TDSS Removal success?


  • This topic is locked
25 replies to this topic

#1 EEEO

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 04 March 2010 - 04:11 PM

Chain of events:

Symptoms:
-Browser issues--Chrome wouldn't load pages, Firefox and IE would redirect to various sites.
-Various programs would not launch, or would begin to launch and have fatal error.

Downloaded and ran the following (not necessarily in this order):
SUPERAntiSpyware
Ad-Aware
SpybotSD
Malwarebytes' Anti-Malware

Regained browser and program functionality temporarily. Virus must have reinstalled.

Ran ComboFix.

Subsequently found this site and discovered TDSS exhibited behavior exactly like what I was experiencing.

Downloaded tdsskiller and ran it. It didn't find any instances of TDSS.

Twice while browsing this site, Chrome has locked up, so I shut it down and when I try to restart Chrome, the entire system reboots!

Also, in preparation, I tried to run Defogger, but Daemon tools still seems to be running.
I did run dds and have the two logs it produced. ("Attach" file is attached)
I TRIED to run gmer, but it has an error shortly after startup while beginning its scan and quits*.
*Edited to add that I did have success in running gmer and I do have a log, but it's larger than what I can upload as an attachment.

I'm not entirely convinced this machine is clean!

Thank you in advance.

DDS Log results:

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\ScanSoft\PAPERP~1\PDFC!\PdfCreateHook.exe
C:\Documents and Settings\Eric Oberg\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [PPScheduler] c:\program files\scansoft\paperport\PPScheduler.exe
uRun: [Google Update] "c:\documents and settings\eric oberg\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258075489812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericob~1\applic~1\mozilla\firefox\profiles\0jdrwpti.default\
FF - plugin: c:\documents and settings\eric oberg\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2009-11-12 156800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Imakaut;Imakaut; [x]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2009-11-12 5248]

=============== Created Last 30 ================

2010-03-04 19:59:42 26 ----a-w- c:\documents and settings\eric oberg\defogger_reenable
2010-03-04 18:50:36 0 d-sha-r- C:\cmdcons
2010-03-04 18:49:48 98816 ----a-w- c:\windows\sed.exe
2010-03-04 18:49:48 77312 ----a-w- c:\windows\MBR.exe
2010-03-04 18:49:48 261632 ----a-w- c:\windows\PEV.exe
2010-03-04 18:49:48 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 18:49:42 0 d-----w- C:\ComboFix
2010-03-03 05:56:03 0 d-----w- c:\program files\TrendMicro
2010-03-03 05:45:19 0 d-----w- c:\docume~1\ericob~1\applic~1\Malwarebytes
2010-03-03 05:45:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 05:45:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 05:45:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 05:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-03 05:08:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-03 05:08:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-01 09:58:54 3748 ----a-w- c:\windows\system32\gapocra.dat
2010-02-24 23:23:57 0 d-sh--w- c:\documents and settings\eric oberg\IECompatCache
2010-02-24 14:35:15 0 d-----w- c:\windows\system32\XPSViewer
2010-02-24 14:34:39 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-24 14:34:39 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-24 14:34:39 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-24 14:34:39 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-24 14:34:39 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-24 14:34:38 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-24 14:34:38 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-24 14:31:50 0 d-----w- c:\program files\MSXML 6.0
2010-02-23 09:00:33 0 d-----w- c:\windows\system32\KB905474
2010-02-22 15:17:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-22 02:02:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-22 02:02:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 02:02:28 0 d-----w- c:\docume~1\ericob~1\applic~1\SUPERAntiSpyware.com
2010-02-22 02:01:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 02:00:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-22 02:00:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 01:59:59 0 d-----w- c:\program files\Lavasoft
2010-02-21 21:44:04 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-21 21:38:21 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-02-01 05:52:38 30892 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-21 19:14:06 2720585 ----a-w- c:\windows\system32\fojmcrashe.dll
2009-12-21 19:14:06 1969853 ----a-w- c:\windows\system32\gapocra.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 14:47:45.03 ===============



Attached Files


Edited by EEEO, 04 March 2010 - 07:38 PM.


#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:47 PM

Posted 07 March 2010 - 03:36 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 EEEO
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 07 March 2010 - 07:15 PM

Like I stated in my first post, I may have eradicated the problem, but I thought that I had before, and I hadn't. Currently I have only one issue which I can't explain, which is Google Chrome randomly locking up (in that the windows are unresponsive but I can still close the program with the "X"), and when I subsequently try to re-start Chrome, the computer reboots itself. I'm NOT confident that I've completely cleaned my computer at this point!

DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Eric Oberg at 17:55:49.48 on Sun 03/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.554 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eric Oberg\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [PPScheduler] c:\program files\scansoft\paperport\PPScheduler.exe
uRun: [Google Update] "c:\documents and settings\eric oberg\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258075489812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericob~1\applic~1\mozilla\firefox\profiles\0jdrwpti.default\
FF - plugin: c:\documents and settings\eric oberg\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Imakaut;Imakaut; [x]

=============== Created Last 30 ================

2010-03-05 00:51:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-04 23:03:46 0 d-----w- c:\windows\system32\appmgmt
2010-03-04 23:03:18 0 d-----w- c:\windows\SxsCaPendDel
2010-03-04 19:59:42 26 ----a-w- c:\documents and settings\eric oberg\defogger_reenable
2010-03-04 18:50:36 0 d-sha-r- C:\cmdcons
2010-03-04 18:49:48 98816 ----a-w- c:\windows\sed.exe
2010-03-04 18:49:48 77312 ----a-w- c:\windows\MBR.exe
2010-03-04 18:49:48 261632 ----a-w- c:\windows\PEV.exe
2010-03-04 18:49:48 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 18:49:42 0 d-----w- C:\ComboFix
2010-03-03 05:56:03 0 d-----w- c:\program files\TrendMicro
2010-03-03 05:45:19 0 d-----w- c:\docume~1\ericob~1\applic~1\Malwarebytes
2010-03-03 05:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-03 05:08:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-03 05:08:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-01 09:58:54 3748 ----a-w- c:\windows\system32\gapocra.dat
2010-02-24 23:23:57 0 d-sh--w- c:\documents and settings\eric oberg\IECompatCache
2010-02-24 14:35:15 0 d-----w- c:\windows\system32\XPSViewer
2010-02-24 14:34:39 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-24 14:34:39 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-24 14:34:39 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-24 14:34:39 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-24 14:34:39 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-24 14:34:38 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-24 14:34:38 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-24 14:31:50 0 d-----w- c:\program files\MSXML 6.0
2010-02-23 09:00:33 0 d-----w- c:\windows\system32\KB905474
2010-02-22 02:02:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-22 02:02:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 02:02:28 0 d-----w- c:\docume~1\ericob~1\applic~1\SUPERAntiSpyware.com
2010-02-22 02:01:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-21 21:44:04 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-21 21:38:21 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-02-01 05:52:38 30892 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-21 19:14:06 2720585 ----a-w- c:\windows\system32\fojmcrashe.dll
2009-12-21 19:14:06 1969853 ----a-w- c:\windows\system32\gapocra.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 17:56:04.98 ===============


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:47 PM

Posted 08 March 2010 - 03:52 PM

Hello, EEEO
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:47 PM

Posted 13 March 2010 - 03:32 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:47 PM

Posted 13 March 2010 - 02:42 PM

Reopened by user request.
regards,
schrauber


#7 EEEO

EEEO
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:47 PM

Posted 13 March 2010 - 02:52 PM

I ran ComboFix as requested and the report follows:

