Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unwelcome popups & redirects


  • This topic is locked This topic is locked
19 replies to this topic

#1 Jenny Gray

Jenny Gray

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 24 February 2010 - 02:36 AM

A Google search led me to a nasty website the other day and ever since then, I've been getting popups. Not ads. But fully-maximized browser windows open which then redirect me to different websites. If I'm working in IE at the time, then a new IE window opens up. If I'm working in Firefox, then a Firefox window opens.

Also, when I click on a link in a Google search, I'm sometimes redirected somewhere I don't want to go (i.e. not the site I clicked on).

I've run multiple antivirus and spyware tests, but I still have the problem.

Posted below is a DDS log. Also see attached. (I've tried to run GMER a few times, but it keeps crashing my system so I'm unable to provide you with that report.)

I'd really appreciate any help you can give me. I'm going crazy here! wacko.gif


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dell User at 18:13:18.39 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2284 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grease_Monkey\gm4ie.exe
C:\Documents and Settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell User\Desktop\Popup malware problem\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\program files\nusphere\phped\NuSphereIEBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GM4IE] c:\program files\grease_monkey\gm4ie.exe
uRun: [PureText] "c:\documents and settings\dell user\desktop\my stuff\software 2008.12.08\other software\puretext\puretext20_x86\PureText.exe"
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Nuance.ctfmngr] c:\program files\nuance\naturallyspeaking10\program\ctfmngr.exe /restore
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\dellus~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\dellus~1\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking10\program\natspeak.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\edimax\common\RaUI.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: dreamhost.com
Trusted Zone: dreamhost.com\panel
Trusted Zone: google.com
Trusted Zone: msacp.com
Trusted Zone: msacp.com\re
Trusted Zone: mturk.com\www
Trusted Zone: newdream.net
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dellus~1\applic~1\mozilla\firefox\profiles\1200hmg3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\dell user\application data\mozilla\firefox\profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\dell user\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\dell user\application data\mozilla\firefox\profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-25 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-25 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-8 353680]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-10-10 24640]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-25 297752]
R2 ToolTipFixer;ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2008-10-14 61952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 aeaudio2;AE USB Audio Driver2 (WDM);c:\windows\system32\drivers\AEAudio2.sys [2009-9-14 113664]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [2009-9-14 15104]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-02-23 20:47:42 0 d-----w- c:\docume~1\dellus~1\applic~1\QuickScan
2010-02-22 04:31:22 0 d-----w- c:\program files\TrendMicro
2010-02-05 19:50:47 0 d-----w- c:\program files\FlashMute

==================== Find3M ====================

2010-02-10 00:27:10 19416 ----a-w- c:\windows\fonts\cairo.ttf
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 18:14:40.67 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 25 February 2010 - 05:46 PM

Hello, Jenny Gray.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 26 February 2010 - 10:02 AM

Hi aommaster, I really appreciate the help. Here are the the contents of the three files you requested. I've pasted them below AND attached them, in case that's easier for you.

RSIT - log.txt


Logfile of random's system information tool 1.06 (written by random/random)
Run by Dell User at 2010-02-25 19:56:46
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 21 GB (14%) free of 153 GB
Total RAM: 3070 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:02 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Documents and Settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe
C:\Program Files\Grease_Monkey\gm4ie.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\xampp\apache\bin\httpd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\xampp\xampp-control.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell User\Desktop\Popup malware problem\RSIT.exe
C:\Program Files\trend micro\Dell User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: NuSphere ToolBar - {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files\NuSphere\PhpED\NuSphereIEBar.dll
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Nuance.ctfmngr] C:\Program Files\Nuance\NaturallySpeaking10\Program\ctfmngr.exe /restore
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [PureText] "C:\Documents and Settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe"
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\Grease_Monkey\gm4ie.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://panel.dreamhost.com
O15 - Trusted Zone: *.dreamhost.com
O15 - Trusted Zone: *.newdream.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: ToolTipFixer - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8777 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - NuSphere ToolBar - C:\Program Files\NuSphere\PhpED\NuSphereIEBar.dll [2008-12-03 512632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"=C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe -r C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini []
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-11-13 981904]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot []
"Nuance.ctfmngr"=C:\Program Files\Nuance\NaturallySpeaking10\Program\ctfmngr.exe [2008-07-27 46440]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start []
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup []
"IAAnotif"=C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe [2004-06-29 135168]
"DU Meter"=C:\Program Files\DU Meter\DUMeter.exe [2003-06-22 1297920]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-12-13 2043160]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PureText"=C:\Documents and Settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe [2003-08-21 28672]
"GM4IE"=C:\Program Files\Grease_Monkey\gm4ie.exe [2006-07-23 61440]
"FlashMute"=C:\Program Files\FlashMute\FlashMute.exe [2006-03-11 221184]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
Wireless Utility.lnk - C:\Program Files\EDIMAX\Common\RaUI.exe

