
Desktop icons will not do anything


  • This topic is locked
33 replies to this topic

#1 race fan

race fan

  • Members
  • 40 posts

Posted 02 March 2010 - 08:31 PM

I have an XP system that had a virus and was declared clean on the virus, trojan, spyware forum. It worked fine for a day. I uninstalled F-Secure and installed ESET Smart Security, and it has given me trouble since. I believe the F-Secure did not completely uninstall. Now when Windows loads, it comes up to the desktop fine, but when I click on something it sits and spins. If I start it in safe mode, I can get to any program. I have updated and rerun the Malwarebytes and SUPERAntiSpyware programs and they came back clean. I need some direction on what to do next.


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 March 2010 - 08:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's make sure F-Secure fully uninstalled first.

Download this zip file from F-Secure and run the program

The PC will reboot during the process.

When you have done this please attempt to download DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If this now downloads then you are probably fixed. Let me know if not and we will try something else.
m0le is a proud member of UNITE

#3 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts

Posted 02 March 2010 - 09:19 PM

The zip file link from F-Secure will not connect. Is there another way to get to it?

Disregard this. I shortened the link and worked my way in that way. I have it running now.

Edited by race fan, 02 March 2010 - 09:31 PM.


#4 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts

Posted 02 March 2010 - 09:59 PM

Here is the DDS log. I did not post the attach log unless you need it. I do have it.
It still does not do anything but spin when I click on something on the desktop unless I am in safe mode.
I believe that the first program removed more of the F-Secure because there are fewer icons in my lower right tray.


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Mom & Dad at 20:49:04.84 on Tue 03/02/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1665 [GMT -6:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\userinit.exe
C:\Windows\Explorer.EXE
C:\Users\Mom & Dad\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myembarq.com/index.php
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LenovoRegistration] c:\swtools\lenovowelcome\lenovoregistration.exe /inif="c:\swshare\leadertech.ini"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\lenovo\lenovo~1\LPMGR.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Warning: do not remove it! (system)] cfpsys.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

S0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-1-1 33920]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-12-18 38240]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2006-12-14 569344]
S3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-9-28 179712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-28 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]

=============== Created Last 30 ================

2010-03-03 02:33:54 0 d--h--we C:\G
2010-03-02 20:23:14 1732 ----a-w- C:\tvtpktfilter.dat
2010-03-02 18:27:05 0 d-----w- C:\E
2010-02-26 01:30:13 0 d-----w- C:\D
2010-02-25 23:56:33 0 d-----w- C:\B
2010-02-25 23:55:28 0 d-----w- c:\programdata\F-Secure
2010-02-24 01:56:38 0 d-----w- C:\C
2010-02-23 02:30:51 0 d-----w- c:\users\mom&da~1\appdata\roaming\ESET
2010-02-23 02:29:04 0 d-----w- c:\programdata\ESET
2010-02-21 14:47:06 0 d-----w- c:\program files\ESET
2010-02-21 08:22:39 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-21 08:22:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-21 08:22:38 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-21 08:22:38 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-21 08:22:38 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-21 08:22:38 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-21 08:22:38 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-21 08:22:38 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-21 08:22:38 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-21 03:34:35 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-10 20:30:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 20:30:00 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 20:29:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 20:29:55 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 14:31:13 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 14:31:12 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 14:31:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 14:31:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-08 02:53:07 0 d-----w- c:\users\mom&da~1\appdata\roaming\Malwarebytes
2010-02-08 02:53:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 02:53:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 02:53:01 0 d-----w- c:\programdata\Malwarebytes
2010-02-08 02:53:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 02:35:21 0 d-----w- C:\A
2010-02-07 19:13:29 0 d-----w- c:\programdata\Office Genuine Advantage

==================== Find3M ====================

2010-02-23 02:29:42 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-23 02:29:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-23 02:29:41 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 14:13:12 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-24 22:30:12 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-17 09:19:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-09-28 18:11:50 174 --sh--w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-04 01:41:57 88 --sh--r- c:\windows\system32\28D6056FDC.sys
2003-10-02 00:04:08 121856 --sh--w- c:\windows\system32\cfpsys.exe
2008-11-21 20:54:21 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008112120081122\index.dat

============= FINISH: 20:51:22.61 ===============
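
A small triage helper for the DDS log format posted above, added here as an example; it is not part of this thread or of the DDS tool, and the heuristics, the sample lines (copied from the log above) and the function names are my own. It flags the entries a responder would double-check before agreeing that a scan "seems fine": autorun targets with no path, UAC policy values set to 0, and hidden+system files under system32. A flag is a review item, not a verdict; the log above contains legitimate vendor files with exactly these traits.

```python
"""Heuristic triage for DDS-style logs (added example, not part of DDS)."""
import re

# Constructed sample: a subset of the DDS output posted in this thread.
SAMPLE_LOG = """\
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Warning: do not remove it! (system)] cfpsys.exe
mRun: [egui] "c:\\program files\\eset\\eset smart security\\egui.exe" /hide /waitservice
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
2010-02-21 08:22:39 1314816 ----a-w- c:\\windows\\system32\\quartz.dll
2009-04-04 01:41:57 88 --sh--r- c:\\windows\\system32\\28D6056FDC.sys
2003-10-02 00:04:08 121856 --sh--w- c:\\windows\\system32\\cfpsys.exe
"""

# DDS line shapes: uRun/mRun autoruns, mPolicies-system values, and the
# "Created Last 30" / "Find3M" file lines (date time size attrs path).
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
POLICY_RE = re.compile(r'^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)')
FILE_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ (?P<attr>[-a-z]{8}) (?P<path>.+)$')

# Policies that disable UAC prompting when set to 0.
UAC_KEYS = {"EnableLUA", "PromptOnSecureDesktop"}


def target_of(cmd):
    """Return the executable from an autorun command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (category, detail, value) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            exe = target_of(m.group("cmd"))
            # A bare filename is resolved via the PATH at logon, so the
            # responder should locate the actual file on disk.
            if "\\" not in exe and not exe.startswith("%"):
                findings.append(("autorun-no-path", m.group("name"), exe))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("key") in UAC_KEYS and m.group("val") == "0":
            findings.append(("uac-disabled", m.group("key"), m.group("val")))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path").lower()
            # 's' + 'h' = system and hidden attributes, uncommon under system32.
            if "s" in attr and "h" in attr and "\\system32\\" in path:
                findings.append(("hidden-system-file", attr, path))
    return findings


if __name__ == "__main__":
    for category, detail, value in triage(SAMPLE_LOG):
        print(f"{category:20} {detail:40} {value}")
```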


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 March 2010 - 06:10 PM

The DDS scan seems fine.

Run Gmer so we can check for rootkits. After that is clean (hopefully) we can then attempt a fix to revert your desktop to its correct state.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#6 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts

Posted 03 March 2010 - 07:23 PM

Here is the GMER log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 18:20:48
Windows 6.0.6002 Service Pack 2
Running: bgcb0rmk.exe; Driver: C:\Users\MOM&DA~1\AppData\Local\Temp\kwlyypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 March 2010 - 08:05 PM

Okay, let's try and sort out the desktop problem then.

There are quite a few reasons for this, so it could take some time.

First,

Download Microsoft's TweakUI and install it.

Go to the Repair option and click Rebuild Icons

Let me know if that fixes it.
m0le is a proud member of UNITE

#8 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts

Posted 03 March 2010 - 09:39 PM

This computer is getting weirder. TweakUI would not run in safe mode. So I rebooted into normal mode and tried to run it. I double-clicked on the icon and the screen flashed and then went into a foggy state where I can still see everything, but with a haze, and the hourglass is still going after 5 minutes. The only way I have been able to get out of it is to hold the power button down.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 March 2010 - 05:09 PM

Can you run ComboFix and let's see if anything's snuck back in.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#10 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts

Posted 04 March 2010 - 07:59 PM

Here is the combo fix log.

ComboFix 10-03-04.02 - Mom & Dad 03/04/2010 18:49:10.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1519 [GMT -6:00]
Running from: c:\users\Mom & Dad\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\VB40032.DLL

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 00:54 . 2010-03-05 00:54 -------- d-----w- c:\users\Mom & Dad\AppData\Local\temp
2010-03-05 00:47 . 2010-03-05 00:48 -------- d-----w- C:\32788R22FWJFW
2010-03-04 02:29 . 2010-03-04 02:29 -------- d-----w- C:\F
2010-03-03 02:33 . 2010-03-03 02:33 -------- d-----w- C:\G
2010-03-02 20:23 . 2010-03-02 20:23 1732 ----a-w- C:\tvtpktfilter.dat
2010-03-02 18:27 . 2010-03-02 18:27 -------- d-----w- C:\E
2010-02-26 01:30 . 2010-02-26 01:30 -------- d-----w- C:\D
2010-02-25 23:56 . 2010-02-25 23:56 -------- d-----w- C:\B
2010-02-25 23:55 . 2010-02-25 23:56 -------- d-----w- c:\programdata\F-Secure
2010-02-24 01:56 . 2010-02-24 01:56 -------- d-----w- C:\C
2010-02-23 02:22 . 2010-02-23 02:22 -------- d-----w- c:\users\Mom & Dad\AppData\Local\Adobe
2010-02-21 14:47 . 2010-02-23 02:29 -------- d-----w- c:\program files\ESET
2010-02-21 08:22 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-21 08:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-21 08:22 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-21 08:22 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-21 08:22 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-21 08:22 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-21 08:22 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-21 08:22 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-21 08:22 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-11 01:26 . 2010-02-11 01:26 -------- d-----w- c:\users\Sarah\AppData\Roaming\Malwarebytes
2010-02-10 20:30 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 20:30 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 20:29 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 20:29 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 14:31 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 14:31 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 14:31 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 14:31 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 13:25 . 2010-02-11 00:04 52224 ----a-w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-10 13:25 . 2010-02-11 00:04 117760 ----a-w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-10 13:24 . 2010-02-10 13:24 -------- d-----w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Malwarebytes
2010-02-08 02:53 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\programdata\Malwarebytes
2010-02-08 02:53 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- C:\A
2010-02-07 19:13 . 2010-02-07 19:13 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-07 19:12 . 2010-02-07 19:12 -------- d-----w- c:\users\Sarah\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 01:56 . 2010-01-22 01:13 117760 ----a-w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-26 01:55 . 2010-01-22 01:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 01:55 . 2008-09-28 14:00 99400 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 20:00 . 2009-10-03 22:36 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Skype
2010-02-21 18:11 . 2008-09-25 11:50 99400 ----a-w- c:\users\Mom & Dad\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 18:03 . 2007-03-03 16:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-21 18:02 . 2007-03-03 16:59 -------- d-----w- c:\program files\ThinkVantage
2010-02-21 18:01 . 2007-03-03 17:04 -------- d-----w- c:\programdata\Corel
2010-02-21 18:01 . 2007-03-03 17:04 -------- d-----w- c:\programdata\Borland
2010-02-21 17:56 . 2009-02-13 22:04 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Corel
2010-02-21 17:56 . 2007-03-03 17:05 -------- d-----w- c:\program files\Corel
2010-02-21 14:38 . 2009-10-03 22:41 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\skypePM
2010-02-21 09:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-21 09:01 . 2007-03-03 17:26 -------- d-----w- c:\programdata\Microsoft Help
2010-02-08 03:37 . 2007-03-03 16:57 -------- d-----w- c:\program files\Google
2010-01-23 23:45 . 2009-03-08 21:19 -------- d-----w- c:\program files\QuickTime
2010-01-23 23:40 . 2008-10-21 02:37 -------- d-----w- c:\program files\Common Files\Apple
2010-01-23 22:15 . 2009-10-03 22:04 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-01-23 22:14 . 2010-01-23 22:14 -------- d-----w- c:\program files\Microsoft
2010-01-23 05:23 . 2009-11-01 22:07 -------- d-----w- c:\users\Sarah\AppData\Roaming\Skype
2010-01-23 02:55 . 2009-11-10 01:39 -------- d-----w- c:\users\Sarah\AppData\Roaming\skypePM
2010-01-22 02:50 . 2007-03-03 17:17 -------- d-----w- c:\programdata\Symantec
2010-01-22 02:50 . 2007-03-03 17:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-22 01:13 . 2010-01-22 01:13 52224 ----a-w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 01:12 . 2010-01-22 01:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-22 01:12 . 2010-01-22 01:12 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com
2010-01-22 01:11 . 2010-01-22 01:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 03:15 . 2009-02-15 16:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 17:12 . 2009-10-03 21:33 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 14:13 . 2010-01-08 14:13 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-01-02 06:38 . 2010-01-22 00:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 00:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 00:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 00:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-24 22:30 . 2009-02-13 22:04 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-18 21:02 . 2009-12-18 21:02 38240 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2009-12-18 21:02 . 2009-12-18 21:02 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-04-04 01:41 . 2009-02-13 22:04 88 --sh--r- c:\windows\System32\28D6056FDC.sys
2003-10-02 00:04 . 2003-10-02 00:04 121856 --sh--w- c:\windows\System32\cfpsys.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-09-29 49152]
"LenovoRegistration"="c:\swtools\LenovoWelcome\LenovoRegistration.exe" [2006-12-29 32768]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\Lenovo\LENOVO~1\LPMGR.exe" [2007-01-31 120368]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"Warning: do not remove it! (system)"="cfpsys.exe" [2003-10-02 121856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:1b,34,6e,09,c1,42,ca,01

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-07-09 33920]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-01-05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-01-05 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-12-18 38240]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2006-12-14 569344]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-01-05 7408]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2006-09-13 35264]
S3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\User_Feed_Synchronization-{49CD20A1-4C31-4435-8C95-DA6729846AD4}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myembarq.com/index.php
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 18:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-04 18:56:43
ComboFix-quarantined-files.txt 2010-03-05 00:56

Pre-Run: 77,865,111,552 bytes free
Post-Run: 77,857,935,360 bytes free

- - End Of File - - D9EB1728AA8322023E289ED882BBE827


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:28 AM

Posted 05 March 2010 - 03:31 PM

Have you any idea what these folders are?

QUOTE
2010-03-04 02:29 . 2010-03-04 02:29 -------- d-----w- C:\F
2010-03-03 02:33 . 2010-03-03 02:33 -------- d-----w- C:\G
2010-03-02 18:27 . 2010-03-02 18:27 -------- d-----w- C:\E
2010-02-26 01:30 . 2010-02-26 01:30 -------- d-----w- C:\D
2010-02-25 23:56 . 2010-02-25 23:56 -------- d-----w- C:\B
2010-02-24 01:56 . 2010-02-24 01:56 -------- d-----w- C:\C

m0le is a proud member of UNITE

#12 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 05 March 2010 - 06:36 PM

None. If we need to make them go away, let's do it. I have all of my things backed up that I need.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:28 AM

Posted 05 March 2010 - 07:06 PM

I don't like them, and they are not system folders, so let's remove them.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
C:\A
C:\F
C:\G
C:\E
C:\D
C:\B
C:\C


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#14 race fan

race fan
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 05 March 2010 - 08:43 PM

Here is the new ComboFix log.

ComboFix 10-03-04.02 - Mom & Dad 03/05/2010 19:30:14.3.2 - x86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1647 [GMT -6:00]
Running from: c:\users\Mom & Dad\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 01:37 . 2010-03-06 01:37 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2010-03-06 01:37 . 2010-03-06 01:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-06 01:37 . 2010-03-06 01:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-04 02:29 . 2010-03-04 02:29 -------- d-----w- C:\F
2010-03-02 20:23 . 2010-03-02 20:23 1732 ----a-w- C:\tvtpktfilter.dat
2010-03-02 18:27 . 2010-03-02 18:27 -------- d-----w- C:\E
2010-02-26 01:30 . 2010-02-26 01:30 -------- d-----w- C:\D
2010-02-25 23:56 . 2010-02-25 23:56 -------- d-----w- C:\B
2010-02-25 23:55 . 2010-02-25 23:56 -------- d-----w- c:\programdata\F-Secure
2010-02-24 01:56 . 2010-02-24 01:56 -------- d-----w- C:\C
2010-02-23 02:22 . 2010-02-23 02:22 -------- d-----w- c:\users\Mom & Dad\AppData\Local\Adobe
2010-02-21 14:47 . 2010-02-23 02:29 -------- d-----w- c:\program files\ESET
2010-02-21 08:22 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-21 08:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-21 08:22 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-21 08:22 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-21 08:22 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-21 08:22 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-21 08:22 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-21 08:22 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-21 08:22 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-11 01:26 . 2010-02-11 01:26 -------- d-----w- c:\users\Sarah\AppData\Roaming\Malwarebytes
2010-02-10 20:30 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 20:30 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 20:29 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 20:29 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 14:31 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 14:31 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 14:31 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 14:31 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 13:25 . 2010-02-11 00:04 52224 ----a-w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-10 13:25 . 2010-02-11 00:04 117760 ----a-w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-10 13:24 . 2010-02-10 13:24 -------- d-----w- c:\users\Sarah\AppData\Roaming\SUPERAntiSpyware.com
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Malwarebytes
2010-02-08 02:53 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\programdata\Malwarebytes
2010-02-08 02:53 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- C:\A
2010-02-07 19:13 . 2010-02-07 19:13 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-07 19:12 . 2010-02-07 19:12 -------- d-----w- c:\users\Sarah\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 01:56 . 2010-01-22 01:13 117760 ----a-w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-26 01:55 . 2010-01-22 01:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 01:55 . 2008-09-28 14:00 99400 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 20:00 . 2009-10-03 22:36 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Skype
2010-02-21 18:11 . 2008-09-25 11:50 99400 ----a-w- c:\users\Mom & Dad\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 18:03 . 2007-03-03 16:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-21 18:02 . 2007-03-03 16:59 -------- d-----w- c:\program files\ThinkVantage
2010-02-21 18:01 . 2007-03-03 17:04 -------- d-----w- c:\programdata\Corel
2010-02-21 18:01 . 2007-03-03 17:04 -------- d-----w- c:\programdata\Borland
2010-02-21 17:56 . 2009-02-13 22:04 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\Corel
2010-02-21 17:56 . 2007-03-03 17:05 -------- d-----w- c:\program files\Corel
2010-02-21 14:38 . 2009-10-03 22:41 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\skypePM
2010-02-21 09:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-21 09:01 . 2007-03-03 17:26 -------- d-----w- c:\programdata\Microsoft Help
2010-02-08 03:37 . 2007-03-03 16:57 -------- d-----w- c:\program files\Google
2010-01-23 23:45 . 2009-03-08 21:19 -------- d-----w- c:\program files\QuickTime
2010-01-23 23:40 . 2008-10-21 02:37 -------- d-----w- c:\program files\Common Files\Apple
2010-01-23 22:15 . 2009-10-03 22:04 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-01-23 22:14 . 2010-01-23 22:14 -------- d-----w- c:\program files\Microsoft
2010-01-23 05:23 . 2009-11-01 22:07 -------- d-----w- c:\users\Sarah\AppData\Roaming\Skype
2010-01-23 02:55 . 2009-11-10 01:39 -------- d-----w- c:\users\Sarah\AppData\Roaming\skypePM
2010-01-22 02:50 . 2007-03-03 17:17 -------- d-----w- c:\programdata\Symantec
2010-01-22 02:50 . 2007-03-03 17:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-22 01:13 . 2010-01-22 01:13 52224 ----a-w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 01:12 . 2010-01-22 01:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-22 01:12 . 2010-01-22 01:12 -------- d-----w- c:\users\Mom & Dad\AppData\Roaming\SUPERAntiSpyware.com
2010-01-22 01:11 . 2010-01-22 01:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 03:15 . 2009-02-15 16:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 17:12 . 2009-10-03 21:33 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 14:13 . 2010-01-08 14:13 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-01-02 06:38 . 2010-01-22 00:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 00:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 00:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 00:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-24 22:30 . 2009-02-13 22:04 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-18 21:02 . 2009-12-18 21:02 38240 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2009-12-18 21:02 . 2009-12-18 21:02 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-04-04 01:41 . 2009-02-13 22:04 88 --sh--r- c:\windows\System32\28D6056FDC.sys
2003-10-02 00:04 . 2003-10-02 00:04 121856 --sh--w- c:\windows\System32\cfpsys.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-03-05_00.54.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-03 16:58 . 2010-03-05 01:44 54254 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-03-03 16:58 . 2010-02-26 03:14 54254 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2010-03-04 02:28 . 2010-03-04 03:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-05 01:42 . 2010-03-06 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-05 01:42 . 2010-03-06 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-03-04 02:28 . 2010-03-04 03:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-09-29 49152]
"LenovoRegistration"="c:\swtools\LenovoWelcome\LenovoRegistration.exe" [2006-12-29 32768]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\Lenovo\LENOVO~1\LPMGR.exe" [2007-01-31 120368]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"Warning: do not remove it! (system)"="cfpsys.exe" [2003-10-02 121856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:1b,34,6e,09,c1,42,ca,01

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-07-09 33920]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-01-05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-01-05 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-12-18 38240]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2006-12-14 569344]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-01-05 7408]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2006-09-13 35264]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{49CD20A1-4C31-4435-8C95-DA6729846AD4}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myembarq.com/index.php
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 19:37
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-05 19:41:08
ComboFix-quarantined-files.txt 2010-03-06 01:41
ComboFix2.txt 2010-03-05 00:56

Pre-Run: 77,341,360,128 bytes free
Post-Run: 77,216,923,648 bytes free

- - End Of File - - 216FB0A34064D47C1D402FA9427167C7


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:28 AM

Posted 05 March 2010 - 08:50 PM

Nothing happened there. Let's take a look inside one of the folders for clues.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :dir
    C:\A /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

This may be a large log depending on what the folder has inside it, which may slow down the scan a bit.
m0le is a proud member of UNITE
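The single-letter root folders m0le asks about in #11, the CFScript `Folder::` block he posts in #13 and the second ComboFix log in #14 are exactly the kind of material a responder triages by script rather than by eye. What follows is an added example written for this page; it is not code from the thread, from ComboFix or from SystemLook, and the function names are my own. It parses ComboFix "Files Created" entry lines, flags one-character directories sitting directly under a drive root, emits a `Folder::` block of the shape used in #13, and reports which flagged folders still appear in a later log. The sample log lines embedded below are copied from the two logs posted in this thread (constructed input for the example; the snapshot lines that begin with `+`/`-` have a different layout and are deliberately not parsed).

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' entry lines.

Added example, not part of the BleepingComputer thread or of ComboFix itself.
"""
import re
from typing import List, NamedTuple, Tuple

# Sample entries copied from the two ComboFix logs posted in the thread
# (constructed input for this example). Each line has the layout
#   <created> . <modified> <size or --------> <attrs> <path>
LOG_BEFORE = r"""
2010-03-04 02:29 . 2010-03-04 02:29 -------- d-----w- C:\F
2010-03-03 02:33 . 2010-03-03 02:33 -------- d-----w- C:\G
2010-03-02 18:27 . 2010-03-02 18:27 -------- d-----w- C:\E
2010-02-26 01:30 . 2010-02-26 01:30 -------- d-----w- C:\D
2010-02-25 23:56 . 2010-02-25 23:56 -------- d-----w- C:\B
2010-02-24 01:56 . 2010-02-24 01:56 -------- d-----w- C:\C
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- C:\A
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- c:\programdata\Malwarebytes
"""

LOG_AFTER = r"""
2010-03-06 01:37 . 2010-03-06 01:37 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2010-03-04 02:29 . 2010-03-04 02:29 -------- d-----w- C:\F
2010-03-02 20:23 . 2010-03-02 20:23 1732 ----a-w- C:\tvtpktfilter.dat
2010-03-02 18:27 . 2010-03-02 18:27 -------- d-----w- C:\E
2010-02-26 01:30 . 2010-02-26 01:30 -------- d-----w- C:\D
2010-02-25 23:56 . 2010-02-25 23:56 -------- d-----w- C:\B
2010-02-24 01:56 . 2010-02-24 01:56 -------- d-----w- C:\C
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- C:\A
"""


class Entry(NamedTuple):
    created: str   # first timestamp on the line
    modified: str  # second timestamp on the line
    size: int      # -1 for directories (ComboFix prints '--------')
    attrs: str     # 8-character attribute field, e.g. 'd-----w-' or '----a-w-'
    path: str


# One entry line; section banners, blank lines and '+'/'-' snapshot lines do not match.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([-a-z]{8}) (\S.*?)\s*$"
)

# A directory directly under a drive root with a one-character name, e.g. C:\A.
# Normal installers almost never create these, which is why they drew attention.
ROOT_SINGLE_CHAR = re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]$")


def parse_entries(text: str) -> List[Entry]:
    """Return every line that has the ComboFix entry layout, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        size_value = -1 if size.startswith("-") else int(size)
        entries.append(Entry(created, modified, size_value, attrs, path))
    return entries


def flag_root_folders(entries: List[Entry]) -> List[str]:
    """Single-character root directories, upper-cased so runs compare case-insensitively."""
    hits = {e.path.upper() for e in entries
            if e.attrs[0] == "d" and ROOT_SINGLE_CHAR.match(e.path)}
    return sorted(hits)


def build_cfscript(paths: List[str]) -> str:
    """Emit a CFScript 'Folder::' block of the shape used in the thread."""
    return "Folder::\n" + "\n".join(paths) + "\n"


def compare_runs(before_log: str, after_log: str) -> Tuple[List[str], List[str]]:
    """(still present, no longer listed) for flagged folders across two logs."""
    before = set(flag_root_folders(parse_entries(before_log)))
    after = set(flag_root_folders(parse_entries(after_log)))
    return sorted(before & after), sorted(before - after)


if __name__ == "__main__":
    print(build_cfscript(flag_root_folders(parse_entries(LOG_BEFORE))), end="")
    persisting, gone = compare_runs(LOG_BEFORE, LOG_AFTER)
    print("still listed:", persisting)
    print("no longer listed:", gone)
```

Only lines with the full entry layout are accepted, so a path containing spaces (the `Mom & Dad` profile in these logs) parses correctly while the `+`/`-` snapshot lines, which lack the attribute field, are skipped. Run against a real pair of logs, `compare_runs` gives a quick answer to the question m0le settles by inspection in #15: whether the folders named in the `Folder::` block are still being listed after the script run.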



