Browser Hijacked, and SPTD.sys problems


This topic is locked
7 replies to this topic

#1 Almander

Almander

  • Members
  • 4 posts

Posted 25 February 2010 - 02:31 PM

Brief History and problem description:

On 2/22/2010 this computer would not boot. When SPTD.SYS was loaded at startup the computer would BSOD and restart indefinitely.

Was able to boot by not loading sptd.sys.
Renamed sptd.sys, and computer was able to boot normally.

Now that the computer boots, IE and Firefox browser searches are hijacked (Chrome is dead, it will not even run). Usually after a few search engine searches, a result link directs to random pages that are not relevant to the link. Examples are .com URLs such as i-mall200, pronto, 123findsite, etc.

I noticed that my Java installation is a bit out of date, was going to try and uninstall then reinstall newer version. But I thought I would give this a shot first.

DDS.txt details follow
-----------------------------------------------------------------------------
DDS (Ver_09-12-01.01) - NTFSx86
Run by aland at 11:34:50.49 on Thu 02/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.821 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wootalyzer\woot.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\aland\Start Menu\Programs\Startup\procexp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
F:\Downloads\Antivir - AntiSpy\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll
EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Wootalyzer] "c:\program files\wootalyzer\woot.exe" /boot
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
StartupFolder: c:\documents and settings\aland\start menu\programs\startup\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwatch.dll
Trusted Zone: msn.com\zone
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6045C5E3-3653-4262-9E3E-0DA3A22A2C1D} - hxxp://webserver1/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244050137138
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aland\applic~1\mozilla\firefox\profiles\j3us9raz.default\
FF - component: c:\program files\httpwatch\firefox\components\httpwatchff.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2009-8-20 20352]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 74480]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2009-6-2 8576]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100224.009\naveng.sys [2010-2-24 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100224.009\navex15.sys [2010-2-24 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2010-02-25 18:32:38 20 ----a-w- c:\documents and settings\aland\defogger_reenable
2010-02-24 22:57:58 0 d-----w- c:\windows\system32\appmgmt
2010-02-05 21:52:20 0 d-----w- c:\temp\music
2010-01-29 20:47:17 0 d-----w- c:\program files\RealVNC

==================== Find3M ====================

2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 11:45:34.89 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 February 2010 - 03:39 PM

Good evening.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log(s) into your next reply. The Preview option on the forum may show the whole log(s) being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.

 

 


#3 Almander

Almander
  • Topic Starter

  • Members
  • 4 posts

Posted 26 February 2010 - 11:14 AM

Good Morning,

Eset Scan produced nothing.

I am having problems getting gmer to complete.

When running gmer the system will simply hang, or reset after about an hour. Still trying, but it is not looking hopeful.

Edited by Almander, 26 February 2010 - 11:16 AM.


#4 Almander

Almander
  • Topic Starter

  • Members
  • 4 posts

Posted 26 February 2010 - 12:11 PM

I cannot seem to get gmer to work, am trying in safe mode now. I am including 2 log files in this message that are produced when gmer starts up.

Hopefully the rootkits identified help...

1. Normal Boot:
---------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-25 12:07:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\aland\LOCALS~1\Temp\pxtdrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 89D4DA9A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



2. Safe Mode Boot:
---------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-26 10:05:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpog.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\iaStor \Device\Harddisk0\DR0 89B01A9A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
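As an added example (not something posted in this thread), here is a small Python triage script that pulls out the same indicators the helper is reading from the DDS and GMER logs above: BHO entries whose DLL is gone ("No File"), boot-start (R0) drivers from the SERVICES / DRIVERS section, and GMER's "suspicious modification" and bare-address device lines. The sample lines are constructed from the logs in this thread and all function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the DDS pseudo-HJT and SERVICES/DRIVERS sections posted above.
SAMPLE_DDS = r"""BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [nwiz] nwiz.exe /installquiet
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2009-8-20 20352]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
"""

# Constructed excerpt modelled on the GMER quick-scan output posted above.
SAMPLE_GMER = r"""AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 89D4DA9A
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
"""

# "BHO: <name>: {CLSID} - <dll path>"; DDS omits the name when the DLL is missing.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# "R0 svc;display;path [yyyy-m-d size]"; R0 = boot start, R1 = system start, R2/R3 = later.
DRIVER_RE = re.compile(
    r"^(?P<group>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$"
)
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")
# GMER prints a device object followed by a bare address instead of a module name.
GMER_DEVICE_RE = re.compile(r"^Device -> (?P<driver>\\\S+) (?P<device>\\\S+) (?P<addr>[0-9A-Fa-f]{8})$")


def parse_bhos(dds_text: str) -> List[Dict[str, str]]:
    """Return every BHO line as {name, clsid, path}."""
    out = []
    for line in dds_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            out.append({"name": m.group("name") or "", "clsid": m.group("clsid"), "path": m.group("path")})
    return out


def orphaned_bhos(dds_text: str) -> List[str]:
    """CLSIDs still registered as BHOs whose DLL no longer exists ('No File')."""
    return [b["clsid"] for b in parse_bhos(dds_text) if b["path"].strip().lower() == "no file"]


def parse_drivers(dds_text: str) -> List[Dict[str, str]]:
    """Return every R*/S* service line as {group, svc, display, path, date, size}."""
    out = []
    for line in dds_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def boot_start_drivers(dds_text: str) -> List[Dict[str, str]]:
    """R0 drivers load before file-system filters and AV, so their publisher is worth checking."""
    return [d for d in parse_drivers(dds_text) if d["group"] == "R0"]


def gmer_findings(gmer_text: str) -> Dict[str, list]:
    """Collect GMER's on-disk modification reports and device objects that resolve to a bare address."""
    files: List[str] = []
    devices: List[Tuple[str, str, str]] = []
    for line in gmer_text.splitlines():
        fm = GMER_FILE_RE.match(line)
        if fm:
            files.append(fm.group("path"))
            continue
        dm = GMER_DEVICE_RE.match(line)
        if dm:
            devices.append((dm.group("driver"), dm.group("device"), dm.group("addr").upper()))
    return {"modified_files": files, "redirected_devices": devices}


def triage(dds_text: str, gmer_text: str) -> List[str]:
    """One line per indicator that deserves a human look, in the order a helper would read them."""
    findings = []
    for clsid in orphaned_bhos(dds_text):
        findings.append(f"orphaned BHO {clsid}: registration points at a missing DLL")
    for d in boot_start_drivers(dds_text):
        findings.append(f"boot-start driver {d['svc']} at {d['path']}: verify the file's publisher")
    g = gmer_findings(gmer_text)
    for path in g["modified_files"]:
        findings.append(f"GMER: {path} modified on disk; replace from a known-good copy")
    for drv, dev, addr in g["redirected_devices"]:
        findings.append(f"GMER: {dev} ({drv}) resolves to bare address {addr}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_DDS, SAMPLE_GMER):
        print(line)
```

Run against the full logs, the script gives the same four kinds of pointer the helper acted on here: an orphaned BHO, an undescribed boot-start driver, and GMER's iaStor.sys file and device lines.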





#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 26 February 2010 - 04:01 PM

Good evening.

I think that is probably a good indicator of the issue. Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#6 Almander

Almander
  • Topic Starter

  • Members
  • 4 posts

Posted 26 February 2010 - 06:46 PM

Thanks,

It seems to have helped. Will post more details next week.

ComboFix 10-02-26.01 - Administrator 02/26/2010 16:26:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1186 [GMT -7:00]
Running from: F:\Downloads\Antivir - AntiSpy\BleepingComputer\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\RECYCLER\S-1-5-21-730180358-1858697911-3449708897-500
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\images
C:\WINDOWS\system32\images\toolbar\calendar.gif
C:\WINDOWS\system32\images\toolbar\crlogo.gif
C:\WINDOWS\system32\images\toolbar\export.gif
C:\WINDOWS\system32\images\toolbar\export_over.gif
C:\WINDOWS\system32\images\toolbar\exportd.gif
C:\WINDOWS\system32\images\toolbar\First.gif
C:\WINDOWS\system32\images\toolbar\first_over.gif
C:\WINDOWS\system32\images\toolbar\Firstd.gif
C:\WINDOWS\system32\images\toolbar\gotopage.gif
C:\WINDOWS\system32\images\toolbar\gotopage_over.gif
C:\WINDOWS\system32\images\toolbar\gotopaged.gif
C:\WINDOWS\system32\images\toolbar\grouptree.gif
C:\WINDOWS\system32\images\toolbar\grouptree_over.gif
C:\WINDOWS\system32\images\toolbar\grouptreed.gif
C:\WINDOWS\system32\images\toolbar\grouptreepressed.gif
C:\WINDOWS\system32\images\toolbar\Last.gif
C:\WINDOWS\system32\images\toolbar\last_over.gif
C:\WINDOWS\system32\images\toolbar\Lastd.gif
C:\WINDOWS\system32\images\toolbar\Next.gif
C:\WINDOWS\system32\images\toolbar\next_over.gif
C:\WINDOWS\system32\images\toolbar\Nextd.gif
C:\WINDOWS\system32\images\toolbar\Prev.gif
C:\WINDOWS\system32\images\toolbar\prev_over.gif
C:\WINDOWS\system32\images\toolbar\Prevd.gif
C:\WINDOWS\system32\images\toolbar\print.gif
C:\WINDOWS\system32\images\toolbar\print_over.gif
C:\WINDOWS\system32\images\toolbar\printd.gif
C:\WINDOWS\system32\images\toolbar\Refresh.gif
C:\WINDOWS\system32\images\toolbar\refresh_over.gif
C:\WINDOWS\system32\images\toolbar\refreshd.gif
C:\WINDOWS\system32\images\toolbar\Search.gif
C:\WINDOWS\system32\images\toolbar\search_over.gif
C:\WINDOWS\system32\images\toolbar\searchd.gif
C:\WINDOWS\system32\images\toolbar\up.gif
C:\WINDOWS\system32\images\toolbar\up_over.gif
C:\WINDOWS\system32\images\toolbar\upd.gif
C:\WINDOWS\system32\images\tree\begindots.gif
C:\WINDOWS\system32\images\tree\beginminus.gif
C:\WINDOWS\system32\images\tree\beginplus.gif
C:\WINDOWS\system32\images\tree\blank.gif
C:\WINDOWS\system32\images\tree\blankdots.gif
C:\WINDOWS\system32\images\tree\dots.gif
C:\WINDOWS\system32\images\tree\lastdots.gif
C:\WINDOWS\system32\images\tree\lastminus.gif
C:\WINDOWS\system32\images\tree\lastplus.gif
C:\WINDOWS\system32\images\tree\Magnify.gif
C:\WINDOWS\system32\images\tree\minus.gif
C:\WINDOWS\system32\images\tree\minusbox.gif
C:\WINDOWS\system32\images\tree\plus.gif
C:\WINDOWS\system32\images\tree\plusbox.gif
C:\WINDOWS\system32\images\tree\singleminus.gif
C:\WINDOWS\system32\images\tree\singleplus.gif
C:\WINDOWS\system32\Thumbs.db
E:\Autorun.inf
F:\install.exe

----- BITS: Possible infected sites -----

hxxp://surfcontrol-slc
.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 23:26:12 . 2010-02-26 09:00:00 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\ECMSVR32.DLL
2010-02-26 23:26:12 . 2009-12-08 00:01:37 2747440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\CCERASER.DLL
2010-02-26 23:26:12 . 2009-12-02 18:16:05 1324720 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\NAVEX15.SYS
2010-02-26 23:26:12 . 2009-12-02 18:15:56 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\NAVENG.SYS
2010-02-26 23:26:12 . 2009-11-10 22:48:06 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\NAVEX32A.DLL
2010-02-26 23:26:12 . 2009-11-10 22:48:05 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\NAVENG32.DLL
2010-02-26 23:26:12 . 2009-08-18 00:15:34 102448 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\ERASER.SYS
2010-02-26 23:26:12 . 2009-08-18 00:15:31 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30b406.vdb\EECTRL.SYS
2010-02-26 23:23:47 . 2009-11-10 22:48:06 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\NAVEX32A.DLL
2010-02-26 23:23:46 . 2010-02-22 09:00:00 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\ECMSVR32.DLL
2010-02-26 23:23:46 . 2009-12-08 00:01:37 2747440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\CCERASER.DLL
2010-02-26 23:23:46 . 2009-12-02 18:16:05 1324720 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\NAVEX15.SYS
2010-02-26 23:23:46 . 2009-12-02 18:15:56 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\NAVENG.SYS
2010-02-26 23:23:46 . 2009-11-10 22:48:05 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\NAVENG32.DLL
2010-02-26 23:23:46 . 2009-08-18 00:15:34 102448 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\ERASER.SYS
2010-02-26 23:23:46 . 2009-08-18 00:15:31 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30ac11.vdb\EECTRL.SYS
2010-02-26 23:08:21 . 2010-02-26 23:08:21 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\SampleView
2010-02-26 22:53:29 . 2010-02-26 22:53:29 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec
2010-02-26 22:50:12 . 2010-02-26 22:50:12 -------- d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2010-02-26 17:00:23 . 2010-02-26 23:21:08 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
2010-02-25 20:39:03 . 2010-02-26 23:20:01 118784 ----a-w- C:\WINDOWS\system32\chg.exe
2010-02-24 21:41:10 . 2010-02-24 21:41:10 -------- d-sh--w- C:\Documents and Settings\NetworkService\IETldCache
2010-02-15 17:17:00 . 2010-02-15 17:17:15 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
2010-02-05 21:52:20 . 2010-02-05 21:55:43 -------- d-----w- C:\temp\music
2010-01-29 20:47:17 . 2010-01-29 20:47:17 -------- d-----w- C:\Program Files\RealVNC
2010-01-29 19:55:45 . 2010-01-29 19:55:55 3897916 ----a-w- C:\Documents and Settings\aland\Application Data\Research In Motion\BlackBerry\SR_MM_English.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:24:11 . 2009-06-02 18:32:30 -------- d-----w- C:\Program Files\Symantec AntiVirus
2010-02-25 20:58:44 . 2010-01-05 17:25:33 117760 ----a-w- C:\Documents and Settings\aland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-22 17:44:39 . 2009-12-29 17:00:09 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-22 17:44:22 . 2009-12-29 17:01:04 5115824 ----a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 20:14:58 . 2009-08-14 16:22:55 256 ----a-w- C:\WINDOWS\system32\pool.bin
2010-02-17 18:29:07 . 2009-08-13 23:04:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Research In Motion
2010-02-17 18:29:07 . 2009-08-11 15:27:43 -------- d-----w- C:\Program Files\Research In Motion
2010-02-09 18:47:12 . 2009-06-03 20:01:27 -------- d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-02 21:12:23 . 2009-07-29 21:00:28 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Google Updater
2010-01-30 03:20:12 . 2009-07-29 21:00:27 -------- d-----w- C:\Program Files\Google
2010-01-20 18:45:13 . 2009-06-08 22:39:46 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
2010-01-20 18:45:06 . 2009-11-10 22:48:34 38208 ----a-w- C:\Documents and Settings\aland\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-20 18:30:26 . 2009-06-02 21:23:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-01-20 18:26:02 . 2009-06-03 17:49:23 1733568 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-01-20 18:23:34 . 2010-01-20 18:20:26 -------- d-----w- C:\Program Files\Microsoft Visual Studio 2008 SDK
2010-01-15 20:31:55 . 2009-06-02 21:29:49 72280 ----a-w- C:\Documents and Settings\aland\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 00:53:38 . 2009-07-13 21:54:22 412280 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-13 15:58:35 . 2010-01-05 17:26:08 52224 ----a-w- C:\Documents and Settings\aland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 15:57:21 . 2010-01-05 17:24:58 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-01-11 21:25:34 . 2010-01-11 21:25:34 -------- d-----w- C:\Documents and Settings\aland\Application Data\j2 Global
2010-01-11 21:24:53 . 2010-01-11 21:24:13 -------- d-----w- C:\Program Files\eFax Messenger 4.4
2010-01-11 21:24:49 . 2010-01-11 21:24:49 -------- d-----w- C:\Documents and Settings\aland\Application Data\eFax Messenger
2010-01-11 21:24:46 . 2010-01-11 21:24:46 -------- d-----w- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.4 Setup
2010-01-11 21:24:46 . 2010-01-11 21:24:40 -------- d-----w- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.4 Output
2010-01-08 22:24:37 . 2009-10-15 22:42:48 -------- d-----w- C:\Documents and Settings\aland\Application Data\FileZilla
2010-01-08 22:16:03 . 2010-01-08 22:16:03 -------- d-----w- C:\Program Files\PADI
2010-01-08 17:48:41 . 2010-01-08 17:36:58 -------- d-----w- C:\Program Files\ShowTraf
2010-01-08 17:38:06 . 2010-01-08 17:38:04 -------- d-----w- C:\Program Files\WinPcap
2010-01-08 17:32:45 . 2009-12-17 19:43:33 -------- d-----w- C:\Program Files\Charles
2010-01-07 23:07:14 . 2009-12-29 17:00:11 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 . 2009-12-29 17:00:14 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-01-07 21:00:17 . 2010-01-07 21:00:09 -------- d-----w- C:\Program Files\Fiddler2
2010-01-05 17:35:33 . 2010-01-05 17:35:24 52224 ----a-w- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-05 17:35:33 . 2010-01-05 17:34:50 117760 ----a-w- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-05 17:32:39 . 2010-01-05 17:32:39 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-05 17:25:16 . 2010-01-05 17:25:16 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-05 17:24:58 . 2010-01-05 17:24:58 -------- d-----w- C:\Documents and Settings\aland\Application Data\SUPERAntiSpyware.com
2010-01-05 17:13:38 . 2009-08-20 23:45:30 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-31 16:28:36 . 2009-12-31 16:28:35 -------- d-----w- C:\Program Files\Windows Defender
2009-12-29 23:53:23 . 2009-12-29 23:53:23 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-12-29 17:00:17 . 2009-12-29 17:00:17 -------- d-----w- C:\Documents and Settings\aland\Application Data\Malwarebytes
2009-12-29 17:00:10 . 2009-12-29 17:00:10 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-28 21:39:37 . 2009-06-03 17:49:26 18368 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-12-23 01:08:36 . 2009-06-29 19:55:23 1324 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-12-17 18:43:54 . 2009-12-17 18:43:54 212 ----a-w- C:\WINDOWS\ildasmfnt.bin
2009-05-01 21:02:48 . 2009-05-01 21:02:48 1044480 ----a-w- C:\Program Files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02:48 . 2009-05-01 21:02:48 200704 ----a-w- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-11-20 21:30:44 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-07-20 18:57:00 1626112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-20 18:57:00 8466432]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-08-11 02:30:32 331288]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 18:50:16 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 20:44:26 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-07-10 17:53:08 872448]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 22:33:22 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-08 02:48:40 125368]
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 05:29:16 623960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-09-05 07:54:42 417792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-09-21 22:36:12 305440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 10:08:38 35696]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 18:08:30 935288]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 13:38:02 16384512]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-01-17 04:26:44 86016]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 02:20:12 866584]
"eFax 4.4"="C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 20:25:48 95744]

C:\Documents and Settings\aland\Start Menu\Programs\Startup\
procexp.exe [2008-4-15 3523624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2009-6-3 69632]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 04:19:02 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 16:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-13 15:57:20 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 tclondrv;tclondrv;C:\WINDOWS\system32\drivers\tclondrv.sys [8/20/2009 4:45:00 PM 20352]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 11:06:00 AM 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\VCdRom.sys [6/2/2009 11:51:04 AM 8576]
R2 msftesql$SQL2K5;SQL Server FullText Search (SQL2K5);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 8:22:56 AM 95592]
R2 MSSQL$SQL2K5;SQL Server (SQL2K5);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 9:31:10 PM 29263712]
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [10/20/2009 11:19:44 AM 50704]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [6/2/2009 10:37:56 AM 540184]
R2 ReportServer$SQL2K5;SQL Server Reporting Services (SQL2K5);C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [11/24/2008 10:26:50 PM 14688]
R2 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [10/7/2007 7:48:36 PM 116664]
R2 WinDefend;Windows Defender;C:\Program Files\Windows Defender\MsMpEng.exe [11/3/2006 7:19:58 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/24/2010 5:36:02 PM 102448]
S2 gupdate1ca108fb9255f04;Google Update Service (gupdate1ca108fb9255f04);C:\Program Files\Google\Update\GoogleUpdate.exe [7/29/2009 2:01:19 PM 133104]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]
S3 SQLAgent$SQL2K5;SQL Server Agent (SQL2K5);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [11/24/2008 9:31:08 PM 346976]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17:54 AM 2805000]
S4 sptd;sptd;C:\WINDOWS\system32\Drivers\sptd.sys --> C:\WINDOWS\system32\Drivers\sptd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 21:28:40 451872 ----a-w- C:\Program Files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 C:\WINDOWS\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-29 21:00:27 . 2010-02-02 21:12:19]

2010-02-26 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore1cab73a6b3ee2b0.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-29 21:01:19 . 2009-07-29 21:01:14]

2010-02-26 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-29 21:01:19 . 2009-07-29 21:01:14]

2010-02-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20:06 . 2006-11-04 02:20:06]

2010-02-26 C:\WINDOWS\Tasks\User_Feed_Synchronization-{79450109-9FEE-4950-A409-6526C53982DD}.job
- C:\WINDOWS\system32\msfeedssync.exe [2009-03-08 10:31:54 . 2009-03-08 10:31:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
DPF: {6045C5E3-3653-4262-9E3E-0DA3A22A2C1D} - hxxp://webserver1/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-KB955706_RS9 - C:\WINDOWS\RS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQL9 - C:\WINDOWS\SQL9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQLTools9 - C:\WINDOWS\SQLTools9_KB955706_ENU\Hotfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:41:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D48A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
\Driver\iaStor -> iaStor.sys @ 0xba6541bc
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xba528bb0
PacketIndicateHandler -> NDIS.sys @ 0xba535a21
SendHandler -> NDIS.sys @ 0xba51387b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQL2K5]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2K5"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2245824498-3842996343-2741983480-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,db,13,4f,9e,cc,2b,41,91,8c,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,db,13,4f,9e,cc,2b,41,91,8c,eb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
C:\WINDOWS\system32\WININET.dll
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(896)
C:\WINDOWS\system32\WININET.dll
C:\Program Files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-26 16:46:08
ComboFix-quarantined-files.txt 2010-02-26 23:46:01

Pre-Run: 24,570,949,632 bytes free
Post-Run: 25,518,034,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6A700651C68F35A6DDE8DA988C14CB78


#7 Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:58 AM

Posted 27 February 2010 - 06:23 PM

Good evening.

QUOTE
Will post more details next week.
OK.

So long, and thanks for all the fish.


#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:58 AM

Posted 04 March 2010 - 05:03 PM

As there has been no reply for the last five days, this thread has been locked.

So long, and thanks for all the fish.
