
Google Redirect Virus – Exclusive to Firefox


38 replies to this topic

#1 BeefyT


Posted 07 December 2009 - 01:27 AM

A few weeks ago, I started being redirected to a couple of random rogue program sites that keep you trapped in a never-ending loop of dialogue boxes unless you download the software (which I did NOT do); otherwise you would either have to “End Task/Process” the browser or get a CTRL+W (for Firefox) in at the right time to shut the tab down. I was pretty much limited to viewing cached pages only in order to view any Google search results.

In my frustration looking for solutions I had run ComboFix before reading about the dangers of using it unsupervised. Luckily I have not had any undesirable results from running it (that I know of...). Also, because it could be related, I should mention that I disabled a hidden Non-Plug and Play Driver, "catchme".

After several scans with Malwarebytes’ Anti-Malware, Spybot – Search & Destroy, SUPERAntiSpyware and Ad-Aware, a few items were found with each, but none have completely removed the problem. I rarely use Internet Explorer, but I have tested both browsers (IE and FF) as well as other search engines to be sure the redirection issue is limited to Google searches when using Firefox. The redirection now only occurs maybe 1 in 5 times vs. every time, and rather than just to rogue virus scanner sites, it sometimes goes to seemingly search-related sites or completely random sites altogether. Please see attached DDS and RootRepeal logs. Thank you for your anticipated help! -BeefyT


DDS (Ver_09-12-01.01) - NTFSx86
Run by Beefyt at 21:49:46.36 on Sun 12/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.287 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Beefyt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {03589C76-643D-4CB7-9D79-9F4C12B5B324} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30155.www3.hp.com/ediags/hpna/66/install/gtdownhp.cab?1,0,0,94
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beefyt\applic~1\mozilla\firefox\profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\beefyt\application data\mozilla\firefox\profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-14 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [2009-11-12 40832]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S2 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\google\update\GoogleUpdate.exe [2008-11-28 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]

=============== Created Last 30 ================

2009-12-07 03:48:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-07 03:33:36 696832 ----a-w- c:\windows\isRS-000.tmp
2009-11-23 23:48:41 0 d-----w- c:\program files\Safer Networking
2009-11-23 05:10:23 0 d-sha-r- C:\cmdcons
2009-11-23 05:08:48 98816 ----a-w- c:\windows\sed.exe
2009-11-23 05:08:48 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 05:08:48 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 05:08:48 161792 ----a-w- c:\windows\SWREG.exe
2009-11-22 22:03:40 82 ----a-w- c:\windows\wininit.ini
2009-11-14 22:03:49 0 d-----w- c:\docume~1\beefyt\applic~1\Malwarebytes
2009-11-14 22:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:03:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-14 22:03:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 22:03:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 21:53:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 17:28:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 17:27:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 17:24:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 17:23:18 0 d-----w- c:\program files\Lavasoft
2009-11-13 17:44:37 0 d-----w- c:\windows\Cache
2009-11-13 17:44:34 0 d-----w- c:\program files\Coupons
2009-11-12 19:07:04 40832 ----a-w- c:\windows\system32\drivers\vacadskd.sys
2009-11-12 19:07:02 0 d-----w- c:\program files\Audio Recorder Platinum
2009-11-12 18:27:20 0 d-----w- c:\docume~1\beefyt\applic~1\Any Audio Converter
2009-11-12 18:27:14 0 d-----w- c:\program files\Any Audio Converter

==================== Find3M ====================

2009-10-14 18:15:48 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-26 19:23:10 64152 ----a-w- c:\windows\fonts\WORSS___.TTF
2009-09-26 19:22:58 58312 ----a-w- c:\windows\fonts\WorstveldSlingExtraOblique.ttf
2009-09-26 19:22:58 58296 ----a-w- c:\windows\fonts\WorstveldSlingExtra.ttf
2009-09-26 19:22:58 56932 ----a-w- c:\windows\fonts\WorstveldSlingExtra2Oblique.ttf
2009-09-26 19:22:52 18612 ----a-w- c:\windows\fonts\rabiohead.ttf
2009-09-25 23:28:12 31396 ----a-w- c:\windows\fonts\Scrap-Casual.ttf

============= FINISH: 21:50:56.20 ===============
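Reading the "Pseudo HJT Report" section of a DDS log by eye is the skill this thread exercises. The following is an added Python example, not part of the thread or of the DDS tool, that parses that section and flags the entry types a helper reads first (orphaned "No File" CLSID entries, RunOnce commands, hosts-file overrides). The sample input is constructed from lines of the log posted above; the triage reasons are the example author's heuristics, not a verdict on this machine.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; it is not part of DDS or of the posts
above.  It parses the entry types DDS prints (BHO/EB/SEH with a CLSID,
uRun/mRun/mRunOnce, Hosts) and flags the lines a helper normally reads
first: orphaned CLSID entries ("No File"), RunOnce commands, and
hosts-file overrides.  It does not decide whether anything is malicious;
that judgement stays with the analyst reading the whole log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted above,
# trimmed to the entry types this parser understands.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {03589C76-643D-4CB7-9D79-9F4C12B5B324} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRunOnce: [SpybotDeletingA1838] command.com /c del "c:\windows\SchedLgU.Txt"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

# "BHO: <name>: {CLSID} - <file>" or "BHO: {CLSID} - No File" (EB/TB/SEH alike)
CLSID_LINE_RE = re.compile(
    r"^(?P<kind>BHO|EB|TB|SEH):\s*(?:(?P<name>[^{]+?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.*)$"
)
# "uRun: [Name] command" / "mRunOnce: [Name] command"
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
# "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass
class Entry:
    kind: str    # BHO, EB, SEH, uRun, mRun, mRunOnce, Hosts
    name: str    # friendly name, Run key name, or hostname
    clsid: str   # {GUID} for CLSID-backed entries, else ""
    target: str  # file path, command line, or IP the host is pinned to
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_pseudo_hjt(text: str) -> list[Entry]:
    """Return the recognised entries between the Pseudo HJT header and the next section."""
    entries: list[Entry] = []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("====="):           # DDS section header
            in_section = "Pseudo HJT Report" in line
            continue
        if not in_section or not line:
            continue
        if m := CLSID_LINE_RE.match(line):
            entries.append(Entry(m["kind"], (m["name"] or "").strip(), m["clsid"], m["target"].strip(), line))
        elif m := RUN_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], "", m["target"].strip(), line))
        elif m := HOSTS_RE.match(line):
            entries.append(Entry("Hosts", m["host"], "", m["ip"], line))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the entries a helper checks first; benign leftovers are still reported."""
    findings: list[Finding] = []
    for e in entries:
        if e.clsid and e.target.lower() == "no file":
            findings.append(Finding(e, "orphaned CLSID: registry entry with no backing file (leftover, safe to clean)"))
        elif e.kind.endswith("RunOnce"):
            findings.append(Finding(e, "RunOnce command runs at next logon; confirm which tool scheduled it"))
        elif e.kind == "Hosts" and (e.target.startswith("127.") or e.target == "0.0.0.0"):
            findings.append(Finding(e, "hosts override pins a name to localhost; verify it was added deliberately"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_pseudo_hjt(SAMPLE_LOG)):
        print(f"[{f.entry.kind}] {f.entry.name or f.entry.clsid}: {f.reason}")
```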



#2 Elise


Posted 20 December 2009 - 03:18 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 BeefyT


Posted 21 December 2009 - 01:06 AM

Thank You! I will reply with details and the updated logs shortly. -BeefyT-

#4 Elise


Posted 21 December 2009 - 01:51 AM

Okay, I will wait for your logs :(

regards, Elise




#5 BeefyT


Posted 22 December 2009 - 12:20 AM

Ok so the additional details since my initial post are:

In an attempt to close a tab that had been redirected to download more rogue software ("Internet Security 2010"), I inadvertently clicked and infected my computer with it. I ended up having to use my Last Known Good Configuration to reboot, then removed it with Malwarebytes’ Anti-Malware. Other than that I am having the same problems; only I'm back to almost exclusively viewing cached pages when searching with Google in Firefox. Let me know if you need me to expand on that any more.

Here are the (3) requested logs: Thank You! -BeefyT-

DDS (Ver_09-12-01.01) - NTFSx86
Run by Beefyt at 21:20:34.41 on Mon 12/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.104 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Beefyt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {03589C76-643D-4CB7-9D79-9F4C12B5B324} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [SpybotDeletingA1838] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC7721] cmd.exe /c del "c:\windows\SchedLgU.Txt"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30155.www3.hp.com/ediags/hpna/66/install/gtdownhp.cab?1,0,0,94
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beefyt\applic~1\mozilla\firefox\profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\beefyt\application data\mozilla\firefox\profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-14 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [2009-11-12 40832]
S2 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\google\update\GoogleUpdate.exe [2008-11-28 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-12-07 21:56:04 0 d-----w- c:\documents and settings\beefyt\Tracing
2009-12-07 21:51:15 0 d-----w- c:\program files\Microsoft
2009-12-07 21:50:51 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-07 21:46:48 0 d-----w- c:\program files\common files\Windows Live
2009-12-07 03:48:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-23 23:48:41 0 d-----w- c:\program files\Safer Networking
2009-11-23 05:10:23 0 d-sha-r- C:\cmdcons
2009-11-23 05:08:48 98816 ----a-w- c:\windows\sed.exe
2009-11-23 05:08:48 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 05:08:48 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 05:08:48 161792 ----a-w- c:\windows\SWREG.exe
2009-11-22 22:03:40 172 ----a-w- c:\windows\wininit.ini

==================== Find3M ====================

2009-12-20 19:51:09 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 19:46:25 153004 ----a-w- c:\windows\fonts\KidsFirstPrintFont.ttf
2009-12-18 19:46:16 38136 ----a-w- c:\windows\fonts\Zachary.ttf
2009-12-18 19:46:06 28432 ----a-w- c:\windows\fonts\DOVES.TTF
2009-12-18 19:45:56 23020 ----a-w- c:\windows\fonts\homework smart.TTF
2009-12-18 19:45:55 22540 ----a-w- c:\windows\fonts\homework normal.TTF
2009-12-15 00:08:18 1524 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 23:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 17:27:44 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 17:27:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 19:23:10 64152 ----a-w- c:\windows\fonts\WORSS___.TTF
2009-09-26 19:22:58 58312 ----a-w- c:\windows\fonts\WorstveldSlingExtraOblique.ttf
2009-09-26 19:22:58 58296 ----a-w- c:\windows\fonts\WorstveldSlingExtra.ttf
2009-09-26 19:22:58 56932 ----a-w- c:\windows\fonts\WorstveldSlingExtra2Oblique.ttf
2009-09-26 19:22:52 18612 ----a-w- c:\windows\fonts\rabiohead.ttf
2009-09-25 23:28:12 31396 ----a-w- c:\windows\fonts\Scrap-Casual.ttf

============= FINISH: 21:21:31.20 ===============

-
Here's attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/29/2003 4:51:23 PM
System Uptime: 12/14/2009 6:35:13 PM (171 hours ago)

Motherboard: Shuttle Inc | | AK32
Processor: AMD Athlon™ XP 1900+ | Socket A | 1601/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 115 GiB total, 26.852 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: catchme
Device ID: ROOT\LEGACY_CATCHME\0000
Manufacturer:
Name: catchme
PNP Device ID: ROOT\LEGACY_CATCHME\0000
Service: catchme

==== System Restore Points ===================

RP206: 9/23/2009 3:58:55 AM - System Checkpoint
RP207: 9/24/2009 4:58:55 AM - System Checkpoint
RP208: 9/25/2009 5:58:58 AM - System Checkpoint
RP209: 9/26/2009 6:58:58 AM - System Checkpoint
RP210: 9/27/2009 8:51:45 AM - System Checkpoint
RP211: 9/28/2009 9:13:35 AM - System Checkpoint
RP212: 9/29/2009 9:43:59 AM - System Checkpoint
RP213: 9/30/2009 10:00:15 AM - System Checkpoint
RP214: 10/1/2009 12:02:14 PM - System Checkpoint
RP215: 10/2/2009 12:59:09 PM - System Checkpoint
RP216: 10/3/2009 1:25:07 PM - System Checkpoint
RP217: 10/4/2009 1:59:18 PM - System Checkpoint
RP218: 10/5/2009 2:55:54 PM - System Checkpoint
RP219: 10/6/2009 6:08:16 PM - System Checkpoint
RP220: 10/7/2009 6:55:46 PM - System Checkpoint
RP221: 10/8/2009 7:07:48 PM - System Checkpoint
RP222: 10/9/2009 7:24:29 PM - System Checkpoint
RP223: 10/10/2009 7:55:51 PM - System Checkpoint
RP224: 10/11/2009 8:11:49 PM - System Checkpoint
RP225: 10/12/2009 8:53:12 PM - System Checkpoint
RP226: 10/13/2009 9:53:16 PM - System Checkpoint
RP227: 10/14/2009 10:53:15 PM - System Checkpoint
RP228: 10/15/2009 11:56:22 PM - System Checkpoint
RP229: 10/17/2009 12:53:14 AM - System Checkpoint
RP230: 10/18/2009 1:53:19 AM - System Checkpoint
RP231: 10/19/2009 2:53:12 AM - System Checkpoint
RP232: 10/20/2009 2:56:49 AM - System Checkpoint
RP233: 10/21/2009 3:57:20 AM - System Checkpoint
RP234: 10/22/2009 4:57:01 AM - System Checkpoint
RP235: 10/23/2009 5:56:50 AM - System Checkpoint
RP236: 10/24/2009 6:56:49 AM - System Checkpoint
RP237: 10/25/2009 7:56:49 AM - System Checkpoint
RP238: 10/26/2009 9:08:32 AM - System Checkpoint
RP239: 10/27/2009 9:20:34 AM - System Checkpoint
RP240: 10/28/2009 5:41:37 PM - System Checkpoint
RP241: 10/29/2009 6:21:11 PM - System Checkpoint
RP242: 10/30/2009 6:52:19 PM - System Checkpoint
RP243: 10/31/2009 6:53:29 PM - System Checkpoint
RP244: 11/1/2009 7:52:20 PM - System Checkpoint
RP245: 11/2/2009 7:53:27 PM - System Checkpoint
RP246: 11/3/2009 8:52:23 PM - System Checkpoint
RP247: 11/4/2009 10:02:37 PM - System Checkpoint
RP248: 11/5/2009 4:22:55 PM - Software Distribution Service 3.0
RP249: 11/6/2009 4:51:51 PM - System Checkpoint
RP250: 11/7/2009 5:51:43 PM - System Checkpoint
RP251: 11/8/2009 5:23:17 PM - System Checkpoint
RP252: 11/9/2009 6:00:11 PM - System Checkpoint
RP253: 11/10/2009 6:51:53 PM - System Checkpoint
RP254: 11/11/2009 7:54:50 PM - System Checkpoint
RP255: 11/12/2009 8:57:47 PM - System Checkpoint
RP256: 11/14/2009 12:30:07 AM - System Checkpoint
RP257: 11/15/2009 1:25:58 AM - System Checkpoint
RP258: 11/16/2009 2:25:54 AM - System Checkpoint
RP259: 11/17/2009 2:43:22 AM - System Checkpoint
RP260: 11/18/2009 3:43:19 AM - System Checkpoint
RP261: 11/19/2009 3:45:04 AM - System Checkpoint
RP262: 11/20/2009 4:06:54 AM - System Checkpoint
RP263: 11/21/2009 4:54:59 AM - System Checkpoint
RP264: 11/22/2009 6:11:34 AM - System Checkpoint
RP265: 11/23/2009 6:22:39 PM - System Checkpoint
RP266: 11/25/2009 12:20:40 AM - System Checkpoint
RP267: 12/2/2009 8:46:53 PM - System Checkpoint
RP268: 12/4/2009 1:01:30 AM - System Checkpoint
RP269: 12/5/2009 1:06:24 AM - System Checkpoint
RP270: 12/6/2009 2:06:36 AM - System Checkpoint
RP271: 12/6/2009 8:46:57 PM - Installed Java™ 6 Update 17
RP272: 12/7/2009 9:12:59 PM - System Checkpoint
RP273: 12/8/2009 10:11:58 PM - System Checkpoint
RP274: 12/9/2009 11:30:31 PM - System Checkpoint
RP275: 12/11/2009 1:32:07 AM - System Checkpoint
RP276: 12/12/2009 1:56:11 AM - System Checkpoint
RP277: 12/13/2009 2:56:15 AM - System Checkpoint
RP278: 12/14/2009 3:56:17 AM - System Checkpoint
RP279: 12/15/2009 7:54:44 PM - System Checkpoint
RP280: 12/17/2009 9:01:05 AM - System Checkpoint
RP281: 12/18/2009 9:40:32 AM - System Checkpoint
RP282: 12/19/2009 2:42:22 PM - System Checkpoint
RP283: 12/20/2009 7:25:39 PM - System Checkpoint
RP284: 12/21/2009 7:40:01 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.44 beta
7300_Help
7300Trb
7400
802.11g Wireless LAN
802.11g Wireless LAN Adapter
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
Adobe Shockwave Player
AiO_Scan
AiOSoftware
Any Audio Converter 2.0.5
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.2 (Unicode)
AudibleManager
Audio Recorder Platinum 4.21
BufferChm
Camera Access Library
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CDex extraction audio
ClamWin Free Antivirus 0.95.3
Coupon Printer for Windows
Cucusoft DVD to iPod + iPod Video Converter Suite 3.16.3.29
Cucusoft DVD to iPod Converter 5.23
Destinations
Digimax Viewer 1.0
Director
Drivers Install For Linksys Easylink Advisor
Easy CD Creator 5 Platinum
Excel Password Recovery Master 3.0
Fax
FileZilla (remove only)
FileZilla Client 3.1.2
Foxit Reader
Free Word Excel Password Wizard
Free YouTube to Mp3 Converter version 3.1
Google Earth
Google Update Helper
Google Updater
GoToMeeting 4.0.0.320
Grau Software Conversion Tables 8.0
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Home Plan Pro
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.7
HP Image Zone Express
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
Interbank FX Trader 4.00
iSpring Free 4.2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 17
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
K-Lite Codec Pack 5.0.0 (Full)
Letter Linker
Linksys EasyLink Advisor 1.6 (0032)
Malwarebytes' Anti-Malware
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 4.1
Microsoft IntelliType Pro 2.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2005
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
MixMeister BPM Analyzer 1.0
MovieEdit Task
Mozilla Firefox (3.5.6)
Mozilla Thunderbird (1.0.7)
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6 Service Pack 2 (KB954459)
NewzToolz v2.0.0
PhotoStitch
POINT
PrimoPDF
PrimoPDF Redistribution Package
ProductContext
QFolder
QuickTime
RAW Image Task 2.2
Readme
RunAlyzer
SAMSUNG CDMA Modem Driver Set
Samsung Digimax 350SE Camera
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Scan
ScannerCopy
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB947801)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Segoe UI
SiSoftware Sandra Professional 2004 (Jagged Online Ltd Edition)
Skype web features
Skype™ 4.1
Spybot - Search & Destroy
Super Bounce Out! from GameHouse
Super Collapse! from GameHouse
Super GameHouse Solitaire
Super Glinx! from GameHouse
Super Nisqually from GameHouse
Super TextTwist
Super WhatWord from GameHouse
SUPERAntiSpyware Free Edition
Taskbar Shuffle version 2.5
TrayApp
Uninstall 1.0.0.1
Unload
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb953463)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB955839)
URGE
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visualboy Advance 1.6a
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XML Paper Specification Shared Components Pack 1.0
YanCEyWare Reader 2.12
YwReaderSetup

==== Event Viewer Messages From Past Week ========

12/19/2009 1:27:04 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
12/19/2009 1:24:33 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/19/2009 1:22:22 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
12/14/2009 5:48:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ppa3

==== End Of File ===========================

-
and Gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-21 21:51:56
Windows 5.1.2600 Service Pack 2
Running: 9r70vosm.exe; Driver: C:\DOCUME~1\Beefyt\LOCALS~1\Temp\fxtdrpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#6 Elise (Malware Study Hall Admin)

Posted 22 December 2009 - 04:06 AM

Hello BeefyT,

Your logs show you have been running Combofix. Please post me the log you will find at c:\combofix.txt

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:
@echo off
rem Capture adapter and DNS settings, name resolution and the routing table into Log1.txt
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
rem Open the log for copying, then delete this batch file
start notepad Log1.txt
del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click test.bat on the desktop.
  • A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

In your next reply please include the following:
  • combofix.txt
  • log1.txt

Edited by elise025, 22 December 2009 - 08:11 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
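The two checks Elise asks for above (a clean hosts file, and an `ipconfig /all` / `nslookup` snapshot of the resolver configuration) can be automated. The Python script below is an added example for this thread, not a tool from the post or from BleepingComputer: it parses a Windows hosts file and the "DNS Servers" lines of `ipconfig /all` output and flags entries that would redirect searches. The hosts content, the ipconfig output, the `WATCHED` name list and the trusted-resolver set are constructed assumptions, not the poster's data.

```python
"""Added example for this thread (not code from the post or from BleepingComputer):
audit a Windows hosts file and the 'DNS Servers' lines of `ipconfig /all` output
for entries that would redirect searches. All sample data below is constructed."""
import ipaddress
import re

# Assumption: names a search-redirector or rogue-AV installer typically hijacks.
WATCHED = {"google.com", "www.google.com", "yahoo.com", "www.yahoo.com",
           "malwarebytes.org", "www.bleepingcomputer.com"}

# Matches the first resolver line, e.g. "DNS Servers . . . . . : 192.168.1.1"
DNS_RE = re.compile(r"DNS Servers[ .]*:\s*([\d.]+)")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active entry in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Return (line_no, name, ip, reason) for suspicious hosts entries.

    Legitimate blocklist-style hosts files only ever point names at a loopback
    address, so a non-loopback mapping, or any override of a watched name, is
    worth a look."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if name in WATCHED:
            findings.append((line_no, name, ip, "watched name overridden"))
        elif not addr.is_loopback:
            findings.append((line_no, name, ip, "non-loopback mapping"))
    return findings


def dns_servers(ipconfig_text):
    """Extract every IPv4 resolver from `ipconfig /all` output. Windows prints
    the first resolver on the 'DNS Servers' line and any others on bare,
    indented continuation lines directly beneath it."""
    servers, collecting = [], False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        match = DNS_RE.match(line)
        if match:
            servers.append(match.group(1))
            collecting = True
        elif collecting and re.fullmatch(r"[\d.]+", line):
            servers.append(line)
        else:
            collecting = False
    return servers


def audit_dns(servers, trusted):
    """Return resolvers that are not in the set the user actually configured
    (router LAN address, ISP resolvers). A DNS-changing trojan works by
    substituting its own resolver here, which redirects every browser."""
    return [s for s in servers if s not in trusted]


# Constructed sample inputs (not the poster's files).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # blocklist entry: harmless
203.0.113.7     www.google.com          # search redirect
203.0.113.7     malwarebytes.org        # blocks an AV vendor
198.51.100.9    update.example.net
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % finding)
    # Assumption: the router at 192.168.1.1 is the only resolver the user set.
    for rogue in audit_dns(dns_servers(SAMPLE_IPCONFIG), {"192.168.1.1"}):
        print("unexpected DNS server:", rogue)
```

On a real machine, feed `audit_hosts` the contents of C:\WINDOWS\system32\drivers\etc\hosts and `dns_servers` the saved `ipconfig /all` output, and put your own router or ISP resolvers in the trusted set. Both a hosts-file hijack and a rogue resolver affect every browser on the box, so a clean result from these checks points the investigation back at Firefox itself (its profile, extensions or plugins) rather than at the network stack.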


#7 BeefyT (Topic Starter)

Posted 22 December 2009 - 10:04 AM

... I had run combofix before reading the dangers of using it unsupervised. Luckily I have not had any undesirable results from running it (that I know of... Also, because it could be related, I should also mention that I disabled a hidden Non-Plug and Play Driver "catchme").


Hi Elise,

Do you want me to rerun combofix and post that log along with log1.txt? Or just post the combofix.txt I had previously run (on 11/25/09)?

Also, at this point, should I do/undo anything with the "catchme" driver I mentioned above?

-BeefyT-

#8 Elise (Malware Study Hall Admin)

Posted 22 December 2009 - 10:32 AM

I don't want you to re-run Combofix, just post me the log from the last run.

Disabling catchme.sys was not a good idea; it is the userland rootkit detection driver (used by GMER and ComboFix, among others). It would be good if you could undo that.

regards, Elise




#9 BeefyT (Topic Starter)

Posted 22 December 2009 - 01:52 PM

Ok, I've re-enabled catchme.sys (Please let me know if you want me to rerun gmer with that enabled).
When I try to "Restore MS Hosts File" with HostsXpert I get the following: "Error: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts." (screenshot attached) - Should I try in Safe Mode?

Here is the previously run ComboFix.txt: (Log1.txt is below also)

ComboFix 09-11-24.02 - Beefyt 11/25/2009 13:22.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.123 [GMT -7:00]
Running from: c:\documents and settings\Beefyt\Desktop\combofix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-23 23:48 . 2009-11-23 23:48 -------- d-----w- c:\program files\Safer Networking
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 22:03 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 21:53 . 2009-11-14 17:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 17:28 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 17:26 . 2009-11-23 22:41 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-14 17:26 . 2009-11-23 22:41 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-14 17:26 . 2009-11-23 22:41 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-14 17:26 . 2009-11-23 22:41 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-14 17:26 . 2009-11-23 22:41 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-14 17:26 . 2009-11-23 22:41 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-14 17:24 . 2009-11-14 17:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 17:24 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 17:23 . 2009-11-14 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 17:23 . 2009-11-14 17:23 -------- d-----w- c:\program files\Lavasoft
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\windows\Cache
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\program files\Coupons
2009-11-12 19:07 . 2008-04-10 01:12 40832 ----a-w- c:\windows\system32\drivers\vacadskd.sys
2009-11-12 19:07 . 2009-11-12 19:10 -------- d-----w- c:\program files\Audio Recorder Platinum
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Any Audio Converter
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\program files\Any Audio Converter
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\Beefyt\Application Data\MSN6
2009-11-10 17:47 . 2009-11-10 17:47 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 03:24 . 2009-11-02 03:24 -------- d-----w- c:\documents and settings\Beefyt\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 16:47 . 2008-06-07 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 16:45 . 2009-06-13 19:35 117760 ----a-w- c:\documents and settings\Beefyt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 16:42 . 2008-04-23 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-25 05:30 . 2009-01-16 18:25 -------- d-----w- c:\program files\Taskbar Shuffle
2009-11-24 00:32 . 2007-05-20 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 22:41 . 2009-11-14 17:27 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-23 22:41 . 2009-11-14 17:27 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-23 22:41 . 2009-11-14 17:27 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-23 22:41 . 2009-11-14 17:27 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-23 22:41 . 2009-11-14 17:27 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-11-23 22:41 . 2009-11-14 17:27 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-23 22:41 . 2009-11-14 17:27 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-23 22:41 . 2009-11-14 17:27 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-23 22:41 . 2009-11-14 17:27 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-23 22:41 . 2009-11-14 17:27 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-19 22:01 . 2009-02-12 16:56 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Skype
2009-11-14 17:27 . 2009-11-14 17:27 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 17:27 . 2009-11-14 17:27 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-14 17:27 . 2009-11-14 17:27 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-14 17:27 . 2009-11-14 17:27 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-14 17:27 . 2009-11-14 17:27 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-14 17:27 . 2009-11-14 17:27 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-14 17:27 . 2009-11-14 17:27 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-14 17:27 . 2009-11-14 17:27 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-14 17:27 . 2009-11-14 17:27 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-14 00:43 . 2009-07-27 23:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-10 17:48 . 2009-02-12 16:52 -------- d-----r- c:\program files\Skype
2009-11-10 17:46 . 2009-02-12 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-10 14:54 . 2006-08-12 18:24 -------- d-----w- c:\program files\ClamWin
2009-10-14 18:15 . 2006-12-27 20:58 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 20:47 . 2004-07-08 04:51 343552 -c--a-w- c:\documents and settings\Beefyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 23:09 . 2009-06-22 15:13 66 ----a-w- c:\documents and settings\Beefyt\Application Data\isfree4_1.tmp
2009-09-01 04:39 . 2009-09-01 04:28 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-08-28 16:44 . 2009-08-28 16:44 1924440 ----a-w- c:\documents and settings\Beefyt\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_05.22.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 00:28 . 2009-11-25 16:29 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-04-23 00:28 . 2008-04-23 00:28 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-04-23 00:28 . 2009-11-25 16:29 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-04-23 00:28 . 2008-04-23 00:28 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 16:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [11/12/2009 12:07 PM 40832]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 9968]
S2 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2008 4:36 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-07 18:57]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
FF - ProfilePath - c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{03589C76-643D-4CB7-9D79-9F4C12B5B324} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 13:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\System32\wbem\wbemsvc.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-25 13:41
ComboFix-quarantined-files.txt 2009-11-25 20:41
ComboFix2.txt 2009-11-24 00:55
ComboFix3.txt 2009-11-23 05:27

Pre-Run: 30,787,104,768 bytes free
Post-Run: 30,761,627,648 bytes free

- - End Of File - - 81A1EFDF0399F0121393F6BB15254544


And here's Log1.txt:

Windows IP Configuration

Host Name . . . . . . . . . . . . : ralph
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.ut.comcast.net.

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : TE100-PCBUSR 32-Bit Cardbus PC Card
Physical Address. . . . . . . . . : 00-40-F4-3F-D9-BA

Ethernet adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : hsd1.ut.comcast.net.
Description . . . . . . . . . . . : Ralink RT2500 Wireless LAN Card
Physical Address. . . . . . . . . : 00-06-F4-0B-65-8E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.85.102
                                    68.87.69.150
Lease Obtained. . . . . . . . . . : Tuesday, December 22, 2009 11:42:15 AM
Lease Expires . . . . . . . . . . : Wednesday, December 23, 2009 11:42:15 AM

Server: cns.cmc.co.denver.comcast.net
Address: 68.87.85.102

Name: google.com
Addresses: 74.125.95.99, 74.125.95.104, 74.125.95.106, 74.125.95.105
           74.125.95.103, 74.125.95.147

Server: cns.cmc.co.denver.comcast.net
Address: 68.87.85.102

Name: yahoo.com
Addresses: 209.131.36.159, 209.191.93.53, 69.147.114.224

Pinging google.com [74.125.95.103] with 32 bytes of data:

Reply from 74.125.95.103: bytes=32 time=86ms TTL=51
Reply from 74.125.95.103: bytes=32 time=87ms TTL=51

Ping statistics for 74.125.95.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 86ms, Maximum = 87ms, Average = 86ms

Pinging yahoo.com [209.131.36.159] with 32 bytes of data:

Reply from 209.131.36.159: bytes=32 time=93ms TTL=53
Reply from 209.131.36.159: bytes=32 time=82ms TTL=53

Ping statistics for 209.131.36.159:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 82ms, Maximum = 93ms, Average = 87ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 40 f4 3f d9 ba ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
0x20002 ...00 06 f4 0b 65 8e ...... 802.11g Wireless LAN Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 192.168.1.101 3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


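The Log1.txt transcript above is a name-resolution check: which resolvers the DHCP lease handed out, what those resolvers answer for google.com and yahoo.com, and which address ping actually ends up using. As an added example, not part of the original post and not a BleepingComputer tool, the Python script below parses that transcript and flags the three things a "Google redirect" investigation looks for at this layer: a resolver outside the expected set (DNSChanger-style hijack), answers outside the expected netblock, and a ping target that nslookup never returned (nslookup queries the server directly and ignores the hosts file; ping goes through the system resolver, so a mismatch points at a hosts-file entry). The trusted-resolver set and the 74.125.0.0/16 baseline for google.com are assumptions taken from this log; the hijacked transcript is constructed from TEST-NET addresses.

```python
import ipaddress
import re

# Constructed sample, trimmed from the Log1.txt transcript posted above
# (ipconfig /all, then nslookup and ping for google.com and yahoo.com).
CLEAN_LOG = """
Host Name . . . . . . . . . . . . : ralph
IP Address. . . . . . . . . . . . : 192.168.1.101
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.85.102
68.87.69.150
Lease Obtained. . . . . . . . . . : Tuesday, December 22, 2009 11:42:15 AM

Server: cns.cmc.co.denver.comcast.net
Address: 68.87.85.102

Name: google.com
Addresses: 74.125.95.99, 74.125.95.104, 74.125.95.106, 74.125.95.105
74.125.95.103, 74.125.95.147

Server: cns.cmc.co.denver.comcast.net
Address: 68.87.85.102

Name: yahoo.com
Addresses: 209.131.36.159, 209.191.93.53, 69.147.114.224

Pinging google.com [74.125.95.103] with 32 bytes of data:
Reply from 74.125.95.103: bytes=32 time=86ms TTL=51

Pinging yahoo.com [209.131.36.159] with 32 bytes of data:
Reply from 209.131.36.159: bytes=32 time=93ms TTL=53
"""

# Constructed counter-example (TEST-NET addresses, not from the thread): a rogue
# resolver plus a hosts-file override that only ping sees.
HIJACKED_LOG = """
DNS Servers . . . . . . . . . . . : 203.0.113.53
Server: UnKnown
Address: 203.0.113.53

Name: google.com
Addresses: 74.125.95.99, 74.125.95.103

Pinging google.com [192.0.2.10] with 32 bytes of data:
"""

# Assumptions for this example: the resolvers the DHCP lease handed out are the
# trusted ones, and google.com answers should sit in the 74.125.0.0/16 block the
# log shows. Adjust both for the network being examined.
TRUSTED_DNS = {"68.87.85.102", "68.87.69.150"}
BASELINES = {"google.com": ["74.125.0.0/16"]}

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
CONT_RE = re.compile(r"^(?:(?:\d{1,3}\.){3}\d{1,3}[,\s]*)+$")  # bare-IP continuation line


def parse_log(text):
    """Extract resolver list, nslookup answers per name, and ping targets."""
    info = {"dns_servers": [], "answers": {}, "ping_targets": {}}
    mode = None  # "dns" while reading resolvers, a hostname while reading its answers
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            mode = None
            continue
        if line.startswith("DNS Servers"):
            info["dns_servers"].extend(IP_RE.findall(line))
            mode = "dns"
            continue
        m = re.match(r"Name:\s*(\S+)", line)
        if m:
            mode = m.group(1)
            info["answers"].setdefault(mode, [])
            continue
        m = re.match(r"Pinging (\S+) \[([\d.]+)\]", line)
        if m:
            info["ping_targets"][m.group(1)] = m.group(2)
            mode = None
            continue
        # The "Address:" under "Server:" has mode None and is skipped on purpose.
        if line.startswith(("Address:", "Addresses:")) and mode not in (None, "dns"):
            info["answers"][mode].extend(IP_RE.findall(line))
            continue
        if mode is not None and CONT_RE.match(line):
            target = info["dns_servers"] if mode == "dns" else info["answers"][mode]
            target.extend(IP_RE.findall(line))
            continue
        mode = None
    return info


def check(info, trusted_dns, baselines):
    """Return findings; an empty list means the resolution path looks untouched."""
    findings = []
    for server in info["dns_servers"]:
        if server not in trusted_dns:
            findings.append(f"resolver {server} is not a trusted DNS server (DNSChanger-style hijack?)")
    for name, addrs in info["answers"].items():
        nets = [ipaddress.ip_network(n) for n in baselines.get(name, [])]
        for addr in addrs:
            if nets and not any(ipaddress.ip_address(addr) in n for n in nets):
                findings.append(f"{name} resolved to {addr}, outside its expected netblocks")
    # nslookup bypasses the hosts file; ping does not, so a ping target that
    # nslookup never returned points at a hosts-file entry.
    for name, target in info["ping_targets"].items():
        answers = info["answers"].get(name)
        if answers and target not in answers:
            findings.append(f"ping resolved {name} to {target}, which nslookup never returned: check the hosts file")
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        print(label, check(parse_log(log), TRUSTED_DNS, BASELINES))
```

On the transcript from this thread the script returns no findings, which means the resolver, the answers and the hosts file are not where the redirect comes from and the investigation moves to the browser itself. To use it on a fresh machine, paste the output of `ipconfig /all`, `nslookup` and `ping` into the string, or read it from the saved Log1.txt.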
#10 Elise (Malware Study Hall Admin)

Posted 22 December 2009 - 01:57 PM

Please post me the log you will find at c:\qoobox\combofix3.txt

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#11 BeefyT (Topic Starter)

Posted 22 December 2009 - 02:11 PM

ComboFix3.txt:

ComboFix 09-11-22.04 - Beefyt 11/22/2009 22:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.280 [GMT -7:00]
Running from: c:\documents and settings\Beefyt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beefyt\Application Data\0200000029583a00697C.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697O.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697P.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697S.manifest
c:\documents and settings\Beefyt\My Documents\ZbThumbnail.info
c:\program files\outlook

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 22:03 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 21:53 . 2009-11-14 17:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 17:28 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 17:26 . 2009-11-14 17:26 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-14 17:26 . 2009-11-14 17:26 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-14 17:26 . 2009-11-14 17:26 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-14 17:26 . 2009-11-14 17:26 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-14 17:26 . 2009-11-14 17:26 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-14 17:24 . 2009-11-14 17:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 17:24 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 17:23 . 2009-11-14 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 17:23 . 2009-11-14 17:23 -------- d-----w- c:\program files\Lavasoft
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\windows\Cache
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\program files\Coupons
2009-11-12 19:07 . 2008-04-10 01:12 40832 ----a-w- c:\windows\system32\drivers\vacadskd.sys
2009-11-12 19:07 . 2009-11-12 19:10 -------- d-----w- c:\program files\Audio Recorder Platinum
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Any Audio Converter
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\program files\Any Audio Converter
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\Beefyt\Application Data\MSN6
2009-11-10 17:47 . 2009-11-10 17:47 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 03:24 . 2009-11-02 03:24 -------- d-----w- c:\documents and settings\Beefyt\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 08:19 . 2008-06-07 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-20 14:51 . 2009-01-16 18:25 -------- d-----w- c:\program files\Taskbar Shuffle
2009-11-20 00:23 . 2009-06-13 19:35 117760 ----a-w- c:\documents and settings\Beefyt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-19 22:01 . 2009-02-12 16:56 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Skype
2009-11-14 17:08 . 2008-04-23 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-14 00:43 . 2009-07-27 23:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-14 00:43 . 2007-05-20 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 17:48 . 2009-02-12 16:52 -------- d-----r- c:\program files\Skype
2009-11-10 17:46 . 2009-02-12 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-10 14:54 . 2006-08-12 18:24 -------- d-----w- c:\program files\ClamWin
2009-10-14 18:15 . 2006-12-27 20:58 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 20:47 . 2004-07-08 04:51 343552 -c--a-w- c:\documents and settings\Beefyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 23:09 . 2009-06-22 15:13 66 ----a-w- c:\documents and settings\Beefyt\Application Data\isfree4_1.tmp
2009-09-01 04:39 . 2009-09-01 04:28 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-08-28 16:44 . 2009-08-28 16:44 1924440 ----a-w- c:\documents and settings\Beefyt\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate1c951b2331b2a00"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [11/12/2009 12:07 PM 40832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S4 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2008 4:36 PM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1179232]
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-11-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-07 18:57]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
FF - ProfilePath - c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{03589C76-643D-4CB7-9D79-9F4C12B5B324} - (no file)
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-22 22:27
ComboFix-quarantined-files.txt 2009-11-23 05:27

Pre-Run: 30,449,127,424 bytes free
Post-Run: 30,827,397,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 84865CB063D05EEDFDE846E27BAD2075

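Two ComboFix logs from this machine are now on the page: the 11/25 run at the top of this section and ComboFix3.txt from 11/22. Comparing their "Reg Loading Points" blocks by eye is error-prone, so the following is an added Python example (not ComboFix's own code and not from this thread) that parses the Run keys, the msconfig\services entries and the service lines into a dictionary and diffs two runs. The embedded inputs are constructed subsets of the two logs. The service-line convention (R = running, S = stopped, digit = start type) is how ComboFix prints them; the start-type names and the reading of msconfig\services values as the start type a service had before msconfig disabled it are standard Windows semantics rather than something the logs state.

```python
import re

# Constructed subsets of two ComboFix logs from this thread: ComboFix3.txt
# (run 11/22) and the log posted at the top of this section (run 11/25).
COMBOFIX3_1122 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1179232]
"""

COMBOFIX_1125 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1184912]
"""

# ComboFix service lines: R = running, S = stopped, digit = Windows start type.
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[(.+?)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(.+?)\]$')
MSCONFIG_RE = re.compile(r'^"([^"]+)"=(\d) \(0x[0-9a-fA-F]+\)$')


def parse_loading_points(text):
    """Map each autostart/service entry to a comparable description string."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, _display, path, stamp = m.groups()
            run = "running" if state == "R" else "stopped"
            entries[f"service:{name}"] = f"{run}/{START_TYPE[start]} {path} [{stamp}]"
            continue
        if section is None:
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                hive = section.split("\\")[0]
                entries[f"run:{hive}:{m.group(1)}"] = f"{m.group(2)} [{m.group(3)}]"
        elif section.endswith("msconfig\\services"):
            # msconfig records the services it disabled here, with their previous start type.
            m = MSCONFIG_RE.match(line)
            if m:
                entries[f"msconfig-disabled:{m.group(1)}"] = f"was {START_TYPE.get(m.group(2), m.group(2))}"
    return entries


def diff_loading_points(old, new):
    """Return (action, key, detail) triples for everything that differs between two runs."""
    report = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            report.append(("added", key, new[key]))
        elif key not in new:
            report.append(("removed", key, old[key]))
        elif old[key] != new[key]:
            report.append(("changed", key, f"{old[key]} -> {new[key]}"))
    return report


if __name__ == "__main__":
    old = parse_loading_points(COMBOFIX3_1122)
    new = parse_loading_points(COMBOFIX_1125)
    for action, key, detail in diff_loading_points(old, new):
        print(f"{action:8} {key}: {detail}")
```

Run as-is it reports the SASENUM driver going from stopped to running, the Ad-Aware service going from disabled to auto start (with a different file size), and the msconfig entries that appeared or disappeared between the two runs; for real logs, read the two files into the two strings. Anything in the diff that is not one of the user's own security tools is what a helper would want to look at first.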
#12 Elise (Malware Study Hall Admin)

Posted 22 December 2009 - 02:18 PM

Hello BeefyT,

Please delete any copy of Combofix you might still have on your computer first!!

COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


#13 BeefyT (Topic Starter)

Posted 22 December 2009 - 02:57 PM

Today's ComboFix.txt:

ComboFix 09-11-22.04 - Beefyt 11/22/2009 22:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.280 [GMT -7:00]
Running from: c:\documents and settings\Beefyt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beefyt\Application Data\0200000029583a00697C.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697O.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697P.manifest
c:\documents and settings\Beefyt\Application Data\0200000029583a00697S.manifest
c:\documents and settings\Beefyt\My Documents\ZbThumbnail.info
c:\program files\outlook

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 22:03 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 21:53 . 2009-11-14 17:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 17:28 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 17:26 . 2009-11-14 17:26 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-14 17:26 . 2009-11-14 17:26 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-14 17:26 . 2009-11-14 17:26 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-14 17:26 . 2009-11-14 17:26 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-14 17:26 . 2009-11-14 17:26 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-14 17:24 . 2009-11-14 17:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 17:24 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 17:23 . 2009-11-14 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 17:23 . 2009-11-14 17:23 -------- d-----w- c:\program files\Lavasoft
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\windows\Cache
2009-11-13 17:44 . 2009-11-13 17:44 -------- d-----w- c:\program files\Coupons
2009-11-12 19:07 . 2008-04-10 01:12 40832 ----a-w- c:\windows\system32\drivers\vacadskd.sys
2009-11-12 19:07 . 2009-11-12 19:10 -------- d-----w- c:\program files\Audio Recorder Platinum
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Any Audio Converter
2009-11-12 18:27 . 2009-11-12 18:28 -------- d-----w- c:\program files\Any Audio Converter
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-12 18:04 . 2009-11-12 18:04 -------- d-----w- c:\documents and settings\Beefyt\Application Data\MSN6
2009-11-10 17:47 . 2009-11-10 17:47 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 03:24 . 2009-11-02 03:24 -------- d-----w- c:\documents and settings\Beefyt\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 08:19 . 2008-06-07 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-20 14:51 . 2009-01-16 18:25 -------- d-----w- c:\program files\Taskbar Shuffle
2009-11-20 00:23 . 2009-06-13 19:35 117760 ----a-w- c:\documents and settings\Beefyt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-19 22:01 . 2009-02-12 16:56 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Skype
2009-11-14 17:08 . 2008-04-23 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-14 00:43 . 2009-07-27 23:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-14 00:43 . 2007-05-20 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 17:48 . 2009-02-12 16:52 -------- d-----r- c:\program files\Skype
2009-11-10 17:46 . 2009-02-12 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-10 14:54 . 2006-08-12 18:24 -------- d-----w- c:\program files\ClamWin
2009-10-14 18:15 . 2006-12-27 20:58 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 20:47 . 2004-07-08 04:51 343552 -c--a-w- c:\documents and settings\Beefyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 23:09 . 2009-06-22 15:13 66 ----a-w- c:\documents and settings\Beefyt\Application Data\isfree4_1.tmp
2009-09-01 04:39 . 2009-09-01 04:28 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-08-28 16:44 . 2009-08-28 16:44 1924440 ----a-w- c:\documents and settings\Beefyt\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate1c951b2331b2a00"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [11/12/2009 12:07 PM 40832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S4 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2008 4:36 PM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1179232]
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-11-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-07 18:57]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-28 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
FF - ProfilePath - c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{03589C76-643D-4CB7-9D79-9F4C12B5B324} - (no file)
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-22 22:27
ComboFix-quarantined-files.txt 2009-11-23 05:27

Pre-Run: 30,449,127,424 bytes free
Post-Run: 30,827,397,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 84865CB063D05EEDFDE846E27BAD2075

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:01 PM

Posted 22 December 2009 - 03:01 PM

Sorry, but I don't think this is today's combofix log :(

ComboFix 09-11-22.04 - Beefyt 11/22/2009 22:13.1.1 - x86

The bolded part in the quote is the date; this is the oldest log you had.

The new one can be found at c:\combofix.txt Please post it in your next reply :(

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#15 BeefyT

BeefyT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:01 AM

Posted 22 December 2009 - 03:14 PM

Oops :( Must have missed the key and had the old stuff on the clipboard. Sorry. Here it is: :(

ComboFix 09-12-21.08 - Beefyt 12/22/2009 12:33:05.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.257 [GMT -7:00]
Running from: c:\documents and settings\Beefyt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beefyt\Start Menu\Internet Security 2010.lnk
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 16:11 . 2009-12-22 18:29 -------- d-----w- C:\HostsXpert
2009-12-07 21:56 . 2009-12-07 21:56 -------- d-----w- c:\documents and settings\Beefyt\Tracing
2009-12-07 21:51 . 2009-12-07 21:51 -------- d-----w- c:\program files\Microsoft
2009-12-07 21:50 . 2009-12-07 21:50 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-07 21:50 . 2009-12-07 21:51 -------- d-----w- c:\program files\Windows Live
2009-12-07 21:46 . 2009-12-07 21:46 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-07 03:48 . 2009-12-07 03:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-07 03:44 . 2009-12-07 03:44 152576 ----a-w- c:\documents and settings\Beefyt\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-07 03:44 . 2009-12-07 03:44 79488 ----a-w- c:\documents and settings\Beefyt\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-07 03:33 . 2009-12-07 03:33 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-23 23:48 . 2009-11-23 23:48 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 16:41 . 2009-01-16 18:25 -------- d-----w- c:\program files\Taskbar Shuffle
2009-12-21 20:47 . 2008-06-07 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-20 19:51 . 2006-12-27 20:58 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 20:57 . 2009-06-22 15:13 66 ----a-w- c:\documents and settings\Beefyt\Application Data\isfree4_1.tmp
2009-12-18 20:13 . 2007-03-15 14:01 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Image Zone Express
2009-12-15 00:08 . 2006-07-16 17:52 1524 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-14 23:55 . 2009-02-12 16:56 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Skype
2009-12-12 23:15 . 2009-11-13 17:44 -------- d-----w- c:\program files\Coupons
2009-12-11 23:57 . 2009-06-13 19:35 117760 ----a-w- c:\documents and settings\Beefyt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-07 21:52 . 2005-11-11 04:59 -------- d-----w- c:\program files\MSN Messenger
2009-12-07 03:47 . 2006-06-13 03:17 -------- d-----w- c:\program files\Java
2009-12-07 03:36 . 2009-11-14 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 23:14 . 2009-11-14 22:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-11-14 22:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 21:11 . 2008-06-07 16:31 -------- d-----w- c:\program files\Google
2009-11-25 16:42 . 2008-04-23 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 00:32 . 2007-05-20 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\Beefyt\Application Data\Malwarebytes
2009-11-14 22:03 . 2009-11-14 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 17:28 . 2009-11-14 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 17:27 . 2009-11-14 17:27 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 17:27 . 2009-11-14 17:27 93360 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-14 17:27 . 2009-11-14 17:27 554280 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-14 17:27 . 2009-11-14 21:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 17:27 . 2009-11-14 17:27 15880 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-14 17:27 . 2009-11-14 17:27 212480 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-14 17:27 . 2009-11-14 17:27 283944 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-14 17:27 . 2009-11-14 17:27 1223976 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-14 17:27 . 2009-11-14 17:27 242984 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-14 17:27 . 2009-11-14 17:27 5908024 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-09-27 20:47 . 2004-07-08 04:51 343552 -c----w- c:\documents and settings\Beefyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_05.22.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-22 16:40 . 2009-12-22 16:40 16384 c:\windows\temp\Perflib_Perfdata_724.dat
+ 2009-07-26 23:44 . 2009-07-26 23:44 48448 c:\windows\system32\sirenacm.dll
- 2003-11-29 23:51 . 2008-05-19 16:10 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-11-29 23:51 . 2009-12-12 15:35 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-11-29 23:51 . 2009-12-12 15:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-11-29 23:51 . 2008-05-19 16:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-02 22:26 . 2009-12-12 15:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-11-29 23:51 . 2008-05-19 16:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-07 21:51 . 2009-12-07 21:51 27136 c:\windows\Installer\3e94792.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 83456 c:\windows\Installer\3e94779.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 58880 c:\windows\Installer\3e94773.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2008-04-23 00:28 . 2009-11-25 16:29 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-04-23 00:28 . 2008-04-23 00:28 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-04-23 00:28 . 2008-04-23 00:28 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-23 00:28 . 2009-11-25 16:29 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-12-07 21:51 . 2009-12-07 21:51 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 21:14 . 2009-12-03 21:14 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ARPPRODUCTICON.exe
+ 2009-12-07 03:48 . 2009-12-07 03:47 149280 c:\windows\system32\javaws.exe
+ 2009-12-07 03:48 . 2009-12-07 03:47 145184 c:\windows\system32\javaw.exe
+ 2009-12-07 03:48 . 2009-12-07 03:47 145184 c:\windows\system32\java.exe
+ 2003-11-29 16:22 . 2009-12-22 15:52 876744 c:\windows\system32\FNTCACHE.DAT
+ 2009-12-07 03:47 . 2009-12-07 03:47 537600 c:\windows\Installer\955d4.msi
+ 2009-12-07 21:51 . 2009-12-07 21:51 430080 c:\windows\Installer\3e947a0.msi
+ 2009-12-07 21:51 . 2009-12-07 21:51 155648 c:\windows\Installer\3e94798.msi
+ 2009-12-07 21:51 . 2009-12-07 21:51 140288 c:\windows\Installer\3e9478c.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 202752 c:\windows\Installer\3e94785.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 152576 c:\windows\Installer\3e9477f.msi
+ 2009-12-07 21:50 . 2009-12-07 21:50 107008 c:\windows\Installer\3e9476d.msi
+ 2009-12-07 21:49 . 2009-12-07 21:49 301056 c:\windows\Installer\3e94767.msi
+ 2009-12-03 21:14 . 2009-12-03 21:14 1258496 c:\windows\Installer\3cdfb2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-07 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 16:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 12:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 10:28 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 74480]
R3 EuMusDesignVirtualAudioCableWdm_ads;Audio Recorder Platinum Digital (WDM);c:\windows\system32\drivers\vacadskd.sys [11/12/2009 12:07 PM 40832]
S2 gupdate1c951b2331b2a00;Google Update Service (gupdate1c951b2331b2a00);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2008 4:36 PM 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1184912]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
FF - ProfilePath - c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{03589C76-643D-4CB7-9D79-9F4C12B5B324} - (no file)
MSConfigStartUp-A00F2332C0B7 - c:\docume~1\Beefyt\LOCALS~1\Temp\_A00F2332C0B7.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 12:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-854245398-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-12-22 12:46:30
ComboFix-quarantined-files.txt 2009-12-22 19:46
ComboFix2.txt 2009-12-22 16:10
ComboFix3.txt 2009-11-24 00:55
ComboFix4.txt 2009-12-22 19:09

Pre-Run: 29,067,845,632 bytes free
Post-Run: 29,116,792,832 bytes free

- - End Of File - - 7D4CC4C5D30174B14802F423C805C8AC
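The two ComboFix logs in this thread are triaged by eye. The script below is an added example, not part of the thread and not ComboFix's own logic, of doing that first pass mechanically: it parses the `Reg Loading Points` and `ORPHANS REMOVED` sections of a ComboFix-style log and flags autostart targets that live in a Temp directory or carry a random hex-style file name (the shape of the `MSConfigStartUp-A00F2332C0B7` orphan in the 22 December log), plus a Security Center `AntiVirusOverride` set to 1. The embedded sample is an excerpt of the 22 December log above with one constructed `Run` entry (the `svchosts` line) added to exercise the Temp-directory check; the heuristics, thresholds and the `Finding` type are this example's assumptions.

```python
"""Added example: first-pass triage of a ComboFix-style log.

Parses the 'Reg Loading Points' and 'ORPHANS REMOVED' sections and flags
autostart targets in Temp directories, hex-style random file names, and a
suppressed Security Center anti-virus warning. The heuristics below are
this example's own assumptions, not ComboFix rules.
"""
import re
from dataclasses import dataclass, field

# [HKEY_...\CurrentVersion\Run]  -> section key
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="c:\path\file.exe" [2009-12-07 149280]   or   "Name"=dword:00000001
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<value>[^"\[]*?)"?\s*(\[[^\]]*\])?\s*$')
# MSConfigStartUp-A00F2332C0B7 - c:\...\Temp\_A00F2332C0B7.exe
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+)-(?P<name>\S+) - (?P<target>.+)$")
# A basename that is only hex digits (optionally a leading underscore) is the
# naming style droppers and rogue-AV installers commonly use.
HEX_NAME_RE = re.compile(r"^_?[0-9a-f]{8,}\.(exe|dll|tmp)$", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)


def path_reasons(path):
    """Heuristics on an autostart target path; returns a list of reasons."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p:
        reasons.append("autostart target lives in a Temp directory")
    if HEX_NAME_RE.match(p.rsplit("\\", 1)[-1]):
        reasons.append("random hex-style file name")
    return reasons


def triage(log_text):
    """Return a Finding for every suspicious entry in the log text."""
    findings, key, in_orphans = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            key, in_orphans = None, True
            continue
        if line.startswith("****"):          # ComboFix section separator
            in_orphans = False
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                reasons = path_reasons(m.group("target"))
                if reasons:
                    findings.append(Finding("ORPHANS REMOVED", m.group("name"),
                                            m.group("target"), reasons))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        k, reasons = key.lower(), []
        if (k.endswith("\\security center") and name.lower().endswith("override")
                and value.lower() in ("dword:00000001", "1")):
            reasons.append("Security Center warning suppressed (%s=%s)" % (name, value))
        elif "\\currentversion\\run" in k:   # Run, RunOnce and the disabled 'run-' key
            reasons = path_reasons(value)
        if reasons:
            findings.append(Finding(key, name, value, reasons))
    return findings


# Excerpt of the 22 December log from this thread. The "svchosts" Run entry is
# constructed for this example to exercise the Temp-directory check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"svchosts"="c:\documents and settings\Beefyt\Local Settings\Temp\3f9a1c2b7e04.exe" [2009-12-20 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

- - - - ORPHANS REMOVED - - - -

BHO-{03589C76-643D-4CB7-9D79-9F4C12B5B324} - (no file)
MSConfigStartUp-A00F2332C0B7 - c:\docume~1\Beefyt\LOCALS~1\Temp\_A00F2332C0B7.exe

**************************************************************************
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s = %s" % (f.key, f.name, f.value))
        for r in f.reasons:
            print("    -", r)
```

A hit is a prompt to look, not a verdict: `AntiVirusOverride=1` is also what people set by hand when Security Center does not recognise their anti-virus product, so on a machine running ClamWin it may be the owner's own doing; the orphaned `MSConfigStartUp` entry pointing at a hex-named executable in `Temp`, on the other hand, is exactly the residue of a rogue installer and is worth matching against the quarantine list.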