C:\Documents and Settings\Dell User\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Dragon NaturallySpeaking.lnk - C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\NuSphere\PhpED\Srv.exe"="C:\Program Files\NuSphere\PhpED\Srv.exe:*:Enabled:NuSphere PhpED SRV web server"
"C:\Program Files\NuSphere\PhpED\debugger\DbgListener.exe"="C:\Program Files\NuSphere\PhpED\debugger\DbgListener.exe:*:Enabled:NuSphere PhpED Dbg Listener"
"C:\Program Files\NuSphere\PhpED\phped.exe"="C:\Program Files\NuSphere\PhpED\phped.exe:*:Enabled:NuSphere PhpED Embedded browser"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-02-25 19:56:46 ----D---- C:\rsit
2010-02-25 19:56:46 ----D---- C:\Program Files\trend micro
2010-02-24 16:59:25 ----SHD---- C:\RECYCLER
2010-02-24 14:15:18 ----D---- C:\Program Files\ESET
2010-02-24 14:00:30 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-24 08:48:32 ----D---- C:\Program Files\Panda Security
2010-02-24 08:08:42 ----A---- C:\WINDOWS\zip.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\SWSC.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\SWREG.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\sed.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\PEV.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\NIRCMD.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\MBR.exe
2010-02-24 08:08:42 ----A---- C:\WINDOWS\grep.exe
2010-02-24 08:08:26 ----D---- C:\WINDOWS\ERDNT
2010-02-24 08:06:37 ----D---- C:\Qoobox
2010-02-24 07:52:14 ----D---- C:\Documents and Settings\Dell User\Application Data\Malwarebytes
2010-02-24 07:52:07 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-24 07:52:07 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-23 17:19:29 ----A---- C:\WINDOWS\system32\javaws.exe
2010-02-23 17:19:29 ----A---- C:\WINDOWS\system32\javaw.exe
2010-02-23 17:19:29 ----A---- C:\WINDOWS\system32\java.exe
2010-02-23 17:16:50 ----D---- C:\Config.Msi
2010-02-23 15:47:42 ----D---- C:\Documents and Settings\Dell User\Application Data\QuickScan
2010-02-23 13:01:28 ----D---- C:\Program Files\Windows Live Safety Center
2010-02-21 23:31:22 ----D---- C:\Program Files\TrendMicro
2010-02-10 14:29:23 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-10 14:29:17 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-10 14:26:21 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-10 14:26:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-10 14:26:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-10 14:26:03 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-10 14:25:49 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 14:25:40 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 14:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-05 14:50:47 ----D---- C:\Program Files\FlashMute

