
XP Internet Security 2010, Virtumonde, Vundo and so forth


This topic is locked
12 replies to this topic

#1 62rad

Posted 04 March 2010 - 08:21 AM

Hello and thanks in advance for your help...

I am using WinXP, have been working on my own computers for a long time, but know enough to know I may not know just what I'm doing, LOL! I am certainly flying by the seat of my pants on this one.


I have been battling the XP Internet Security 2010, Virtumonde, Vundo and so forth for a number of days. I used the Virtumonde and Vundo removal tools after rkill. This was not detected by AdAware or Search & Destroy and only seen by Avast after the infection.

This thing wiped my Restore Points and backups and isolated the box from security sites, so I had to download to flash and move files between machines.

I used MBAM several times with much agony (blocked updates and filename changes and such) followed by a linux disc of Avira Rescue. I ran Spyware Doctor and it brought my 2.1G AMD with 2 G of RAM to its knees and then would not boot completely afterward. I remedied that with the MS Malware Remover followed by the Onecare Live Safety Center Deal in Safe Mode. SAS has been run several times now, too.

Once booting again, I deleted and reinstalled a new copy of MBAM and SAS with only MBAM complaining about asyncmac.sys which I let it delete and then ran System File Checker which never really said it fixed anything but never really complained either.

I would like someone who knows better to look at my HijackThis log and tell me whether or not I have cleaned this thing. I still have two entries in my startup that I have disabled in MSCONFIG that say there is no dll available to load… I think that's a good thing, of sorts, right?

There is a folder on my desktop named Virt_U_Monde… it is supposed to be there as it was where I was keeping all of my app downloads in one bucket.

I know this sounds simple but I have spent every free minute since this time Tuesday *a week ago* ripping my hair out on this, so… I am tired, I am toasted and I could about scream right now… **Please be gentle** 8-/

Last MBAM log:


Malwarebytes' Anti-Malware 1.44
Database version: 3818
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/3/2010 10:18:04 AM
mbam-log-2010-03-03 (10-18-04).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 271611
Time elapsed: 42 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asyncmac (Trojan.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\drivers\asyncmac.sys (Trojan.MultipleAV) -> Quarantined and deleted successfully.
D:\WINDOWS\ServicePackFiles\i386\asyncmac.sys (Trojan.MultipleAV) -> Quarantined and deleted successfully.


Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:02 AM, on 3/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\SOYO\HW Monitor\Itesmart.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\ResChanger XP\ResChangerXP.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\Logi_MwX.Exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\Mixer.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {930ec151-e672-4c34-bda0-9d7607fa9e77} - solenoda.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [23C3F5C0] d:\docume~1\r1\locals~1\tempor~1\content.ie5\mipt5sq1\speedu~1.exe /m="D:\DOCUME~1\r1\LOCALS~1\TEMPOR~1\Content.IE5\MIPT5SQ1\SPEEDU~1.EXE" /k=""
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SmartGuardian] D:\Program Files\SOYO\HW Monitor\Itesmart.exe
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ResChangerXP] "D:\Program Files\ResChanger XP\ResChangerXP.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] "D:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "D:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Highlight - D:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - D:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - D:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - D:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - D:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Zoom &In - D:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - D:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1267369556750
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - AppInit_DLLs: d:\windows\system32\zudeyuwi.dll vevesojo.dll d:\windows\system32\jodumadi.dll d:\windows\system32\ d:\windows\system32\pimenuda.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: kobahelof - {333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll (file missing)
O21 - SSODL: guzejatom - {2c86b1b4-5747-4e7c-ad3e-d3ff6bd5db30} - d:\windows\system32\teteripe.dll (file missing)
O21 - SSODL: pulesujot - {d9a83d92-7ee2-4a7e-8dd7-70cde08a24bb} - d:\windows\system32\pimenuda.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2c86b1b4-5747-4e7c-ad3e-d3ff6bd5db30} - d:\windows\system32\teteripe.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {d9a83d92-7ee2-4a7e-8dd7-70cde08a24bb} - d:\windows\system32\pimenuda.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9379 bytes



Thanks so much for reading!
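The log above is the kind a removal helper reads by eye: an O4 Run entry that launches from the Temporary Internet Files cache, an O20 AppInit_DLLs value naming several random-looking DLLs, and O2/O21/O22 entries flagged "(file missing)" (the ComboFix log later in this thread lists those same DLLs under ORPHANS REMOVED). As an added example for this thread, not code from HijackThis, BleepingComputer or either poster, the Python script below encodes those checks and runs them over a trimmed copy of the posted log. The rule names, severity levels, the suspicious-directory list and the AppInit allowlist are this example's own assumptions.

```python
"""Triage heuristics for a HijackThis v2 log.

Added example for this thread; not code from HijackThis, BleepingComputer
or the posters. It encodes a few of the checks a removal helper applies by
eye to the log above:

  * O4 Run entries that launch from a browser cache or temp folder
  * Run value names that are eight random hex digits
  * O20 AppInit_DLLs entries (empty on a stock XP install; any DLL named
    there is loaded into every process that loads user32.dll)
  * O2/O21/O22 entries whose DLL is "(file missing)", i.e. dead autostarts
    left behind after a partial clean-up

Rule names, severities and the two lists below are this example's own
assumptions; SAMPLE_LOG is a trimmed copy of the log posted above.
"""
import re

# Constructed list: locations legitimate software does not autostart from.
SUSPICIOUS_RUN_DIRS = (
    "tempor~1", "temporary internet files", "content.ie5",
    "locals~1\\temp", "local settings\\temp", "\\temp\\",
)
# Constructed allowlist for AppInit_DLLs; nothing in the posted log is on it.
APPINIT_ALLOW = {"saswinlo.dll"}

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
MISSING_RE = re.compile(r"^(?P<section>O2|O20|O21|O22) - .*\(file missing\)$")
HEX_LABEL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Trimmed copy of the HijackThis log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {930ec151-e672-4c34-bda0-9d7607fa9e77} - solenoda.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [23C3F5C0] d:\docume~1\r1\locals~1\tempor~1\content.ie5\mipt5sq1\speedu~1.exe /m="D:\DOCUME~1\r1\LOCALS~1\TEMPOR~1\Content.IE5\MIPT5SQ1\SPEEDU~1.EXE" /k=""',
    r"O20 - AppInit_DLLs: d:\windows\system32\zudeyuwi.dll vevesojo.dll d:\windows\system32\jodumadi.dll d:\windows\system32\ d:\windows\system32\pimenuda.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O21 - SSODL: kobahelof - {333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll (file missing)",
    r"O22 - SharedTaskScheduler: jugezatag - {333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe",
])


def _finding(severity, rule, line, reason):
    return {"severity": severity, "rule": rule, "reason": reason, "line": line}


def triage(log_text):
    """Run every rule over each log line; return a list of finding dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if any(d in cmd for d in SUSPICIOUS_RUN_DIRS):
                findings.append(_finding("high", "run-from-temp", line,
                    "autostart launches from a browser cache or temp directory"))
            elif HEX_LABEL_RE.match(m.group("label")):
                findings.append(_finding("medium", "random-run-label", line,
                    "Run value named with eight hex digits, typical of dropper-generated entries"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for token in m.group("dlls").split():
                name = token.rsplit("\\", 1)[-1].lower()
                if not name:
                    findings.append(_finding("medium", "appinit-bare-dir", line,
                        "AppInit_DLLs contains a bare directory: " + token))
                elif name not in APPINIT_ALLOW:
                    findings.append(_finding("high", "appinit-dll", line,
                        "AppInit_DLLs loads " + token + " into every process that loads user32.dll"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(_finding("low", "dead-autostart", line,
                m.group("section") + " entry points at a DLL that no longer exists; "
                "delete the registry entry so nothing can re-point it"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 1, 'low': 3}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:<6}] {f['rule']}: {f['reason']}\n    {f['line'][:90]}")
    print(summarize(results))
```

On the trimmed log the script reports five high findings (the Run entry under Content.IE5 plus the four DLL names in AppInit_DLLs), one medium (the bare system32 directory left in AppInit_DLLs, which is what the MSCONFIG "no dll available to load" entries also hint at) and three low "dead autostart" entries. The low ones are not live code, but leaving the registry values in place means a later dropper only has to recreate the DLL to regain a load point, which is why helpers remove them rather than ignoring them.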


#2 fenzodahl512

Posted 04 March 2010 - 11:05 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how.
  • Double-click the program to run it. It will only take a few minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP! If you can't complete this step, tell me more about it.




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
    • Please copy/paste the script below into the Custom Scans box:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next reply. Don't paste it into the post; it will be too large to fit into a single post.




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the randomly named file (or GMER) to GAMERS.
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it to this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 62rad (Topic Starter)

Posted 04 March 2010 - 04:55 PM

Thanks for your reply... sorry I took so long. It has been a busy day.

Here are your attachments as requested.

Thanks again for your help.

Attached Files



#4 fenzodahl512

Posted 04 March 2010 - 10:35 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename ComboFix to Combo-Fix.

It is important that you rename ComboFix during the download, not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so; it is in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#5 62rad (Topic Starter)

Posted 05 March 2010 - 07:40 AM

Good Morning! Thanks for hanging with me...

Here is the combofix log. Has it removed the whatever-it-is that's been buggering my machine? What is it, anyways???

Thanks again.

ComboFix 10-03-04.05 - r1 03/05/2010 6:56.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1594 [GMT -5:00]
Running from: d:\documents and settings\r1\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100304-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Administrator\My Documents\potter.reg
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\documents and settings\r1\Local Settings\Temporary Internet Files\j8bNy1P.jpg
d:\documents and settings\r1\Local Settings\Temporary Internet Files\MLymm.jpg
d:\documents and settings\r1\Local Settings\Temporary Internet Files\p2MBp.jpg
d:\documents and settings\r1\Local Settings\Temporary Internet Files\yppM6b8A.jpg
d:\program files\INSTALL.LOG
D:\setup.exe
d:\windows\system32\reboot.txt
d:\windows\system32\setup.ini
d:\windows\system32\VB40032.DLL
d:\windows\Tasks\deantdps.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
d:\windows\system32\drivers\asyncmac.sys was missing
Restored copy from - d:\windows\system32\dllcache\asyncmac.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 11:59 . 2006-02-28 12:00 14336 ----a-w- d:\windows\system32\drivers\asyncmac.sys
2010-03-05 11:59 . 2006-02-28 12:00 14336 ----a-w- d:\windows\system32\dllcache\asyncmac.sys
2010-03-04 20:25 . 2010-03-04 20:25 -------- d-----w- d:\program files\ERUNT
2010-03-03 21:07 . 2010-03-03 21:07 -------- d-----w- d:\program files\Trend Micro
2010-03-03 16:13 . 2004-08-04 05:56 116224 ----a-w- d:\windows\system32\dllcache\xrxwiadr.dll
2010-03-03 16:13 . 2001-08-18 03:37 27648 ----a-w- d:\windows\system32\dllcache\xrxftplt.exe
2010-03-03 16:13 . 2001-08-18 03:36 23040 ----a-w- d:\windows\system32\dllcache\xrxwbtmp.dll
2010-03-03 16:13 . 2001-08-18 03:36 17408 ----a-w- d:\windows\system32\dllcache\xrxscnui.dll
2010-03-03 16:13 . 2001-08-18 03:37 4608 ----a-w- d:\windows\system32\dllcache\xrxflnch.exe
2010-03-03 16:13 . 2001-08-18 03:37 99865 ----a-w- d:\windows\system32\dllcache\xlog.exe
2010-03-03 16:13 . 2001-08-17 17:11 16970 ----a-w- d:\windows\system32\dllcache\xem336n5.sys
2010-03-03 16:13 . 2004-08-04 03:29 19455 ----a-w- d:\windows\system32\dllcache\wvchntxx.sys
2010-03-03 16:11 . 2001-08-17 18:52 7040 ----a-w- d:\windows\system32\dllcache\tandqic.sys
2010-03-03 16:10 . 2001-08-18 03:36 9216 ----a-w- d:\windows\system32\dllcache\rsmgrstr.dll
2010-03-03 16:04 . 2001-08-18 03:36 121344 ----a-w- d:\windows\system32\dllcache\phvfwext.dll
2010-03-03 16:03 . 2001-08-18 03:36 123776 ----a-w- d:\windows\system32\dllcache\nv3.dll
2010-03-03 16:02 . 2001-08-17 18:53 4992 ----a-w- d:\windows\system32\dllcache\loop.sys
2010-03-03 16:01 . 2001-08-18 03:36 89088 ----a-w- d:\windows\system32\dllcache\hpgt33.dll
2010-03-03 16:00 . 2001-08-18 03:36 6216 ----a-w- d:\windows\system32\dllcache\divaci.dll
2010-03-03 15:59 . 2001-08-17 18:51 13824 ----a-w- d:\windows\system32\dllcache\bulltlp3.sys
2010-03-03 15:58 . 2001-08-17 19:07 101888 ----a-w- d:\windows\system32\dllcache\adpu160m.sys
2010-03-03 13:12 . 2010-01-07 21:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 13:12 . 2010-01-07 21:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-03-03 04:32 . 2010-03-03 04:32 52224 ----a-w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-03 04:32 . 2010-03-03 16:32 117760 ----a-w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\program files\SUPERAntiSpyware
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com
2010-03-03 04:17 . 2010-03-03 04:17 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard
2010-03-03 03:24 . 2010-03-03 03:24 1256 ----a-w- d:\windows\system32\drivers\ulvxnhqq.dat
2010-03-03 03:14 . 2010-03-03 03:14 374 ----a-w- d:\windows\system32\drivers\mhiiabcv.dat
2010-03-03 01:24 . 2010-03-03 01:24 -------- d-----w- d:\program files\Windows Live Safety Center
2010-03-01 14:59 . 2010-03-01 14:59 -------- d-----w- d:\windows\system32
2010-02-28 16:32 . 2010-02-28 16:32 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-02-28 01:07 . 2010-02-28 01:07 -------- d-----w- d:\documents and settings\r1\Application Data\Malwarebytes
2010-02-28 01:07 . 2010-02-28 01:07 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 22:00 . 2010-02-27 22:00 -------- d-----w- d:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-02-26 05:01 . 2010-02-26 05:01 -------- d-----w- d:\documents and settings\r1\Local Settings\Application Data\Threat Expert
2010-02-26 00:03 . 2010-02-26 00:03 -------- d-----w- D:\VundoFix Backups
2010-02-25 22:31 . 2010-02-25 22:31 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2010-02-25 17:39 . 2010-02-25 17:39 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-sh--w- d:\windows\system32\config\systemprofile\PrivacIE
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-----w- d:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 02:41 . 2010-02-02 02:41 -------- d-----w- d:\documents and settings\r1\Application Data\VirtualStore
2010-01-27 13:06 . 2010-01-27 13:06 -------- d-----w- d:\program files\CPUID
2010-01-24 01:23 . 2009-01-03 12:16 495680 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2001-08-23 17:00 . 2004-07-03 06:28 45124 --sha-r- d:\windows\ntdetect.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"SmartGuardian"="d:\program files\SOYO\HW Monitor\Itesmart.exe" [2002-05-24 163840]
"SiSUSBRG"="d:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"ResChangerXP"="d:\program files\ResChanger XP\ResChangerXP.exe" [2002-02-14 600576]
"RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"REGSHAVE"="d:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2004-07-04 98304]
"NvMediaCenter"="NvMCTray.dll" [2004-07-15 81920]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"InCD"="d:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"HPHUPD04"="d:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"HPDJ Taskbar Utility"="d:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"Acronis Scheduler2 Service"="d:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]

d:\documents and settings\r1\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - d:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2003-3-1 303104]
Logitech Desktop Messenger.lnk - d:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-6-8 169472]
Exif Launcher.lnk - d:\program files\FinePixViewer\QuickDCF.exe [2006-3-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [5/10/2008 6:00 AM 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [5/10/2008 6:00 AM 20560]
R2 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [1/27/2010 8:06 AM 12672]
R2 IOPort;IOPort;d:\windows\system32\drivers\IOPORT.SYS [11/27/1998 4:57 PM 6144]
R2 LBeepKE;LBeepKE;d:\windows\system32\drivers\LBeepKE.sys [12/18/2008 10:17 PM 10384]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;d:\windows\system32\drivers\getnd5b.sys [11/25/2005 5:02 PM 44544]
R3 iteio;iteio;d:\windows\system32\drivers\Iteio.sys [11/26/2005 7:52 AM 3680]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S1 dttgeozo;dttgeozo;\??\d:\windows\system32\drivers\dttgeozo.sys --> d:\windows\system32\drivers\dttgeozo.sys [?]
S1 pznwfnol;pznwfnol;\??\d:\windows\system32\drivers\pznwfnol.sys --> d:\windows\system32\drivers\pznwfnol.sys [?]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;d:\windows\system32\drivers\AliEhci.sys [3/21/2004 8:21 PM 106168]
S2 nvTUNEP;nVidia WDM TVTuner;d:\windows\system32\drivers\NVTUNEP.SYS [5/16/2004 3:07 PM 20640]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;d:\windows\system32\drivers\NVTVSND.SYS [5/16/2004 3:07 PM 22640]
S3 aliroothub;USB 2.0 Root Hub;d:\windows\system32\drivers\AliRtHub.sys [3/21/2004 8:21 PM 5337]
S3 SiSV;SiSV;d:\windows\system32\drivers\SiSV.sys [4/26/2004 10:29 PM 50432]
.
Contents of the 'Scheduled Tasks' folder

2005-04-21 d:\windows\Tasks\Symantec NetDetect.job
- d:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-25 17:24]

2010-02-25 d:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- d:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.npr.org/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Highlight - d:\windows\WEB\highlight.htm
IE: &Links List - d:\windows\WEB\urllist.htm
IE: I&mages List - d:\windows\Web\imglist.htm
IE: Open Frame in &New Window - d:\windows\WEB\frm2new.htm
IE: Open Picture in &Microsoft PhotoDraw - d:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Zoom &In - d:\windows\WEB\zoomin.htm
IE: Zoom O&ut - d:\windows\WEB\zoomout.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{930ec151-e672-4c34-bda0-9d7607fa9e77} - solenoda.dll
HKCU-Run-RealPlayer - d:\program files\Real\RealOne Player\realplay.exe
HKCU-Run-PhotoShow Deluxe Media Manager - d:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
SharedTaskScheduler-{333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll
SharedTaskScheduler-{2c86b1b4-5747-4e7c-ad3e-d3ff6bd5db30} - d:\windows\system32\teteripe.dll
SharedTaskScheduler-{d9a83d92-7ee2-4a7e-8dd7-70cde08a24bb} - d:\windows\system32\pimenuda.dll
SSODL-kobahelof-{333e1370-c889-49b1-ab92-52b5f9af2148} - d:\windows\system32\jodumadi.dll
SSODL-guzejatom-{2c86b1b4-5747-4e7c-ad3e-d3ff6bd5db30} - d:\windows\system32\teteripe.dll
SSODL-pulesujot-{d9a83d92-7ee2-4a7e-8dd7-70cde08a24bb} - d:\windows\system32\pimenuda.dll
MSConfigStartUp-zeharufof - d:\windows\system32\pimenuda.dll
MSConfigStartUp-zuwasivili - tawagifi.dll
AddRemove-Ad-aware 6 Personal - d:\progra~1\LAVASOFT\AD-AWA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 07:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\WININET.dll
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(916)
d:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3172)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
d:\program files\Common Files\Acronis\Schedule2\schedul2.exe
d:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wscntfy.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\windows\Logi_MwX.Exe
d:\windows\Mixer.exe
d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2010-03-05 07:04:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 12:04

Pre-Run: 7,292,305,408 bytes free
Post-Run: 7,158,267,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect y /NoExecute=OptIn
C:\="Microsoft Windows"

- - End Of File - - F3652FED17930D5E1D13E02772D85CE9

#6 fenzodahl512

Posted 05 March 2010 - 10:26 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

Driver::
dttgeozo
pznwfnol


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

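The two entries the CFScript above targets are the ones ComboFix listed as `S1 dttgeozo` and `S1 pznwfnol`: system-start drivers with random eight-letter names, no display name, and an image file that ComboFix could not find (the trailing `[?]`). The following is an added example, not ComboFix code and not part of any post in this thread. It parses the R*/S* lines of a ComboFix log using the layout inferred from the log posted above (an assumption), flags entries that look like orphaned malware services, and emits the matching `Driver::` block. The reading of `[?]` as "image file not found" and of `KillAll::`/`Driver::` as "stop processes, then remove the named services" is mine, based on the first and second ComboFix logs in this thread. The sample lines are a constructed subset copied from that log.

```python
"""Triage the R*/S* driver and service lines of a ComboFix log.

Added example for this thread, not part of ComboFix or of any post above.
Line layout assumed from the posted log:
    <R|S><start type> <service name>;<display name>;<image path> [<stamp>]
ComboFix prints [?] as the stamp when it could not find the image file and
shows "\??\... --> resolved path" for NT object-namespace paths (assumption).
"""
import re

# Constructed sample: a subset of the Drivers/Services lines from the
# ComboFix log posted above, copied verbatim.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [5/10/2008 6:00 AM 114768]
R2 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [1/27/2010 8:06 AM 12672]
R3 iteio;iteio;d:\windows\system32\drivers\Iteio.sys [11/26/2005 7:52 AM 3680]
S1 dttgeozo;dttgeozo;\??\d:\windows\system32\drivers\dttgeozo.sys --> d:\windows\system32\drivers\dttgeozo.sys [?]
S1 pznwfnol;pznwfnol;\??\d:\windows\system32\drivers\pznwfnol.sys --> d:\windows\system32\drivers\pznwfnol.sys [?]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;d:\windows\system32\drivers\AliEhci.sys [3/21/2004 8:21 PM 106168]
S3 SiSV;SiSV;d:\windows\system32\drivers\SiSV.sys [4/26/2004 10:29 PM 50432]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"      # R = running, S = stopped; 0 boot .. 4 disabled
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<stamp>[^\]]*)\]$"   # trailing [date time size] or [?]
)
# Eight random lowercase letters is the naming pattern of the two orphans in
# this thread; treat it as a heuristic, not as proof.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def parse_services(log_text):
    """Return one dict per R*/S* line; all other log lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["start"] = int(e["start"])
        # Keep the path ComboFix resolved (right of "-->") when one is given.
        e["image"] = e["path"].split("-->")[-1].strip()
        entries.append(e)
    return entries


def reasons(entry):
    """List the indicators that make a service entry worth a second look."""
    out = []
    if entry["stamp"] == "?":
        out.append("image file not found on disk")
    if RANDOM_NAME_RE.match(entry["name"]) and entry["display"] == entry["name"]:
        out.append("random-looking 8-letter name with no display name")
    if entry["start"] <= 1:
        out.append("boot/system start: loads before user-mode AV")
    return out


def suspicious(entries):
    """A missing image file, or a random name that loads at boot/system start."""
    picked = []
    for e in entries:
        r = reasons(e)
        missing = any("not found" in x for x in r)
        random_early = any("random" in x for x in r) and e["start"] <= 1
        if missing or random_early:
            picked.append(e)
    return picked


def build_cfscript(names):
    """Emit the CFScript text: stop processes, then remove the named services."""
    return "\n".join(["KillAll::", "", "Driver::", *names])


if __name__ == "__main__":
    hits = suspicious(parse_services(SAMPLE_LOG))
    for e in hits:
        print(f"{e['state']}{e['start']} {e['name']}: {'; '.join(reasons(e))}")
    print()
    print(build_cfscript([e["name"] for e in hits]))
```

Run against the sample, only the two `S1` orphans are selected; `aswSP` also loads at system start but has a display name and a file on disk, so it stays untouched. The heuristics are deliberately narrow: a missing image file is the strong signal, and the random-name check only counts when the entry loads early enough to matter.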

#7 62rad (Topic Starter)

Posted 05 March 2010 - 11:00 AM

I created the file. I then shut down my internet connection and AV, firewall and SAS. I moved the file to ComboFix and it ran. When it got to rebooting, the system then hung on 'Shutting Down Windows'. The monitor has now gone to sleep and it is just sitting there.

Should I go ahead and hit the reset to force a reboot?


Edit:

Never mind... must be mechanical, as it rebooted after 15 minutes. Just what I need now is a mechanical issue too, eh? <HEADSLAP> That box has always been rock solid until this, too.

I have finished the scans and will log-off this box and finish up on the other.

Edited by 62rad, 05 March 2010 - 11:38 AM.


#8 62rad (Topic Starter)

Posted 05 March 2010 - 11:48 AM

Here ya go:

ComboFix 10-03-04.05 - r1 03/05/2010 10:37:44.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1653 [GMT -5:00]
Running from: d:\documents and settings\r1\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\r1\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100305-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dttgeozo
-------\Service_pznwfnol


((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 11:59 . 2006-02-28 12:00 14336 ----a-w- d:\windows\system32\dllcache\asyncmac.sys
2010-03-05 11:59 . 2006-02-28 12:00 14336 ------w- d:\windows\system32\drivers\asyncmac.sys
2010-03-04 20:25 . 2010-03-04 20:25 -------- d-----w- d:\program files\ERUNT
2010-03-03 21:07 . 2010-03-03 21:07 -------- d-----w- d:\program files\Trend Micro
2010-03-03 16:13 . 2004-08-04 05:56 116224 ----a-w- d:\windows\system32\dllcache\xrxwiadr.dll
2010-03-03 16:13 . 2001-08-18 03:37 27648 ----a-w- d:\windows\system32\dllcache\xrxftplt.exe
2010-03-03 16:13 . 2001-08-18 03:36 23040 ----a-w- d:\windows\system32\dllcache\xrxwbtmp.dll
2010-03-03 16:13 . 2001-08-18 03:36 17408 ----a-w- d:\windows\system32\dllcache\xrxscnui.dll
2010-03-03 16:13 . 2001-08-18 03:37 4608 ----a-w- d:\windows\system32\dllcache\xrxflnch.exe
2010-03-03 16:13 . 2001-08-18 03:37 99865 ----a-w- d:\windows\system32\dllcache\xlog.exe
2010-03-03 16:13 . 2001-08-17 17:11 16970 ----a-w- d:\windows\system32\dllcache\xem336n5.sys
2010-03-03 16:13 . 2004-08-04 03:29 19455 ----a-w- d:\windows\system32\dllcache\wvchntxx.sys
2010-03-03 16:11 . 2001-08-17 18:52 7040 ----a-w- d:\windows\system32\dllcache\tandqic.sys
2010-03-03 16:10 . 2001-08-18 03:36 9216 ----a-w- d:\windows\system32\dllcache\rsmgrstr.dll
2010-03-03 16:04 . 2001-08-18 03:36 121344 ----a-w- d:\windows\system32\dllcache\phvfwext.dll
2010-03-03 16:03 . 2001-08-18 03:36 123776 ----a-w- d:\windows\system32\dllcache\nv3.dll
2010-03-03 16:02 . 2001-08-17 18:53 4992 ----a-w- d:\windows\system32\dllcache\loop.sys
2010-03-03 16:01 . 2001-08-18 03:36 89088 ----a-w- d:\windows\system32\dllcache\hpgt33.dll
2010-03-03 16:00 . 2001-08-18 03:36 6216 ----a-w- d:\windows\system32\dllcache\divaci.dll
2010-03-03 15:59 . 2001-08-17 18:51 13824 ----a-w- d:\windows\system32\dllcache\bulltlp3.sys
2010-03-03 15:58 . 2001-08-17 19:07 101888 ----a-w- d:\windows\system32\dllcache\adpu160m.sys
2010-03-03 13:12 . 2010-01-07 21:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 13:12 . 2010-01-07 21:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-03-03 04:32 . 2010-03-03 04:32 52224 ----a-w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-03 04:32 . 2010-03-03 16:32 117760 ----a-w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\program files\SUPERAntiSpyware
2010-03-03 04:30 . 2010-03-03 04:30 -------- d-----w- d:\documents and settings\r1\Application Data\SUPERAntiSpyware.com
2010-03-03 04:17 . 2010-03-03 04:17 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard
2010-03-03 03:24 . 2010-03-03 03:24 1256 ----a-w- d:\windows\system32\drivers\ulvxnhqq.dat
2010-03-03 03:14 . 2010-03-03 03:14 374 ----a-w- d:\windows\system32\drivers\mhiiabcv.dat
2010-03-03 01:24 . 2010-03-03 01:24 -------- d-----w- d:\program files\Windows Live Safety Center
2010-03-01 14:59 . 2010-03-01 14:59 -------- d-----w- d:\windows\system32
2010-02-28 16:32 . 2010-02-28 16:32 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-02-28 01:07 . 2010-02-28 01:07 -------- d-----w- d:\documents and settings\r1\Application Data\Malwarebytes
2010-02-28 01:07 . 2010-02-28 01:07 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 22:00 . 2010-02-27 22:00 -------- d-----w- d:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-02-26 05:01 . 2010-02-26 05:01 -------- d-----w- d:\documents and settings\r1\Local Settings\Application Data\Threat Expert
2010-02-26 00:03 . 2010-02-26 00:03 -------- d-----w- D:\VundoFix Backups
2010-02-25 22:31 . 2010-02-25 22:31 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2010-02-25 17:39 . 2010-02-25 17:39 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-sh--w- d:\windows\system32\config\systemprofile\PrivacIE
2010-02-25 17:00 . 2010-02-25 17:00 -------- d-----w- d:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 02:41 . 2010-02-02 02:41 -------- d-----w- d:\documents and settings\r1\Application Data\VirtualStore
2010-01-27 13:06 . 2010-01-27 13:06 -------- d-----w- d:\program files\CPUID
2010-01-24 01:23 . 2009-01-03 12:16 495680 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2001-08-23 17:00 . 2004-07-03 06:28 45124 --sha-r- d:\windows\ntdetect.com
.

((((((((((((((((((((((((((((( SnapShot@2010-03-05_12.02.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 16:26 . 2010-03-05 16:26 16384 d:\windows\Temp\Perflib_Perfdata_6a4.dat
+ 2010-03-05 16:26 . 2010-03-05 16:26 16384 d:\windows\Temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"SmartGuardian"="d:\program files\SOYO\HW Monitor\Itesmart.exe" [2002-05-24 163840]
"SiSUSBRG"="d:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Share-to-Web Namespace Daemon"="d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"ResChangerXP"="d:\program files\ResChanger XP\ResChangerXP.exe" [2002-02-14 600576]
"RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"REGSHAVE"="d:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2004-07-04 98304]
"NvMediaCenter"="NvMCTray.dll" [2004-07-15 81920]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"InCD"="d:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"HPHUPD04"="d:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"HPDJ Taskbar Utility"="d:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"Acronis Scheduler2 Service"="d:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]

d:\documents and settings\r1\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - d:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2003-3-1 303104]
Logitech Desktop Messenger.lnk - d:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-6-8 169472]
Exif Launcher.lnk - d:\program files\FinePixViewer\QuickDCF.exe [2006-3-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [5/10/2008 6:00 AM 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [5/10/2008 6:00 AM 20560]
R2 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [1/27/2010 8:06 AM 12672]
R2 IOPort;IOPort;d:\windows\system32\drivers\IOPORT.SYS [11/27/1998 4:57 PM 6144]
R2 LBeepKE;LBeepKE;d:\windows\system32\drivers\LBeepKE.sys [12/18/2008 10:17 PM 10384]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;d:\windows\system32\drivers\getnd5b.sys [11/25/2005 5:02 PM 44544]
R3 iteio;iteio;d:\windows\system32\drivers\Iteio.sys [11/26/2005 7:52 AM 3680]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;d:\windows\system32\drivers\AliEhci.sys [3/21/2004 8:21 PM 106168]
S2 nvTUNEP;nVidia WDM TVTuner;d:\windows\system32\drivers\NVTUNEP.SYS [5/16/2004 3:07 PM 20640]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;d:\windows\system32\drivers\NVTVSND.SYS [5/16/2004 3:07 PM 22640]
S3 aliroothub;USB 2.0 Root Hub;d:\windows\system32\drivers\AliRtHub.sys [3/21/2004 8:21 PM 5337]
S3 SiSV;SiSV;d:\windows\system32\drivers\SiSV.sys [4/26/2004 10:29 PM 50432]
.
Contents of the 'Scheduled Tasks' folder

2005-04-21 d:\windows\Tasks\Symantec NetDetect.job
- d:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-25 17:24]

2010-02-25 d:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- d:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.npr.org/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Highlight - d:\windows\WEB\highlight.htm
IE: &Links List - d:\windows\WEB\urllist.htm
IE: I&mages List - d:\windows\Web\imglist.htm
IE: Open Frame in &New Window - d:\windows\WEB\frm2new.htm
IE: Open Picture in &Microsoft PhotoDraw - d:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Zoom &In - d:\windows\WEB\zoomin.htm
IE: Zoom O&ut - d:\windows\WEB\zoomout.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 11:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\WININET.dll
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(916)
d:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3068)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
d:\program files\Common Files\Acronis\Schedule2\schedul2.exe
d:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wscntfy.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\windows\Logi_MwX.Exe
d:\windows\Mixer.exe
d:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2010-03-05 11:29:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 16:29
ComboFix2.txt 2010-03-05 12:04

Pre-Run: 7,172,636,672 bytes free
Post-Run: 7,118,602,240 bytes free

- - End Of File - - 69F8954DD81A6460753FC976F409AE12






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:47 AM, on 3/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\SOYO\HW Monitor\Itesmart.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\ResChanger XP\ResChangerXP.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\WINDOWS\Logi_MwX.Exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SmartGuardian] D:\Program Files\SOYO\HW Monitor\Itesmart.exe
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ResChangerXP] "D:\Program Files\ResChanger XP\ResChangerXP.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] "D:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Highlight - D:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - D:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: I&mages List - D:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - D:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Zoom &In - D:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - D:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1267369556750
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8159 bytes

#9 fenzodahl512

Posted 06 March 2010 - 12:44 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?



#10 62rad (Topic Starter)

Posted 06 March 2010 - 09:24 AM

Hello again,

The computer seems to be running rather well, but I have refrained from doing anything that involves file creation or exchanging files with any other computers... don't want to get any other boxes sick.

I am amazed that, considering I have run scanner after scanner for a week and a half now, ESET found more bad stuff in my old mail archives and even found one or two on my old Win98SE partition. It's not like I run without antivirus protection and I run S&D and AdAware from time to time, too. Incredible.

Thanks for helping.

Here are the ESET results... Note that the reference to Virt_U_Monde on the desktop is a folder I created for putting all the stuff I was downloading for fixer tools and such. I named it that so that malware would not recognize the name... not sure it would have mattered, but I did it that way anyhow.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac902f48fee1d149b82e8387d5302564
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-03-06 02:02:23
# local_time=2010-03-06 09:02:23 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 145856 145856 0 0
# compatibility_mode=769 16775141 100 98 0 203242280 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=146134
# found=8
# cleaned=4
# scan_time=5020
C:\WINDOWS\Application Data\Identities\{1AF781A0-B0AC-11D6-9D12-96527190A971}\Microsoft\Outlook Express\Ralph's Mail.dbx Win32/Klez.E worm (unable to clean) A759E571AECCE27ACF9C3A072CE3F839 I
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) B00CCB642D94E5367707D6FEDC238195 C
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Apr06.dbx HTML/Phishing.gen trojan (unable to clean) 8FB01F3CEBB742420A14FAD6E903493F I
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Feb08.dbx HTML/Phishing.gen trojan (unable to clean) 1112755ABD292F8869981BEEE969ED44 I
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Ralph's Mail.dbx Win32/Klez.E worm (unable to clean) E9342C78C42EAB4B1298343D89B5822E I
D:\Documents and Settings\r1\Desktop\Virt_U_Monde\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 9AEDF6EE46FE2FAC99566477E2830A28 C
D:\Program Files\Qualcomm\Eudora Pro\old in.fol\Old In 6.fol\Old In 6.mbx.XXX Win32/Netsky.O worm 10E3A55F53862AB68EA394E880605B61 C
D:\System Volume Information\_restore{B5D51277-5DE5-42DB-920B-96CB0D9BB888}\RP12\A0021896.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 9AEDF6EE46FE2FAC99566477E2830A28 C

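The ESET log above reports `found=8` and `cleaned=4`, and every record ESET could not clean is an Outlook Express `.dbx` mail store, while the two `Win32/Agent` hits share one MD5 (the copy in the user's tool folder and its snapshot under `System Volume Information`). The following added example, not ESET code and not part of any post in this thread, parses that log format (layout inferred from the posted log: path, threat name, optional action in parentheses, MD5, one-letter flag, with C read as cleaned and I as still infected; all assumptions), checks the per-record results against the summary header, labels where each uncleaned item sits, and groups records by hash so a file detected twice is counted once. The sample is a constructed copy of the header and record lines from the posted log.

```python
"""Reconcile an ESET Online Scanner log with its own summary header.

Added example for this thread; it is not ESET code. Record layout assumed
from the log posted above:
    <path> <threat name> [(<action>)] <MD5> <flag>
with flag C read as "cleaned" and I as "still infected" (assumption).
"""
import re
from collections import defaultdict

# Constructed sample: header lines and the eight records from the ESET log above.
SAMPLE_LOG = r"""
# scanned=146134
# found=8
# cleaned=4
C:\WINDOWS\Application Data\Identities\{1AF781A0-B0AC-11D6-9D12-96527190A971}\Microsoft\Outlook Express\Ralph's Mail.dbx Win32/Klez.E worm (unable to clean) A759E571AECCE27ACF9C3A072CE3F839 I
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) B00CCB642D94E5367707D6FEDC238195 C
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Apr06.dbx HTML/Phishing.gen trojan (unable to clean) 8FB01F3CEBB742420A14FAD6E903493F I
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Feb08.dbx HTML/Phishing.gen trojan (unable to clean) 1112755ABD292F8869981BEEE969ED44 I
D:\Documents and Settings\r1\Local Settings\Application Data\Identities\{774C9B9E-E751-403B-81B1-629FA758B2C1}\Microsoft\Outlook Express\Ralph's Mail.dbx Win32/Klez.E worm (unable to clean) E9342C78C42EAB4B1298343D89B5822E I
D:\Documents and Settings\r1\Desktop\Virt_U_Monde\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 9AEDF6EE46FE2FAC99566477E2830A28 C
D:\Program Files\Qualcomm\Eudora Pro\old in.fol\Old In 6.fol\Old In 6.mbx.XXX Win32/Netsky.O worm 10E3A55F53862AB68EA394E880605B61 C
D:\System Volume Information\_restore{B5D51277-5DE5-42DB-920B-96CB0D9BB888}\RP12\A0021896.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 9AEDF6EE46FE2FAC99566477E2830A28 C
"""

RECORD_RE = re.compile(
    r"^(?P<path>.+?)\s+"                                   # path may contain spaces
    r"(?P<threat>(?:probably a variant of\s+)?[\w.-]+/\S+\s+"
    r"(?:worm|trojan|virus|backdoor|adware|application))"  # threat names seen in this log
    r"(?:\s+\((?P<action>[^)]*)\))?"                       # action is optional
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<flag>[A-Z])$"
)


def parse_eset_log(text):
    """Split the log into a header dict (# key=value) and a list of records."""
    header, records = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header.setdefault(key, value)  # keep the first of a repeated key
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return header, records


def container_kind(path):
    """Rough label for where a detection sits. 'Unable to clean' hits inside
    mail stores are flagged messages in an archive, not code that runs."""
    low = path.lower()
    if low.endswith(".dbx") or ".mbx" in low:
        return "mail store"      # Outlook Express .dbx / Eudora .mbx
    if "system volume information" in low:
        return "restore point"
    if low.endswith(".zip"):
        return "archive"
    return "file"


def reconcile(header, records):
    """Compare the header's found/cleaned counts with the per-record flags."""
    found = int(header.get("found", 0))
    cleaned_hdr = int(header.get("cleaned", 0))
    cleaned = sum(1 for r in records if r["flag"] == "C")
    return {
        "found": found,
        "cleaned": cleaned_hdr,
        "records": len(records),
        "cleaned_records": cleaned,
        "consistent": found == len(records) and cleaned_hdr == cleaned,
        "uncleaned": [(r["path"], container_kind(r["path"])) for r in records if r["flag"] != "C"],
    }


def duplicate_hashes(records):
    """Group paths by MD5; a group of two or more is one file seen in several places."""
    by_md5 = defaultdict(list)
    for r in records:
        by_md5[r["md5"].upper()].append(r["path"])
    return {h: paths for h, paths in by_md5.items() if len(paths) > 1}


if __name__ == "__main__":
    hdr, recs = parse_eset_log(SAMPLE_LOG)
    summary = reconcile(hdr, recs)
    print(f"header found={summary['found']} cleaned={summary['cleaned']}; "
          f"records={summary['records']} cleaned={summary['cleaned_records']}; "
          f"consistent={summary['consistent']}")
    for path, kind in summary["uncleaned"]:
        print(f"  not cleaned [{kind}]: {path}")
    for h, paths in duplicate_hashes(recs).items():
        print(f"  same file ({h}) at {len(paths)} locations")
```

For this log the header and the records agree (8 found, 4 cleaned), the four uncleaned items are all mail stores, and the hash grouping collapses the two `Win32/Agent` lines to one file. The practical takeaway is that a scanner reporting a whole `.dbx` as "unable to clean" is pointing at an old message inside the archive; the fix is to delete that message in the mail client and compact the folder, not to treat it as an active infection.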
#11 fenzodahl512

Posted 06 March 2010 - 01:18 PM

Looks good to me. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 62rad

62rad
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:43 AM

Posted 07 March 2010 - 09:05 PM

Hello,

Well, I've been driving it around the block off and on today and it seems to be running pretty darned good, actually. I'm still surprised that it took so many scanners to find it all. I think I'll get into the family's other boxes with a bunch of scanners as they've been using the same protection, or lack of protection.

What, exactly, was this thing's name?

At any rate... Thanks so much to you for helping. I might have, would have, figured it clean a long time ago only to crash and burn later. Who knows if I would have spread something. But I guess you know that, huh? ;-)

Seriously, many thanks to you and to BleepingComputer for providing this service. It is appreciated.

Thanks.


#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:06:43 PM

Posted 08 March 2010 - 07:16 AM

You're very much welcome.. It was some bad rogue security program bundled with some trojans :)

I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512


