systemprofile\Application Data\AdobeUM
2009-09-10 02:01 . 2005-11-30 17:11 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-06 02:04 . 2009-04-16 20:36 72704 ----a-w- d:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 02:03 . 2009-09-06 02:03 -------- d-----w- d:\documents and settings\Ian\Application Data\Windows Desktop Search
2009-09-06 02:01 . 2009-09-06 02:01 -------- d-----w- d:\documents and settings\Ian\Application Data\IM
2009-08-31 01:22 . 2009-08-30 20:31 -------- d-----w- d:\documents and settings\Paul II\Application Data\SolidWorks
2009-08-30 20:38 . 2009-08-30 05:09 -------- d-----w- d:\documents and settings\All Users\Application Data\SolidWorks
2009-08-30 14:30 . 2009-04-16 22:12 72704 ----a-w- d:\documents and settings\Paul II\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 06:09 . 2009-08-30 05:09 -------- d-----w- c:\program files\SolidWorks Corp
2009-08-30 05:43 . 2009-08-30 04:59 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 05:40 . 2009-08-30 05:12 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2009-08-30 05:10 . 2009-08-30 05:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-30 05:04 . 2009-08-30 05:04 -------- d-----w- d:\documents and settings\Paul II\Application Data\Windows Desktop Search
2009-08-30 05:03 . 2009-08-30 05:03 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-30 05:01 . 2009-08-30 05:01 -------- d-----w- c:\program files\MSECache
2009-08-30 04:59 . 2009-08-30 04:59 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-30 04:00 . 2009-08-30 03:59 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2009-08-24 21:16 . 2009-04-17 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 21:13 . 2009-07-23 19:46 -------- d-----w- c:\program files\Common Files\Nero
2009-08-23 21:09 . 2009-07-23 19:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Nero
2009-08-18 23:36 . 2009-08-18 23:36 -------- d-----w- c:\program files\San Andreas Mod Installer
2009-08-17 22:40 . 2009-08-15 16:48 -------- d-----w- c:\program files\Hot Coffee
2009-08-14 11:58 . 2009-09-11 00:59 7396 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2009-08-12 02:21 . 2009-08-12 02:21 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2009-08-11 21:44 . 2009-08-11 21:44 -------- d-----w- c:\program files\LG Electronics
2009-08-11 21:44 . 2009-04-14 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\winnt\system32\mswebdvd.dll
2009-07-24 12:03 . 2005-04-07 18:11 46864 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\winnt\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 06:56 286208 ----a-w- c:\winnt\system32\wmpdxm.dll
2009-07-13 14:00 . 2009-06-19 02:00 54 ----a-w- c:\winnt\system32\rp_stats.dat
2009-07-13 14:00 . 2009-06-19 02:00 39 ----a-w- c:\winnt\system32\rp_rules.dat
2004-08-04 06:56 . 2005-07-25 14:14 73728 --sha-w- c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2008-05-16 86016]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-15 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-09 143360]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2004-07-01 118784]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2004-07-01 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-03-20 7308584]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2008-05-16 1630208]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-02-09 04:05 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINNT\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\system32\\taskmgr.exe"=

R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/14/2009 8:35 PM 64160]
R0 pctcore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [9/10/2009 7:59 PM 206256]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/10/2009 7:58 PM 348752]
S1 SASDIFSV;SASDIFSV;h:\new folder\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;h:\new folder\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [1/2/2001 11:53 PM 19677]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 19:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\winnt\system32\GameMon.des -service"
.
Completion time: 2009-10-08 19:54
ComboFix-quarantined-files.txt 2009-10-08 00:54
ComboFix2.txt 2009-10-07 16:38
ComboFix3.txt 2009-10-07 16:16
ComboFix4.txt 2009-10-06 16:23

Pre-Run: 21,257,531,392 bytes free
Post-Run: 21,169,086,464 bytes free

222 --- E O F --- 2009-09-09 08:05
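The service/driver lines and the firewall AuthorizedApplications list in the ComboFix log above are what the helper reads by eye. The following is an added example, not code from this thread or from ComboFix, of parsing those two line formats and flagging the entries an analyst would verify first: images ComboFix could not find (the `[?]` marker), boot/system-start drivers loaded from outside the system and Program Files trees, images with a non-standard extension, and firewall exceptions for executables sitting in a browser-download or temp directory. The sample lines are copied from the log above; the expected directory roots, the flag heuristics and the `Entry` type are the example's own assumptions, and a flag means "check this entry", not "this entry is malicious".

```python
"""Triage helper for the services/drivers and firewall-exception sections of a
ComboFix log like the ones posted in this thread.  This is an added example
written for this page; it is not part of ComboFix and not code from the thread.
The sample lines below are copied from the log above; the heuristics (which
locations and start types deserve a second look) are the example's own
assumptions.  A flag means "verify this entry", not "this entry is malicious"."""
import re
from dataclasses import dataclass, field

# "R0 name;description;image-path [date time size]"   (R = running, S = stopped;
# the digit is the start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled)
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
META_RE = re.compile(r"\s\[(.*?)\]$")          # trailing "[...]" = date/size or "?"
FIREWALL_RE = re.compile(r'^"(.+?)"=$')        # AuthorizedApplications\List entries
DRIVE_RE = re.compile(r"^[a-z]:\\")

# The log shows this machine's system root is c:\winnt, not c:\windows (assumption
# for the heuristic: anything outside these two trees gets a second look).
EXPECTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\")
IMAGE_EXTS = (".sys", ".exe", ".dll")
EARLY_START = {"R0", "R1", "S0", "S1"}        # boot/system-start drivers

@dataclass
class Entry:
    kind: str                 # "service" or "firewall"
    name: str
    path: str
    flags: list = field(default_factory=list)

def normalize_path(raw):
    """Reduce a ComboFix image-path field to a lower-case file path: takes the
    right-hand side of a 'registered --> resolved' arrow, drops the NT '\\??\\'
    prefix and cuts service arguments such as ' -service'."""
    if "-->" in raw:
        raw = raw.split("-->", 1)[1]
    raw = raw.strip()
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    m = re.match(r"^(.*?\.(?:sys|exe|dll|des))(?:\s|$)", raw, re.I)
    return (m.group(1) if m else raw).lower()

def parse_service(line):
    """Parse one R*/S* service line; returns None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, _desc, rest = m.groups()
    meta = META_RE.search(rest)
    path = normalize_path(META_RE.sub("", rest))
    e = Entry("service", name, path)
    if meta and meta.group(1) == "?":
        e.flags.append("image file not found by ComboFix")
    # relative paths (no drive letter) are resolved by the SCM and are not flagged here
    if DRIVE_RE.match(path) and not path.startswith(EXPECTED_ROOTS):
        e.flags.append("image outside system/program directories")
    if not path.endswith(IMAGE_EXTS):
        e.flags.append("non-standard image extension")
    if start in EARLY_START and e.flags:
        e.flags.append("boot/system-start driver: review first")
    return e

def parse_firewall(line):
    """Parse one '"path"=' firewall exception; returns None for anything else."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    path = m.group(1).replace("\\\\", "\\").replace("%windir%", "c:\\winnt").lower()
    e = Entry("firewall", path.rsplit("\\", 1)[-1], path)
    if DRIVE_RE.match(path) and not path.startswith(EXPECTED_ROOTS):
        e.flags.append("authorized app outside system/program directories")
    if "\\downloaded program files\\" in path or "\\temp\\" in path:
        e.flags.append("authorized app in a browser-download or temp directory")
    return e

def triage(log_lines):
    """Return the entries that carry at least one flag, in log order."""
    flagged = []
    for line in log_lines:
        e = parse_service(line) or parse_firewall(line)
        if e and e.flags:
            flagged.append(e)
    return flagged

# Sample input copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
S1 SASDIFSV;SASDIFSV;h:\new folder\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
""".splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:14} {e.path}\n" + "".join(f"    - {f}\n" for f in e.flags))
```

Run against the full log, the output is the short list the helper would otherwise pick out by hand: the two SUPERAntiSpyware drivers registered from a folder on H:, the three images ComboFix could not stat, and the one firewall exception for an executable under Downloaded Program Files. Whether any of them is actually bad still needs the usual checks (publisher, hash, where the file came from).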

#13 1972vet
  • Malware Response Team

Posted 08 October 2009 - 07:45 AM

All right, good work, peetee15! You may have already noticed some improvement, but we need to make one more run to remove a directory that I initially mistook for a file when I tried to have it uploaded to sUBs' private channel with the collection command. No need to have a look at it either, as it is already known malicious.

Please open another blank Notepad. Copy the text below (in bold) and paste it into the blank Notepad. Save it as CFScript.txt: change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

Once again, ComboFix will run automatically and produce another log. Please post back that new log and let us know how the system is behaving for you now and if you are having any other issues. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::


Folder::
d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

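Both of 1972vet's posts above hand the user a CFScript.txt to drag onto ComboFix.exe, and the first one explains how an FCopy:: destination of c:\windows, on a machine whose system root is c:\winnt, created a stray directory that then had to be deleted. As an added example, not ComboFix code and not from the thread, the following checks a CFScript before it is run: directive names, absolute paths, no duplicate targets, FCopy:: destinations under the system root taken from the log, and no Folder:: or File:: line aimed at the system root itself. Folder::, FCopy:: and KILLALL:: are the directives used in this thread; the other names in `KNOWN` are assumed from common CFScript usage and should be checked against ComboFix's own documentation. `SCRIPT_BAD` is a constructed variant reproducing the destination mistake the post describes.

```python
"""Validator for a ComboFix CFScript.txt before it is dragged onto ComboFix.exe.
Added example for the two scripts posted by 1972vet above; not ComboFix code and
not taken from the thread.  Directive semantics beyond Folder::, FCopy:: and
KILLALL:: (which appear in this thread) are assumed from common CFScript usage."""
import re

BARE_DIRECTIVES = {"KILLALL"}                   # take no argument lines
PATH_DIRECTIVES = {"File", "Folder", "Driver", "Collect", "Suspect"}  # one path per line
KNOWN = BARE_DIRECTIVES | PATH_DIRECTIVES | {"FCopy", "Registry"}     # FCopy: "src | dst"

DRIVE_PATH = re.compile(r"^[a-zA-Z]:\\[^|]+$")  # absolute path with a drive letter

def parse_cfscript(text):
    """Group the script into (directive, [argument lines]) pairs, in order.
    A directive is a line ending in '::'; lines before the first directive are
    collected under the empty directive name so validate() can report them."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = (line[:-2], [])
            blocks.append(current)
        else:
            if current is None:
                current = ("", [])
                blocks.append(current)
            current[1].append(line)
    return blocks

def validate(text, system_root=r"c:\winnt"):
    """Return a list of human-readable problems; an empty list means the script
    passes.  system_root is the Windows directory as shown in the ComboFix log
    (c:\\winnt on this machine, not the default c:\\windows)."""
    root = system_root.lower().rstrip("\\")
    problems, seen = [], set()
    for directive, args in parse_cfscript(text):
        if directive == "":
            problems.append(f"lines before any directive: {args}")
            continue
        if directive not in KNOWN:
            problems.append(f"unknown directive {directive}::")
            continue
        if directive in BARE_DIRECTIVES:
            if args:
                problems.append(f"{directive}:: takes no arguments, got {args}")
            continue
        if directive == "FCopy":
            for a in args:
                parts = [p.strip() for p in a.split("|")]
                if len(parts) != 2 or not all(DRIVE_PATH.match(p) for p in parts):
                    problems.append(f"FCopy:: expects 'source | destination': {a!r}")
                    continue
                dst = parts[1].lower()
                # the mistake described in post #11: copying into c:\windows on a c:\winnt box
                if not dst.startswith(root + "\\"):
                    problems.append(f"FCopy:: destination {dst} is not under system root {root}")
            continue
        if directive == "Registry":
            continue                             # .reg-style content, not checked here
        for a in args:
            if not DRIVE_PATH.match(a):
                problems.append(f"{directive}:: path is not absolute: {a!r}")
                continue
            p = a.lower().rstrip("\\")
            if p in seen:
                problems.append(f"duplicate target {a!r}")
            seen.add(p)
            if p == root or root.startswith(p + "\\"):
                problems.append(f"{directive}:: targets the system root or a parent: {a!r}")
    return problems

# The two scripts posted in this thread, verbatim.
SCRIPT_POST_11 = r"""
Folder::
c:\program files\12
c:\program files\Mallywdar
c:\program files\New Folder
c:\program files\Yues
c:\windows

FCopy::
c:\winnt\ServicePackFiles\i386\explorer.exe | c:\winnt\explorer.exe
"""

SCRIPT_POST_13 = r"""
KILLALL::

Folder::
d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
"""

# Constructed, not from the thread: the FCopy destination mistake post #11 describes,
# plus a Folder:: line aimed at the real system root.
SCRIPT_BAD = r"""
FCopy::
c:\winnt\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
Folder::
c:\winnt
"""

if __name__ == "__main__":
    for label, script in (("post 11", SCRIPT_POST_11), ("post 13", SCRIPT_POST_13), ("bad", SCRIPT_BAD)):
        print(label, validate(script) or "OK")
```

Note that `c:\windows` passes the root check on this machine precisely because the log shows the system root is `c:\winnt`; running the same script with the default `system_root=r"c:\windows"` would refuse the Folder:: line, which is the point of taking the root from the log rather than assuming it.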


#14 peetee15
  • Topic Starter

Posted 08 October 2009 - 09:54 AM

Here it is. I think it's working :(

ComboFix 09-10-07.05 - Rhonda 10/08/2009 8:58.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.105 [GMT -5:00]
Running from: d:\documents and settings\Rhonda\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Rhonda\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\winnt\cimo._sy

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 13:20 . 2009-10-08 13:20 -------- d-----w- d:\documents and settings\Rhonda\Application Data\Windows Desktop Search
2009-10-08 13:19 . 2009-10-08 14:26 -------- d-----w- d:\documents and settings\Rhonda\Application Data\IM
2009-10-06 03:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\proquota.exe
2009-10-06 02:08 . 2009-09-10 19:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-10-06 02:08 . 2009-10-06 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 02:08 . 2009-09-10 19:53 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-20 20:53 . 2009-09-20 20:53 -------- d-----w- d:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2009-09-16 03:29 . 2009-09-16 03:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 01:23 . 2009-09-16 02:14 -------- d-----w- c:\program files\aASAFSD
2009-09-16 01:08 . 2009-09-16 01:11 -------- d--h--w- c:\winnt\PIF
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- d:\documents and settings\LocalService\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 21:52 . 2009-09-14 21:52 -------- d-----w- d:\documents and settings\Rhonda\Application Data\SUPERAntiSpyware.com
2009-09-13 23:46 . 2009-09-13 23:46 -------- d-----w- d:\documents and settings\LocalService\Application Data\Malwarebytes
2009-09-13 23:39 . 2009-09-13 23:39 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- d:\documents and settings\NetworkService\Application Data\Malwarebytes
2009-09-13 04:20 . 2009-09-13 04:20 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
2009-09-13 00:28 . 2009-09-13 00:28 -------- d-----w- d:\documents and settings\Rhonda\Local Settings\Application Data\Identities
2009-09-11 13:37 . 2009-09-11 13:37 -------- d-sh--w- c:\winnt\system32\config\systemprofile\PrivacIE
2009-09-11 00:59 . 2008-12-11 13:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-09-11 00:59 . 2009-08-24 19:05 206256 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-09-11 00:59 . 2009-08-19 16:01 86888 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-09-11 00:58 . 2009-09-11 01:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-11 00:58 . 2008-12-10 16:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-09-11 00:58 . 2009-09-12 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\PC Tools
2009-09-11 00:58 . 2009-09-11 00:58 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-09-11 00:57 . 2009-10-08 13:25 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-09-10 02:12 . 2009-09-10 02:12 -------- d-----w- C:\spoolerlogs
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 02:04 . 2009-09-10 02:04 -------- d-sh--we c:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 07:21 . 2009-06-21 21:44 153088 -c----w- c:\winnt\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 13:20 . 2005-04-07 18:11 72704 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 23:45 . 2009-09-10 23:45 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-09-10 23:28 . 2009-08-30 03:58 -------- d-----w- d:\documents and settings\Paul II\Application Data\IM
2009-09-10 02:04 . 2009-04-14 03:50 -------- d-----w- c:\winnt\system32\config\systemprofile\Application Data\AdobeUM
2009-09-10 02:01 . 2005-11-30 17:11 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-06 02:04 . 2009-04-16 20:36 72704 ----a-w- d:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 02:03 . 2009-09-06 02:03 -------- d-----w- d:\documents and settings\Ian\Application Data\Windows Desktop Search
2009-09-06 02:01 . 2009-09-06 02:01 -------- d-----w- d:\documents and settings\Ian\Application Data\IM
2009-08-31 01:22 . 2009-08-30 20:31 -------- d-----w- d:\documents and settings\Paul II\Application Data\SolidWorks
2009-08-30 20:38 . 2009-08-30 05:09 -------- d-----w- d:\documents and settings\All Users\Application Data\SolidWorks
2009-08-30 14:30 . 2009-04-16 22:12 72704 ----a-w- d:\documents and settings\Paul II\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 06:09 . 2009-08-30 05:09 -------- d-----w- c:\program files\SolidWorks Corp
2009-08-30 05:43 . 2009-08-30 04:59 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 05:40 . 2009-08-30 05:12 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2009-08-30 05:10 . 2009-08-30 05:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-30 05:04 . 2009-08-30 05:04 -------- d-----w- d:\documents and settings\Paul II\Application Data\Windows Desktop Search
2009-08-30 05:03 . 2009-08-30 05:03 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-30 05:01 . 2009-08-30 05:01 -------- d-----w- c:\program files\MSECache
2009-08-30 04:59 . 2009-08-30 04:59 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-30 04:00 . 2009-08-30 03:59 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2009-08-24 21:16 . 2009-04-17 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 21:13 . 2009-07-23 19:46 -------- d-----w- c:\program files\Common Files\Nero
2009-08-23 21:09 . 2009-07-23 19:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Nero
2009-08-18 23:36 . 2009-08-18 23:36 -------- d-----w- c:\program files\San Andreas Mod Installer
2009-08-17 22:40 . 2009-08-15 16:48 -------- d-----w- c:\program files\Hot Coffee
2009-08-14 11:58 . 2009-09-11 00:59 7396 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2009-08-12 02:21 . 2009-08-12 02:21 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2009-08-11 21:44 . 2009-08-11 21:44 -------- d-----w- c:\program files\LG Electronics
2009-08-11 21:44 . 2009-04-14 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\winnt\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\winnt\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 06:56 286208 ----a-w- c:\winnt\system32\wmpdxm.dll
2009-07-13 14:00 . 2009-06-19 02:00 54 ----a-w- c:\winnt\system32\rp_stats.dat
2009-07-13 14:00 . 2009-06-19 02:00 39 ----a-w- c:\winnt\system32\rp_rules.dat
2004-08-04 06:56 . 2005-07-25 14:14 73728 --sha-w- c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_00.50.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-08 14:25 . 2009-10-08 14:25 16384 c:\winnt\temp\Perflib_Perfdata_514.dat
+ 2009-10-08 14:25 . 2009-10-08 14:25 53248 c:\winnt\temp\catchme.dll
- 2009-10-08 00:49 . 2009-10-08 00:49 53248 c:\winnt\temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2008-05-16 86016]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-15 68856]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-09 143360]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2004-07-01 118784]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2004-07-01 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-03-20 7308584]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2008-05-16 1630208]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2002-02-09 04:05 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINNT\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\system32\\taskmgr.exe"=

R0 a320raid;a320raid;c:\winnt\system32\drivers\a320raid.sys [4/8/2005 10:20 AM 251578]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/14/2009 8:35 PM 64160]
R0 pctcore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [9/10/2009 7:59 PM 206256]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S1 SASDIFSV;SASDIFSV;\??\h:\new folder\SASDIFSV.SYS --> h:\new folder\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;\??\h:\new folder\SASENUM.SYS --> h:\new folder\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 2:27 PM 169200]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/10/2009 7:58 PM 348752]
S3 tatertot;tatertot;\??\c:\winnt\system32\drivers\tatertot.sys --> c:\winnt\system32\drivers\tatertot.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\winnt\system32\drivers\xbreader.sys [1/2/2001 11:53 PM 19677]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\winnt\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3480)
c:\winnt\system32\WININET.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\IEFRAME.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\winnt\system32\nvsvc32.exe
c:\program files\Timbuktu Pro\tb2launch.exe
c:\winnt\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\winnt\system32\searchindexer.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\winnt\system32\searchprotocolhost.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\winnt\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-10-08 9:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 14:37
ComboFix2.txt 2009-10-08 00:54
ComboFix3.txt 2009-10-07 16:38
ComboFix4.txt 2009-10-07 16:16
ComboFix5.txt 2009-10-08 13:31

Pre-Run: 21,152,976,896 bytes free
Post-Run: 21,107,916,800 bytes free

243 --- E O F --- 2009-09-09 08:05

#15 1972vet

  • Malware Response Team
  • 1,698 posts

Posted 08 October 2009 - 10:07 AM

Looks good now, how's it running?

Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