ComboFix 10-03-13.01 - Eric Oberg 03/13/2010 13:43:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.552 [GMT -6:00]
Running from: c:\documents and settings\Eric Oberg\Desktop\schrauber.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-13 17:20 . 2010-03-13 17:20 -------- d-----w- c:\windows\LastGood
2010-03-05 00:52 . 2010-03-05 00:52 52224 ----a-w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-05 00:52 . 2010-03-05 00:52 117760 ----a-w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-05 00:51 . 2010-03-05 00:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-04 23:03 . 2010-03-04 23:09 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-04 18:49 . 2010-03-13 19:42 -------- d-----w- C:\ComboFix
2010-03-03 05:56 . 2010-03-03 05:56 -------- d-----w- c:\program files\TrendMicro
2010-03-03 05:45 . 2010-03-03 05:45 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Malwarebytes
2010-03-03 05:45 . 2010-03-03 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 05:08 . 2010-03-04 23:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-03 05:08 . 2010-03-04 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-01 09:58 . 2010-03-01 09:58 3748 ----a-w- c:\windows\system32\gapocra.dat
2010-02-24 23:23 . 2010-02-24 23:23 -------- d-sh--w- c:\documents and settings\Eric Oberg\IECompatCache
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\program files\MSBuild
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\program files\Reference Assemblies
2010-02-24 14:34 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-24 14:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-24 14:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-24 14:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-24 14:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-24 14:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-24 14:34 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-24 14:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-24 14:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-24 14:31 . 2010-02-24 14:31 -------- d-----w- c:\program files\MSXML 6.0
2010-02-23 09:00 . 2010-02-23 09:00 -------- d-----w- c:\windows\system32\KB905474
2010-02-23 09:00 . 2009-03-11 04:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-02-23 09:00 . 2009-03-11 04:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-02-22 02:02 . 2010-02-22 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-22 02:02 . 2010-03-05 00:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 02:02 . 2010-03-05 00:51 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com
2010-02-22 02:01 . 2010-02-22 02:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 01:59 . 2010-03-04 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-21 21:44 . 2010-02-21 21:44 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-21 21:38 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-21 21:35 . 2010-02-21 21:35 0 ----a-w- c:\windows\nsreg.dat
2010-02-21 21:35 . 2010-02-21 21:35 -------- d-----w- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Mozilla
2010-02-20 09:34 . 2010-02-20 09:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 05:56 . 2009-12-02 16:38 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\uTorrent
2010-03-04 23:09 . 2009-11-13 16:16 -------- d-----w- c:\program files\DivX
2010-03-04 18:54 . 2009-11-13 18:02 -------- d-----w- c:\program files\Brother
2010-03-04 18:54 . 2009-11-12 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 09:34 . 2009-11-13 00:42 -------- d-----w- c:\program files\uTorrent
2010-02-24 22:58 . 2009-11-12 23:49 31392 ----a-w- c:\documents and settings\Eric Oberg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 04:17 . 2010-02-02 04:17 -------- d-----w- c:\program files\VideoLAN
2010-02-01 05:52 . 2010-02-01 05:52 30892 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-29 17:47 . 2010-01-29 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2010-01-29 17:47 . 2010-01-29 17:47 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-29 17:47 . 2009-11-13 01:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-29 16:16 . 2010-01-14 18:18 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Apple Computer
2010-01-29 16:00 . 2010-01-14 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-21 16:55 . 2010-01-21 16:55 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Media Player Classic
2010-01-16 22:33 . 2009-11-13 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\program files\iTunes
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\program files\iPod
2010-01-14 18:17 . 2010-01-14 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-14 18:17 . 2010-01-14 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\Bonjour
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\QuickTime
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\Apple Software Update
2009-12-31 16:14 . 2004-08-04 01:07 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2009-12-21 19:14 2720585 ----a-w- c:\windows\system32\fojmcrashe.dll
2009-12-21 19:14 . 2009-12-21 19:14 1969853 ----a-w- c:\windows\system32\gapocra.dll
2009-12-21 19:14 . 2004-08-04 01:07 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2009-11-12 22:56 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 01:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-04_19.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-13 17:18 . 2010-03-13 17:18 16384 c:\windows\Temp\Perflib_Perfdata_5c4.dat
+ 2010-03-05 00:51 . 2010-03-05 00:51 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2010-02-22 02:02 . 2010-02-22 02:02 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2010-02-22 02:02 . 2010-02-22 02:02 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-03-05 00:51 . 2010-03-05 00:51 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 23558 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 23558 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
- 2010-02-22 02:02 . 2010-02-22 02:02 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2010-03-05 00:51 . 2010-03-05 00:51 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2009-11-13 01:07 . 2010-03-05 01:59 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
- 2009-11-13 01:07 . 2009-11-16 20:37 295606 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
+ 2010-03-05 00:51 . 2010-03-05 00:51 1583616 c:\windows\Installer\14d35f.msi
+ 2009-11-28 03:16 . 2009-11-28 03:16 10935296 c:\windows\Installer\8ee42.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPScheduler"="c:\program files\ScanSoft\PaperPort\PPScheduler.exe" [2005-02-28 98304]
"Google Update"="c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-13 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-02-28 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-02-28 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-13 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-29 110592]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-1-4 724992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 Imakaut;Imakaut; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003Core.job
- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-13 01:17]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003UA.job
- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-13 01:17]

2010-03-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-23 04:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Eric Oberg\Application Data\Mozilla\Firefox\Profiles\0jdrwpti.default\
FF - plugin: c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 13:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-13 13:48:15
ComboFix-quarantined-files.txt 2010-03-13 19:48
ComboFix2.txt 2010-03-04 19:05