======List of files/folders modified in the last 1 months======

2010-02-25 19:57:02 ----D---- C:\WINDOWS\Prefetch
2010-02-25 19:56:46 ----RD---- C:\Program Files
2010-02-25 18:45:09 ----D---- C:\WINDOWS\Temp
2010-02-25 15:58:43 ----D---- C:\Program Files\Mozilla Firefox
2010-02-25 14:13:42 ----D---- C:\WINDOWS\Internet Logs
2010-02-24 19:35:19 ----D---- C:\WINDOWS\system32\drivers
2010-02-24 14:15:21 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-02-24 14:15:21 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-24 14:10:28 ----D---- C:\WINDOWS
2010-02-24 14:10:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-02-24 14:09:36 ----D---- C:\WINDOWS\system32
2010-02-24 14:08:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-24 14:00:49 ----HD---- C:\WINDOWS\inf
2010-02-24 14:00:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-24 14:00:46 ----D---- C:\WINDOWS\ie8updates
2010-02-24 14:00:39 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-24 14:00:35 ----A---- C:\WINDOWS\imsins.BAK
2010-02-24 08:37:25 ----SH---- C:\boot.ini
2010-02-24 08:37:25 ----A---- C:\WINDOWS\win.ini
2010-02-24 08:37:25 ----A---- C:\WINDOWS\system.ini
2010-02-24 08:37:24 ----D---- C:\WINDOWS\pss
2010-02-24 08:29:43 ----SD---- C:\WINDOWS\Tasks
2010-02-24 08:23:12 ----D---- C:\WINDOWS\AppPatch
2010-02-24 08:23:11 ----D---- C:\Program Files\Common Files
2010-02-24 08:13:37 ----SHD---- C:\System Volume Information
2010-02-24 08:13:37 ----D---- C:\WINDOWS\system32\Restore
2010-02-23 17:28:35 ----D---- C:\WINDOWS\SxsCaPendDel
2010-02-23 17:22:35 ----RSD---- C:\WINDOWS\Fonts
2010-02-23 17:21:41 ----SHD---- C:\WINDOWS\Installer
2010-02-23 17:19:47 ----D---- C:\Documents and Settings\Dell User\Application Data\Move Networks
2010-02-23 17:19:14 ----D---- C:\Program Files\Java
2010-02-23 17:18:26 ----D---- C:\WINDOWS\WinSxS
2010-02-23 17:17:55 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-23 15:37:02 ----D---- C:\WINDOWS\BDOSCAN8
2010-02-23 14:21:15 ----D---- C:\$AVG8.VAULT$
2010-02-22 13:28:02 ----A---- C:\WINDOWS\winamp.ini
2010-02-21 23:07:13 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-21 23:04:53 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 18:22:32 ----A---- C:\WINDOWS\NeroDigital.ini
2010-02-01 14:26:20 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 ISODrive;ISO DVD/CD-ROM Device Driver; \??\C:\Program Files\UltraISO\drivers\ISODrive.sys []
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-11-13 353680]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-03-05 21361]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 aeaudio2;AE USB Audio Driver2 (WDM); C:\WINDOWS\system32\drivers\aeaudio2.sys [2009-03-25 113664]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM); C:\WINDOWS\system32\drivers\aeaudiol.sys [2009-03-25 15104]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-04-29 186112]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-03-05 1233525]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2004-03-05 647929]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-03-05 60949]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-03-05 37048]
R3 RT61;Ralink RT61 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT61.sys [2008-03-05 491648]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-09 612352]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 catchme;catchme; \??\C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\catchme.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apache2.2;Apache2.2; C:\xampp\apache\bin\httpd.exe [2009-08-05 24640]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 IAANTMon;IAA Event Monitor; C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe [2004-06-29 73852]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-08-28 61440]
R2 ToolTipFixer;ToolTipFixer; C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [2008-10-14 61952]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-11-13 2405776]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-08-25 516096]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-12-08 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-04-16 91184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


