Infected with hijack.system.hidden


This topic is locked
14 replies to this topic

#1 TheLivingDead

Posted 07 December 2009 - 01:15 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/261766/infected-with-hijacksystemhidden/ ~ OB

Hello. I was instructed to run DDS and RootRepeal and post the logs here by boopme. Here they are:

Attach text:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/21/2009 9:01:11 PM
System Uptime: 12/6/2009 10:08:03 PM (3 hours ago)

Motherboard: Hewlett-Packard | | 090Ch
Processor: Intel® Pentium® 4 CPU 3.20GHz | XU1 PROCESSOR | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 114 GiB total, 109.013 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Scan
Device ID: USB\VID_043D&PID_0065&MI_00\6&269E90EC&0&0000
Manufacturer:
Name: Scan
PNP Device ID: USB\VID_043D&PID_0065&MI_00\6&269E90EC&0&0000
Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Logitech-compatible Mouse PS/2
Device ID: ACPI\PNP0F13\4&369939D9&0
Manufacturer: Logitech
Name: Logitech-compatible Mouse PS/2
PNP Device ID: ACPI\PNP0F13\4&369939D9&0
Service: i8042prt

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Software Update
Ask Toolbar
BitTorrent
Broadcom NetXtreme Ethernet Controller
Dream Aquarium
Free FLV Player V0.05
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® Extreme Graphics 2 Driver
Java™ 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
MouseWare 9.76
Mozilla Firefox (3.5.5)
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SoundMAX
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

12/5/2009 5:06:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
12/5/2009 5:06:42 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/5/2009 5:06:42 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/5/2009 5:06:42 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/5/2009 5:06:42 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/5/2009 5:05:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/5/2009 5:05:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/4/2009 5:07:30 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The Logical Disk Manager service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 7:16:01 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 3:44:06 PM, error: Service Control Manager [7023] - The Time Windows service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
12/2/2009 12:31:33 PM, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
12/2/2009 11:42:08 PM, error: Windows Update Agent [20] -
12/2/2009 11:40:50 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 f77ba74d, parameter3 f7b31c68, parameter4 f7b31964.

==== End Of File ===========================




DDS Text:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Start at 1:02:29.89 on Mon 12/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.644 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MouseWare\system\em_exec.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Start\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\start\applic~1\mozilla\firefox\profiles\xswklhid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchslate.com/wp.ashx?ref=home&id=165
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-8-21 14336]

=============== Created Last 30 ================

2009-12-06 00:51:39 0 d--h--w- c:\windows\PIF
2009-11-29 09:00:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 11:55:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-25 11:55:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-23 00:09:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-23 00:09:48 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 00:09:48 0 d-----w- c:\docume~1\start\applic~1\SUPERAntiSpyware.com
2009-11-23 00:09:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-22 22:21:55 0 d-----w- c:\docume~1\start\applic~1\Malwarebytes
2009-11-22 22:21:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 22:21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 22:21:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 22:21:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-22 11:00:12 94208 ----a-w- c:\windows\Dream Aquarium.scr
2009-11-22 11:00:10 0 d-----w- c:\program files\Dream Aquarium
2009-11-22 08:12:58 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-22 08:05:00 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-22 08:05:00 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-22 08:02:38 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-22 08:02:37 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-22 08:02:36 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-22 08:02:09 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-22 08:00:19 0 d-----w- c:\windows\system32\PreInstall
2009-11-22 08:00:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-22 08:00:17 0 d--h--w- c:\windows\$hf_mig$
2009-11-22 02:20:03 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-11-22 02:17:28 187392 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-22 02:17:28 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-22 02:17:27 0 d-----w- c:\program files\Broadcom
2009-11-22 02:15:34 0 d-----w- c:\program files\common files\Logitech
2009-11-22 02:15:33 0 d-----w- c:\program files\MouseWare
2009-11-22 02:11:54 0 d-----w- c:\windows\system32\URTTemp
2009-11-22 02:10:48 0 d--h--w- c:\program files\Marvell-HP
2009-11-22 02:09:43 0 d-sh--w- c:\windows\ftpcache
2009-11-22 02:08:56 0 d-----w- C:\hp_LJP2014_Full_Solution_ROW
2009-11-22 02:08:20 0 d-----w- c:\windows\system32\ReinstallBackups
2009-11-22 02:07:52 0 d-----w- C:\Intel
2009-11-22 02:04:41 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-22 02:02:07 8192 ----a-w- c:\windows\REGLOCS.OLD
2009-11-22 02:01:04 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2009-11-22 01:58:00 0 d-sh--w- c:\documents and settings\all users\DRM
2009-11-22 01:57:39 0 d--h--w- c:\program files\WindowsUpdate
2009-11-22 01:57:06 0 d-----w- c:\program files\common files\MSSoap
2009-11-22 01:55:37 0 d-----w- c:\program files\Online Services
2009-11-22 01:55:28 0 d-----w- c:\program files\MSN Gaming Zone
2009-11-22 01:55:01 0 d-----w- c:\program files\Windows NT
2009-11-22 00:54:39 0 d-----w- c:\docume~1\start\applic~1\BitTorrent
2009-11-22 00:54:33 0 d-----w- c:\program files\BitTorrent
2009-11-22 00:05:04 0 d-----w- c:\program files\Analog Devices
2009-11-21 23:53:02 0 d-----w- c:\docume~1\start\applic~1\Blitware
2009-11-21 17:47:12 0 d-----w- c:\program files\common files\ODBC
2009-11-21 17:47:09 0 d-----w- c:\program files\common files\SpeechEngines
2009-11-21 17:46:44 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-11-29 21:52:57 90112 ----a-w- c:\windows\DUMP31ae.tmp
2009-11-29 08:22:17 90112 ----a-w- c:\windows\DUMP3102.tmp
2009-11-25 04:23:50 65636 ----a-w- c:\windows\fonts\EnglischeSchTDemBol.ttf
2009-11-25 03:14:00 70464 ----a-w- c:\windows\fonts\Gothic Flourish.ttf
2009-11-22 01:56:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-03-21 14:06:58 165988 --sha-r- c:\windows\system32\okhqukw.dll

============= FINISH: 1:02:42.14 ===============



RootRepeal Report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 01:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE12F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BFC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDA3C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee2130b0

Hidden Services
-------------------
Service Name: zgxfjnado
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==



Thank you for any help! :(

Edited by Orange Blossom, 18 December 2009 - 10:38 PM.


#2 TheLivingDead

Posted 18 December 2009 - 07:17 PM

Hello. I was instructed to run DDS and RootRepeal and post the logs here by boopme. I can't seem to get rid of hijack.system.hidden. I've used SuperAntiSpyware, Malwarebytes and many other programs that I can't remember right now. It's affecting my sound card (making it disappear altogether until I restart), my mouse properties, random pop-ups related to what I've been searching for recently, and every now and then completely freezing up my computer. PLEASE, if anyone can help me as quickly as possible, because the last time I got this I had to re-install Windows because it just kept shutting my computer on and off. Here are the logs:


==================== Find3M ====================

2009-11-29 21:52:57 90112 ----a-w- c:\windows\DUMP31ae.tmp
2009-11-29 08:22:17 90112 ----a-w- c:\windows\DUMP3102.tmp
2009-11-25 04:23:50 65636 ----a-w- c:\windows\fonts\EnglischeSchTDemBol.ttf
2009-11-25 03:14:00 70464 ----a-w- c:\windows\fonts\Gothic Flourish.ttf
2009-11-22 01:56:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-03-21 14:06:58 165988 --sha-r- c:\windows\system32\okhqukw.dll

============= FINISH: 1:02:42.14 ===============



RootRepeal Report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 01:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE12F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BFC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDA3C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee2130b0

Hidden Services
-------------------
Service Name: zgxfjnado
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==



Thank you for any help!!!

- Joe


#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 20 December 2009 - 03:17 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 TheLivingDead

  • Topic Starter
  • Members
  • 43 posts

Posted 20 December 2009 - 03:40 PM

Hi there! Thank you so much for helping me.

Here are the new logs:

DDS TEXT:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Start at 15:00:31.89 on Sun 12/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.644 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Start\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\start\applic~1\mozilla\firefox\profiles\xswklhid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchslate.com/wp.ashx?ref=home&id=165
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S2 hiozupd;Installer Task;c:\windows\system32\svchost.exe -k netsvcs [2008-8-21 14336]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-8-21 14336]

=============== Created Last 30 ================

2009-12-16 03:03:58 754 ----a-w- c:\windows\WORDPAD.INI
2009-12-06 00:51:39 0 d--h--w- c:\windows\PIF
2009-11-29 09:00:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 11:55:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-25 11:55:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-23 00:09:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-23 00:09:48 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 00:09:48 0 d-----w- c:\docume~1\start\applic~1\SUPERAntiSpyware.com
2009-11-23 00:09:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-22 22:21:55 0 d-----w- c:\docume~1\start\applic~1\Malwarebytes
2009-11-22 22:21:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 22:21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 22:21:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 22:21:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-22 11:00:12 94208 ----a-w- c:\windows\Dream Aquarium.scr
2009-11-22 11:00:10 0 d-----w- c:\program files\Dream Aquarium
2009-11-22 08:12:58 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-22 08:05:00 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-22 08:05:00 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-22 08:02:38 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-22 08:02:37 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-22 08:02:36 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-22 08:02:09 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-22 08:00:19 0 d-----w- c:\windows\system32\PreInstall
2009-11-22 08:00:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-22 08:00:17 0 d--h--w- c:\windows\$hf_mig$
2009-11-22 02:20:03 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-11-22 02:17:28 187392 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-22 02:17:28 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-22 02:17:27 0 d-----w- c:\program files\Broadcom
2009-11-22 02:15:34 0 d-----w- c:\program files\common files\Logitech
2009-11-22 02:15:33 0 d-----w- c:\program files\MouseWare
2009-11-22 02:11:54 0 d-----w- c:\windows\system32\URTTemp
2009-11-22 02:10:48 0 d--h--w- c:\program files\Marvell-HP
2009-11-22 02:09:43 0 d-sh--w- c:\windows\ftpcache
2009-11-22 02:08:56 0 d-----w- C:\hp_LJP2014_Full_Solution_ROW
2009-11-22 02:08:20 0 d-----w- c:\windows\system32\ReinstallBackups
2009-11-22 02:07:52 0 d-----w- C:\Intel
2009-11-22 02:04:41 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-22 02:02:07 8192 ----a-w- c:\windows\REGLOCS.OLD
2009-11-22 02:01:04 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2009-11-22 01:58:00 0 d-sh--w- c:\documents and settings\all users\DRM
2009-11-22 01:57:39 0 d--h--w- c:\program files\WindowsUpdate
2009-11-22 01:57:06 0 d-----w- c:\program files\common files\MSSoap
2009-11-22 01:55:37 0 d-----w- c:\program files\Online Services
2009-11-22 01:55:28 0 d-----w- c:\program files\MSN Gaming Zone
2009-11-22 01:55:01 0 d-----w- c:\program files\Windows NT
2009-11-22 00:54:39 0 d-----w- c:\docume~1\start\applic~1\BitTorrent
2009-11-22 00:54:33 0 d-----w- c:\program files\BitTorrent
2009-11-22 00:05:04 0 d-----w- c:\program files\Analog Devices
2009-11-21 23:53:02 0 d-----w- c:\docume~1\start\applic~1\Blitware
2009-11-21 17:47:12 0 d-----w- c:\program files\common files\ODBC
2009-11-21 17:47:09 0 d-----w- c:\program files\common files\SpeechEngines
2009-11-21 17:46:44 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-11-29 21:52:57 90112 ----a-w- c:\windows\DUMP31ae.tmp
2009-11-29 08:22:17 90112 ----a-w- c:\windows\DUMP3102.tmp
2009-11-25 04:23:50 65636 ----a-w- c:\windows\fonts\EnglischeSchTDemBol.ttf
2009-11-25 03:14:00 70464 ----a-w- c:\windows\fonts\Gothic Flourish.ttf
2009-11-22 01:56:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-03-21 14:06:58 165988 --sha-r- c:\windows\system32\okhqukw.dll

============= FINISH: 15:00:46.42 ===============



ATTACH TEXT:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/21/2009 9:01:11 PM
System Uptime: 12/20/2009 2:35:11 PM (1 hours ago)

Motherboard: Hewlett-Packard | | 090Ch
Processor: Intel® Pentium® 4 CPU 3.20GHz | XU1 PROCESSOR | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 114 GiB total, 107.854 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Scan
Device ID: USB\VID_043D&PID_0065&MI_00\6&269E90EC&0&0000
Manufacturer:
Name: Scan
PNP Device ID: USB\VID_043D&PID_0065&MI_00\6&269E90EC&0&0000
Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Logitech-compatible Mouse PS/2
Device ID: ACPI\PNP0F13\4&369939D9&0
Manufacturer: Logitech
Name: Logitech-compatible Mouse PS/2
PNP Device ID: ACPI\PNP0F13\4&369939D9&0
Service: i8042prt

==== System Restore Points ===================

RP1: 12/12/2009 11:47:15 PM - System Checkpoint
RP2: 12/14/2009 4:04:50 AM - System Checkpoint
RP3: 12/15/2009 5:15:16 AM - System Checkpoint
RP4: 12/16/2009 5:47:37 AM - System Checkpoint
RP5: 12/17/2009 4:02:24 PM - System Checkpoint
RP6: 12/18/2009 7:55:32 PM - System Checkpoint
RP7: 12/20/2009 2:07:57 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Software Update
Ask Toolbar
BitTorrent
Broadcom NetXtreme Ethernet Controller
Dream Aquarium
Free FLV Player V0.05
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® Extreme Graphics 2 Driver
Java™ 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
MouseWare 9.76
Mozilla Firefox (3.5.6)
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SoundMAX
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
WinZip 14.0
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

12/16/2009 11:00:15 AM, error: Service Control Manager [7023] - The Time Windows service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
12/16/2009 11:00:15 AM, error: Service Control Manager [7023] - The Installer Task service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
12/16/2009 11:00:09 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
12/16/2009 10:33:31 AM, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The Logical Disk Manager service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
12/15/2009 11:44:55 AM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.

==== End Of File ===========================


GMER LOG:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 15:35:35
Windows 5.1.2600 Service Pack 3
Running: zjnmlefj.exe; Driver: C:\DOCUME~1\Start\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEE630B0]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 0171ADDD
.text C:\WINDOWS\System32\svchost.exe[1048] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 0171AD74
.text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 0064ADDD

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] hiozupd <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] zgxfjnado <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@DisplayName Installer Task
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@DisplayName Time Windows
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@DisplayName Installer Task
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@DisplayName Time Windows
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\zgxfjnado\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@DisplayName Time Windows
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zgxfjnado\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@DisplayName Installer Task
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hiozupd\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@DisplayName Time Windows
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\zgxfjnado\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll

---- EOF - GMER 1.0.15 ----



There you go. Thank you very much!
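
The two hidden services in the GMER log above, hiozupd and zgxfjnado, both run under svchost.exe -k netsvcs and both point their ServiceDll at the same file, C:\WINDOWS\system32\okhqukw.dll, so from the Services console they would look like ordinary shared-process Windows services. The Python script below is an added example for this thread, not part of GMER, DDS or any BleepingComputer tool: it parses GMER "Reg" lines, flags svchost-hosted services whose ServiceDll is not on a small allow-list of DLLs that normally run in the netsvcs group, and reports any DLL that sits behind more than one service name. The allow-list is an illustrative subset and an assumption, not the authoritative list for any Windows build. The sample lines are copied from the log above (Description values left out), plus one constructed, benign Task Scheduler entry so the allow-list has something to pass.

```python
"""Triage helper for GMER "Reg" lines: find svchost-hosted services whose
ServiceDll is not one that normally runs in the netsvcs group, and DLLs shared
by several services.  Added example for this thread; not part of GMER, DDS or
any BleepingComputer tool."""
import ntpath
import re
from collections import defaultdict

# Assumption: an illustrative subset of DLLs that run under
# "svchost.exe -k netsvcs" on Windows XP.  Real triage should read the host's
# own HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs value
# and the ServiceDll of each service listed there instead of a fixed table.
KNOWN_NETSVCS_DLLS = {"qmgr.dll", "schedsvc.dll", "srvsvc.dll", "wkssvc.dll",
                      "browser.dll", "wuauserv.dll"}

# One GMER "Reg" line:
#   Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>[\Parameters][@<value> <data>]
REG_LINE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<params>\\Parameters)?(?:@(?P<name>\w+) (?P<data>.*))?")

# Sample input: the two hidden services as GMER printed them in the log above
# (Description values omitted), plus a CONSTRUCTED benign Task Scheduler entry.
SAMPLE_GMER_LINES = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@DisplayName Installer Task
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\hiozupd\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@DisplayName Time Windows
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\zgxfjnado\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hiozupd\Parameters@ServiceDll C:\WINDOWS\system32\okhqukw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Schedule@DisplayName Task Scheduler
Reg HKLM\SYSTEM\CurrentControlSet\Services\Schedule@ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\Schedule\Parameters@ServiceDll %SystemRoot%\system32\schedsvc.dll
"""


def parse_gmer_registry(text):
    """Return {(controlset, service): {value_name: data}} from GMER 'Reg' lines.
    Key-only lines (no '@value') and '(not active ControlSet)' lines are skipped."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m is None or m.group("name") is None:
            continue
        services[(m.group("cs"), m.group("svc"))][m.group("name")] = m.group("data")
    return dict(services)


def suspicious_svchost_services(services):
    """Services hosted by svchost.exe whose ServiceDll file name is not on the
    allow-list.  Returns a sorted list of (service, controlset, dll)."""
    hits = []
    for (cs, svc), values in services.items():
        image = values.get("ImagePath", "").lower()
        dll = values.get("ServiceDll")
        if "svchost.exe" not in image or not dll:
            continue
        # ntpath handles the Windows path even when this runs on Linux/macOS.
        if ntpath.basename(dll).lower() not in KNOWN_NETSVCS_DLLS:
            hits.append((svc, cs, dll))
    return sorted(hits)


def shared_service_dlls(services):
    """Map each ServiceDll (lower-cased) to the sorted service names that load
    it, keeping only DLLs that sit behind more than one service name."""
    by_dll = defaultdict(set)
    for (_cs, svc), values in services.items():
        if "ServiceDll" in values:
            by_dll[values["ServiceDll"].lower()].add(svc)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_gmer_registry(SAMPLE_GMER_LINES)
    for svc, cs, dll in suspicious_svchost_services(parsed):
        print(f"SUSPECT {svc:<12} {cs:<18} ServiceDll={dll}")
    for dll, names in shared_service_dlls(parsed).items():
        print(f"SHARED  {dll} <- {', '.join(names)}")
```

Run against the sample, the script reports hiozupd (in both control sets) and zgxfjnado as suspect and okhqukw.dll as shared by both, while the constructed Task Scheduler entry passes. Two details from the logs above line up with that result: the DDS Find3M section lists the same okhqukw.dll with the attributes --sha-r- (system, hidden, read-only), which a normal service DLL would not carry, and the services' Type value of 32 is the shared-process service type, which is why they appear only as extra svchost.exe instances in the process list rather than as a separately named executable.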

#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 20 December 2009 - 03:46 PM

Hello TheLivingDead,

P2P WARNING
-------------------
Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
Ask Toolbar

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#6 TheLivingDead

Posted 20 December 2009 - 08:40 PM

Ok. Here ya go.


ComboFix 09-12-20.03 - Start 12/20/2009 20:34:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.609 [GMT -5:00]
Running from: c:\documents and settings\Start\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-12 09:58 . 2009-12-12 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-06 00:51 . 2009-12-06 00:51 -------- d--h--w- c:\windows\PIF
2009-11-29 09:00 . 2009-11-29 09:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 12:03 . 2009-11-25 12:03 -------- d-----w- c:\program files\FLV Player
2009-11-25 12:02 . 2009-11-25 12:02 -------- d-----w- c:\windows\Sun
2009-11-25 11:55 . 2009-11-25 11:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 11:55 . 2009-11-25 11:55 -------- d-----w- c:\program files\Java
2009-11-25 11:55 . 2009-11-25 11:55 152576 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 11:55 . 2009-11-25 11:55 79488 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 02:52 . 2009-11-24 02:52 -------- d-----w- c:\documents and settings\Start\Application Data\Apple Computer
2009-11-24 02:51 . 2009-11-28 22:59 15072 ----a-w- c:\documents and settings\Start\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\QuickTime
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Common Files\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Apple Software Update
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-23 00:27 . 2009-11-23 00:27 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple Computer
2009-11-23 00:10 . 2009-11-28 09:24 117760 ----a-w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-12-06 03:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\Start\Application Data\Malwarebytes
2009-11-22 22:21 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 22:21 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 11:00 . 2006-10-09 17:00 94208 ----a-w- c:\windows\Dream Aquarium.scr
2009-11-22 11:00 . 2009-11-22 11:00 -------- d-----w- c:\program files\Dream Aquarium
2009-11-22 08:12 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-22 08:02 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-22 08:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-22 08:00 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-22 08:00 . 2009-11-23 11:01 -------- d--h--w- c:\windows\$hf_mig$
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Start\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-22 03:12 . 2009-11-22 03:14 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Adobe
2009-11-22 03:12 . 2009-11-22 03:12 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-22 02:20 . 2005-09-20 18:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-11-22 02:18 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Start\Application Data\U3\temp\cleanup.exe
2009-11-22 02:17 . 2008-11-27 00:37 187392 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-22 02:17 . 2008-11-27 00:37 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-22 02:17 . 2009-11-22 02:17 -------- d-----w- c:\program files\Broadcom
2009-11-22 02:11 . 2009-11-22 02:12 -------- d-----w- c:\windows\system32\URTTemp
2009-11-22 02:10 . 2009-11-22 02:13 -------- d--h--w- c:\program files\Marvell-HP
2009-11-22 02:09 . 2009-11-22 02:09 -------- d-sh--w- c:\windows\ftpcache
2009-11-22 02:08 . 2009-11-22 02:09 -------- d-----w- C:\hp_LJP2014_Full_Solution_ROW
2009-11-22 02:08 . 2009-11-22 02:17 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-22 02:08 . 2009-11-22 02:08 -------- d-----w- c:\program files\Intel
2009-11-22 02:07 . 2009-11-22 02:07 -------- d-----w- C:\Intel
2009-11-22 02:05 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Start\Application Data\U3\temp\Launchpad Removal.exe
2009-11-22 02:04 . 2009-12-15 05:29 -------- d-----w- c:\documents and settings\Start\Application Data\U3
2009-11-22 02:04 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-22 02:03 . 2009-11-22 02:03 -------- d-----w- c:\documents and settings\Start
2009-11-22 02:02 . 2009-11-22 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
2009-11-22 02:02 . 2009-11-22 02:02 -------- d-sh--w- c:\documents and settings\NetworkService
2009-11-22 02:00 . 2008-08-21 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 19:33 . 2009-11-22 00:54 -------- d-----w- c:\documents and settings\Start\Application Data\BitTorrent
2009-11-29 21:52 . 2009-11-21 17:40 90112 ----a-w- c:\windows\DUMP31ae.tmp
2009-11-29 08:22 . 2009-11-21 17:40 90112 ----a-w- c:\windows\DUMP3102.tmp
2009-11-25 04:24 . 2009-11-22 00:54 -------- d-----w- c:\program files\BitTorrent
2009-11-23 04:13 . 2009-11-22 01:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-22 21:56 . 2009-11-21 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\Logitech
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\MouseWare
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-22 01:59 . 2009-11-22 01:59 -------- d-----w- c:\program files\microsoft frontpage
2009-11-22 01:56 . 2009-11-22 01:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-22 00:05 . 2009-11-22 02:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 00:05 . 2009-11-22 00:05 -------- d-----w- c:\program files\Analog Devices
2009-11-21 23:59 . 2009-11-21 23:59 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-21 23:53 . 2009-11-21 23:53 -------- d-----w- c:\documents and settings\Start\Application Data\Blitware
2009-11-21 23:29 . 2009-11-21 23:29 0 ----a-w- c:\windows\nsreg.dat
2009-10-10 07:07 . 2009-11-28 09:19 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-25 05:37 . 2008-08-21 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-08-21 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-03-21 14:06 . 2008-08-21 12:00 165988 --sha-r- c:\windows\system32\okhqukw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-28 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1095:TCP"= 1095:TCP:qwrgtg
"3866:TCP"= 3866:TCP:jidlqkc

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 2:42 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 2:42 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 2:42 PM 7408]
S2 hiozupd;Installer Task;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPMGMT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zgxfjnado
hiozupd
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Start\Application Data\Mozilla\Firefox\Profiles\xswklhid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchslate.com/wp.ashx?ref=home&id=165
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-12-20 20:37:55
ComboFix-quarantined-files.txt 2009-12-21 01:37

Pre-Run: 115,779,940,352 bytes free
Post-Run: 115,770,810,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 46C4F9E455AA467EFF7C96C0BCCBFBEA

#7 Elise

Posted 21 December 2009 - 03:44 AM

Hello TheLivingDead,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]

File::
c:\windows\system32\okhqukw.dll

NetSvc::
zgxfjnado
hiozupd
Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now please run MBAM, update it first and run a full scan. Please post me the results.

In your next reply, please include the following:
  • Combofix.txt
  • MBAM log
  • A description of any remaining problems.

regards, Elise


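The ComboFix log in post #6 and the CF-script in post #7 above together show the whole pattern: two services with invented names (hiozupd, zgxfjnado) and display names meant to look routine ("Installer Task", "Time Windows"), both hosted by svchost.exe -k netsvcs, both added to the Svchost\netsvcs group, and both pointing their ServiceDll at the same file, okhqukw.dll; the GMER log earlier in the thread shows their Description values were lifted verbatim from the Event Log and Windows Management Instrumentation services. The firewall section of the same log carries two open-port exceptions with equally random names (qwrgtg, jidlqkc). The script below is an added example written for this page; it is not code from ComboFix, GMER, Elise or the poster. It parses the line shapes ComboFix prints (the service list, the "Svchost - NetSvcs" additions, the ServiceDll dump and the GloballyOpenPorts list) from a constructed sample log that mirrors the thread, flags svchost-hosted services on the same three signals a helper would use, and lays the findings out in the Registry:: / File:: / NetSvc:: form of the CF-script in post #7. The netsvcs baseline list and the rule that Windows' own XP firewall exceptions carry "@resource.dll,-id" names are assumptions, labelled as such in the code.

```python
"""Triage of svchost-hosted service persistence from a ComboFix-style log.
Added example for this thread, not code from ComboFix, GMER or the poster."""
import re
from collections import defaultdict

# Constructed sample in the line formats ComboFix prints (not a real log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1095:TCP"= 1095:TCP:qwrgtg
"3866:TCP"= 3866:TCP:jidlqkc
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

S2 hiozupd;Installer Task;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zgxfjnado
hiozupd
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
"""

# Assumption: a partial list of services Windows XP itself puts in the netsvcs
# svchost group. Extend it from a known-clean machine before relying on it.
KNOWN_NETSVCS = {n.lower() for n in (
    "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
    "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
    "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
    "Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService "
    "Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov "
    "BITS wuauserv ShellHWDetection helpsvc uploadmgr").split()}

# "S2 name;Display Name;image path [date size]" lines from the services section.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[", re.M)
# The per-service ServiceDll dump ComboFix prints for svchost-hosted services.
SERVICEDLL_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\(ControlSet\d+|CurrentControlSet)'
    r'\\Services\\([^\]\\]+)\]\r?\n"ServiceDll"="([^"]+)"', re.M | re.I)
# GloballyOpenPorts entries: "port:proto"= port:proto:description
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)


def netsvcs_additions(log):
    """Names ComboFix lists under 'Svchost - NetSvcs' (only non-default entries)."""
    names, collecting = [], False
    for line in log.splitlines():
        if line.strip().endswith("Svchost - NetSvcs"):
            collecting = True
        elif collecting:
            if not line.strip() or line.strip() == ".":
                break
            names.append(line.strip())
    return names


def triage(log):
    """Return svchost-hosted services worth removing plus odd firewall exceptions."""
    hosted = [(n, d, p) for _, n, d, p in SERVICE_RE.findall(log)
              if "svchost.exe -k" in p.lower()]
    dlls = {n.lower(): (cs, dll) for cs, n, dll in SERVICEDLL_RE.findall(log)}
    added = {n.lower() for n in netsvcs_additions(log)}
    by_dll = defaultdict(list)  # one DLL backing several services is a tell
    for n, _, _ in hosted:
        if n.lower() in dlls:
            by_dll[dlls[n.lower()][1].lower()].append(n)
    suspicious = []
    for n, display, _ in hosted:
        key, reasons = n.lower(), []
        if key not in KNOWN_NETSVCS:
            reasons.append("not in baseline netsvcs group")
        if key in added:
            reasons.append("added to Svchost\\netsvcs list")
        if key in dlls and len(by_dll[dlls[key][1].lower()]) > 1:
            reasons.append("ServiceDll shared with another service")
        if reasons:
            cs, dll = dlls.get(key, (None, None))
            suspicious.append({"name": n, "display": display, "control_set": cs,
                               "service_dll": dll, "reasons": reasons})
    # Assumption: Windows' own XP exceptions are named '@<res>.dll,-<id>';
    # a bare random name such as 'qwrgtg' is not one of them.
    ports = [(p, proto, desc) for p, proto, desc in PORT_RE.findall(log)
             if not desc.startswith("@")]
    return {"services": suspicious, "open_ports": ports}


def build_cfscript(findings):
    """Lay the findings out in the Registry:: / File:: / NetSvc:: form of post #7."""
    svcs = findings["services"]
    keys = [f"[HKEY_LOCAL_MACHINE\\System\\{s['control_set']}\\Services\\{s['name']}]"
            for s in svcs if s["control_set"]]  # only control sets the log showed
    files = sorted({s["service_dll"] for s in svcs if s["service_dll"]})
    names = [s["name"] for s in svcs]
    return "\n".join(["Registry::", *keys, "", "File::", *files, "", "NetSvc::", *names]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for s in found["services"]:
        print(f"{s['name']:<12} {s['service_dll']}  {'; '.join(s['reasons'])}")
    for port, proto, desc in found["open_ports"]:
        print(f"firewall exception {port}/{proto} named {desc!r}")
    print(build_cfscript(found))
```

Run against the constructed sample it flags hiozupd and zgxfjnado on all three signals, leaves wuauserv alone, reports the two random-named port exceptions, and prints a script whose Registry::, File:: and NetSvc:: sections match what Elise wrote by hand. Two caveats a practitioner would want: the generator only emits the control set the ComboFix dump named (ControlSet001 here), while the GMER log earlier in the thread shows the same two service keys under ControlSet004 as well, marked as not the active control set; and the firewall exceptions on ports 1095 and 3866 are still present in the second ComboFix log, so a finished cleanup should also remove those entries, which the CF-script in post #7 did not touch.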


#8 TheLivingDead

Posted 21 December 2009 - 12:58 PM

Hello! Everything appears to be fine right now. Normally my sound card goes out after a couple of hours, but it hasn't, and I'm not seeing the pop-ups anymore. I ran a scan with Malwarebytes and it found nothing. Restarted the computer and scanned again just to be sure, and still nothing. :( Here are the logs you asked for:

COMBOFIX.TXT

ComboFix 09-12-20.04 - Start 12/21/2009 4:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.643 [GMT -5:00]
Running from: c:\documents and settings\Start\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Start\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\okhqukw.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\okhqukw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RDPWD
-------\Service_TDTCP
-------\Legacy_hiozupd
-------\Legacy_zgxfjnado
-------\Service_hiozupd
-------\Service_zgxfjnado


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 02:56 . 2009-12-21 02:56 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-12 09:58 . 2009-12-12 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-06 00:51 . 2009-12-06 00:51 -------- d--h--w- c:\windows\PIF
2009-11-29 09:00 . 2009-11-29 09:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 12:03 . 2009-11-25 12:03 -------- d-----w- c:\program files\FLV Player
2009-11-25 12:02 . 2009-11-25 12:02 -------- d-----w- c:\windows\Sun
2009-11-25 11:55 . 2009-11-25 11:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 11:55 . 2009-11-25 11:55 -------- d-----w- c:\program files\Java
2009-11-25 11:55 . 2009-11-25 11:55 152576 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 11:55 . 2009-11-25 11:55 79488 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 02:52 . 2009-11-24 02:52 -------- d-----w- c:\documents and settings\Start\Application Data\Apple Computer
2009-11-24 02:51 . 2009-11-28 22:59 15072 ----a-w- c:\documents and settings\Start\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\QuickTime
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Common Files\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Apple Software Update
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-23 00:27 . 2009-11-23 00:27 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple Computer
2009-11-23 00:10 . 2009-11-28 09:24 117760 ----a-w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-12-06 03:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\Start\Application Data\Malwarebytes
2009-11-22 22:21 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 22:21 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 11:00 . 2006-10-09 17:00 94208 ----a-w- c:\windows\Dream Aquarium.scr
2009-11-22 11:00 . 2009-11-22 11:00 -------- d-----w- c:\program files\Dream Aquarium
2009-11-22 08:12 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-22 08:02 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-22 08:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-22 08:00 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-22 08:00 . 2009-11-23 11:01 -------- d--h--w- c:\windows\$hf_mig$
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Start\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-22 03:12 . 2009-11-22 03:14 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Adobe
2009-11-22 03:12 . 2009-11-22 03:12 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-22 02:20 . 2005-09-20 18:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-11-22 02:18 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Start\Application Data\U3\temp\cleanup.exe
2009-11-22 02:17 . 2008-11-27 00:37 187392 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-22 02:17 . 2008-11-27 00:37 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-22 02:17 . 2009-11-22 02:17 -------- d-----w- c:\program files\Broadcom
2009-11-22 02:11 . 2009-11-22 02:12 -------- d-----w- c:\windows\system32\URTTemp
2009-11-22 02:10 . 2009-11-22 02:13 -------- d--h--w- c:\program files\Marvell-HP
2009-11-22 02:09 . 2009-11-22 02:09 -------- d-sh--w- c:\windows\ftpcache
2009-11-22 02:08 . 2009-11-22 02:09 -------- d-----w- C:\hp_LJP2014_Full_Solution_ROW
2009-11-22 02:08 . 2009-11-22 02:17 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-22 02:08 . 2009-11-22 02:08 -------- d-----w- c:\program files\Intel
2009-11-22 02:07 . 2009-11-22 02:07 -------- d-----w- C:\Intel
2009-11-22 02:05 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Start\Application Data\U3\temp\Launchpad Removal.exe
2009-11-22 02:04 . 2009-12-15 05:29 -------- d-----w- c:\documents and settings\Start\Application Data\U3
2009-11-22 02:04 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-22 02:03 . 2009-11-22 02:03 -------- d-----w- c:\documents and settings\Start
2009-11-22 02:02 . 2009-11-22 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
2009-11-22 02:02 . 2009-12-21 02:46 -------- d-sh--w- c:\documents and settings\NetworkService

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 09:30 . 2009-11-21 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-20 19:33 . 2009-11-22 00:54 -------- d-----w- c:\documents and settings\Start\Application Data\BitTorrent
2009-11-29 21:52 . 2009-11-21 17:40 90112 ----a-w- c:\windows\DUMP31ae.tmp
2009-11-29 08:22 . 2009-11-21 17:40 90112 ----a-w- c:\windows\DUMP3102.tmp
2009-11-25 04:24 . 2009-11-22 00:54 -------- d-----w- c:\program files\BitTorrent
2009-11-23 04:13 . 2009-11-22 01:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\Logitech
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\MouseWare
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-22 01:59 . 2009-11-22 01:59 -------- d-----w- c:\program files\microsoft frontpage
2009-11-22 01:56 . 2009-11-22 01:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-22 00:05 . 2009-11-22 02:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 00:05 . 2009-11-22 00:05 -------- d-----w- c:\program files\Analog Devices
2009-11-21 23:53 . 2009-11-21 23:53 -------- d-----w- c:\documents and settings\Start\Application Data\Blitware
2009-11-21 23:29 . 2009-11-21 23:29 0 ----a-w- c:\windows\nsreg.dat
2009-10-10 07:07 . 2009-11-28 09:19 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-25 05:37 . 2008-08-21 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-08-21 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_01.36.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-21 09:39 . 2009-12-21 09:39 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2009-11-21 23:58 . 2009-12-21 02:56 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-11-21 23:58 . 2009-11-21 23:59 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-10-28 03:40 . 2009-10-28 03:40 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-28 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1095:TCP"= 1095:TCP:qwrgtg
"3866:TCP"= 3866:TCP:jidlqkc

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 2:42 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 2:42 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 2:42 PM 7408]
S2 hiozupd;Installer Task;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Start\Application Data\Mozilla\Firefox\Profiles\xswklhid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchslate.com/wp.ashx?ref=home&id=165
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 04:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2916)
c:\program files\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\MouseWare\system\em_exec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-21 04:43:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 09:42
ComboFix2.txt 2009-12-21 01:37

Pre-Run: 115,770,699,776 bytes free
Post-Run: 115,654,148,096 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - CFB78B0A811CEBA4A5AED66A22710F73


MBAM LOG

Malwarebytes' Anti-Malware 1.42
Database version: 3402
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/21/2009 12:51:43 PM
mbam-log-2009-12-21 (12-51-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133358
Time elapsed: 23 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll let you know if something happens but as for now everything is running fine. Thank you very much! Happy holidays!!!
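
The log just posted contains the entries the helper's next fix targets: two services run under "svchost.exe -k netsvcs" (hiozupd and zgxfjnado) whose ServiceDll is the same oddly named file in system32, plus two firewall exceptions opened under bare made-up names. The following Python script is an added example written for this page, not a tool from ComboFix, DDS, Malwarebytes or BleepingComputer; it parses a constructed sample modelled on the quoted sections and applies those three checks. The KNOWN_NETSVCS allowlist is a partial list assumed for the example, and the benign wuauserv service and port 139 entry in the sample are constructed so the heuristics have something to leave alone.

```python
"""Heuristic triage of ComboFix/DDS-style log sections (added example).

Not ComboFix, DDS or BleepingComputer code. Encodes the reasoning a log
reader applies to the thread's entries: a netsvcs-hosted service whose name
is not a known netsvcs member, several services sharing one ServiceDll, and
firewall exceptions opened under bare random-looking names.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the quoted log; the wuauserv service and the
# port 139 entry are benign additions so the checks have something to pass.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1095:TCP"= 1095:TCP:qwrgtg
"3866:TCP"= 3866:TCP:jidlqkc
"139:TCP"= 139:TCP:*:Enabled:@xpsp2res.dll,-22004

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 2:42 PM 9968]
S2 hiozupd;Installer Task;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 zgxfjnado;Time Windows;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [8/21/2008 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
"ServiceDll"="c:\windows\system32\okhqukw.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]
"ServiceDll"="c:\windows\system32\okhqukw.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
"""

# Partial allowlist of legitimate XP netsvcs members, assumed for this example;
# a real triage would use a complete list for the exact Windows build.
KNOWN_NETSVCS = {
    "wuauserv", "bits", "schedule", "browser", "lanmanserver",
    "lanmanworkstation", "w32time", "themes", "cryptsvc", "seclogon",
    "sens", "wscsvc", "eventsystem", "helpsvc", "rasman", "tapisrv",
}

# "R1 name;display;image [date size]" service lines
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$", re.M)
# "[...\Services\name]" key followed by its ServiceDll value
SERVICEDLL_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]\s*\n"
    r'"ServiceDll"="([^"]+)"',
    re.M | re.I,
)
# GloballyOpenPorts entries: "port:proto"= port:proto:description
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)


def parse_services(log):
    """Return (name, display name, image path) for each service line."""
    return [(m.group(2), m.group(3), m.group(4)) for m in SERVICE_RE.finditer(log)]


def parse_service_dlls(log):
    """Map lower-cased service name to its lower-cased ServiceDll path."""
    return {m.group(1).lower(): m.group(2).lower() for m in SERVICEDLL_RE.finditer(log)}


def parse_open_ports(log):
    """Return (port, protocol, description) for each firewall exception."""
    return [(int(m.group(1)), m.group(2), m.group(3).strip()) for m in PORT_RE.finditer(log)]


def looks_machine_generated(token):
    """A bare run of six or more lowercase letters that is not a known name."""
    return bool(re.fullmatch(r"[a-z]{6,}", token)) and token not in KNOWN_NETSVCS


def triage(log):
    """Apply the three checks and return one finding string per hit."""
    findings = []
    dlls = parse_service_dlls(log)
    by_dll = defaultdict(list)
    for name, display, image in parse_services(log):
        key = name.lower()
        if "svchost.exe -k netsvcs" in image.lower() and key not in KNOWN_NETSVCS:
            dll = dlls.get(key, "<no ServiceDll in log>")
            findings.append(
                f"service {name} ({display!r}) hosted in netsvcs but not a known member; ServiceDll={dll}"
            )
        if key in dlls:
            by_dll[dlls[key]].append(name)
    for dll, names in by_dll.items():
        if len(names) > 1:  # one DLL registered under several service names
            findings.append(f"ServiceDll {dll} shared by {len(names)} services: {', '.join(names)}")
    for port, proto, desc in parse_open_ports(log):
        if port >= 1024 and looks_machine_generated(desc):
            findings.append(f"firewall exception {port}/{proto} opened under bare name {desc!r}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the constructed sample it reports five findings: the two unknown netsvcs services, the ServiceDll they share, and the two firewall exceptions, while the benign wuauserv and port 139 entries pass. The allowlist is the weak point of the first check; on a real system it must match the netsvcs group of that exact Windows build, or legitimate services will be flagged.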

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:33 PM

Posted 21 December 2009 - 01:28 PM

Hello TheLivingDead,

Still a few things there that need to go...

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hiozupd]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgxfjnado]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1095:TCP"=-
"3866:TCP"=-

File::
c:\windows\system32\okhqukw.dll

NetSvc::
zgxfjnado
hiozupd

Driver::
zgxfjnado
hiozupd
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 21 December 2009 - 03:38 PM

Hi again! Here ya go:

COMBOFIX.TXT

ComboFix 09-12-20.08 - Start 12/21/2009 15:27:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.756 [GMT -5:00]
Running from: c:\documents and settings\Start\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Start\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\okhqukw.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HIOZUPD
-------\Legacy_ZGXFJNADO
-------\Service_hiozupd
-------\Service_zgxfjnado


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 09:46 . 2009-12-21 09:46 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-21 02:56 . 2009-12-21 02:56 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-12 09:58 . 2009-12-12 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-06 00:51 . 2009-12-06 00:51 -------- d--h--w- c:\windows\PIF
2009-11-29 09:00 . 2009-11-29 09:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-25 12:03 . 2009-11-25 12:03 -------- d-----w- c:\program files\FLV Player
2009-11-25 12:02 . 2009-11-25 12:02 -------- d-----w- c:\windows\Sun
2009-11-25 11:55 . 2009-11-25 11:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 11:55 . 2009-11-25 11:55 -------- d-----w- c:\program files\Java
2009-11-25 11:55 . 2009-11-25 11:55 152576 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 11:55 . 2009-11-25 11:55 79488 ----a-w- c:\documents and settings\Start\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 02:52 . 2009-11-24 02:52 -------- d-----w- c:\documents and settings\Start\Application Data\Apple Computer
2009-11-24 02:51 . 2009-11-28 22:59 15072 ----a-w- c:\documents and settings\Start\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\QuickTime
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Common Files\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\program files\Apple Software Update
2009-11-23 00:28 . 2009-11-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-23 00:27 . 2009-11-23 00:27 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Apple Computer
2009-11-23 00:10 . 2009-11-28 09:24 117760 ----a-w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-12-21 17:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\documents and settings\Start\Application Data\SUPERAntiSpyware.com
2009-11-23 00:09 . 2009-11-23 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\Start\Application Data\Malwarebytes
2009-11-22 22:21 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 22:21 . 2009-12-21 09:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 22:21 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 22:21 . 2009-11-22 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 11:00 . 2006-10-09 17:00 94208 ----a-w- c:\windows\Dream Aquarium.scr
2009-11-22 11:00 . 2009-11-22 11:00 -------- d-----w- c:\program files\Dream Aquarium
2009-11-22 08:12 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-22 08:05 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-22 08:02 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-22 08:02 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-22 08:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-22 08:00 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-22 08:00 . 2009-12-21 19:37 -------- d--h--w- c:\windows\$hf_mig$
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Start\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 03:13 . 2009-11-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-22 03:12 . 2009-11-22 03:14 -------- d-----w- c:\documents and settings\Start\Local Settings\Application Data\Adobe
2009-11-22 03:12 . 2009-11-22 03:12 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-22 02:20 . 2005-09-20 18:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-11-22 02:18 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Start\Application Data\U3\temp\cleanup.exe
2009-11-22 02:17 . 2008-11-27 00:37 187392 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-22 02:17 . 2008-11-27 00:37 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-22 02:17 . 2009-11-22 02:17 -------- d-----w- c:\program files\Broadcom
2009-11-22 02:11 . 2009-11-22 02:12 -------- d-----w- c:\windows\system32\URTTemp
2009-11-22 02:10 . 2009-11-22 02:13 -------- d--h--w- c:\program files\Marvell-HP
2009-11-22 02:09 . 2009-11-22 02:09 -------- d-sh--w- c:\windows\ftpcache
2009-11-22 02:08 . 2009-11-22 02:09 -------- d-----w- C:\hp_LJP2014_Full_Solution_ROW
2009-11-22 02:08 . 2009-11-22 02:17 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-22 02:08 . 2009-11-22 02:08 -------- d-----w- c:\program files\Intel
2009-11-22 02:07 . 2009-11-22 02:07 -------- d-----w- C:\Intel
2009-11-22 02:05 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Start\Application Data\U3\temp\Launchpad Removal.exe
2009-11-22 02:04 . 2009-12-15 05:29 -------- d-----w- c:\documents and settings\Start\Application Data\U3
2009-11-22 02:04 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-22 02:02 . 2009-11-22 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
2009-11-22 02:02 . 2009-12-21 09:43 -------- d-sh--w- c:\documents and settings\NetworkService

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 09:30 . 2009-11-21 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-20 19:33 . 2009-11-22 00:54 -------- d-----w- c:\documents and settings\Start\Application Data\BitTorrent
2009-11-25 04:24 . 2009-11-22 00:54 -------- d-----w- c:\program files\BitTorrent
2009-11-23 04:13 . 2009-11-22 01:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\Logitech
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\MouseWare
2009-11-22 02:15 . 2009-11-22 02:15 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-22 01:59 . 2009-11-22 01:59 -------- d-----w- c:\program files\microsoft frontpage
2009-11-22 01:56 . 2009-11-22 01:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-22 00:05 . 2009-11-22 02:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 00:05 . 2009-11-22 00:05 -------- d-----w- c:\program files\Analog Devices
2009-11-21 23:53 . 2009-11-21 23:53 -------- d-----w- c:\documents and settings\Start\Application Data\Blitware
2009-11-21 23:29 . 2009-11-21 23:29 0 ----a-w- c:\windows\nsreg.dat
2009-10-20 16:20 . 2008-08-21 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-10 07:07 . 2009-11-28 09:19 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-25 05:37 . 2008-08-21 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-08-21 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_01.36.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-21 20:32 . 2009-12-21 20:32 16384 c:\windows\Temp\Perflib_Perfdata_198.dat
+ 2008-08-21 12:00 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2008-08-21 12:00 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2009-11-22 08:00 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-11-22 08:00 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2008-08-21 12:00 . 2009-12-21 20:23 52764 c:\windows\system32\perfc009.dat
- 2008-08-21 12:00 . 2009-11-29 22:37 52764 c:\windows\system32\perfc009.dat
+ 2009-11-21 23:58 . 2009-12-21 02:56 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-11-21 23:58 . 2009-11-21 23:59 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-08-21 12:00 . 2008-08-21 12:00 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2008-08-21 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2008-08-21 12:00 . 2009-10-12 13:38 79872 c:\windows\system32\dllcache\raschap.dll
- 2008-08-21 12:00 . 2008-08-21 12:00 79872 c:\windows\system32\dllcache\raschap.dll
+ 2008-08-21 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
- 2008-08-21 12:00 . 2009-11-29 22:37 380350 c:\windows\system32\perfh009.dat
+ 2008-08-21 12:00 . 2009-12-21 20:23 380350 c:\windows\system32\perfh009.dat
+ 2009-10-28 03:40 . 2009-10-28 03:40 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-08-21 12:00 . 2009-09-25 05:37 667136 c:\windows\system32\dllcache\wininet.dll
+ 2008-08-21 12:00 . 2009-10-29 05:38 667136 c:\windows\system32\dllcache\wininet.dll
+ 2008-08-21 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2008-08-21 12:00 . 2009-10-29 05:38 627712 c:\windows\system32\dllcache\urlmon.dll
- 2008-08-21 12:00 . 2009-09-25 05:37 627712 c:\windows\system32\dllcache\urlmon.dll
+ 2008-08-21 12:00 . 2009-10-12 13:38 149504 c:\windows\system32\dllcache\rastls.dll
+ 2008-08-21 12:00 . 2009-10-13 10:30 270336 c:\windows\system32\dllcache\oakley.dll
- 2008-08-21 12:00 . 2008-08-21 12:00 270336 c:\windows\system32\dllcache\oakley.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2008-08-21 12:00 . 2009-07-31 15:05 1372672 c:\windows\system32\msxml6.dll
+ 2008-08-21 12:00 . 2009-10-29 05:38 1509888 c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-21 12:00 . 2009-09-25 05:37 1509888 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-08-21 12:00 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-08-21 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
- 2008-08-21 12:00 . 2009-10-19 23:53 3070976 c:\windows\system32\dllcache\mshtml.dll
+ 2008-08-21 12:00 . 2009-10-29 19:08 3070976 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-22 08:10 . 2009-12-01 20:06 25966024 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-21 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 2:42 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 2:42 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 2:42 PM 7408]
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Start\Application Data\Mozilla\Firefox\Profiles\xswklhid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchslate.com/wp.ashx?ref=home&id=165
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(608)
c:\program files\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\MouseWare\system\em_exec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-21 15:36:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 20:36
ComboFix2.txt 2009-12-21 09:43
ComboFix3.txt 2009-12-21 01:37

Pre-Run: 115,651,969,024 bytes free
Post-Run: 115,622,330,368 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 425842A9BAF8F916226025BD4A68AB9D

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:33 PM

Posted 22 December 2009 - 04:35 AM

Hello TheLivingDead,

Okay, that looks a lot better, any problems left?

INSTALL ANTIVIRUS
---------------------------
I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET online scan results

regards, Elise



#12 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 22 December 2009 - 07:04 PM

Nope, I'm not having any of the problems I was having before. I downloaded Avast. Here's the ESET results:

C:\Qoobox\Quarantine\C\WINDOWS\system32\okhqukw.dll.vir a variant of Win32/Conficker.AE worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{C955F5AC-0AB2-4835-9626-3143E852B17B}\RP7\A0006596.dll a variant of Win32/Conficker.AE worm cleaned by deleting - quarantined

Edited by TheLivingDead, 22 December 2009 - 07:04 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:33 PM

Posted 23 December 2009 - 06:16 AM

Hello TheLivingDead,

Looks great!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
  • Delete DDS, GMER (this is a randomly named file) and RootRepeal.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise



#14 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 23 December 2009 - 10:46 AM

Awesome! Thank you SOOOOO much for your help and time Elise! Happy holidays to you and yours! :(

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:33 PM

Posted 23 December 2009 - 11:01 AM

Same to you, happy I could help you :(

This topic will now be closed, if you need it re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
