
Pop ups on google/yahoo exc that try to install malware


  • This topic is locked
35 replies to this topic

#1 meowmix1

meowmix1

  • Members
  • 35 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 18 November 2009 - 10:12 AM

Recently I was infected with some fake anti-virus software called Anti Virus Pro 2009, and it disabled all my stuff, so I had to have help removing it here, http://www.bleepingcomputer.com/forums/t/271130/malware/. After all that, all the symptoms were gone, but when I started using IE again I kept getting pop-ups on trustworthy sites that try to install malware, especially on Google or Yahoo whenever I click a search result.

Also when I restart and log in I get a window called RUNDLL that says,
Error loading C:\DOCUM~1\devin\locals~1\Temp\odbc_inc.dll
The specified module could not be found.

Malwarebytes, SUPERAntiSpyware and the ESET scan all show nothing now. Here are the DDS and RootRepeal logs:

Attached File  rootrepeal_log.txt   2.94KB   6 downloads
Attached File  DDS.txt   7.48KB   5 downloads
Attached File  Attach.txt   9.61KB   2 downloads


DDS (Ver_09-10-26.01) - NTFSx86
Run by Devin at 8:53:04.18 on Wed 11/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.550 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devin\Desktop\RootRepeal.exe
C:\Documents and Settings\Devin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdminHpr] RUNDLL32.EXE c:\docume~1\devin\locals~1\temp\odbc_inc.DLL,i
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156300706609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156304524812
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: beziseno.dll c:\windows\system32\telemize.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll
STS: jugezatag: {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pekuveme.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-3 108289]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2007-12-25 347648]

=============== Created Last 30 ================

2009-11-18 10:38:57 0 d-----w- c:\program files\SpywareBlaster
2009-11-17 18:42:41 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-17 16:03:55 0 d-sh--w- C:\found.000
2009-11-16 14:07:02 1026 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-15 18:50:21 0 d-----w- c:\program files\ESET
2009-11-15 12:26:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-15 12:26:01 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-15 12:26:01 0 d-----w- c:\docume~1\devin\applic~1\SUPERAntiSpyware.com
2009-11-13 19:40:16 2198 ----a-w- C:\eJ6.bat
2009-11-13 19:40:14 0 d-----w- C:\SafetyCenter
2009-11-13 18:55:02 0 d-----w- c:\docume~1\devin\applic~1\Malwarebytes
2009-11-13 12:45:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:45:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 12:45:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 12:11:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-13 11:45:48 0 --sh--w- c:\windows\system32\wavepivo.exe
2009-11-06 07:15:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-11-03 22:25:09 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-03 22:24:59 0 d-----w- c:\program files\Avira
2009-11-03 22:24:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2009-09-03 19:37:13 44864 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-09-14 13:34:13 83 ----a-w- c:\program files\APC_HostConnections.log
2008-09-14 13:07:47 3287032 ----a-w- c:\program files\remote-desktop-control.exe
2008-09-14 12:54:27 0 ----a-w- c:\program files\adminaccount.ini
2008-09-11 05:27:33 144 --sha-w- c:\windows\system32\2419169505.dat
2009-08-13 11:45:22 20480 --sha-w- c:\windows\system32\nudodidi.exe
2008-11-01 08:40:27 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-13 17:45:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081320080814\index.dat
2008-11-01 08:40:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110120081102\index.dat

============= FINISH: 8:54:56.65 ===============

Edited by meowmix1, 18 November 2009 - 07:30 PM.




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 26 November 2009 - 08:27 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 26 November 2009 - 02:40 PM

Ok, I'm not really getting pop-ups anymore; I just get redirected whenever I click on a search result from Google or Yahoo to some advertisement or something that tries to install malware.



Logfile of random's system information tool 1.06 (written by random/random)
Run by Devin at 2009-11-26 13:20:42
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (23%) free of 76 GB
Total RAM: 1023 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:54 PM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devin\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Devin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof-2009.microsoft.com
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O1 - Hosts: 91.212.127.227 www.antiviraprof2009.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdminHpr] RUNDLL32.EXE C:\DOCUME~1\Devin\LOCALS~1\Temp\odbc_inc.DLL,i
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156300706609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156304524812
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O20 - AppInit_DLLs: beziseno.dll c:\windows\system32\telemize.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 6118 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-13 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"AdminHpr"=C:\DOCUME~1\Devin\LOCALS~1\Temp\odbc_inc.DLL,i []
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="beziseno.dll c:\windows\system32\telemize.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-09-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jugezatag - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
pekuveme.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\lilharba\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\lilharba\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe"="C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe:*:Enabled:Ultima Online Client"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE:*:Enabled:Age of Empires"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\apc_host.exe"="C:\Program Files\apc_host.exe:*:Enabled:Remote Desktop Control - Host Module"
"C:\Program Files\TVersity\Media Server\MediaServer.exe"="C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe"="C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe"="C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft Public Test\Launcher.exe"="C:\Program Files\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe"="C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe:*:Enabled:Dyyno Plugin Receiver"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Steam\steamapps\dr\darwinia demo\darwinia.exe"="C:\Program Files\Steam\steamapps\drew87\darwinia demo\darwinia.exe:*:Enabled:Darwinia Demo"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-11-26 13:20:42 ----D---- C:\rsit
2009-11-18 04:38:57 ----D---- C:\Program Files\SpywareBlaster
2009-11-17 14:06:47 ----A---- C:\ark.txt
2009-11-17 14:01:38 ----A---- C:\RootRepeal report 11-17-09 (14-01-38).txt
2009-11-17 10:03:55 ----SHD---- C:\found.000
2009-11-15 12:50:21 ----D---- C:\Program Files\ESET
2009-11-15 06:26:21 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-15 06:26:01 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-15 06:26:01 ----D---- C:\Documents and Settings\Devin\Application Data\SUPERAntiSpyware.com
2009-11-13 13:40:16 ----A---- C:\eJ6.bat
2009-11-13 13:40:14 ----D---- C:\SafetyCenter
2009-11-13 12:55:02 ----D---- C:\Documents and Settings\Devin\Application Data\Malwarebytes
2009-11-13 06:45:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-13 06:11:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-13 05:45:48 ----SH---- C:\WINDOWS\system32\wavepivo.exe
2009-11-13 00:43:10 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-07 01:39:47 ----D---- C:\WINDOWS\Sun
2009-11-07 01:39:47 ----D---- C:\Documents and Settings\Devin\Application Data\Sun
2009-11-06 01:15:44 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2009-11-03 16:24:59 ----D---- C:\Program Files\Avira
2009-11-03 16:24:59 ----D---- C:\Documents and Settings\All Users\Application Data\Avira

======List of files/folders modified in the last 1 months======

2009-11-25 22:43:05 ----D---- C:\WINDOWS\system32
2009-11-25 12:24:49 ----D---- C:\WINDOWS\temp
2009-11-25 12:20:25 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-24 15:54:10 ----D---- C:\Program Files\Full Tilt Poker
2009-11-23 09:47:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-23 09:40:02 ----D---- C:\Program Files\PokerStars
2009-11-22 15:48:49 ----D---- C:\Documents and Settings\Devin\Application Data\mIRC
2009-11-22 14:12:04 ----D---- C:\Program Files\mIRC
2009-11-21 19:26:12 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-21 17:23:53 ----D---- C:\Documents and Settings\Devin\Application Data\LimeWire
2009-11-18 08:21:17 ----D---- C:\WINDOWS\system32\drivers
2009-11-18 04:38:57 ----AD---- C:\Program Files
2009-11-17 13:39:12 ----D---- C:\WINDOWS\Prefetch
2009-11-17 12:43:02 ----D---- C:\WINDOWS\system32\config
2009-11-17 12:42:41 ----D---- C:\WINDOWS\system32\wbem
2009-11-17 12:42:41 ----D---- C:\WINDOWS\Registration
2009-11-17 10:21:31 ----SHD---- C:\System Volume Information
2009-11-17 10:21:31 ----D---- C:\WINDOWS\system32\Restore
2009-11-17 06:13:04 ----D---- C:\WINDOWS
2009-11-16 08:07:21 ----SHD---- C:\WINDOWS\Installer
2009-11-16 08:07:21 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-16 08:07:20 ----SHD---- C:\Config.Msi
2009-11-16 08:07:19 ----D---- C:\Program Files\Electronic Arts
2009-11-15 12:50:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-15 06:25:47 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-15 00:25:47 ----SD---- C:\WINDOWS\Tasks
2009-11-13 00:43:44 ----D---- C:\Documents and Settings
2009-11-13 00:38:11 ----D---- C:\Program Files\Steam
2009-11-12 17:17:10 ----D---- C:\Program Files\World of Warcraft
2009-11-09 20:09:53 ----D---- C:\WINDOWS\Minidump
2009-11-03 16:25:21 ----HD---- C:\WINDOWS\inf
2009-11-03 16:19:05 ----D---- C:\WINDOWS\WinSxS
2009-11-02 12:25:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2008-03-18 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2008-09-23 3331072]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-07-02 1063936]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-07-02 202368]
R3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2007-06-26 39488]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-06-18 578176]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-07-02 631680]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\C:\WINDOWS\system32\drivers\NSDriver.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-07-16 12160]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WlanUIG;2Wire 802.11g USB Driver; C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2007-01-08 347648]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-09-23 581632]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-06-16 61440]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-09-23 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------





info.txt logfile of random's system information tool 1.06 2009-11-26 13:20:58

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x7269
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Catalyst Control Center - Branding-->MsiExec.exe /I{FA3A247D-437A-455E-A88F-7EB6E5F9E799}
Conexant SmartHSFi V.9x 56K DF PCI Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702\HXFSETUP.EXE -U -IDel8d8xk.INF
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Digital Voice Recorder-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B478ACE-8512-4A46-ACB2-69D83DF2F6C7}\setup.exe" -l0x9 -remove
DVDXCopy Xpress 5.0.0-->"C:\Program Files\DVDXCopyInternational\Xpress\uninstall.exe"
Dynex mini card reader -->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F1B993AF-70F6-432F-9FA2-59E4DFB9CCE6} /l1033
DyynoPlayer 0.8.6f.2-->C:\Program Files\Dyyno\Dyyno Player\uninstall.exe
EPSON CX 4200 4800 Guide-->C:\Program Files\epson\guide\cx4200_4800_e\uninstall.exe
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
ffdshow [rev 1723] [2007-12-24]-->"C:\Program Files\ffdshow\unins000.exe"
Full Tilt Poker-->"C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
J2SE Runtime Environment 5.0 Update 8-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
LimeWire 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PokerStove version 1.23-->"C:\Program Files\PokerStove\unins000.exe"
PostgreSQL 8.3-->MsiExec.exe /I{B823632F-3B72-4514-8861-B961CE263224}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 8 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP8$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Steam-->C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 11-->MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
World of Warcraft FREE Trial-->MsiExec.exe /X{02EBDBB9-4600-41D3-B566-40CB861511D2}
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
XP Codec Pack-->C:\Program Files\XP Codec Pack\Uninstall.exe

=====HijackThis Backups=====

O4 - HKCU\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\Devin\LOCALS~1\Temp\winlogan.exe [2008-08-14]
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) [2008-08-14]
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 [2008-08-14]
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\WILLYW~1\LOCALS~1\Temp\csrssc.exe [2008-08-14]
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) [2008-08-14]
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe [2008-09-11]
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab [2008-09-11]
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll [2008-09-11]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab [2008-09-11]
O9 - Extra button: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Devin\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU) [2009-11-13]

======Hosts File======

127.0.0.1 localhost
::1 localhost
91.212.127.227 antiviraprof-2009.microsoft.com
91.212.127.227 antiviraprof2009.com
91.212.127.227 www.antiviraprof2009.com

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: DEVIN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3951
Source Name: W32Time
Time Written: 20090709084930.000000-300
Event Type: warning
User:

Computer Name: DEVIN
Event Code: 1003
Message: Error code 000000ea, parameter1 86a05020, parameter2 866419c8, parameter3 8696f6a0, parameter4 00000001.

Record Number: 3930
Source Name: System Error
Time Written: 20090708184358.000000-300
Event Type: error
User:

Computer Name: DEVIN
Event Code: 1003
Message: Error code 000000ea, parameter1 8613c020, parameter2 8630ebb0, parameter3 865f4130, parameter4 00000001.

Record Number: 3929
Source Name: System Error
Time Written: 20090708184351.000000-300
Event Type: error
User:

Computer Name: DEVIN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3887
Source Name: W32Time
Time Written: 20090708051900.000000-300
Event Type: warning
User:

Computer Name: DEVIN
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3886
Source Name: Tcpip
Time Written: 20090707175944.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: WILLARD
Event Code: 1000
Message: Faulting application oblivion.exe, version 1.2.0.416, faulting module oblivion.exe, version 1.2.0.416, fault address 0x0025c640.

Record Number: 529
Source Name: Application Error
Time Written: 20080720041831.000000-300
Event Type: error
User:

Computer Name: WILLARD
Event Code: 1000
Message: Faulting application oblivion.exe, version 1.2.0.416, faulting module oblivion.exe, version 1.2.0.416, fault address 0x0033a5e8.

Record Number: 528
Source Name: Application Error
Time Written: 20080720000931.000000-300
Event Type: error
User:

Computer Name: WILLARD
Event Code: 1000
Message: Faulting application oblivion.exe, version 1.2.0.416, faulting module oblivion.exe, version 1.2.0.416, fault address 0x000c9a80.

Record Number: 522
Source Name: Application Error
Time Written: 20080718190347.000000-300
Event Type: error
User:

Computer Name: WILLARD
Event Code: 1000
Message: Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.

Record Number: 516
Source Name: Application Error
Time Written: 20080717215536.000000-300
Event Type: error
User:

Computer Name: WILLARD
Event Code: 1002
Message: Hanging application BearShare.exe, version 5.2.5.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 515
Source Name: Application Hang
Time Written: 20080717215532.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------


Thx for help!

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 27 November 2009 - 03:40 AM

Hi meowmix1,


Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.



Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post back here with the following logs:
  • Report.txt
  • MBAM log
  • New Rsit log
Thanks



#5 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • Local time:05:31 PM

Posted 27 November 2009 - 04:15 PM

Ok, finished with that stuff. I haven't tested to see if it still redirects searches; I'm afraid it will install malware.
Edit: Ok, just as I entered this reply I got a pop-up called redirect.




SDFix: Version 1.240
Run by Administrator on Fri 11/27/2009 at 02:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\SYSTEM32\WAVEPIVO.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 14:42:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG11.00.00.01WORKSTATION"="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"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000015a
"TracesSuccessful"=dword:00000009

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Steam\\steamapps\\drew87\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\drew87\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\lilharbaugh420\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\lilharbaugh420\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\uog\\42\\client.exe"="C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\uog\\42\\client.exe:*:Enabled:Ultima Online Client"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE:*:Enabled:Age of Empires"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\steamapps\\drew87\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\drew87\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\apc_host.exe"="C:\\Program Files\\apc_host.exe:*:Enabled:Remote Desktop Control - Host Module"
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"="C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\\Documents and Settings\\Devin\\Local Settings\\temp\\Blizzard Launcher Temporary - 3999c860\\Launcher.exe"="C:\\Documents and Settings\\Devin\\Local Settings\\temp\\Blizzard Launcher Temporary - 3999c860\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Documents and Settings\\Devin\\Local Settings\\temp\\Blizzard Launcher Temporary - 3c1fa168\\Launcher.exe"="C:\\Documents and Settings\\Devin\\Local Settings\\temp\\Blizzard Launcher Temporary - 3c1fa168\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"="C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Documents and Settings\\Devin\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"="C:\\Documents and Settings\\Devin\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe:*:Enabled:Dyyno Plugin Receiver"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Steam\\steamapps\\drew\\darwinia demo\\darwinia.exe"="C:\\Program Files\\Steam\\steamapps\\drew87\\darwinia demo\\darwinia.exe:*:Enabled:Darwinia Demo"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft Public Test\\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
"C:\\Documents and Settings\\Devin\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Devin\\Desktop\\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 13 Aug 2009 20,480 A.SH. --- "C:\WINDOWS\system32\nudodidi.exe"
Tue 16 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 2 Aug 2006 118,784 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\AtiCimUn.exe"
Wed 2 Aug 2006 73,728 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\CheckVer.exe"
Wed 2 Aug 2006 51,712 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\DrvUI64A.exe"
Wed 2 Aug 2006 127,488 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\issetup.exe"
Sun 25 Jan 2004 127,488 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\makensisw.exe"
Wed 2 Aug 2006 18,192 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\psapi.dll"
Wed 2 Aug 2006 65,536 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\Setup.exe"
Sat 10 Oct 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 2 Aug 2006 94,208 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\ACE\ACE.dll"
Thu 10 Aug 2006 4,592,547 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\ACE\setup.exe"
Wed 2 Aug 2006 6,656 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\aticd64a.sys"
Wed 2 Aug 2006 348,160 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\aticds10.dll"
Wed 2 Aug 2006 53,248 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\AtiCIM.dll"
Wed 2 Aug 2006 385,024 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\atiicdxx.dll"
Wed 2 Aug 2006 291,328 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\atiicdxx.exe"
Wed 2 Aug 2006 6,144 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\atiicdxx.sys"
Wed 2 Aug 2006 123,392 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\EnumDev.exe"
Wed 2 Aug 2006 128,512 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\BIN\UpdatPnP.exe"
Wed 2 Aug 2006 94,208 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\Driver\Driver.DLL"
Wed 2 Aug 2006 46,080 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\Driver\Setup.exe"
Fri 18 Feb 2005 139,264 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\WDM_ALL\Setup.exe"
Wed 2 Aug 2006 94,208 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\WDM_ALL\WDM_ALL.dll"
Thu 11 Dec 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19db395f07b4ea57f58c6126880eb512\BITE.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Willy Wonka\Application Data\U3\temp\Launchpad Removal.exe"
Wed 6 Dec 2006 4,348 A..H. --- "C:\Documents and Settings\Willy Wonka\My Documents\My Music\License Backup\drmv1key.bak"
Tue 4 Sep 2007 20 A..H. --- "C:\Documents and Settings\Willy Wonka\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 10 Jul 2007 400 A.SH. --- "C:\Documents and Settings\Willy Wonka\My Documents\My Music\License Backup\drmv2key.bak"
Tue 18 Mar 2008 20 A..H. --- "C:\Documents and Settings\Willy Wonka\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Wed 2 Aug 2006 307,200 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\Driver\2KXP_INF\B_35255\atiiiexx.dll"
Thu 6 Jul 2006 168,576 A..H. --- "C:\drvrtmp\SUPPORT\6-8_xp-2k_dd_ccc_wdm_enu_35179\WDM_ALL\AVS_T200\XP\atinavt2.SYS"

Finished!

Malwarebytes' Anti-Malware 1.41
Database version: 3245
Windows 5.1.2600 Service Pack 3

11/27/2009 3:06:09 PM
mbam-log-2009-11-27 (15-06-09).txt

Scan type: Quick Scan
Objects scanned: 126538
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of random's system information tool 1.06 (written by random/random)
Run by Devin at 2009-11-27 15:06:48
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (23%) free of 76 GB
Total RAM: 1023 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:54 PM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Devin\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Devin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdminHpr] RUNDLL32.EXE C:\DOCUME~1\Devin\LOCALS~1\Temp\odbc_inc.DLL,i
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156300706609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156304524812
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O20 - AppInit_DLLs: beziseno.dll c:\windows\system32\telemize.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5912 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-13 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"AdminHpr"=C:\DOCUME~1\Devin\LOCALS~1\Temp\odbc_inc.DLL,i []
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="beziseno.dll c:\windows\system32\telemize.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-09-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jugezatag - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
pekuveme.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\lilharbaugh420\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\lilharbaugh420\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe"="C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe:*:Enabled:Ultima Online Client"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE:*:Enabled:Age of Empires"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\apc_host.exe"="C:\Program Files\apc_host.exe:*:Enabled:Remote Desktop Control - Host Module"
"C:\Program Files\TVersity\Media Server\MediaServer.exe"="C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe"="C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe"="C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft Public Test\Launcher.exe"="C:\Program Files\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe"="C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe:*:Enabled:Dyyno Plugin Receiver"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Steam\steamapps\drew87\darwinia demo\darwinia.exe"="C:\Program Files\Steam\steamapps\drew87\darwinia demo\darwinia.exe:*:Enabled:Darwinia Demo"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\Documents and Settings\Devin\Desktop\utorrent.exe"="C:\Documents and Settings\Devin\Desktop\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-11-27 14:35:24 ----D---- C:\Documents and Settings\Devin\Application Data\WinRAR
2009-11-27 13:50:07 ----D---- C:\WINDOWS\ERUNT
2009-11-27 13:41:34 ----D---- C:\SDFix
2009-11-26 13:20:42 ----D---- C:\rsit
2009-11-18 04:38:57 ----D---- C:\Program Files\SpywareBlaster
2009-11-17 14:06:47 ----A---- C:\ark.txt
2009-11-17 14:01:38 ----A---- C:\RootRepeal report 11-17-09 (14-01-38).txt
2009-11-17 10:03:55 ----SHD---- C:\found.000
2009-11-15 12:50:21 ----D---- C:\Program Files\ESET
2009-11-15 06:26:21 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-15 06:26:01 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-15 06:26:01 ----D---- C:\Documents and Settings\Devin\Application Data\SUPERAntiSpyware.com
2009-11-13 13:40:16 ----A---- C:\eJ6.bat
2009-11-13 13:40:14 ----D---- C:\SafetyCenter
2009-11-13 12:55:02 ----D---- C:\Documents and Settings\Devin\Application Data\Malwarebytes
2009-11-13 06:45:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-13 06:11:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-13 00:43:10 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-07 01:39:47 ----D---- C:\WINDOWS\Sun
2009-11-07 01:39:47 ----D---- C:\Documents and Settings\Devin\Application Data\Sun
2009-11-06 01:15:44 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2009-11-03 16:24:59 ----D---- C:\Program Files\Avira
2009-11-03 16:24:59 ----D---- C:\Documents and Settings\All Users\Application Data\Avira

======List of files/folders modified in the last 1 months======

2009-11-27 15:02:30 ----D---- C:\WINDOWS\temp
2009-11-27 14:27:35 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-27 14:11:21 ----D---- C:\WINDOWS\system32
2009-11-27 13:59:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-27 13:50:07 ----D---- C:\WINDOWS
2009-11-27 13:47:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-26 20:59:22 ----D---- C:\Documents and Settings\Devin\Application Data\LimeWire
2009-11-24 15:54:10 ----D---- C:\Program Files\Full Tilt Poker
2009-11-23 09:47:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-23 09:40:02 ----D---- C:\Program Files\PokerStars
2009-11-22 15:48:49 ----D---- C:\Documents and Settings\Devin\Application Data\mIRC
2009-11-22 14:12:04 ----D---- C:\Program Files\mIRC
2009-11-18 08:21:17 ----D---- C:\WINDOWS\system32\drivers
2009-11-18 04:38:57 ----AD---- C:\Program Files
2009-11-17 13:39:12 ----D---- C:\WINDOWS\Prefetch
2009-11-17 12:43:02 ----D---- C:\WINDOWS\system32\config
2009-11-17 12:42:41 ----D---- C:\WINDOWS\system32\wbem
2009-11-17 12:42:41 ----D---- C:\WINDOWS\Registration
2009-11-17 10:21:31 ----SHD---- C:\System Volume Information
2009-11-17 10:21:31 ----D---- C:\WINDOWS\system32\Restore
2009-11-16 08:07:21 ----SHD---- C:\WINDOWS\Installer
2009-11-16 08:07:21 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-16 08:07:20 ----SHD---- C:\Config.Msi
2009-11-16 08:07:19 ----D---- C:\Program Files\Electronic Arts
2009-11-15 12:50:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-15 06:25:47 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-15 00:25:47 ----SD---- C:\WINDOWS\Tasks
2009-11-13 00:43:44 ----D---- C:\Documents and Settings
2009-11-13 00:38:11 ----D---- C:\Program Files\Steam
2009-11-12 17:17:10 ----D---- C:\Program Files\World of Warcraft
2009-11-09 20:09:53 ----D---- C:\WINDOWS\Minidump
2009-11-03 16:25:21 ----HD---- C:\WINDOWS\inf
2009-11-03 16:19:05 ----D---- C:\WINDOWS\WinSxS
2009-11-02 12:25:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2008-03-18 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2008-09-23 3331072]
R3 catchme;catchme; \??\C:\DOCUME~1\Devin\LOCALS~1\Temp\catchme.sys []
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-07-02 1063936]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-07-02 202368]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2007-06-26 39488]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-06-18 578176]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-07-02 631680]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\C:\WINDOWS\system32\drivers\NSDriver.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-07-16 12160]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WlanUIG;2Wire 802.11g USB Driver; C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2007-01-08 347648]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-09-23 581632]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-06-16 61440]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-09-23 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

Edited by meowmix1, 27 November 2009 - 04:18 PM.
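
An added example, not part of this thread and not code from HijackThis, RSIT or OTM: a Python script that applies the kind of triage a Malware Response Team member does when reading the log above. The rule names, the Finding type and the sample input (lines copied from the HijackThis output and from the firewall section of the registry dump above, trimmed to a handful) are this example's own conventions. It flags four things that stand out in this log: a logon Run entry that loads a DLL from a Temp folder through RUNDLL32, a populated AppInit_DLLs value, SSODL and SharedTaskScheduler registrations whose file is missing, and Windows Firewall exceptions granted to core system binaries such as lsass.exe and winlogon.exe.

```python
"""Triage heuristics for HijackThis / RSIT log lines (added example).

Not code from HijackThis, RSIT, OTM or this thread. Rule names and the
Finding type are this script's own conventions; SAMPLE_LOG is constructed
from lines of the log above, trimmed so the script runs offline.
"""
import re
from typing import List, NamedTuple

# Constructed sample: HijackThis O4/O20/O21/O22/O23 lines plus three firewall
# authorizedapplications values from the RSIT registry dump.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AdminHpr] RUNDLL32.EXE C:\DOCUME~1\Devin\LOCALS~1\Temp\odbc_inc.DLL,i
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O20 - AppInit_DLLs: beziseno.dll c:\windows\system32\telemize.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: wobebadeb - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {05617644-3d4f-42b5-b78d-e065d7acbf87} - c:\windows\system32\telemize.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
""".lstrip("\n")


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str


# O4 autostart entries: O4 - HKCU\..\Run: [Name] command line
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Software that belongs on the machine lives under Program Files or the system
# directory; an autostart that runs from a Temp folder is a strong signal.
TEMP_RE = re.compile(r"\\temp\\", re.I)
# O20 - AppInit_DLLs: every DLL named here is loaded into every process that
# links user32.dll. HijackThis prints the line only when the value is set.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# O21 SSODL / O22 SharedTaskScheduler: COM objects Explorer loads at start-up.
SHELL_RE = re.compile(
    r"^O2[12] - (?P<kind>SSODL|SharedTaskScheduler): (?P<name>\S+) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Windows Firewall exception values as RSIT dumps them: "path"="path:*:Enabled:label"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<path>[^"]+?):\*:(?P<state>\w+):(?P<label>[^"]*)"$', re.I)
# Core Windows binaries that never need their own firewall exception; the
# set is the one the OTM script later in this thread removes.
SYSTEM_BINARIES = {"explorer.exe", "logonui.exe", "rundll32.exe", "winlogon.exe", "lsass.exe"}


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious lines of a HijackThis/RSIT log, in log order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)) and TEMP_RE.search(m["cmd"]):
            findings.append(Finding(line_no, "autorun-from-temp",
                                    f'{m["hive"]} Run [{m["name"]}] -> {m["cmd"]}'))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding(line_no, "appinit-dlls", m["dlls"]))
        elif m := SHELL_RE.match(line):
            note = " (file missing)" if m["missing"] else ""
            findings.append(Finding(line_no, "shell-object",
                                    f'{m["kind"]} {m["name"]} {m["clsid"]} -> {m["path"]}{note}'))
        elif m := FW_RE.match(line):
            exe = m["path"].rsplit("\\", 1)[-1].lower()
            if exe in SYSTEM_BINARIES:
                findings.append(Finding(line_no, "firewall-system-binary",
                                        f'{exe} {m["state"]} ({m["label"]})'))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.rule:<24} {f.detail}")
```

Run as a script it prints one line per finding with the log line number, so the six hits in the sample can be matched back to the log. The firewall rule keys only on the five system binaries that appear in the exception list above: a game launcher with its own exception is normal, while lsass.exe or winlogon.exe asking to be let through the firewall is not, because those processes have no business talking to the network on their own.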


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 28 November 2009 - 07:26 AM

Hi,

Please let me know if you are still getting popups after doing these next steps.


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "AdminHpr"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "wobebadeb"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
    "{05617644-3d4f-42b5-b78d-e065d7acbf87}"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe"=-
    "C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe"=-
    "C:\WINDOWS\explorer.exe"=-
    "C:\WINDOWS\system32\logonui.exe"=-
    "C:\WINDOWS\system32\rundll32.exe"=-
    "C:\WINDOWS\system32\winlogon.exe"=-
    "C:\WINDOWS\system32\lsass.exe"=-
    :Files
    C:\WINDOWS\system32\nudodidi.exe
    C:\eJ6.bat
    C:\SafetyCenter
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • OTM results
  • Gmer log
  • New Rsit log
Thanks


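Added example (the editor's, not OTM's own code and not part of the helper's post): a small parser for the :Reg / :Files / :Commands script above, so a reader can see what each line does before running it. It decodes the hex(7) REG_MULTI_SZ value to show that "Notification Packages" is being reset to the single entry scecli, and it picks out why the firewall lines matter: Windows Firewall application exceptions for core binaries such as explorer.exe, winlogon.exe and lsass.exe are not created by a normal install, so something else put them there. The line grammar assumed here ("=-" meaning delete, hex(7) meaning a REG_MULTI_SZ written one byte per character) is inferred from the script itself, not taken from OTM documentation; the sample input is the script from the post.

```python
"""Parse an OTM-style fix script (':Reg' / ':Files' / ':Commands' sections)
and show what each line would change, decoding REG_MULTI_SZ values written
as hex(7).  Added example, not OTM's own code; the line grammar below is
inferred from the script in the post, not from OTM documentation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the fix script from the post, verbatim.
SAMPLE_SCRIPT = r"""
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AdminHpr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wobebadeb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
"{05617644-3d4f-42b5-b78d-e065d7acbf87}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe"=-
"C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe"=-
"C:\WINDOWS\explorer.exe"=-
"C:\WINDOWS\system32\logonui.exe"=-
"C:\WINDOWS\system32\rundll32.exe"=-
"C:\WINDOWS\system32\winlogon.exe"=-
"C:\WINDOWS\system32\lsass.exe"=-
:Files
C:\WINDOWS\system32\nudodidi.exe
C:\eJ6.bat
C:\SafetyCenter
:Commands
[EmptyTemp]
"""

@dataclass
class RegOp:
    key: str
    name: str
    action: str                    # "delete" or "set"
    value: Optional[object] = None

@dataclass
class FixScript:
    reg: List[RegOp] = field(default_factory=list)
    files: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)

def decode_multi_sz(hex_bytes: str) -> List[str]:
    """'73,63,65,63,6c,69,00,00' -> ['scecli']: NUL-separated strings with a
    terminating extra NUL (one byte per character, as the script writes it)."""
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

def parse_fix_script(text: str) -> FixScript:
    out, section, key = FixScript(), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):                       # section switch
            section = line[1:].lower()
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                continue
            m = _VALUE_RE.match(line)
            if not m or key is None:
                raise ValueError(f"unparseable :Reg line: {line!r}")
            name, val = m.group("name"), m.group("val")
            if val == "-":                             # "name"=-  deletes the value
                out.reg.append(RegOp(key, name, "delete"))
            elif val.startswith("hex(7):"):            # REG_MULTI_SZ
                out.reg.append(RegOp(key, name, "set", decode_multi_sz(val[7:])))
            elif len(val) >= 2 and val[0] == val[-1] == '"':   # REG_SZ
                out.reg.append(RegOp(key, name, "set", val[1:-1]))
            else:
                raise ValueError(f"unsupported value syntax: {line!r}")
        elif section == "files":
            out.files.append(line)
        elif section == "commands":
            out.commands.append(line)
    return out

# Core Windows binaries do not normally need a Windows Firewall application
# exception; an AuthorizedApplications entry for one was put there by something else.
_CORE_BINARIES = {"explorer.exe", "winlogon.exe", "lsass.exe", "logonui.exe",
                  "rundll32.exe", "svchost.exe", "services.exe"}

def core_binary_firewall_exceptions(script: FixScript) -> List[str]:
    return [op.name for op in script.reg
            if op.key.lower().endswith(r"\authorizedapplications\list")
            and op.name.rsplit("\\", 1)[-1].lower() in _CORE_BINARIES]

if __name__ == "__main__":
    parsed = parse_fix_script(SAMPLE_SCRIPT)
    for op in parsed.reg:
        print(f"{op.action:6} {op.key}\\{op.name}" + (f" = {op.value!r}" if op.action == "set" else ""))
    print("files:", parsed.files, "commands:", parsed.commands)
    print("core-binary firewall exceptions:", core_binary_firewall_exceptions(parsed))
```

Run as-is it prints the twelve registry operations, the three file moves, the EmptyTemp command, and the five core-binary firewall exceptions. The "Notification Packages" line decodes to just scecli, which is the XP default for that value; password-filter DLLs register in that list, so any extra entry there was added after install.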

#7 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 28 November 2009 - 05:03 PM

Still getting pop-ups, not sure it's as frequent though; GMER didn't ask me any of those things either.

All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdminHpr deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wobebadeb deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\{05617644-3d4f-42b5-b78d-e065d7acbf87} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05617644-3d4f-42b5-b78d-e065d7acbf87}\ deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3999c860\Launcher.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Documents and Settings\Devin\Local Settings\temp\Blizzard Launcher Temporary - 3c1fa168\Launcher.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\explorer.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\logonui.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\rundll32.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\winlogon.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\lsass.exe deleted successfully.
========== FILES ==========
C:\WINDOWS\system32\nudodidi.exe moved successfully.
C:\eJ6.bat moved successfully.
C:\SafetyCenter folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Devin
->Temp folder emptied: 875327 bytes
->Temporary Internet Files folder emptied: 15351234 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 112094 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Willy Wonka
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 115168 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 15.79 mb


OTM by OldTimer - Version 3.1.2.0 log created on 11282009_124418

Files moved on Reboot...

Registry entries deleted on Reboot...


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 15:56:02
Windows 5.1.2600 Service Pack 3
Running: bs4fdnoe.exe; Driver: C:\DOCUME~1\Devin\LOCALS~1\Temp\axtdapod.sys


---- System - GMER 1.0.15 ----

SSDT F7A715A6 ZwCreateKey
SSDT F7A7159C ZwCreateThread
SSDT F7A715AB ZwDeleteKey
SSDT F7A715B5 ZwDeleteValueKey
SSDT F7A715BA ZwLoadKey
SSDT F7A71588 ZwOpenProcess
SSDT F7A7158D ZwOpenThread
SSDT F7A715C4 ZwReplaceKey
SSDT F7A715BF ZwRestoreKey
SSDT F7A715B0 ZwSetValueKey
SSDT F7A71597 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xF5A9E000, 0x1A51FA, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \Driver\00000147 -> \Driver\atapi \Device\Harddisk0\DR0 86B3E170

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 278F7AEF3D099E83772F179AE8A0C3A7B6338916AF889E1288FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667C038D530D6EB3452BA7FD869164D679415AB5F0CE5D11FD23C22BE99ECB860635DCD61C330409995CFFCEB718068DC6E4E1B36440B76856BB601E7B8F982FBAB16CA69D76BA052288244A8EEB10AAC72C96123E66D687594F0CCCC98EFA4EA6F777D3DC3EBC6F6370063B08B8070D37632A4560089D38628FE6474C4C3522C57261B5937C594095E190B16B43FC4F9A5A3AD15E10D4CA6816B48780FA5A78D11B7814AA344CBDD3B918E7B1DF392982F30E8B99D5D4413823520078CF4A3364F372E34BE64149E70A0641CBCD8CB01475B67AF0E1297E010CD35E29544271E47A443500357F84B2773AAC04FDD45D3A51FDDFACD7481F7111AF3E148DEF912327109672E0369B387A9A0CBD225B488856825AEBC062613F275F06E05C046334E0669DAC200B9FD4056A9B18A0538E9A5173A7480798843282E6007729819F4DCBDF31C071CA1A405824EF9FE86CF174C023E8A80B7926B22869C3E78CCE621A3E6DB3305D93AF48CAAB840F96BDF823EF1F5C168DA9243DC3223B844F484D4EC4476BA8AED051010BD3CB68A23327248234B7F293239D7D2DD163246DE2D00858CBFE3AAC1656

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Logfile of random's system information tool 1.06 (written by random/random)
Run by Devin at 2009-11-28 15:57:21
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (23%) free of 76 GB
Total RAM: 1023 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:26 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Devin\Desktop\bs4fdnoe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devin\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Devin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156300706609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156304524812
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 5552 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-13 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

C:\Documents and Settings\Devin\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-09-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\lilharbaugh420\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\lilharbaugh420\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe"="C:\Program Files\EA Games\Ultima Online Mondain's Legacy\uog\42\client.exe:*:Enabled:Ultima Online Client"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE:*:Enabled:Age of Empires"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\drew87\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\apc_host.exe"="C:\Program Files\apc_host.exe:*:Enabled:Remote Desktop Control - Host Module"
"C:\Program Files\TVersity\Media Server\MediaServer.exe"="C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\World of Warcraft Public Test\Launcher.exe"="C:\Program Files\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe"="C:\Documents and Settings\Devin\Local Settings\Application Data\Dyyno Receiver\DPPM.exe:*:Enabled:Dyyno Plugin Receiver"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Steam\steamapps\drew87\darwinia demo\darwinia.exe"="C:\Program Files\Steam\steamapps\drew87\darwinia demo\darwinia.exe:*:Enabled:Darwinia Demo"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe"="C:\Program Files\World of Warcraft Public Test\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Devin\Desktop\utorrent.exe"="C:\Documents and Settings\Devin\Desktop\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-11-28 12:44:18 ----D---- C:\_OTM
2009-11-28 12:39:05 ----D---- C:\Program Files\ERUNT
2009-11-27 14:35:24 ----D---- C:\Documents and Settings\Devin\Application Data\WinRAR
2009-11-27 13:50:07 ----D---- C:\WINDOWS\ERUNT
2009-11-27 13:41:34 ----D---- C:\SDFix
2009-11-26 13:20:42 ----D---- C:\rsit
2009-11-18 04:38:57 ----D---- C:\Program Files\SpywareBlaster
2009-11-17 14:06:47 ----A---- C:\ark.txt
2009-11-17 14:01:38 ----A---- C:\RootRepeal report 11-17-09 (14-01-38).txt
2009-11-17 10:03:55 ----SHD---- C:\found.000
2009-11-15 12:50:21 ----D---- C:\Program Files\ESET
2009-11-15 06:26:21 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-15 06:26:01 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-15 06:26:01 ----D---- C:\Documents and Settings\Devin\Application Data\SUPERAntiSpyware.com
2009-11-13 12:55:02 ----D---- C:\Documents and Settings\Devin\Application Data\Malwarebytes
2009-11-13 06:45:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-13 06:11:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-13 00:43:10 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-07 01:39:47 ----D---- C:\WINDOWS\Sun
2009-11-07 01:39:47 ----D---- C:\Documents and Settings\Devin\Application Data\Sun
2009-11-06 01:15:44 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2009-11-03 16:24:59 ----D---- C:\Program Files\Avira
2009-11-03 16:24:59 ----D---- C:\Documents and Settings\All Users\Application Data\Avira

======List of files/folders modified in the last 1 months======

2009-11-28 12:46:40 ----D---- C:\WINDOWS\temp
2009-11-28 12:46:35 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-28 12:46:10 ----D---- C:\WINDOWS\erdnt
2009-11-28 12:45:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-28 12:44:21 ----D---- C:\WINDOWS\system32
2009-11-28 12:39:05 ----AD---- C:\Program Files
2009-11-27 13:59:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-27 13:50:07 ----D---- C:\WINDOWS
2009-11-26 20:59:22 ----D---- C:\Documents and Settings\Devin\Application Data\LimeWire
2009-11-24 15:54:10 ----D---- C:\Program Files\Full Tilt Poker
2009-11-23 09:47:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-23 09:40:02 ----D---- C:\Program Files\PokerStars
2009-11-22 15:48:49 ----D---- C:\Documents and Settings\Devin\Application Data\mIRC
2009-11-22 14:12:04 ----D---- C:\Program Files\mIRC
2009-11-18 08:21:17 ----D---- C:\WINDOWS\system32\drivers
2009-11-17 13:39:12 ----D---- C:\WINDOWS\Prefetch
2009-11-17 12:43:02 ----D---- C:\WINDOWS\system32\config
2009-11-17 12:42:41 ----D---- C:\WINDOWS\system32\wbem
2009-11-17 12:42:41 ----D---- C:\WINDOWS\Registration
2009-11-17 10:21:31 ----SHD---- C:\System Volume Information
2009-11-17 10:21:31 ----D---- C:\WINDOWS\system32\Restore
2009-11-16 08:07:21 ----SHD---- C:\WINDOWS\Installer
2009-11-16 08:07:21 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-16 08:07:20 ----SHD---- C:\Config.Msi
2009-11-16 08:07:19 ----D---- C:\Program Files\Electronic Arts
2009-11-15 12:50:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-15 06:25:47 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-15 00:25:47 ----SD---- C:\WINDOWS\Tasks
2009-11-13 00:43:44 ----D---- C:\Documents and Settings
2009-11-13 00:38:11 ----D---- C:\Program Files\Steam
2009-11-12 17:17:10 ----D---- C:\Program Files\World of Warcraft
2009-11-09 20:09:53 ----D---- C:\WINDOWS\Minidump
2009-11-03 16:25:21 ----HD---- C:\WINDOWS\inf
2009-11-03 16:19:05 ----D---- C:\WINDOWS\WinSxS
2009-11-02 12:25:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2008-03-18 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2008-09-23 3331072]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-07-02 1063936]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-07-02 202368]
R3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2007-06-26 39488]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-06-18 578176]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-07-02 631680]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\C:\WINDOWS\system32\drivers\NSDriver.sys []
S3 axtdapod;axtdapod; \??\C:\DOCUME~1\Devin\LOCALS~1\Temp\axtdapod.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Devin\LOCALS~1\Temp\catchme.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-07-16 12160]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WlanUIG;2Wire 802.11g USB Driver; C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2007-01-08 347648]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-09-23 581632]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-06-16 61440]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-09-23 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------



Can I put these things as attachments so they don't take up so much space? thx for help so far (=

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 28 November 2009 - 05:58 PM

Yes, you can attach the logs if you wish.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#9 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • Local time:05:31 PM

Posted 28 November 2009 - 07:14 PM

Done with that, but now I keep getting a weird pop-up to a Bing search result for "service temporarily unavailable", and the search engine redirect stuff is still there.
The temp DLL error is gone now though.


ComboFix 09-11-28.01 - Devin 11/28/2009 17:26.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.633 [GMT -6:00]
Running from: c:\documents and settings\Devin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PeoplePC\Toolbar\PPCToolbar.dll
c:\windows\f96ac0e5-19d2-42c5-8f68-eb7a99861769.ocx
c:\windows\system32\2419169505.dat
c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
c:\windows\system32\3154234750.dat
c:\windows\ucexobuz.dll

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-28 18:44 . 2009-11-28 18:44 -------- d-----w- C:\_OTM
2009-11-28 18:39 . 2009-11-28 18:39 -------- d-----w- c:\program files\ERUNT
2009-11-27 19:59 . 2009-11-27 19:59 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-11-27 19:50 . 2009-11-27 19:50 -------- d-----w- c:\windows\ERUNT
2009-11-27 19:41 . 2009-11-27 20:44 -------- d-----w- C:\SDFix
2009-11-26 19:20 . 2009-11-26 19:20 -------- d-----w- C:\rsit
2009-11-18 10:38 . 2009-11-23 15:47 -------- d-----w- c:\program files\SpywareBlaster
2009-11-17 18:42 . 2009-11-17 18:42 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 16:03 . 2009-11-17 16:03 -------- d-----w- C:\found.000
2009-11-16 14:07 . 2009-11-16 14:07 1026 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-15 18:50 . 2009-11-15 18:50 -------- d-----w- c:\program files\ESET
2009-11-15 12:27 . 2009-11-23 15:48 117760 ----a-w- c:\documents and settings\Devin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\documents and settings\Devin\Application Data\SUPERAntiSpyware.com
2009-11-13 18:55 . 2009-11-13 18:55 -------- d-----w- c:\documents and settings\Devin\Application Data\Malwarebytes
2009-11-13 12:45 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:45 . 2009-11-16 14:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 12:45 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 12:11 . 2009-11-13 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 06:35 . 2009-11-13 23:32 -------- d-----w- c:\documents and settings\Devin\Local Settings\Application Data\hanfyd
2009-11-11 22:50 . 2009-11-11 22:50 -------- d-----w- c:\documents and settings\Devin\Local Settings\Application Data\Blizzard Entertainment
2009-11-07 07:39 . 2009-11-07 07:39 -------- d-----w- c:\windows\Sun
2009-11-06 07:15 . 2009-11-06 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-11-03 22:25 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-03 22:25 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-03 22:25 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-03 22:25 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-03 22:24 . 2009-11-03 22:24 -------- d-----w- c:\program files\Avira
2009-11-03 22:24 . 2009-11-03 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 02:59 . 2008-09-22 19:48 -------- d-----w- c:\documents and settings\Devin\Application Data\LimeWire
2009-11-24 21:54 . 2009-08-18 21:13 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-23 15:47 . 2009-10-13 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-23 15:40 . 2008-09-15 16:45 -------- d-----w- c:\program files\PokerStars
2009-11-22 21:48 . 2009-08-02 10:17 -------- d-----w- c:\documents and settings\Devin\Application Data\mIRC
2009-11-22 20:12 . 2009-10-03 04:04 -------- d-----w- c:\program files\mIRC
2009-11-16 14:07 . 2006-08-22 05:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 14:07 . 2008-10-14 04:22 -------- d-----w- c:\program files\Electronic Arts
2009-11-15 12:25 . 2008-12-08 02:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 06:38 . 2006-08-23 01:34 -------- d-----w- c:\program files\Steam
2009-11-12 23:17 . 2008-10-31 20:21 -------- d-----w- c:\program files\World of Warcraft
2009-10-13 23:32 . 2009-08-01 10:49 -------- d-----w- c:\program files\PokerTracker 3
2009-10-13 01:06 . 2009-10-13 00:56 -------- d-----w- c:\program files\Poker Tracker V2
2009-10-10 16:25 . 2006-08-23 05:43 44864 -c--a-w- c:\documents and settings\Willy Wonka\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 23:46 . 2009-09-11 23:46 147456 ----a-w- c:\documents and settings\Devin\Application Data\Absolute Poker\DownLoad\liveupdate.exe
2009-09-03 19:37 . 2008-09-11 06:08 44864 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-09-14 13:34 . 2008-09-14 13:12 83 ----a-w- c:\program files\APC_HostConnections.log
2008-09-14 13:07 . 2008-09-14 13:07 3287032 ----a-w- c:\program files\remote-desktop-control.exe
2008-09-14 12:54 . 2008-09-14 12:54 0 ----a-w- c:\program files\adminaccount.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-11-13 1312080]

c:\documents and settings\Devin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\lilharbaugh420\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\uog\\42\\client.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\Devin\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\darwinia demo\\darwinia.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\Devin\\Desktop\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 4:25 PM 108289]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 2:03 AM 65536]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [12/25/2007 3:20 AM 347648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-mIRC - c:\program files\mIRC\uninstall.exe _?=c:\program files\mIRC
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe steam://uninstall/440



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 17:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F5F170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7514f28
\Driver\ACPI -> ACPI.sys @ 0xf7487cb8
\Driver\atapi -> atapi.sys @ 0xf743f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf734bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf733aa0d
SendHandler -> NDIS.sys @ 0xf734eb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1680)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
.
**************************************************************************
.
Completion time: 2009-11-28 18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 00:00

Pre-Run: 18,479,697,920 bytes free
Post-Run: 18,392,072,192 bytes free

- - End Of File - - 747BFBC1E461E461529E04DFAEE339A7

Edited by meowmix1, 28 November 2009 - 07:24 PM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 29 November 2009 - 05:37 AM

I can see that you are still infected with a nasty rootkit, so you need to know the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    atapi.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#11 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • Local time:05:31 PM

Posted 29 November 2009 - 02:37 PM

Well that sucks but I guess I want to continue with trying to clean it.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:31 on 29/11/2009 by Devin (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:29 13/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 95360 bytes [23:54 28/11/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [06:03 22/08/2006] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a--c 86912 bytes [06:03 22/08/2006] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 86912 bytes [06:03 22/08/2006] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
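The cross-check the helper is doing by hand with this filefind log, as an added example (my code, not SystemLook's, ComboFix's or anything posted in this thread): parse the filefind hits, group identical copies by MD5, and compare the active driver under system32\drivers with the service-pack reference copy in ServicePackFiles\i386, the same location ComboFix restored ntfs.sys from earlier in the thread. The "different build" / "same size, hash differs" verdicts are my heuristic, not a SystemLook feature.

```python
"""Cross-check copies of a driver listed by SystemLook's :filefind output.

Added example, not SystemLook's or ComboFix's own code. It parses the
filefind lines, groups the copies by MD5, and compares the active driver in
system32\\drivers against the service-pack reference copy in
ServicePackFiles\\i386.
"""
import re
from collections import defaultdict

# Constructed sample input: the six atapi.sys lines from the SystemLook log above.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:29 13/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 95360 bytes [23:54 28/11/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [06:03 22/08/2006] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a--c 86912 bytes [06:03 22/08/2006] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 86912 bytes [06:03 22/08/2006] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
"""

# One filefind hit: path, six attribute flags, size, [created] [modified], MD5.
# (The FileLook output later in the thread confirms the bracket order.)
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per file hit; lines that are not hits are skipped."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def group_by_md5(hits):
    """Map each MD5 to the paths carrying it, so identical copies stand out."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["md5"]].append(h["path"])
    return dict(groups)


def _find(hits, marker):
    """First hit whose (lower-cased) path contains the given directory marker."""
    for h in hits:
        if marker in h["path"].lower():
            return h
    return None


def audit_driver(text):
    """Compare the active driver with the service-pack reference copy.

    Heuristic verdicts (my assumption, not a SystemLook feature):
      same MD5 as the reference copy -> "matches reference"
      different size                 -> "different build" (check file versions)
      same size but different MD5    -> "same size, hash differs" (an in-place
                                        modification that should be looked at)
    """
    hits = parse_filefind(text)
    active = _find(hits, "\\system32\\drivers\\")
    reference = _find(hits, "\\servicepackfiles\\i386\\")
    if active is None or reference is None:
        verdict = "incomplete: active or reference copy not listed"
    elif active["md5"] == reference["md5"]:
        verdict = "matches reference"
    elif active["size"] != reference["size"]:
        verdict = "different build"
    else:
        verdict = "same size, hash differs"
    return {
        "hits": len(hits),
        "active": active,
        "reference": reference,
        "verdict": verdict,
        "groups": group_by_md5(hits),
    }


if __name__ == "__main__":
    report = audit_driver(SAMPLE_LOG)
    print(f"{report['hits']} copies found; active driver verdict: {report['verdict']}")
    for md5, paths in report["groups"].items():
        print(md5)
        for p in paths:
            print("   ", p)
```

For the log above this reports "different build": the active atapi.sys is a smaller file with a different hash than the ServicePackFiles copy, so the next step is a version comparison rather than a conclusion either way.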

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 29 November 2009 - 03:05 PM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FileLook::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
DirLook::
c:\documents and settings\Devin\Local Settings\Application Data\hanfyd

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#13 meowmix1

meowmix1
  • Topic Starter

  • Members
  • 35 posts
  • Local time:05:31 PM

Posted 29 November 2009 - 03:58 PM

Ok.
Edit: oh, I have a question. Could this have affected the other computers hooked up to the same router? I think I had networking turned off though.


ComboFix 09-11-28.01 - Devin 11/29/2009 14:28.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.630 [GMT -6:00]
Running from: c:\documents and settings\Devin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Devin\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-28 18:44 . 2009-11-28 18:44 -------- d-----w- C:\_OTM
2009-11-28 18:39 . 2009-11-28 18:39 -------- d-----w- c:\program files\ERUNT
2009-11-27 19:59 . 2009-11-27 19:59 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-11-27 19:50 . 2009-11-27 19:50 -------- d-----w- c:\windows\ERUNT
2009-11-27 19:41 . 2009-11-27 20:44 -------- d-----w- C:\SDFix
2009-11-26 19:20 . 2009-11-26 19:20 -------- d-----w- C:\rsit
2009-11-18 10:38 . 2009-11-23 15:47 -------- d-----w- c:\program files\SpywareBlaster
2009-11-17 18:42 . 2009-11-17 18:42 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 16:03 . 2009-11-17 16:03 -------- d-----w- C:\found.000
2009-11-16 14:07 . 2009-11-16 14:07 1026 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-15 18:50 . 2009-11-15 18:50 -------- d-----w- c:\program files\ESET
2009-11-15 12:27 . 2009-11-23 15:48 117760 ----a-w- c:\documents and settings\Devin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-15 12:26 . 2009-11-15 12:26 -------- d-----w- c:\documents and settings\Devin\Application Data\SUPERAntiSpyware.com
2009-11-13 18:55 . 2009-11-13 18:55 -------- d-----w- c:\documents and settings\Devin\Application Data\Malwarebytes
2009-11-13 12:45 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:45 . 2009-11-16 14:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 12:45 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 12:11 . 2009-11-13 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 06:35 . 2009-11-13 23:32 -------- d-----w- c:\documents and settings\Devin\Local Settings\Application Data\hanfyd
2009-11-11 22:50 . 2009-11-11 22:50 -------- d-----w- c:\documents and settings\Devin\Local Settings\Application Data\Blizzard Entertainment
2009-11-07 07:39 . 2009-11-07 07:39 -------- d-----w- c:\windows\Sun
2009-11-06 07:15 . 2009-11-06 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-11-03 22:25 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-03 22:25 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-03 22:25 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-03 22:25 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-03 22:24 . 2009-11-03 22:24 -------- d-----w- c:\program files\Avira
2009-11-03 22:24 . 2009-11-03 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 02:59 . 2008-09-22 19:48 -------- d-----w- c:\documents and settings\Devin\Application Data\LimeWire
2009-11-24 21:54 . 2009-08-18 21:13 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-23 15:47 . 2009-10-13 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-23 15:40 . 2008-09-15 16:45 -------- d-----w- c:\program files\PokerStars
2009-11-22 21:48 . 2009-08-02 10:17 -------- d-----w- c:\documents and settings\Devin\Application Data\mIRC
2009-11-22 20:12 . 2009-10-03 04:04 -------- d-----w- c:\program files\mIRC
2009-11-16 14:07 . 2006-08-22 05:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 14:07 . 2008-10-14 04:22 -------- d-----w- c:\program files\Electronic Arts
2009-11-15 12:25 . 2008-12-08 02:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 06:38 . 2006-08-23 01:34 -------- d-----w- c:\program files\Steam
2009-11-12 23:17 . 2008-10-31 20:21 -------- d-----w- c:\program files\World of Warcraft
2009-10-13 23:32 . 2009-08-01 10:49 -------- d-----w- c:\program files\PokerTracker 3
2009-10-13 01:06 . 2009-10-13 00:56 -------- d-----w- c:\program files\Poker Tracker V2
2009-10-10 16:25 . 2006-08-23 05:43 44864 -c--a-w- c:\documents and settings\Willy Wonka\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 23:46 . 2009-09-11 23:46 147456 ----a-w- c:\documents and settings\Devin\Application Data\Absolute Poker\DownLoad\liveupdate.exe
2009-09-03 19:37 . 2008-09-11 06:08 44864 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-09-14 13:34 . 2008-09-14 13:12 83 ----a-w- c:\program files\APC_HostConnections.log
2008-09-14 13:07 . 2008-09-14 13:07 3287032 ----a-w- c:\program files\remote-desktop-control.exe
2008-09-14 12:54 . 2008-09-14 12:54 0 ----a-w- c:\program files\adminaccount.ini
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\ServicePackFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2004-08-04 05:59
Modified time: 2008-04-13 18:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


--- c:\windows\system32\drivers\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 95360
Created time: 2006-08-22 06:03
Modified time: 2004-08-04 05:59
MD5: CDFE4411A69C224BD1D11B2DA92DAC51
SHA1: A42FBFEB5A4D94118B483D7F18113AA8C329A052


--- c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 86912
Created time: 2006-08-22 06:03
Modified time: 2002-08-29 06:27
MD5: 95B858761A00E1D4F81F79A0DA019ACA
SHA1: 008BBADC55FB145C32B240644083059677681025


--- c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 86912
Created time: 2006-08-22 06:03
Modified time: 2002-08-29 06:27
MD5: 95B858761A00E1D4F81F79A0DA019ACA
SHA1: 008BBADC55FB145C32B240644083059677681025

---- Directory of c:\documents and settings\Devin\Local Settings\Application Data\hanfyd ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-11-13 1312080]

c:\documents and settings\Devin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\lilharbaugh420\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\uog\\42\\client.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\Devin\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\drew87\\darwinia demo\\darwinia.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\Devin\\Desktop\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 4:25 PM 108289]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 2:03 AM 65536]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [12/25/2007 3:20 AM 347648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 14:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F5F170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7514f28
\Driver\ACPI -> ACPI.sys @ 0xf7487cb8
\Driver\atapi -> atapi.sys @ 0xf743f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf734bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf733aa0d
SendHandler -> NDIS.sys @ 0xf734eb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-29 14:54
ComboFix-quarantined-files.txt 2009-11-29 20:54
ComboFix2.txt 2009-11-29 00:00

Pre-Run: 18,381,484,032 bytes free
Post-Run: 18,380,783,616 bytes free

- - End Of File - - CB0EFD07324CD82EEECBEAD178979136

Edited by meowmix1, 29 November 2009 - 04:13 PM.


#14 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:31 PM

Posted 30 November 2009 - 05:05 AM

Oh, I have a question. Could this have affected the other computers hooked up to the same router? I think I had networking turned off though.


If the computers are not set up to be networked with each other, then I don't think it would affect your other machines.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

CMD /K COPY /V "C:\WINDOWS\ServicePackFiles\i386\atapi.sys" "C:\atapi.sys"

  • The command prompt will pop up and it should say 1 file(s) copied.


Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Then please post back with C:\avenger.txt.

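As an added illustration of what the reply above is checking (example code written for this page, not part of the post and not a tool used in the thread): the ComboFix file-info blocks in the log list the live c:\windows\system32\drivers\atapi.sys as File Version 5.1.2600.2180, an SP2 RTM build, while the catchme banner in the same log reports Windows 5.1.2600 Service Pack 3. The script below parses blocks in that layout, groups copies of the same driver, and reports copies whose hashes differ and a live driver whose build is older than the installed service pack, which is the mismatch the ServicePackFiles copy in the reply is meant to correct. The sample log inside it is constructed from two of the blocks shown above; the table of lowest RTM build per service pack (1106, 2180, 5512) is an assumption taken from public XP version numbers, not something the log itself states.

```python
"""Added example: cross-check the '--- path ---' file-info blocks that ComboFix
prints, as seen in the post above. The sample log is constructed from two of
those blocks; the service-pack build table is an assumption, not log data."""
import re
from collections import defaultdict

# Constructed sample in the layout the post's ComboFix output uses.
SAMPLE_LOG = """\
--- c:\\windows\\system32\\drivers\\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Original Filename: atapi.sys
File size: 95360
MD5: CDFE4411A69C224BD1D11B2DA92DAC51
SHA1: A42FBFEB5A4D94118B483D7F18113AA8C329A052


--- c:\\windows\\system32\\ReinstallBackups\\0001\\DriverFiles\\i386\\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Original Filename: atapi.sys
File size: 86912
MD5: 95B858761A00E1D4F81F79A0DA019ACA
SHA1: 008BBADC55FB145C32B240644083059677681025

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Windows 5.1.2600 Service Pack 3 NTFS
"""

HEADER_RE = re.compile(r"^--- (?P<path>.+?) ---$", re.M)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?): (?P<val>.+)$")
SP_RE = re.compile(r"Windows 5\.1\.2600 Service Pack (\d)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Assumption: lowest RTM build (fourth version component) of each XP service
# pack. Hotfixed files carry higher builds but stay inside the same range.
SP_MIN_BUILD = [(3, 5512), (2, 2180), (1, 1106), (0, 0)]


def parse_file_blocks(text):
    """Return {path: {field: value}} for every '--- path ---' block in the log."""
    blocks = {}
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[h.end():end].splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m["key"]] = m["val"]
            elif not line.strip() and fields:
                break  # the first blank line after the fields closes the block
        blocks[h["path"]] = fields
    return blocks


def service_pack_of_build(build):
    """Map a 5.1.2600.<build> number onto the service pack it shipped with."""
    for sp, minimum in SP_MIN_BUILD:
        if build >= minimum:
            return sp
    return 0


def reported_service_pack(text):
    """Service pack level from the catchme banner, or None if absent."""
    m = SP_RE.search(text)
    return int(m.group(1)) if m else None


def driver_findings(text):
    """List human-readable inconsistencies between copies of each driver."""
    blocks = parse_file_blocks(text)
    os_sp = reported_service_pack(text)
    by_name = defaultdict(list)
    for path, f in blocks.items():
        name = f.get("Original Filename", path.rsplit("\\", 1)[-1]).lower()
        by_name[name].append((path, f))

    findings = []
    for name, copies in sorted(by_name.items()):
        md5s = {f["MD5"] for _, f in copies if "MD5" in f}
        if len(md5s) > 1:
            findings.append("%s: %d copies, %d distinct MD5 values"
                            % (name, len(copies), len(md5s)))
        for path, f in copies:
            # Only the driver actually loaded from system32\drivers is compared
            # against the OS level; ReinstallBackups copies are expected to be old.
            if "\\system32\\drivers\\" not in path.lower() or os_sp is None:
                continue
            vm = VERSION_RE.match(f.get("File Version", ""))
            if not vm:
                continue
            file_sp = service_pack_of_build(int(vm.group(4)))
            if file_sp < os_sp:
                findings.append("%s: live copy is an SP%d build (%s) on an SP%d system"
                                % (name, file_sp, vm.group(0), os_sp))
    return findings


if __name__ == "__main__":
    for line in driver_findings(SAMPLE_LOG):
        print(line)
```

Run it against a saved ComboFix log with driver_findings(open(path).read()). A non-empty result is a prompt to compare the live file against the copy in C:\WINDOWS\ServicePackFiles\i386 (the copy the reply above takes), not a verdict on its own: the ReinstallBackups copies legitimately differ, and a patched driver can keep its original version string, so the hash comparison matters more than the version one.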


#15 meowmix1

  • Topic Starter

  • Members
  • 35 posts
  • Local time:05:31 PM

Posted 30 November 2009 - 05:58 AM

Hmm, ok, I did everything you said, but the first time it restarted, when it got to the Windows sign, I got a blue screen. Tried it again, same thing, but safe mode works. Should I system restore to before I did it?