------------------------------------------------------------------

RSIT - info.txt


info.txt logfile of random's system information tool 1.06 2010-02-25 19:57:03

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Andrea Electronics USB Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96793F18-9880-4E50-A89B-D42A591CD8D3}\SETUP.EXE" -Remove
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoHotkey 1.0.48.05-->C:\Program Files\AutoHotkey\uninst.exe
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Broadcom Gigabit Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Canon MF4100 Series-->"C:\WINDOWS\system32\CanonMF Uninstaller Information\{239A8D60-270B-42e8-82D3-60D70A2942E0}\misc\DelDrv.exe" /U:{239A8D60-270B-42e8-82D3-60D70A2942E0} /L0x0000
Creative DVD Audio Plugin for Audigy Series-->"C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
CSE HTML Validator Lite v6.52-->"C:\Program Files\NuSphere\PhpED\CSE Validator Lite 65\unins000.exe"
CuteFTP 8 Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Dragon NaturallySpeaking 10-->MsiExec.exe /I{E7712E53-7A7F-46EB-AA13-70D5987D30F2}
DU Meter-->"C:\Program Files\DU Meter\unins000.exe"
Edimax Wireless LAN-->C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe -runfromtemp -l0x0009 -removeonly
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
freeSSHd 1.0.9-->"C:\Program Files\freeSSHd\unins000.exe"
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HashCalc 2.02-->"C:\Program Files\HashCalc\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Intel Application Accelerator-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\Setup.exe" -l0409 -INTELUNINST
Intel® 537EP V9x DF PCI Modem-->rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
InterVideo WinDVD 7-->"C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
IsoBuster 1.5-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Jetcast 3.0.2-->C:\Program Files\Jetcast\uninst.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MemoryLifter-->MsiExec.exe /X{2E821791-CFA8-455E-91C5-8D251C082C03}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{20110409-6000-11D3-8CFE-0150048383C9}
Mozilla Embedded Browser version 2.0-->"C:\Program Files\NuSphere\Mozilla Browser\unins000.exe"
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NuSphere PhpED version 5.6-->"C:\Program Files\NuSphere\PhpED\unins000.exe"
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PerformanceTest v7.0-->"C:\Program Files\PerformanceTest\unins000.exe"
Php Documentor version 1.4.2 for NuSphere PhpED-->"C:\Program Files\NuSphere\PhpED\phpDocumentor\unins000.exe"
php-5.2.6 for NuSphere PhpED-->"C:\Program Files\NuSphere\PhpED\php5\unins000.exe"
Polystyle 2.0zo (trial) for NuSphere PhpED-->"C:\Program Files\NuSphere\PhpED\polystyle\unins000.exe"
QuickTime Alternative 2.7.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
SeaTools for Windows-->MsiExec.exe /I{98613C99-1399-416C-A07C-1EE1C585D872}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
SnagIt 7-->C:\Program Files\TechSmith\SnagIt 7\SIUNINST.EXE
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
ToolTipFixer 2.0-->C:\Program Files\NeoSmart Technologies\ToolTipFixer\uninstall.exe
UltraISO Premium V9.33-->"C:\Program Files\UltraISO\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
Visual C++ Runtime for Dragon NaturallySpeaking-->MsiExec.exe /I{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD 1.1 final uninstall-->"C:\Program Files\XviD\unins000.exe"
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

AV: AVG Anti-Virus Free
FW: ZoneAlarm Firewall

======System event log======

Computer Name: DELL-56D11FB247
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 15561
Source Name: Service Control Manager
Time Written: 20100223135049.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 15558
Source Name: Service Control Manager
Time Written: 20100223135049.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 15555
Source Name: Service Control Manager
Time Written: 20100223135048.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 15552
Source Name: Service Control Manager
Time Written: 20100223135048.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 15549
Source Name: Service Control Manager
Time Written: 20100223135048.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: DELL-56D11FB247
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16762, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 343
Source Name: Application Hang
Time Written: 20090201034546.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 1002
Message: Hanging application winamp.exe, version 5.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 342
Source Name: Application Hang
Time Written: 20090131234052.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16762, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 341
Source Name: Application Hang
Time Written: 20090131005557.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 1000
Message: Faulting application acrobat.exe, version 7.0.0.1333, faulting module acrobat.dll, version 7.0.0.1333, fault address 0x0013e7d1.

Record Number: 335
Source Name: Application Error
Time Written: 20090129070639.000000-300
Event Type: error
User:

Computer Name: DELL-56D11FB247
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16762, faulting module mshtml.dll, version 7.0.6000.16788, fault address 0x000b1796.

Record Number: 333
Source Name: Application Error
Time Written: 20090129061446.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8

-----------------EOF-----------------


----------------------------------------------------------------------

GMER - gmer.txt


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-26 08:28:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\kgpyrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA6A338D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA6A306E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA6A3D490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA6A33E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA6A33F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA6A30C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA6A3DD10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA6A3DAC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA6A3E230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA6A3E2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA6A30AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA6A3E970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA6A3E3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA6A334F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA6A3E7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA6A30EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA6A3D800]

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  log.txt   24.13KB   14 downloads
  • Attached File  info.txt   22.38KB   13 downloads
  • Attached File  gmer.txt   2.48KB   14 downloads


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 26 February 2010 - 01:26 PM

Hi!

