
win32:rootkit-gen(RTK)


28 replies to this topic

#1 haley6412

haley6412

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:40 PM

Posted 21 December 2009 - 06:36 PM

I am hoping someone can help me clean this computer up. Last week it had vundo.gen.bw; this week Avast has something like 30 files in its chest, all stating part of win32:rootkit-gen(RTK) is in them, with the original location being C:\WINDOWS\SYSTEM32\DRIVERS and with different names such as aec.sys, asyncmac.sys, hidgame.sys, HTTP.sys, just to name a few. First I ran CCleaner, then SUPERAntiSpyware and then MBAM, all of which found some Vundo files. I don't have any more popups and am able to log in without looping, but I feel this virus is still on here. The desktop is still inactivated and I am unable to start up in safe mode. I was able to get the DDS logs but RootRepeal will not start up. I will be patiently awaiting further instructions. Thanks in advance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brenda at 3:36:28.90 on Mon 12/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.28 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091220-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brenda.D30VVD11\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {12C1127D-DFDD-4BD9-B5E3-39E31BA3D415} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)" -"http://coursewareobjects.elsevier.com/objects/elr/Wold/geriatric4e/testpage.html"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: <NO NAME> =
IE: &Search - ?p=ZJ
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {41D1977F-4161-4720-800F-EA4903983A38} - hxxp://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://mirror.worldwinner.com/games/v44/bjattack/bjattack.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100410953574
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37967.7015972222
DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v52/wwspades/wwspades.cab
DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - hxxp://fdl.msn.com/public/chat/msnchat4.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4028.cab
TCP: {DE128FEA-82D6-409C-93FF-814890A3A438} = 68.87.68.162,68.87.74.162
Filter: text/html - {9c232cee-7d2b-4590-9277-a1ea09863128} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: zqpgkr.dll c:\windows\system32\gehuseda.dll kekuzevi.dll pomogehi.dll c:\windows\system32\pegugefu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnlJccd
LSA: Notification Packages = scecli wemipipo.dll nojavofa.dll
mASetup: 0ef09f0d-ecd6-4b9b-add6-0d87830f65d4 - c:\windows\system32\baaxmmn.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brenda~1.d30\applic~1\mozilla\firefox\profiles\97fm34ls.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\brenda.d30vvd11\application data\mozilla\firefox\profiles\97fm34ls.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: g:\realplayer\netscape6\nppl3260.dll
FF - plugin: g:\realplayer\netscape6\nprjplug.dll
FF - plugin: g:\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-13 114768]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-11-28 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-13 138680]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-11-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-11-28 144704]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-13 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-13 352920]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-28 35272]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\msikbd2k.sys [2000-10-3 6942]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-8-26 223128]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-28 40552]
S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);c:\windows\system32\drivers\pcx2nd5.sys [2002-7-27 17648]
S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;c:\windows\system32\drivers\pcx2unic.sys [2002-7-27 69456]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-11-28 606736]

=============== Created Last 30 ================

2009-12-21 06:21:58 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 06:21:54 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 06:21:54 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 01:55:39 196864 -c--a-w- c:\windows\system32\drivers\rdpdr.sys
2009-12-21 01:55:39 196864 -c--a-w- c:\windows\system32\dllcache\rdpdr.sys
2009-12-21 01:21:38 59904 -c--a-w- c:\windows\system32\drivers\atmarpc.sys
2009-12-21 01:21:38 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2009-12-21 01:17:46 14336 -c--a-w- c:\windows\system32\drivers\asyncmac.sys
2009-12-21 01:17:46 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2009-12-12 09:24:58 262144 ---ha-w- c:\documents and settings\brenda.d30vvd11\ntuser.dat.LOG1
2009-12-12 09:24:58 0 ---ha-w- c:\documents and settings\brenda.d30vvd11\ntuser.dat.LOG2
2009-12-12 09:24:33 158208 -c--a-w- c:\windows\system32\dllcache\msconfig.exe
2009-12-12 09:24:32 502272 -c--a-w- c:\windows\system32\dllcache\winlogon.exe
2009-12-12 09:24:31 815104 -c--a-w- c:\windows\system32\dllcache\mmc.exe
2009-12-12 09:24:31 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2009-12-12 09:24:30 13312 -c--a-w- c:\windows\system32\dllcache\lsass.exe
2009-12-12 09:24:29 514560 -c--a-w- c:\windows\system32\dllcache\logonui.exe
2009-12-12 09:24:28 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2009-12-12 09:24:28 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2009-12-12 09:24:24 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2009-12-12 09:24:24 24576 -c--a-w- c:\windows\system32\dllcache\userinit.exe
2009-12-12 07:56:20 0 dc----w- C:\VundoFix Backups
2009-12-11 08:29:38 0 -c--a-w- c:\windows\system32\292.exe
2009-12-11 08:09:38 0 -c--a-w- c:\windows\system32\153.exe
2009-12-11 07:49:38 0 -c--a-w- c:\windows\system32\3902.exe
2009-12-11 07:29:37 0 -c--a-w- c:\windows\system32\14604.exe
2009-12-11 07:09:37 0 -c--a-w- c:\windows\system32\32391.exe
2009-12-11 06:49:37 0 -c--a-w- c:\windows\system32\5436.exe
2009-12-11 06:29:36 0 -c--a-w- c:\windows\system32\4827.exe
2009-12-11 06:09:36 0 -c--a-w- c:\windows\system32\11942.exe
2009-12-11 05:49:35 0 -c--a-w- c:\windows\system32\2995.exe
2009-12-11 05:29:35 0 -c--a-w- c:\windows\system32\491.exe
2009-12-11 05:09:34 0 -c--a-w- c:\windows\system32\9961.exe
2009-12-11 04:49:34 0 -c--a-w- c:\windows\system32\16827.exe
2009-12-11 04:29:34 0 -c--a-w- c:\windows\system32\23281.exe
2009-12-11 04:09:33 0 -c--a-w- c:\windows\system32\28145.exe
2009-12-11 03:49:33 0 -c--a-w- c:\windows\system32\5705.exe
2009-12-11 03:29:32 0 -c--a-w- c:\windows\system32\24464.exe
2009-12-11 03:09:31 0 -c--a-w- c:\windows\system32\26962.exe
2009-12-11 02:49:31 0 -c--a-w- c:\windows\system32\29358.exe
2009-12-11 02:29:30 0 -c--a-w- c:\windows\system32\11478.exe
2009-12-11 02:09:30 0 -c--a-w- c:\windows\system32\15724.exe
2009-12-11 01:49:30 0 -c--a-w- c:\windows\system32\19169.exe
2009-12-11 01:29:29 0 -c--a-w- c:\windows\system32\26500.exe
2009-12-11 01:09:29 0 -c--a-w- c:\windows\system32\6334.exe
2009-12-11 00:49:28 0 -c--a-w- c:\windows\system32\18467.exe

==================== Find3M ====================

2009-11-01 05:40:13 99760 -c--a-w- c:\docume~1\brenda~1.d30\applic~1\GDIPFONTCACHEV1.DAT
2009-10-29 07:45:38 916480 -c--a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 -c--a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 -c--a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 -c--a-w- c:\windows\system32\rastls.dll
2007-12-24 16:17:55 5632 -csha-w- c:\program files\Thumbs.db
2003-12-16 18:52:00 40960 -c--a-r- c:\program files\qldb32.wll
2003-12-04 19:00:00 108544 -c--a-r- c:\program files\Favorites.mdb
2003-12-04 19:00:00 1009 -c--a-r- c:\program files\00000001.url
2003-03-15 04:43:40 23040 -c--a-w- c:\program files\nCASEAdsUninstaller.exe
2002-07-28 05:49:56 1496800 -c--a-w- c:\program files\hypno15.exe
2002-07-28 01:08:25 105325 -c--a-w- c:\program files\Driver for Cable Modem.zip
2002-07-27 00:22:27 436255 -c--a-w- c:\program files\PopUpStopper26.exe
2002-07-26 21:20:57 2835884 -c--a-w- c:\program files\iMeshV3.exe
2002-07-16 03:28:37 453568 -c--a-w- c:\program files\PopUpStopper.exe
2002-06-26 00:53:05 700416 -c--a-w- c:\program files\winmx322.exe
2000-12-12 15:17:40 100432 -c----w- c:\program files\Win2000PPAHotfix.exe
2008-12-24 08:47:23 933125 -csha-w- c:\windows\system32\dccJlnpo.ini2

============= FINISH: 3:37:55.14 ===============

Attached Files


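The DDS report above is the part of this thread a responder actually reads for indicators: the AppInit_DLLs line and the two LSA package lines name randomly named DLLs that get loaded into every user-mode process or into the LSA process, and the "Created Last 30" section shows a run of zero-byte, numerically named executables written into system32 at a fixed 20-minute cadence. The following Python script is an added example (not part of the original post and not a feature of DDS) that pulls those three indicator types out of a DDS excerpt. The default LSA package list is an assumption for a stock Windows XP SP2 machine, and the sample input is a constructed excerpt copied from the log posted above.

```python
"""Triage helper for a DDS log excerpt (added example; not part of the original post or DDS).

It flags three things a responder looks for in a DDS "Pseudo HJT" / "Created Last 30" report:
  * AppInit_DLLs entries (loaded into every process that links user32.dll; empty on a clean box)
  * LSA Authentication/Notification Packages beyond the Windows XP defaults
  * zero-byte, all-digit *.exe files written into system32, and the interval between them
"""
import re
from datetime import datetime

# Assumption: default LSA packages on a stock Windows XP SP2 machine. Extend for your baseline.
DEFAULT_LSA = {"Authentication Packages": {"msv1_0"}, "Notification Packages": {"scecli"}}

# Constructed excerpt: these lines are copied from the DDS log in the first post.
SAMPLE_LOG = r"""
AppInit_DLLs: zqpgkr.dll c:\windows\system32\gehuseda.dll kekuzevi.dll pomogehi.dll c:\windows\system32\pegugefu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnlJccd
LSA: Notification Packages = scecli wemipipo.dll nojavofa.dll
2009-12-11 08:29:38 0 -c--a-w- c:\windows\system32\292.exe
2009-12-11 08:09:38 0 -c--a-w- c:\windows\system32\153.exe
2009-12-11 07:49:38 0 -c--a-w- c:\windows\system32\3902.exe
2009-12-21 06:21:54 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
""".strip()

# "Created Last 30" line: <date time> <size> <attributes> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+\S+\s+(.+)$")
# An executable directly under system32 whose name is only digits.
NUMERIC_EXE_RE = re.compile(r"\\system32\\(\d+)\.exe$", re.IGNORECASE)
LSA_RE = re.compile(r"^LSA: (Authentication Packages|Notification Packages) = (.*)$")


def appinit_dlls(log):
    """Return every entry listed under AppInit_DLLs (a clean machine lists none)."""
    for line in log.splitlines():
        if line.startswith("AppInit_DLLs:"):
            return line.split(":", 1)[1].split()
    return []


def nondefault_lsa_packages(log):
    """Return {package type: [entries that are not in DEFAULT_LSA]}."""
    found = {}
    for line in log.splitlines():
        m = LSA_RE.match(line)
        if m:
            kind, entries = m.group(1), m.group(2).split()
            extra = [e for e in entries if e not in DEFAULT_LSA[kind]]
            if extra:
                found[kind] = extra
    return found


def numeric_zero_byte_exes(log):
    """Return (timestamp, path) pairs, oldest first, for 0-byte all-digit .exe files in system32."""
    hits = []
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if m and m.group(2) == "0" and NUMERIC_EXE_RE.search(m.group(3)):
            hits.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)))
    return sorted(hits)


def creation_intervals_minutes(hits):
    """Minutes between consecutive creations; a constant value points at a scheduled dropper."""
    times = [t for t, _ in hits]
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]


def triage(log):
    """Summarise the three indicator types for a DDS excerpt."""
    hits = numeric_zero_byte_exes(log)
    return {
        "appinit_dlls": appinit_dlls(log),
        "nondefault_lsa": nondefault_lsa_packages(log),
        "numeric_zero_byte_exes": [p for _, p in hits],
        "intervals_minutes": creation_intervals_minutes(hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the script lists the five AppInit DLLs, the non-default `opnlJccd`, `wemipipo.dll` and `nojavofa.dll` LSA entries, the three numeric executables, and a constant 20-minute creation interval, which is the pattern the later ComboFix run removed.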


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:40 AM

Posted 29 December 2009 - 07:41 PM

Hello haley6412,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one antivirus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Add/Remove Programs in the Control Panel and remove one of these:
McAfee antivirus or Avast antivirus.

***********


Please update Malwarebytes, run it and post its log.

***********


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Edited by SifuMike, 29 December 2009 - 07:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 haley6412

haley6412
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:40 PM

Posted 30 December 2009 - 09:25 PM

Hi, thanks for the fast response. I deleted avast as advised, but was wondering if you could recommend an antivirus program besides what I decided to keep (McAfee). Below are the logs that you requested.


Malwarebytes' Anti-Malware 1.43
Database version: 3460
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/30/2009 9:09:29 PM
mbam-log-2009-12-30 (21-09-29).txt

Scan type: Quick Scan
Objects scanned: 140024
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-30 21:18:23
Windows 5.1.2600 Service Pack 2
Running: pso4es79.exe; Driver: C:\DOCUME~1\BRENDA~1.D30\LOCALS~1\Temp\uxddqpob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF9745D48]
SSDT sptd.sys ZwEnumerateValueKey [0xF97460C0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF737678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7376738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF737674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF73767CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7376710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF7376724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF737679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF7376776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF7376762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF73767F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF73767E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF73767B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82BA5EB0

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 824C54F8

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:40 AM

Posted 30 December 2009 - 10:11 PM

Hi haley6412,

I deleted avast as advised, but was wondering if you could recommend an antivirus program besides what I decided to keep (McAfee).



I hope you did not delete Avast. You should have uninstalled Avast, as that removes all of it.




We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt

Edited by SifuMike, 03 January 2010 - 01:39 AM.


#5 haley6412

haley6412
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:40 PM

Posted 03 January 2010 - 01:24 AM

Sorry for the incorrect terminology... I did uninstall Avast.



ComboFix 10-01-02.01 - Brenda 01/03/2010 0:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.102 [GMT -5:00]
Running from: c:\documents and settings\Brenda.D30VVD11\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brenda.D30VVD11\Application Data\inst.exe
c:\program files\Common
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Readme.txt
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\14604.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\components
c:\windows\system32\dccJlnpo.ini
c:\windows\system32\dccJlnpo.ini2
c:\windows\system32\pr1ze5.dlltmp
c:\windows\Tasks\jvdlesfm.job
c:\windows\Tasks\qlngyagv.job

.
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2009-12-21 06:21 . 2009-12-30 19:55 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 06:21 . 2009-12-31 01:56 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 06:21 . 2009-12-30 19:54 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 01:55 . 2004-08-04 06:01 196864 -c--a-w- c:\windows\system32\drivers\rdpdr.sys
2009-12-21 01:55 . 2004-08-04 06:01 196864 -c--a-w- c:\windows\system32\dllcache\rdpdr.sys
2009-12-21 01:21 . 2004-08-04 05:58 59904 -c--a-w- c:\windows\system32\drivers\atmarpc.sys
2009-12-21 01:21 . 2004-08-04 05:58 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2009-12-21 01:17 . 2004-08-04 06:05 14336 -c--a-w- c:\windows\system32\drivers\asyncmac.sys
2009-12-21 01:17 . 2004-08-04 06:05 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2009-12-13 07:58 . 2009-12-13 07:58 -------- dc----w- c:\program files\Alwil Software
2009-12-12 09:24 . 2009-03-19 19:06 158208 -c--a-w- c:\windows\system32\dllcache\msconfig.exe
2009-12-12 09:24 . 2009-03-19 19:06 502272 -c--a-w- c:\windows\system32\dllcache\winlogon.exe
2009-12-12 09:24 . 2009-03-19 19:06 815104 -c--a-w- c:\windows\system32\dllcache\mmc.exe
2009-12-12 09:24 . 2009-03-19 19:06 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2009-12-12 09:24 . 2009-03-19 19:06 13312 -c--a-w- c:\windows\system32\dllcache\lsass.exe
2009-12-12 09:24 . 2009-03-19 19:06 514560 -c--a-w- c:\windows\system32\dllcache\logonui.exe
2009-12-12 09:24 . 2009-03-19 19:06 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2009-12-12 09:24 . 2009-03-19 19:06 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2009-12-12 09:24 . 2009-03-19 19:06 24576 -c--a-w- c:\windows\system32\dllcache\userinit.exe
2009-12-12 09:24 . 2009-03-19 19:06 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2009-12-12 07:56 . 2009-12-12 07:56 -------- dc----w- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 01:55 . 2009-12-31 01:55 5061520 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-27 19:58 . 2005-12-31 22:06 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\LimeWire
2009-12-21 08:52 . 2009-12-21 00:53 52224 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-21 08:52 . 2009-03-21 00:51 117760 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:54 . 2003-05-07 22:06 -------- dc----w- c:\program files\Lavasoft
2009-12-14 00:54 . 2005-08-13 02:34 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\Lavasoft
2009-12-12 18:51 . 2009-03-04 10:43 -------- dc----w- c:\program files\CleanUp!
2009-12-11 12:12 . 2008-11-28 12:03 -------- dc----w- c:\program files\McAfee
2009-12-01 06:28 . 2009-11-10 03:36 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\Tutor
2009-11-22 00:17 . 2008-10-05 21:37 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\U3
2009-11-10 03:35 . 2009-11-10 03:28 -------- dc----w- c:\program files\Tutor 6
2009-11-08 18:27 . 2005-12-31 22:03 -------- dc----w- c:\program files\LimeWire
2009-10-29 07:45 . 2004-01-08 20:23 916480 -c--a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 07:56 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 07:56 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 -c--a-w- c:\windows\system32\drivers\HTTP.sys
2009-10-13 10:53 . 2001-08-18 12:00 266752 -c--a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2001-08-18 12:00 69632 -c--a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2001-08-18 12:00 112128 -c--a-w- c:\windows\system32\rastls.dll
2009-10-10 03:44 . 2009-09-20 02:54 1 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2007-12-24 16:17 . 2007-12-24 16:17 5632 -csha-w- c:\program files\Thumbs.db
2003-12-16 18:52 . 2004-04-03 01:35 40960 -c--a-r- c:\program files\qldb32.wll
2003-12-04 19:00 . 2004-04-03 01:35 108544 -c--a-r- c:\program files\Favorites.mdb
2003-12-04 19:00 . 2004-04-03 01:35 1009 -c--a-r- c:\program files\00000001.url
2003-03-15 04:43 . 2003-03-15 04:43 23040 -c--a-w- c:\program files\nCASEAdsUninstaller.exe
2002-07-28 05:49 . 2002-07-28 05:49 1496800 -c--a-w- c:\program files\hypno15.exe
2002-07-28 01:08 . 2002-07-28 01:08 105325 -c--a-w- c:\program files\Driver for Cable Modem.zip
2002-07-27 00:22 . 2002-07-27 00:22 436255 -c--a-w- c:\program files\PopUpStopper26.exe
2002-07-26 21:20 . 2002-07-26 21:20 2835884 -c--a-w- c:\program files\iMeshV3.exe
2002-07-16 03:28 . 2002-07-16 03:28 453568 -c--a-w- c:\program files\PopUpStopper.exe
2002-06-26 00:53 . 2002-06-26 00:52 700416 -c--a-w- c:\program files\winmx322.exe
2000-12-12 15:17 . 2000-12-13 22:22 100432 -c----w- c:\program files\Win2000PPAHotfix.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda.D30VVD11^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Brenda.D30VVD11\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda.D30VVD11^Start Menu^Programs^Startup^Emerald PopStop.lnk]
path=c:\documents and settings\Brenda.D30VVD11\Start Menu\Programs\Startup\Emerald PopStop.lnk
backup=c:\windows\pss\Emerald PopStop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTWinModem1]
ltmsg.exe 9 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 06:00 102400 -c--a-w- c:\program files\Creative\SBLive\Program\AHQINIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-05-14 02:05 623888 -c--a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2001-12-06 21:48 53248 -c--a-w- c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 -c----w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
2001-09-23 12:14 163840 -c--a-w- c:\windows\DellMMKb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 13:14 206112 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-09-17 19:29 645328 -c----w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-05-09 19:32 53248 -c--a-w- c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2001-07-25 15:00 184376 -c--a-w- c:\program files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 -c--a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2001-08-31 04:56 1404928 -c--a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 -c--a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-04-11 18:17 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-20 02:34 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-01-15 21:17 1830128 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-18 02:32 68856 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-28 04:54 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c--a-w- c:\windows\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2003-06-27 16:38 1486848 -c--a-w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:BitLord

R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [8/26/2006 1:03 PM 643072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\msikbd2k.sys [10/3/2000 3:18 PM 6942]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\SYSTEM32\DRIVERS\SMC1211.sys [7/11/2001 11:06 AM 23153]
R3 vaxscsi;vaxscsi;c:\windows\SYSTEM32\DRIVERS\vaxscsi.sys [8/26/2006 1:09 PM 223128]
S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);c:\windows\SYSTEM32\DRIVERS\pcx2nd5.sys [7/27/2002 8:15 PM 17648]
S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;c:\windows\SYSTEM32\DRIVERS\pcx2unic.sys [7/27/2002 8:16 PM 69456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 17:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZJ
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {DE128FEA-82D6-409C-93FF-814890A3A438} = 68.87.68.162,68.87.74.162
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
FF - ProfilePath - c:\documents and settings\Brenda.D30VVD11\Application Data\Mozilla\Firefox\Profiles\97fm34ls.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Brenda.D30VVD11\Application Data\Mozilla\Firefox\Profiles\97fm34ls.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: g:\realplayer\Netscape6\nppl3260.dll
FF - plugin: g:\realplayer\Netscape6\nprjplug.dll
FF - plugin: g:\realplayer\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DAEMON Tools-1033 - c:\program files\D-Tools\daemon.exe
MSConfigStartUp-Drag'n'Drop_Autolaunch - c:\program files\Iomega HotBurn\Autolaunch.exe
MSConfigStartUp-Eac_Download - c:\program files\Common Files\eAcceleration\download.exe
MSConfigStartUp-EbatesMoeMoneyMaker0 - c:\program files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-KAZAA - c:\program files\KaZaA\kazaa.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-OpwareSE2 - c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-POINTER - point32.exe
MSConfigStartUp-Pop-Up Stopper - c:\progra~1\PANICW~1\POP-UP~1\dpps2.exe
MSConfigStartUp-RunDLL - c:\windows\Downloaded Program Files\bridge.dll
MSConfigStartUp-SkyscapeBBDM - c:\program files\Common Files\Skyscape\BlackBerry\SkyscapeBBDM.exe
MSConfigStartUp-Smax4 - c:\documents and settings\Brenda.D30VVD11\Application Data\Google\kjzna1562565.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe
ActiveSetup-0ef09f0d-ecd6-4b9b-add6-0d87830f65d4 - c:\windows\system32\baaxmmn.exe
AddRemove-Davis's Drug Search for Nurses, 11e - c:\program files\FA Davis\Davis's Drug Search for Nurses
AddRemove-Instant Text V Pro - c:\insttext\Exe32\UndoIT32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 00:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x82BA5EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82ba5eb0
\Driver\ACPI -> ACPI.sys @ 0xf9732cb8
\Driver\atapi -> atapi.sys @ 0xf96ef2f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: SMC EZ Card 10/100 PCI (SMC1211 Series) -> SendCompleteHandler -> NDIS.sys @ 0xf95e4bc3
PacketIndicateHandler -> NDIS.sys @ 0xf95f0b21
SendHandler -> NDIS.sys @ 0xf95e4d33
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,e4,40,4d,40,ff,b1,48,93,38,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,e4,40,4d,40,ff,b1,48,93,38,ef,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"UserFaultCheck"=expand:"%systemroot%\\system32\\dumprep 0 -u"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AutorunsDisabled]
@DACL=(02 0000)
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Nhksrv.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-01-03 01:14:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 06:14

Pre-Run: 26,645,450,752 bytes free
Post-Run: 26,510,663,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Temp XP" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - DDF8D0DB2DA6DF12AE6B05B1DCE6AC89

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:40 AM

Posted 03 January 2010 - 03:37 PM

Hi haley6412,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center
Posted Image


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\VundoFix Backups

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
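The CFScript above resets "FirewallOverride" under the Security Center key, which the posted log showed set to 1, and the same log listed a run of purely numeric .exe names in system32 plus an MBR detector line pointing at a "called module" it could not attribute to any driver. As an added example (not ComboFix's own code, not the helper's, and not part of this thread), the Python below walks a log laid out like ComboFix's and flags those three indicators so a reader can triage such a log before a helper writes the script. The SAMPLE_LOG excerpt is constructed from lines in the same format; the file names and the 0x82BA5EB0 address come from the posted log, everything else is sample data. Note that DisableMonitoring under Security Center\Monitoring can be set legitimately by an installed AV product, so the script reports it but only proposes resetting FirewallOverride, mirroring the CFScript in the thread.

```python
"""Triage helper for ComboFix-style logs (added example for this thread, not
ComboFix's own code and not the poster's log)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt laid out like the logs in this thread; the file names and
# the 0x82BA5EB0 address come from the posted log, everything else is sample data.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))
.
c:\windows\system32\11478.exe
c:\windows\system32\153.exe
c:\windows\system32\dccJlnpo.ini
c:\windows\Tasks\jvdlesfm.job

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntoskrnl.exe >>UNKNOWN [0x82BA5EB0]<<
\Driver\Disk -> 0x82ba5eb0
Warning: possible MBR rootkit infection !
"""

# Executable in system32 whose base name is only digits (the 11478.exe style entries).
NUMERIC_EXE = re.compile(r"^c:\\windows\\system32\\\d+\.exe$", re.IGNORECASE)
# REGEDIT4 key header and a dword value line, as ComboFix prints them.
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# The MBR detector's "called modules" line with an address it cannot attribute.
UNKNOWN_MODULE = re.compile(r"called modules:.*>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# Values worth a second look when set to 1 under Security Center. FirewallOverride
# is what the CFScript in the thread resets; DisableMonitoring can also be set
# legitimately by an installed AV product, so it is reported, not auto-reset.
REVIEW_VALUES = {"firewalloverride", "disablemonitoring"}


@dataclass
class Findings:
    numeric_exes: list[str] = field(default_factory=list)
    sc_overrides: list[tuple[str, str, int]] = field(default_factory=list)
    unknown_modules: list[str] = field(default_factory=list)
    mbr_warning: bool = False


def triage(log_text: str) -> Findings:
    """Walk the log once, tracking the current REGEDIT4 key, and collect findings."""
    f = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NUMERIC_EXE.match(line):
            f.numeric_exes.append(line)
        elif (m := REG_KEY.match(line)):
            current_key = m.group(1)
        elif (m := REG_DWORD.match(line)) and current_key.lower().startswith(SECURITY_CENTER):
            name, value = m.group(1), int(m.group(2), 16)
            if name.lower() in REVIEW_VALUES and value == 1:
                f.sc_overrides.append((current_key, name, value))
        elif (m := UNKNOWN_MODULE.search(line)):
            f.unknown_modules.append(m.group(1))
        elif line.startswith("Warning: possible MBR rootkit infection"):
            f.mbr_warning = True
    return f


def render_registry_fix(f: Findings, reset=("firewalloverride",)) -> str:
    """Emit a ComboFix 'Registry::' stanza, in the form used in the thread, that
    resets the selected override values to 0. Only FirewallOverride is reset by
    default, mirroring the helper's script; a person still reviews the output."""
    lines = ["Registry::"]
    last_key = None
    for key, name, _ in f.sc_overrides:
        if name.lower() not in reset:
            continue
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("numeric-named exes in system32:", *found.numeric_exes, sep="\n  ")
    print("security center overrides:", found.sc_overrides)
    print("unattributed modules:", found.unknown_modules, "MBR warning:", found.mbr_warning)
    print(render_registry_fix(found))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the regular expressions only match the exact line shapes shown above, so any line the script does not recognise is ignored rather than misreported.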

#7 haley6412

haley6412
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:40 PM

Posted 03 January 2010 - 10:16 PM

ComboFix 10-01-03.03 - Brenda 01/03/2010 21:38:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.98 [GMT -5:00]
Running from: c:\documents and settings\Brenda.D30VVD11\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brenda.D30VVD11\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2009-12-21 06:21 . 2009-12-30 19:55 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 06:21 . 2009-12-31 01:56 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 06:21 . 2009-12-30 19:54 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 01:55 . 2004-08-04 06:01 196864 -c--a-w- c:\windows\system32\drivers\rdpdr.sys
2009-12-21 01:55 . 2004-08-04 06:01 196864 -c--a-w- c:\windows\system32\dllcache\rdpdr.sys
2009-12-21 01:21 . 2004-08-04 05:58 59904 -c--a-w- c:\windows\system32\drivers\atmarpc.sys
2009-12-21 01:21 . 2004-08-04 05:58 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2009-12-21 01:17 . 2004-08-04 06:05 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2009-12-21 01:17 . 2004-08-04 06:05 14336 -c----w- c:\windows\system32\drivers\asyncmac.sys
2009-12-13 07:58 . 2009-12-13 07:58 -------- dc----w- c:\program files\Alwil Software
2009-12-12 09:24 . 2009-03-19 19:06 158208 -c--a-w- c:\windows\system32\dllcache\msconfig.exe
2009-12-12 09:24 . 2009-03-19 19:06 502272 -c--a-w- c:\windows\system32\dllcache\winlogon.exe
2009-12-12 09:24 . 2009-03-19 19:06 815104 -c--a-w- c:\windows\system32\dllcache\mmc.exe
2009-12-12 09:24 . 2009-03-19 19:06 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2009-12-12 09:24 . 2009-03-19 19:06 13312 -c--a-w- c:\windows\system32\dllcache\lsass.exe
2009-12-12 09:24 . 2009-03-19 19:06 514560 -c--a-w- c:\windows\system32\dllcache\logonui.exe
2009-12-12 09:24 . 2009-03-19 19:06 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2009-12-12 09:24 . 2009-03-19 19:06 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2009-12-12 09:24 . 2009-03-19 19:06 24576 -c--a-w- c:\windows\system32\dllcache\userinit.exe
2009-12-12 09:24 . 2009-03-19 19:06 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 01:55 . 2009-12-31 01:55 5061520 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-27 19:58 . 2005-12-31 22:06 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\LimeWire
2009-12-21 08:52 . 2009-12-21 00:53 52224 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-21 08:52 . 2009-03-21 00:51 117760 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:54 . 2003-05-07 22:06 -------- dc----w- c:\program files\Lavasoft
2009-12-14 00:54 . 2005-08-13 02:34 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\Lavasoft
2009-12-12 18:51 . 2009-03-04 10:43 -------- dc----w- c:\program files\CleanUp!
2009-12-11 12:12 . 2008-11-28 12:03 -------- dc----w- c:\program files\McAfee
2009-12-01 06:28 . 2009-11-10 03:36 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\Tutor
2009-11-22 00:17 . 2008-10-05 21:37 -------- dc----w- c:\documents and settings\Brenda.D30VVD11\Application Data\U3
2009-11-10 03:35 . 2009-11-10 03:28 -------- dc----w- c:\program files\Tutor 6
2009-11-08 18:27 . 2005-12-31 22:03 -------- dc----w- c:\program files\LimeWire
2009-10-29 07:45 . 2004-01-08 20:23 916480 -c----w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 07:56 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 07:56 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 -c--a-w- c:\windows\system32\drivers\HTTP.sys
2009-10-13 10:53 . 2001-08-18 12:00 266752 -c--a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2001-08-18 12:00 69632 -c--a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2001-08-18 12:00 112128 -c--a-w- c:\windows\system32\rastls.dll
2009-10-10 03:44 . 2009-09-20 02:54 1 -c--a-w- c:\documents and settings\Brenda.D30VVD11\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2007-12-24 16:17 . 2007-12-24 16:17 5632 -csha-w- c:\program files\Thumbs.db
2003-12-16 18:52 . 2004-04-03 01:35 40960 -c--a-r- c:\program files\qldb32.wll
2003-12-04 19:00 . 2004-04-03 01:35 108544 -c--a-r- c:\program files\Favorites.mdb
2003-12-04 19:00 . 2004-04-03 01:35 1009 -c--a-r- c:\program files\00000001.url
2003-03-15 04:43 . 2003-03-15 04:43 23040 -c--a-w- c:\program files\nCASEAdsUninstaller.exe
2002-07-28 05:49 . 2002-07-28 05:49 1496800 -c--a-w- c:\program files\hypno15.exe
2002-07-28 01:08 . 2002-07-28 01:08 105325 -c--a-w- c:\program files\Driver for Cable Modem.zip
2002-07-27 00:22 . 2002-07-27 00:22 436255 -c--a-w- c:\program files\PopUpStopper26.exe
2002-07-26 21:20 . 2002-07-26 21:20 2835884 -c--a-w- c:\program files\iMeshV3.exe
2002-07-16 03:28 . 2002-07-16 03:28 453568 -c--a-w- c:\program files\PopUpStopper.exe
2002-06-26 00:53 . 2002-06-26 00:52 700416 -c--a-w- c:\program files\winmx322.exe
2000-12-12 15:17 . 2000-12-13 22:22 100432 -c----w- c:\program files\Win2000PPAHotfix.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda.D30VVD11^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Brenda.D30VVD11\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda.D30VVD11^Start Menu^Programs^Startup^Emerald PopStop.lnk]
path=c:\documents and settings\Brenda.D30VVD11\Start Menu\Programs\Startup\Emerald PopStop.lnk
backup=c:\windows\pss\Emerald PopStop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTWinModem1]
ltmsg.exe 9 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 06:00 102400 -c--a-w- c:\program files\Creative\SBLive\Program\AHQINIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-05-14 02:05 623888 -c--a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2001-12-06 21:48 53248 -c--a-w- c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 -c----w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
2001-09-23 12:14 163840 -c--a-w- c:\windows\DellMMKb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 13:14 206112 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-09-17 19:29 645328 -c----w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-05-09 19:32 53248 -c--a-w- c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2001-07-25 15:00 184376 -c--a-w- c:\program files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 -c--a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2001-08-31 04:56 1404928 -c--a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16 741376 -c--a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-04-11 18:17 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-20 02:34 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-01-15 21:17 1830128 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-18 02:32 68856 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-06-28 04:54 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c--a-w- c:\windows\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2003-06-27 16:38 1486848 -c--a-w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:BitLord

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\msikbd2k.sys [10/3/2000 3:18 PM 6942]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\SYSTEM32\DRIVERS\SMC1211.sys [7/11/2001 11:06 AM 23153]
S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);c:\windows\SYSTEM32\DRIVERS\pcx2nd5.sys [7/27/2002 8:15 PM 17648]
S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;c:\windows\SYSTEM32\DRIVERS\pcx2unic.sys [7/27/2002 8:16 PM 69456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
S3 vaxscsi;vaxscsi;c:\windows\SYSTEM32\DRIVERS\vaxscsi.sys [8/26/2006 1:09 PM 223128]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [8/26/2006 1:03 PM 643072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 17:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZJ
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {DE128FEA-82D6-409C-93FF-814890A3A438} = 68.87.68.162,68.87.74.162
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
FF - ProfilePath - c:\documents and settings\Brenda.D30VVD11\Application Data\Mozilla\Firefox\Profiles\97fm34ls.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Brenda.D30VVD11\Application Data\Mozilla\Firefox\Profiles\97fm34ls.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: g:\realplayer\Netscape6\nppl3260.dll
FF - plugin: g:\realplayer\Netscape6\nprjplug.dll
FF - plugin: g:\realplayer\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 21:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,e4,40,4d,40,ff,b1,48,93,38,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,e4,40,4d,40,ff,b1,48,93,38,ef,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"UserFaultCheck"=expand:"%systemroot%\\system32\\dumprep 0 -u"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AutorunsDisabled]
@DACL=(02 0000)
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-03 22:00:10
ComboFix-quarantined-files.txt 2010-01-04 03:00
ComboFix2.txt 2010-01-03 06:14

Pre-Run: 26,465,714,176 bytes free
Post-Run: 26,436,554,752 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - CDDCB7145501B2E250712F3860D95AAD

#8 SifuMike (malware expert)

Posted 04 January 2010 - 12:17 AM

Hi haley6412,

Please do an online scan with Kaspersky WebScanner

Attention!
Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.


Please note: Kaspersky requires that Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 haley6412 (Topic Starter)

Posted 05 January 2010 - 09:31 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 05, 2010 21:02:21
Records in database: 3344085
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 98536
Threats found: 10
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 04:50:58


File name / Threat / Threats count
C:\Documents and Settings\Brenda.D30VVD11\Desktop\LimeWire Music\David Allen Coe - bleep bleeper.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.CommonName.p 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.HotBar.bn 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.EZula.d 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.Shime.a 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Program Files\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\exe[1].exe Infected: Trojan.Win32.FraudPack.afeg 1
G:\Music\its all right phill collins-xcd.wma Infected: Trojan-Downloader.WMA.Wimad.t 1
G:\Music\its all right phill collins511.wma Infected: Trojan-Downloader.WMA.Wimad.t 1

Selected area has been scanned.

#10 SifuMike (malware expert)

Posted 06 January 2010 - 02:09 PM

Hi haley6412,


Please close FireFox and Internet Explorer browser before running OTM.

Please download OTM by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".

:files
C:\Documents and Settings\Brenda.D30VVD11\Desktop\LimeWire Music\David Allen Coe - bleep bleeper.wma 
C:\Program Files\iMeshV3.exe 
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\exe[1].exe 
G:\Music\its all right phill collins-xcd.wma 
G:\Music\its all right phill collins511.wma 
:commands
[emptytemp]
[Reboot]


Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
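What the two posts above did by hand, turning the Kaspersky "File name / Threat / Threats count" lines into OTM's :files list with each file listed once, as an added example; it is not code from this thread, from Kaspersky or from OTM, and the report lines it parses are constructed in the format shown above.

```python
import re
from collections import OrderedDict

# Constructed sample in the Kaspersky Online Scanner report format shown in this
# thread: "<path> Infected: <threat name> <count>", surrounded by the header and
# trailer lines the report prints around the detections.
SAMPLE_REPORT = "\n".join([
    "File name / Threat / Threats count",
    "C:\\Program Files\\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.CommonName.p 1",
    "C:\\Program Files\\iMeshV3.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2",
    "C:\\WINDOWS\\SYSTEM32\\CONFIG\\systemprofile\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\Z8PFBPCE\\exe[1].exe Infected: Trojan.Win32.FraudPack.afeg 1",
    "G:\\Music\\its all right phill collins-xcd.wma Infected: Trojan-Downloader.WMA.Wimad.t 1",
    "",
    "Selected area has been scanned.",
])

# Paths contain spaces, so the path is matched lazily up to the " Infected: "
# separator; threat names contain no spaces and the line ends with the count.
_DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) for every detection line in the report.
    Header, blank and trailer lines do not match the pattern and are skipped."""
    findings = []
    for line in text.splitlines():
        m = _DETECTION_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return findings


def group_by_file(findings):
    """Collapse detections to one entry per file, preserving report order.
    One file (iMeshV3.exe above) can carry several threat names."""
    grouped = OrderedDict()
    for path, threat, count in findings:
        grouped.setdefault(path, []).append((threat, count))
    return grouped


def build_otm_script(grouped, empty_temp=True, reboot=True):
    """Render the OTM ':files' / ':commands' script used in this thread,
    one unique path per line so nothing is listed twice."""
    lines = [":files"] + list(grouped.keys()) + [":commands"]
    if empty_temp:
        lines.append("[emptytemp]")
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    grouped = group_by_file(parse_report(SAMPLE_REPORT))
    for path, threats in grouped.items():
        print(path, "->", ", ".join(f"{t} x{c}" for t, c in threats))
    print(build_otm_script(grouped))
```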

#11 haley6412 (Topic Starter)

Posted 06 January 2010 - 09:07 PM

All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\Brenda.D30VVD11\Desktop\LimeWire Music\David Allen Coe - bleep bleeper.wma not found.
C:\Program Files\iMeshV3.exe moved successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\exe[1].exe moved successfully.
G:\Music\its all right phill collins-xcd.wma moved successfully.
G:\Music\its all right phill collins511.wma moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Brenda
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Brenda.D30VVD11
->Temp folder emptied: 93439328 bytes
->Temporary Internet Files folder emptied: 221879 bytes
->Java cache emptied: 848502 bytes
->FireFox cache emptied: 65860252 bytes

User: BRENDA~1~D30

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Ryan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2821699 bytes
Windows Temp folder emptied: 5831 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 28199730 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 183.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 01062010_204733

Files moved on Reboot...

Registry entries deleted on Reboot...

#12 SifuMike (malware expert)

Posted 06 January 2010 - 09:27 PM

Hi haley6412,

I think we have you clean. :(

Please tell me how the computer is running.

If all OK, then we will do the program clean up.

#13 haley6412 (Topic Starter)

Posted 08 January 2010 - 08:57 PM

Hello SifuMike,

Yes, the computer seems good. Thank you so much for all your help. Ready for instructions on program clean up.

#14 SifuMike (malware expert)

Posted 08 January 2010 - 09:57 PM

Hi haley6412,

I just noticed something. Be back shortly.

Edited by SifuMike, 08 January 2010 - 10:24 PM.
typo


#15 SifuMike (malware expert)

Posted 08 January 2010 - 10:44 PM

Before we do the clean up, I want to check something.

Please download MBR.EXE by GMER.
Save the file in your Root directory (C:\).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@echo off
cd\
mbr.exe -t 
start mbr.log

Go to the File menu at the top of the Notepad and select Save as.
Select Save in : desktop
Fill in File name : look.bat
Save as type : All file types (*.*)
Click save .
Close the Notepad .
Locate and double-click look.bat on the desktop.
A notepad opens, copy and paste the content (mbr.log) to your reply.

Edited by SifuMike, 09 January 2010 - 01:28 AM.
typo
