STOPzilla 12 infections


  • This topic is locked
14 replies to this topic

#1 malo

  • Members
  • 8 posts

Posted 15 January 2010 - 01:14 PM

I opened an e-mail from UPS with a file ("I know, stupid, stupid"); I was waiting for a package, thought it was strange, opened it anyway. Nothing there when opened, then I decided to Google. Quick AVG scan = clean, Ad-Aware = OK and updated, Malwarebytes downloaded, found 7-8 infected files, downloaded STOPzilla, noted 13 infections, did Kaspersky online scan, critical areas OK. AVG full scan moved 42 problems to vault, then got error blue screen.
Things I have done:
Safe mode
Malwarebytes detected one object,
Trojan Remover found file avg8-avgssie.dll (left over from older AVG?)

Regular start-up
downloaded SUPERAntiSpyware, full scan OK,
Malwarebytes = many scans = removed 17 infections
Windows Defender = OK, noted not started,
STOPzilla noted 13 infections still.

Safe mode
Malwarebytes = OK second time,
Ad-Aware removed file, also noted update gone from yesterday,
Spybot = OK,
ran DDS,
AVG stopped as unable to scan files (all files locked, not tested),
Trojan Remover = OK,

Regular start-up
Windows Defender not started,
downloaded Prevx 3.0, scan = OK,
MRT full scan = OK, AVG full scan = OK,
AVG full scan = OK
STOPzilla 12 infections (WinRAR 3.61 Multi\zip {FraudSmith - I deleted} and 3 files Internet Pro having to do with sdra.64.exe host files)

Included AVG file and DDS second time in safe mode - would you want the first DDS?
Thank you for your help

Edited by malo, 15 January 2010 - 01:17 PM.


#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 January 2010 - 08:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 malo

  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2010 - 09:55 PM

Thank you m0le,
I see it is very busy here.
malo

#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 January 2010 - 07:36 AM

Hi malo,

Can you post the two MBAM logs that you reference in your post? They are found in the Logs tab on the MBAM console.


Also, please run the RootRepeal rootkit scanner

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Thanks
m0le is a proud member of UNITE

#5 malo

  • Topic Starter

  • Members
  • 8 posts

Posted 22 January 2010 - 12:28 PM

Sorry, I had also found and moved files lowsce to the recycling bin and the cookies4 file from Opera; an AVG popup said it accessed file information - found tracking cookie.advertising detected on open. Thank you for taking a look at the logs.
Malo
DDS found on first scan before malwarebytes scan
uRun: [userinit] c:\users\gary\appdata\roaming\sdra64.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

Windows Defender is not being enabled at startup; RTP is checked.

I had done several scans with MBAM. I copied the first scan and the results of infections from the other scans; I hope that is OK.

Malwarebytes' Anti-Malware 1.44
Database version: 3556
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/13/2010 5:34:10 PM
mbam-log-2010-01-13 (17-34-10).txt


Scan type: Quick Scan
Objects scanned: 98894
Time elapsed: 16 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0


Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\gary\AppData\Local\Nlizcl.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipaqucejalafo (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbogula (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\gary\AppData\Local\Nlizcl.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\gary\AppData\Local\Temp\~TM2EC2.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\gary\AppData\Local\ugipucovotuket.dll (Trojan.Agent.U) -> Delete on reboot.
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\gary\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

1/13/2010 8:46:34 PM
mbam-log-2010-01-13 (20-46-34).txt


Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

1/13/2010 8:54:45 PM
mbam-log-2010-01-13 (20-54-45).txt


Scan type: Quick Scan
Objects scanned: 100012
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

1/13/2010 9:55:13 PM
mbam-log-2010-01-13 (21-55-13).txt


Scan type: Quick Scan
Objects scanned: 100191
Time elapsed: 10 minute(s), 10 second(s)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

1/14/2010 1:32:06 AM
mbam-log-2010-01-14 (01-32-06).txt

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

1/14/2010 9:13:02 AM
mbam-log-2010-01-14 (09-13-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 222659
Time elapsed: 35 minute(s), 53 second(s)


Files Infected:
C:\Users\gary\Documents\xp\unzipped\YAAI_2.0.3.488\YAAI_2.0.3.488\YAAI.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

1/15/2010 9:01:04 PM
mbam-log-2010-01-15 (21-01-04).txt

Scan type: Quick Scan
Objects scanned: 15
Time elapsed: 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/22 11:30
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8FD11000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x8FD1C000 Size: 40960 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: SYSTEM
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1504 Status: Locked to the Windows API!

SSDT
-------------------
#: 042 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b1cc

#: 078 Function Name: NtCreateThread
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b206

#: 194 Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b51a

#: 201 Function Name: NtOpenThread
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b3f6

#: 210 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b292

#: 289 Function Name: NtSetContextThread
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b18e

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0x8f3a20b0

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b316

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5b34e

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bcec

#: 241 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bd60

#: 301 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bc78

#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bc36

#: 403 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5be4c

#: 418 Function Name: NtUserGetForegroundWindow
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bb42

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bb90

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bbc2

#: 442 Function Name: NtUserGetRawInputData
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bc04

#: 504 Function Name: NtUserQueryWindow
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bef0

#: 531 Function Name: NtUserSetClipboardData
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5be1c

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5be9a

#: 617 Function Name: NtUserWindowFromPoint
Status: Hooked by "C:\Windows\System32\drivers\pxrts.sys" at address 0x8fd5bf6a

==EOF==



#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 January 2010 - 04:04 PM

If you look at the MBAM logs, you can see MBAM attempting deletion and quarantine of the same entry a number of times before it was successful. This usually means there is more there than just a trojan.

Please run Combofix and let's take a look.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE
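The pattern m0le points at, the same registry key and Run value being quarantined in scan after scan, can be checked mechanically rather than by eye. The following is an added example written for this edit; it is not code from the thread, from Malwarebytes or from BleepingComputer. It parses MBAM-style log text, groups detections by scan timestamp, and reports every item that reappears after MBAM reported it removed, plus items MBAM could only schedule for deletion on reboot (in use at scan time). The log text inside it is constructed for the example and modelled on the entries posted above; the `parse_scans`, `recurring_items`, `locked_items` and `report` names are this example's own.

```python
"""Spot persistence across repeated Malwarebytes (MBAM) scans.

Added example, not code from the thread or from Malwarebytes. Reads MBAM-style
log text, groups detections per scan, and flags items that come back after
being "Quarantined and deleted successfully" in an earlier scan.
"""
import re
from collections import OrderedDict

# A scan header is a timestamp on its own line, e.g. "1/13/2010 5:34:10 PM".
SCAN_HEADER = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
# A detection line reads "<item> (<family>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample, modelled on the logs posted in the thread (not the poster's file).
SAMPLE_LOG = r"""
1/13/2010 5:34:10 PM
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\gary\AppData\Local\Nlizcl.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\gary\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

1/13/2010 8:46:34 PM
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

1/13/2010 8:54:45 PM
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

1/14/2010 1:32:06 AM
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
"""


def parse_scans(text):
    """Return an ordered mapping: scan timestamp -> list of (item, family, action)."""
    scans = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if SCAN_HEADER.match(line):
            current = line
            scans[current] = []
            continue
        match = DETECTION.match(line)
        if match and current is not None:
            scans[current].append((match["item"], match["family"], match["action"]))
    return scans


def recurring_items(scans):
    """Items detected in more than one scan, with (timestamp, action) history.

    An item that MBAM reported removed and that is back in a later scan is
    being re-created by something MBAM did not remove.
    """
    history = OrderedDict()
    for when, hits in scans.items():
        for item, _family, action in hits:
            history.setdefault(item, []).append((when, action))
    return OrderedDict((item, hist) for item, hist in history.items() if len(hist) > 1)


def locked_items(scans):
    """Items MBAM could only schedule for deletion at reboot (in use when scanned)."""
    return sorted({item for hits in scans.values() for item, _f, action in hits
                   if action.lower().startswith("delete on reboot")})


def report(text):
    """Human-readable summary lines for a log; empty list means nothing recurred."""
    scans = parse_scans(text)
    lines = []
    for item, hist in recurring_items(scans).items():
        lines.append(f"RECURRING ({len(hist)} scans): {item}")
        for when, action in hist:
            lines.append(f"    {when}: {action}")
    for item in locked_items(scans):
        lines.append(f"LOCKED AT SCAN TIME: {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample the report lists the Explorer `{19127ad2-...}` key and the `Run\userinit` value as recurring across three scans each, and `Nlizcl.dll` as locked at scan time; a real MBAM log file can be passed to `report()` unchanged, since it only needs the timestamp headers and the `-> action.` detection lines.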

#7 malo

  • Topic Starter

  • Members
  • 8 posts

Posted 22 January 2010 - 10:07 PM

I turned Windows Defender off, but it shows it is enabled; did you want me to try again? Windows said IE is not the default browser; is this normal?
Thank you,
malo

ComboFix 10-01-21.08 - gary 01/22/2010 21:30:41.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3034.1912 [GMT -5:00]
Running from: c:\users\gary\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\gary\AppData\Local\{11E6E1C4-CF1D-4EAA-9AD8-E1619789722D}
c:\users\gary\AppData\Local\{11E6E1C4-CF1D-4EAA-9AD8-E1619789722D}\chrome.manifest
c:\users\gary\AppData\Local\{11E6E1C4-CF1D-4EAA-9AD8-E1619789722D}\chrome\content\_cfg.js
c:\users\gary\AppData\Local\{11E6E1C4-CF1D-4EAA-9AD8-E1619789722D}\chrome\content\overlay.xul
c:\users\gary\AppData\Local\{11E6E1C4-CF1D-4EAA-9AD8-E1619789722D}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 02:39 . 2010-01-23 02:39 -------- d-----w- c:\users\gary\AppData\Local\temp
2010-01-23 02:39 . 2010-01-23 02:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 13:44 . 2010-01-22 16:28 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2010-01-20 00:27 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2010-01-15 21:09 . 2010-01-15 21:09 -------- d-----w- c:\windows\system32\AGEIA
2010-01-15 21:09 . 2010-01-15 21:09 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-15 21:08 . 2006-09-28 21:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-01-15 14:35 . 2010-01-15 14:35 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-01-15 14:35 . 2010-01-15 14:35 47664 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-01-15 14:35 . 2010-01-15 14:35 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-01-15 14:35 . 2010-01-15 14:35 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-01-15 14:35 . 2010-01-15 14:35 -------- d-----w- c:\program files\Prevx
2010-01-15 14:35 . 2010-01-22 03:41 -------- d-----w- c:\programdata\PrevxCSI
2010-01-14 19:00 . 2010-01-14 19:00 -------- d-----w- c:\program files\Ubisoft
2010-01-14 17:48 . 2010-01-14 17:48 52224 ----a-w- c:\users\gary\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 17:48 . 2010-01-14 17:48 117760 ----a-w- c:\users\gary\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 17:47 . 2010-01-14 17:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-14 17:47 . 2010-01-14 17:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 17:47 . 2010-01-14 17:47 -------- d-----w- c:\users\gary\AppData\Roaming\SUPERAntiSpyware.com
2010-01-14 17:46 . 2010-01-15 21:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-14 03:26 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-14 03:26 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-14 03:26 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-14 03:26 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-14 03:26 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-14 03:26 . 2010-01-14 03:26 -------- d-----w- c:\program files\Trojan Remover
2010-01-14 03:26 . 2010-01-14 03:26 -------- d-----w- c:\users\gary\AppData\Roaming\Simply Super Software
2010-01-14 03:26 . 2010-01-14 03:26 -------- d-----w- c:\programdata\Simply Super Software
2010-01-14 01:10 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 01:10 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 22:12 . 2010-01-13 22:12 -------- d-----w- c:\users\gary\AppData\Roaming\Malwarebytes
2010-01-13 22:12 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 22:12 . 2010-01-13 22:12 -------- d-----w- c:\programdata\Malwarebytes
2010-01-13 22:12 . 2010-01-13 22:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 22:12 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 21:57 . 2010-01-13 21:57 -------- d-----w- c:\programdata\SITEguard
2010-01-13 21:54 . 2010-01-13 21:54 -------- d-----w- c:\program files\STOPzilla!
2010-01-13 21:54 . 2010-01-13 21:54 -------- d-----w- c:\program files\Common Files\iS3
2010-01-13 21:54 . 2010-01-23 02:24 -------- d-----w- c:\programdata\STOPzilla!
2010-01-13 21:06 . 2010-01-14 00:11 120 ----a-w- c:\users\gary\AppData\Local\Xxijevinuyo.dat
2010-01-13 21:06 . 2010-01-13 21:06 0 ----a-w- c:\users\gary\AppData\Local\Odomo.bin
2010-01-06 18:31 . 2010-01-06 18:31 -------- d-----w- c:\programdata\Zylom
2010-01-06 18:29 . 2010-01-06 18:29 -------- d-----w- c:\programdata\n7-89-o9-3r-4t-r9
2010-01-06 18:23 . 2010-01-06 18:23 -------- d-----w- c:\users\gary\AppData\Roaming\GameHouse
2010-01-06 18:22 . 2010-01-06 18:22 -------- d-----w- c:\program files\GameHouse
2009-12-30 23:03 . 2009-12-30 23:04 5299337 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-12-30 01:13 . 2009-12-30 01:13 108341 ----a-w- c:\users\gary\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
2009-12-29 21:03 . 2009-12-30 23:03 -------- d-----w- c:\programdata\ArcSoft
2009-12-24 18:45 . 2009-12-24 18:45 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-12-24 04:32 . 2009-12-24 04:37 -------- d-----w- c:\program files\Google
2009-12-24 04:32 . 2009-12-24 04:37 -------- d-----w- c:\users\gary\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 01:47 . 2010-01-23 01:47 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-21 13:00 . 2009-07-21 18:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 19:00 . 2009-07-12 18:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-14 16:27 . 2009-07-12 18:36 -------- d-----w- c:\program files\WinRAR 3.61 Multi
2010-01-14 16:12 . 2009-10-03 13:46 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 05:37 . 2009-11-09 16:51 -------- d-----w- c:\programdata\avg9
2010-01-14 01:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-13 21:03 . 2010-01-13 21:03 12 ----a-w- c:\users\gary\AppData\Roaming\mvhgkr.dat
2009-12-31 20:26 . 2009-12-23 03:56 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-29 22:38 . 2009-12-17 12:03 -------- d-----w- c:\users\gary\AppData\Roaming\ArcSoft
2009-12-23 19:13 . 2009-12-23 19:13 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-12-23 19:13 . 2009-12-23 19:13 438928 ----a-r- c:\windows\system32\SZBase5.dll
2009-12-23 19:04 . 2009-12-23 19:04 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-12-17 13:49 . 2009-12-11 15:47 -------- d-----w- c:\program files\Any Video Converter
2009-12-17 13:49 . 2009-12-17 13:49 -------- d-----w- c:\users\gary\AppData\Roaming\AnvSoft
2009-12-17 11:56 . 2009-12-17 11:55 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-12-17 11:55 . 2009-12-17 11:55 -------- d-----w- c:\program files\ArcSoft
2009-12-17 11:45 . 2009-12-17 11:45 -------- d-----w- c:\program files\Common Files\AIPTEK HD-DV
2009-12-16 17:27 . 2009-12-11 15:37 -------- d-----w- c:\users\gary\AppData\Roaming\Any Video Converter
2009-12-14 15:24 . 2009-12-14 15:24 163600 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-14 14:03 . 2009-12-14 13:43 -------- d-----w- c:\users\gary\AppData\Roaming\Coby Media Manager
2009-12-14 13:43 . 2009-12-14 13:43 50098 ----a-r- c:\users\gary\AppData\Roaming\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\controlPanelIcon.exe
2009-12-14 13:43 . 2009-12-14 13:43 10134 ----a-r- c:\users\gary\AppData\Roaming\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\SystemFolder_msiexec.exe
2009-12-14 13:41 . 2009-12-14 13:41 -------- d-----w- c:\users\gary\AppData\Roaming\Coby
2009-12-11 17:04 . 2009-07-13 16:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-11 15:36 . 2009-12-11 15:14 -------- d-----w- c:\program files\AVS4YOU
2009-12-11 15:35 . 2009-12-11 15:15 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-11 15:16 . 2009-12-11 15:16 -------- d-----w- c:\users\gary\AppData\Roaming\AVS4YOU
2009-12-11 15:16 . 2009-12-11 15:16 -------- d-----w- c:\programdata\AVS4YOU
2009-12-11 14:26 . 2009-10-06 14:49 -------- d-----w- c:\program files\Opera
2009-12-10 21:11 . 2009-12-10 21:11 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 21:11 . 2009-12-10 21:11 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 21:09 . 2009-12-10 21:09 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 21:09 . 2009-12-10 21:09 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 21:08 . 2009-12-10 21:08 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 21:06 . 2009-12-10 21:06 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 21:06 . 2009-12-10 21:06 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 21:05 . 2009-12-10 21:05 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 21:02 . 2009-12-10 21:02 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-07 21:59 . 2009-12-07 21:59 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-12-07 21:59 . 2009-12-07 21:59 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2009-12-06 17:40 . 2009-07-14 00:37 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-30 14:48 . 2009-11-30 14:48 -------- d-----w- c:\users\gary\AppData\Roaming\InstallShield
2009-11-30 14:48 . 2009-11-30 14:48 -------- d-----w- c:\programdata\EPSON
2009-11-30 14:43 . 2009-11-30 14:42 -------- d-----w- c:\program files\epson
2009-11-30 03:21 . 2009-09-29 02:22 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-28 01:33 . 2009-11-28 01:33 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-25 03:29 . 2009-11-25 03:29 -------- d-----w- c:\users\gary\AppData\Roaming\iWinArcade
2009-11-25 03:29 . 2009-11-25 03:29 76800 ----a-w- c:\programdata\iWin Games\DesktopAlerts\WebUpdater.exe
2009-11-25 03:29 . 2009-11-25 03:29 108544 ----a-w- c:\programdata\iWin Games\DesktopAlerts\DesktopAlerts.exe
2009-11-25 03:29 . 2009-10-29 03:07 -------- d-----w- c:\programdata\iWin Games
2009-11-23 02:47 . 2009-09-29 02:21 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-21 06:40 . 2009-12-10 02:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 02:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 02:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 02:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 01:18 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-13 22:40 . 2009-07-13 02:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 16:51 . 2009-07-13 02:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 16:51 . 2009-07-13 02:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 16:51 . 2009-07-13 02:14 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 21:43 . 2009-12-10 02:32 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-03 21:42 . 2009-12-10 02:32 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 19:41 . 2009-12-10 02:32 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:17 . 2009-11-28 01:05 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 14:43 . 2009-10-27 14:43 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-27 14:43 . 2009-10-27 14:43 114688 ----a-w- c:\windows\system32\OpenAL32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 17:04 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-04-04 17:52 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-04-04 17:52 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-27 6295552]
"Skytel"="Skytel.exe" [2008-06-25 1826816]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

c:\users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-04-04 17:41 96008 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^gary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2008-06-12 02:16 1454080 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a9,3f,48,d8,9e,04,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/12/2009 9:21 PM 64160]
R0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [1/15/2010 9:35 AM 30280]
R0 szkg5;szkg5;c:\windows\System32\drivers\SZKG.sys [12/7/2009 4:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\System32\drivers\SZKGFS.sys [12/14/2009 10:24 AM 163600]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [7/12/2009 9:14 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [7/12/2009 9:14 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/9/2009 11:51 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/9/2009 11:51 AM 285392]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [1/15/2010 9:35 AM 6224896]
R2 FsUsbExService;FsUsbExService;c:\windows\System32\FsUsbExService.Exe [7/31/2009 9:00 AM 233472]
R2 pxrts;pxrts;c:\windows\System32\drivers\pxrts.sys [1/15/2010 9:35 AM 47664]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\System32\drivers\e1y6032.sys [7/12/2009 1:48 PM 225920]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [7/31/2009 9:00 AM 36608]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [7/12/2009 1:51 PM 3658752]
R3 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [1/14/2008 9:34 PM 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [1/8/2008 4:40 AM 43480]
R3 pxkbf;pxkbf;c:\windows\System32\drivers\pxkbf.sys [1/15/2010 9:35 AM 24496]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S0 is3srv;is3srv;c:\windows\System32\drivers\is3srv.sys [12/7/2009 4:59 PM 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 11:33 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [7/11/2009 9:28 PM 1153368]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 9:33 PM 21504]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\System32\drivers\hcw72ADFilter.sys [7/29/2009 12:56 PM 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\System32\drivers\hcw72ATV.sys [7/29/2009 12:56 PM 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\System32\drivers\hcw72DTV.sys [7/29/2009 12:56 PM 1200768]
S3 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 12:04 PM 53032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 18:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 02:21]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 04:32]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 04:32]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{53A19837-9B74-4DF0-ADFF-4F4953D147C7}.job
- c:\windows\system32\msfeedssync.exe [2009-12-10 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.buffalo.com/scripts/common/index.main?signin=1&lang=us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
AddRemove-Samsung Mobile phone USB driver - c:\windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
AddRemove-SAMSUNG Mobile USB Modem - c:\windows\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
AddRemove-SAMSUNG Mobile USB Modem 1.0 - c:\windows\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 21:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll
.
Completion time: 2010-01-22 21:42:36
ComboFix-quarantined-files.txt 2010-01-23 02:42

Pre-Run: 175,954,767,872 bytes free
Post-Run: 176,414,978,048 bytes free

- - End Of File - - 7B54959BDDDEDF28E7C5A18463227D26


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:28 AM

Posted 22 January 2010 - 10:09 PM

This looks good. Combofix does reset some settings to default, that's quite normal.

I would like you to run an online scanner to mop up anything else.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

m0le is a proud member of UNITE

#9 malo

malo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 23 January 2010 - 12:04 PM

Stopzilla started up and a popup said I have 34 infections, with 7 catchme trojans listed at hklm\system\currentcontrolset\services\catchme\enum
along with all the old infections ???

Windows Defender is still not being enabled at startup.


ESET scan came back with
C:\Users\gary\Documents\xp\My Documents\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AB application


I did not know if you wanted me to check "remove infections", so I just scanned. I can go back and do it again to remove.
This file is from the other computer, saved (My Documents) to this HD to transfer back to the other computer after the Windows reinstall. Right now
I have this file on my external HD also.
Thank you,
malo

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:28 AM

Posted 23 January 2010 - 12:44 PM

Uninstall StopZilla. You don't have 41 infections. Is that a trial version you are using by any chance?

The ESET scan found the trojan so please rerun and remove that this time.

The file should be removed from anywhere else you may have it. You should be able to run ESET scans on other PCs/laptops. Delete it from the hard drive and if you encounter problems then use this program.

Download and install Unlocker

Navigate to the file you need to remove

SetupGamevance.exe

Then right click and select Unlocker. If this deletes it then you are done. If it is locked then a list will appear. Just click Unlock All.


When you've done this then we can run the final instructions and finish up.

Edited by m0le, 23 January 2010 - 12:45 PM.

m0le is a proud member of UNITE

#11 malo

malo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 23 January 2010 - 03:30 PM

STOPzilla is a trial version. Deleted.

Ran the scan and deleted the quarantined file on both drives.

C:\Users\gary\Documents\xp\My Documents\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AB application cleaned by deleting - quarantined
F:\xp\My Documents\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AB application cleaned by deleting - quarantined
malo

Edited by malo, 23 January 2010 - 03:31 PM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:28 AM

Posted 23 January 2010 - 04:20 PM

You don't need Stopzilla. In fact you would be fine with just one antispyware program. Check the last part of this post.

Good job deleting the file, if any problems occur on the other systems then let me know. For now though...


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it malo, happy surfing!

Cheers.

m0le


m0le is a proud member of UNITE

#13 malo

malo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 23 January 2010 - 04:41 PM

Thank you m0le
malo

#14 malo

malo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 25 January 2010 - 10:09 AM

From the AVG site:

Quote:
Please note that Windows Defender is only disabled and not removed from the computer.
This is important to prevent conflicts between AVG and Windows Defender. As they are both security applications, they will try to check files you are working with. Since they will do that at the same time, conflicts may arise. These can cause freezing, crashes or slowdown of the computer. It is generally not recommended to use more than one security product on one computer.


The AVG update must have disabled Defender.
malo

Edited by malo, 25 January 2010 - 10:49 AM.

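The AVG note quoted above explains why one real-time scanner disables another. As an added example (not from this thread, from AVG or from any of the tools used here), the following PowerShell snippet shows how a user could confirm on their own machine which security products Windows Security Center knows about, whether the Windows Defender service has been set to Disabled, and what starts from the HKLM Run key that ComboFix listed earlier in the thread. It assumes Windows Vista or later (the root\SecurityCenter2 WMI namespace) and PowerShell 2.0 or newer; the reading of the productState bit field (bit 0x1000 meaning real-time protection is on) is a widely used but undocumented interpretation and is an assumption.

```powershell
# Added example (not from the thread): show which security products are
# registered with Windows Security Center, the state of the Windows Defender
# service, and the HKLM Run entries, so a user can see for themselves that
# one product has disabled another rather than relying on a scanner's popup.
# Assumes Windows Vista or later and PowerShell 2.0+.

# 1. Products registered with Security Center. productState is a bit field;
#    bit 0x1000 being set is the commonly used (undocumented) indicator that
#    real-time protection is enabled. Treat that reading as an assumption.
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $state   = [int]$p.productState
        $enabled = (($state -band 0x1000) -ne 0)
        '{0,-18} {1,-35} real-time protection enabled: {2}' -f $class, $p.displayName, $enabled
    }
}

# 2. Windows Defender service: current state and start mode. A StartMode of
#    "Disabled" matches what the AVG note describes (disabled, not removed).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
if ($svc) {
    'WinDefend service: state={0} startmode={1}' -f $svc.State, $svc.StartMode
} else {
    'WinDefend service not present on this system'
}

# 3. Programs launched at logon from the machine-wide Run key (the same key
#    ComboFix lists), so a second real-time scanner still starting at logon
#    is easy to spot. PS* properties are PowerShell bookkeeping, not values.
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Run it from a normal PowerShell prompt; no administrator rights are needed for these read-only queries. If the first section lists two products both reporting real-time protection enabled, that is the overlapping-scanner situation the AVG note warns about.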

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:28 AM

Posted 30 January 2010 - 02:39 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