You can just copy and paste the logs into your reply. No need to attach them (unless I ask otherwise) smile.gif

It appears that you've run Combofix. Please post up the contents of C:\combofix.txt

Also, are you still having the redirects and popups?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 26 February 2010 - 04:32 PM

Yes, I ran combofix. You caught me. whistling.gif

I also ran about 4 different virus programs, including Panda, which report nothing.

The popups continue. One thing I notice about them is that they know what websites I've visited. They'll say things like "Hello Gmail User," or they'll relate to a Google search I just did. Also, they only appear when I'm online. They either look for an active internet connection, or an open browser window. I'm not sure which.

Haven't had a redirect in a while.



ComboFix 10-02-23.04 - Dell User 02/24/2010 8:17.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2675 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\Popup malware problem\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\documents and settings\Dell User\Application Data\Malwarebytes
2010-02-24 12:52 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-24 12:52 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 22:18 . 2010-02-23 22:18 152576 ----a-w- c:\documents and settings\Dell User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-23 22:17 . 2010-02-23 22:18 79488 ----a-w- c:\documents and settings\Dell User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-23 20:47 . 2010-02-23 20:50 -------- d-----w- c:\documents and settings\Dell User\Application Data\QuickScan
2010-02-23 20:47 . 2010-02-23 09:32 632544 ----a-w- c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-23 20:47 . 2010-02-23 09:32 795320 ----a-w- c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-23 18:01 . 2010-02-23 18:03 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-22 04:31 . 2010-02-22 04:31 388096 ----a-r- c:\documents and settings\Dell User\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-22 04:31 . 2010-02-22 04:31 -------- d-----w- c:\program files\TrendMicro
2010-02-05 19:50 . 2010-02-05 19:50 -------- d-----w- c:\program files\FlashMute
2010-01-30 14:57 . 2010-01-30 14:57 -------- d-----w- c:\documents and settings\Default User\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 13:02 . 2009-08-27 20:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-24 00:30 . 2008-12-07 23:44 44464 ----a-w- c:\documents and settings\Dell User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 22:19 . 2009-09-26 18:43 -------- d-----w- c:\documents and settings\Dell User\Application Data\Move Networks
2010-02-23 22:19 . 2008-12-09 01:33 -------- d-----w- c:\program files\Java
2010-02-22 04:07 . 2008-12-09 01:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-22 04:04 . 2008-12-09 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 18:46 . 2010-02-10 18:47 2621440 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-12-05 20:52 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-12 14:02 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-12 14:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-12 14:03 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2008-09-10 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 15:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Utility.lnk
backup=c:\windows\pss\Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dell User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dell User\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dell User^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\Dell User\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-13 15:35 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
2003-06-22 21:38 1297920 ----a-w- c:\program files\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashMute]
2006-03-11 19:49 221184 ----a-w- c:\program files\FlashMute\flashmute.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GM4IE]
2006-07-23 08:32 61440 ----a-w- c:\program files\Grease_Monkey\gm4ie.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-06-29 16:23 135168 ----a-w- c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-09-10 00:23 0 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-09-10 00:24 0 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance.ctfmngr]
2008-07-28 00:21 46440 ----a-w- c:\program files\Nuance\NaturallySpeaking10\Program\ctfmngr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PureText]
2003-08-21 06:00 28672 ----a-w- c:\documents and settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2008-09-10 00:27 0 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2008-11-13 20:18 981904 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"vsmon"=2 (0x2)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"ToolTipFixer"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"spkrmon"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IAANTMon"=2 (0x2)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"gupdate"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"avg8wd"=2 (0x2)
"AudioSrv"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apache2.2"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\phped.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2009 12:33 PM 335240]
R3 aeaudio2;AE USB Audio Driver2 (WDM);c:\windows\system32\drivers\AEAudio2.sys [9/14/2009 3:26 PM 113664]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [9/14/2009 3:26 PM 15104]
S4 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/10/2009 4:51 PM 24640]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/25/2009 12:32 PM 297752]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 ToolTipFixer;ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10/14/2008 12:33 PM 61952]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: dreamhost.com
Trusted Zone: dreamhost.com\panel
Trusted Zone: google.com
Trusted Zone: msacp.com
Trusted Zone: msacp.com\re
Trusted Zone: mturk.com\www
Trusted Zone: newdream.net
FF - ProfilePath - c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 08:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A123A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
\Driver\iaStor -> iaStor.sys @ 0xf745daa8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-24 08:30:40
ComboFix-quarantined-files.txt 2010-02-24 13:30

Pre-Run: 22,577,262,592 bytes free
Post-Run: 22,684,520,448 bytes free

- - End Of File - - 8686CF9E15610C33878DDAC2FF785601


#6 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 26 February 2010 - 06:21 PM

I just noticed that the popups occur hourly, like clockwork. Not sure if this helps you, but I thought I'd mention it.

#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 26 February 2010 - 06:52 PM

Hello, Jenny Gray.
I'll have you run a few tools, you got some interesting logs there tongue.gif

We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


NEXT:

We need to run an MBR scan
  1. Please download MBR.exe and save it to your root directory (usually C:\).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -t
  3. Press enter.
  4. An mbr.log should be created in your root directory. Please post its contents in your next reply.

NEXT:

We need to install the Recovery Console

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  1. Go to Microsoft's website
  2. Select the download that's appropriate for your Operating System
  3. Download the file & save it as it's originally named
  4. Drag the setup package onto ComboFix.exe and drop it.
  5. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  6. At the next promt, click No. We don't want to run a Combofix scan just yet

In your next reply, please include the following:
  • defogger_disable log (if applicable)
  • mbr.exe log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 26 February 2010 - 07:57 PM

Uh oh. Interesting in what way? dry.gif

Here's the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A11FA9A]<<
kernel: MBR read successfully
user & kernel MBR OK


#9 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 26 February 2010 - 08:11 PM

I installed the Microsoft Recovery Console, but I wasn't able to do it by dropping a setup file over combo.exe. (I couldn't find a setup file on the link you provided.) Instead, I used my original Windows XP CD. Hope this isn't a problem.

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 27 February 2010 - 01:14 AM

Hi!
QUOTE
Uh oh. Interesting in what way?

Not really a bad way. I think this seems to be a new variant of a rootkit.

Let's clean this up smile.gif

We need to download a fresh copy of Combofix
  1. Please download a fresh copy of ComboFix from one of these locations:
    Link 1
    Link 2

Now, please try running combofix. Post up the log in your next reply.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 27 February 2010 - 02:04 AM

Ooh... okay. I ran the new combofix and here's what I got:


ComboFix 10-02-26.02 - Dell User 02/27/2010 1:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2558 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\Popup malware problem\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 00:46 . 2010-02-27 00:46 77312 ----a-w- C:\mbr.exe
2010-02-26 00:56 . 2010-02-26 00:57 -------- d-----w- C:\rsit
2010-02-26 00:56 . 2010-02-26 00:57 -------- d-----w- c:\program files\trend micro
2010-02-24 19:15 . 2010-02-24 19:15 -------- d-----w- c:\program files\ESET
2010-02-24 13:48 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-24 13:48 . 2010-02-24 13:48 -------- d-----w- c:\program files\Panda Security
2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\documents and settings\Dell User\Application Data\Malwarebytes
2010-02-24 12:52 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 12:52 . 2010-02-24 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-24 12:52 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 22:18 . 2010-02-23 22:18 152576 ----a-w- c:\documents and settings\Dell User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-23 22:17 . 2010-02-23 22:18 79488 ----a-w- c:\documents and settings\Dell User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-23 20:47 . 2010-02-23 20:50 -------- d-----w- c:\documents and settings\Dell User\Application Data\QuickScan
2010-02-23 20:47 . 2010-02-23 09:32 632544 ----a-w- c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-23 20:47 . 2010-02-23 09:32 795320 ----a-w- c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-23 18:01 . 2010-02-23 18:03 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-22 04:31 . 2010-02-22 04:31 388096 ----a-r- c:\documents and settings\Dell User\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-22 04:31 . 2010-02-22 04:31 -------- d-----w- c:\program files\TrendMicro
2010-02-05 19:50 . 2010-02-05 19:50 -------- d-----w- c:\program files\FlashMute
2010-01-30 14:57 . 2010-01-30 14:57 -------- d-----w- c:\documents and settings\Default User\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 06:56 . 2009-08-27 20:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-24 00:30 . 2008-12-07 23:44 44464 ----a-w- c:\documents and settings\Dell User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 22:19 . 2009-09-26 18:43 -------- d-----w- c:\documents and settings\Dell User\Application Data\Move Networks
2010-02-23 22:19 . 2008-12-09 01:33 -------- d-----w- c:\program files\Java
2010-02-22 04:07 . 2008-12-09 01:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-22 04:04 . 2008-12-09 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 18:46 . 2010-02-10 18:47 2621440 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-12-05 20:52 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-12 14:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-12 14:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-24_13.27.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-27 06:43 . 2010-02-27 06:43 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2008-04-14 00:12 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2008-04-14 00:12 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2001-07-14 22:32 . 2001-07-14 22:32 69632 c:\windows\setupupd\temp\wsdueng.dll
+ 2004-08-12 13:58 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2004-08-12 13:58 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2007-08-13 23:38 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2007-08-13 23:38 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 19:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 19:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 19:00 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2009-08-04 19:06 . 2009-08-04 19:06 132352 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PureText"="c:\documents and settings\Dell User\Desktop\My Stuff\Software 2008.12.08\Other Software\PureText\puretext20_x86\PureText.exe" [2003-08-21 28672]
"GM4IE"="c:\program files\Grease_Monkey\gm4ie.exe" [2006-07-23 61440]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2008-09-10 0]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-09-10 0]
"Nuance.ctfmngr"="c:\program files\Nuance\NaturallySpeaking10\Program\ctfmngr.exe" [2008-07-28 46440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-09-10 0]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-09-10 0]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2003-06-22 1297920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

c:\documents and settings\Dell User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-12-8 25214]
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-3-5 716800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 15:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
"c:\\Program Files\\NuSphere\\PhpED\\phped.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/24/2010 8:48 AM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2009 12:33 PM 335240]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/10/2009 4:51 PM 24640]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/25/2009 12:32 PM 297752]
R2 ToolTipFixer;ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10/14/2008 12:33 PM 61952]
R3 aeaudio2;AE USB Audio Driver2 (WDM);c:\windows\system32\drivers\AEAudio2.sys [9/14/2009 3:26 PM 113664]
R3 aeaudiol;AE USB Audio Driver-Lower (WDM);c:\windows\system32\drivers\AEAudioL.sys [9/14/2009 3:26 PM 15104]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: dreamhost.com
Trusted Zone: dreamhost.com\panel
Trusted Zone: google.com
Trusted Zone: msacp.com
Trusted Zone: msacp.com\re
Trusted Zone: mturk.com\www
Trusted Zone: newdream.net
FF - ProfilePath - c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1200hmg3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 01:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(584)
c:\windows\system32\WININET.dll
c:\program files\FlashMute\mutelib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2010-02-27 02:00:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 07:00

Pre-Run: 22,112,878,592 bytes free
Post-Run: 22,247,284,736 bytes free

- - End Of File - - 028A547F652081C9FF4B823449A59F83


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 27 February 2010 - 02:40 AM

Hi!

The log looks promising. Are you still getting those popups?

Please run a fresh GMER and MBR scan and post the logs in your next reply smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 27 February 2010 - 12:02 PM

You, sir, are a genius. The popup problem appears to be cured. thumbup.gif

Here are the two logs you requested:

MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK

GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-27 10:49:40
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\kgpyrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA20558D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA20526E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA205F490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA2055E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA2055F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA2052C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA205FD10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA205FAC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA2060230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA20602B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA2052AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA2060970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA20603D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA20554F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA20607C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA2052EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA205F800]

---- EOF - GMER 1.0.15 ----


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:26 AM

Posted 27 February 2010 - 12:32 PM

Hello, Jenny Gray.
Thank you smile.gif

Let's make sure that the virus hasn't left anything on your system. After that, we'll clean up and you'll be good to go smile.gif
We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next reply, please include the following:
  • ActiveScan Report

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 Jenny Gray

Jenny Gray
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 27 February 2010 - 08:49 PM

PandaScan says I'm clean.

I'm not sure how you did it, but you're my hero. clapping.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users