Pre-Run: 14,496,632,832 bytes free
Post-Run: 14,497,054,720 bytes free

- - End Of File - - EB53CFDC5E41DAB21629531027A68F3F

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:47 PM

Posted 13 March 2010 - 03:03 PM

Hi,

Please navigate to C:\Qoobox and post back with the content of Combofix2.txt.
regards,
schrauber


#9 EEEO

EEEO
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:47 PM

Posted 13 March 2010 - 03:05 PM

ComboFix2 log:

ComboFix 10-03-03.09 - Eric Oberg 03/04/2010 12:55:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.645 [GMT -6:00]
Running from: c:\documents and settings\Eric Oberg\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\Vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-03 05:56 . 2010-03-03 05:56 388096 ----a-r- c:\documents and settings\Eric Oberg\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-03 05:56 . 2010-03-03 05:56 -------- d-----w- c:\program files\TrendMicro
2010-03-03 05:45 . 2010-03-03 05:45 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Malwarebytes
2010-03-03 05:45 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 05:45 . 2010-03-03 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 05:45 . 2010-03-03 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 05:45 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 05:08 . 2010-03-03 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 05:08 . 2010-03-03 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-01 09:58 . 2010-03-01 09:58 3748 ----a-w- c:\windows\system32\gapocra.dat
2010-02-24 23:23 . 2010-02-24 23:23 -------- d-sh--w- c:\documents and settings\Eric Oberg\IECompatCache
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\program files\MSBuild
2010-02-24 14:35 . 2010-02-24 14:35 -------- d-----w- c:\program files\Reference Assemblies
2010-02-24 14:34 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-24 14:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-24 14:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-24 14:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-24 14:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-24 14:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-24 14:34 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-24 14:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-24 14:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-24 14:31 . 2010-02-24 14:31 -------- d-----w- c:\program files\MSXML 6.0
2010-02-23 09:00 . 2010-02-23 09:00 -------- d-----w- c:\windows\system32\KB905474
2010-02-23 09:00 . 2009-03-11 04:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-02-23 09:00 . 2009-03-11 04:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-02-22 15:17 . 2010-02-22 02:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-22 02:03 . 2010-02-22 02:03 52224 ----a-w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-22 02:03 . 2010-03-03 04:26 117760 ----a-w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-22 02:02 . 2010-02-22 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-22 02:02 . 2010-02-22 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 02:02 . 2010-02-22 02:02 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\SUPERAntiSpyware.com
2010-02-22 02:00 . 2010-02-22 02:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-22 02:00 . 2010-02-22 02:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 02:00 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-22 01:59 . 2010-02-22 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-22 01:59 . 2010-02-22 02:00 -------- d-----w- c:\program files\Lavasoft
2010-02-21 21:44 . 2010-02-21 21:44 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-21 21:38 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-21 21:35 . 2010-02-21 21:35 0 ----a-w- c:\windows\nsreg.dat
2010-02-21 21:35 . 2010-02-21 21:35 -------- d-----w- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Mozilla
2010-02-20 09:34 . 2010-02-20 09:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 18:54 . 2009-11-13 18:02 -------- d-----w- c:\program files\Brother
2010-03-04 18:54 . 2009-11-12 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-04 18:47 . 2009-12-02 16:38 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\uTorrent
2010-03-04 18:40 . 2010-02-02 04:29 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\vlc
2010-02-25 09:34 . 2009-11-13 00:42 -------- d-----w- c:\program files\uTorrent
2010-02-24 22:58 . 2009-11-12 23:49 31392 ----a-w- c:\documents and settings\Eric Oberg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 04:17 . 2010-02-02 04:17 -------- d-----w- c:\program files\VideoLAN
2010-02-01 05:52 . 2010-02-01 05:52 30892 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-29 17:47 . 2010-01-29 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2010-01-29 17:47 . 2010-01-29 17:47 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-29 17:47 . 2009-11-13 01:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-29 16:16 . 2010-01-14 18:18 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Apple Computer
2010-01-29 16:00 . 2010-01-14 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-21 16:55 . 2010-01-21 16:55 -------- d-----w- c:\documents and settings\Eric Oberg\Application Data\Media Player Classic
2010-01-16 22:33 . 2009-11-13 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\program files\iTunes
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-14 18:17 . 2010-01-14 18:17 -------- d-----w- c:\program files\iPod
2010-01-14 18:17 . 2010-01-14 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-01-14 18:17 . 2010-01-14 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\Bonjour
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\QuickTime
2010-01-14 18:16 . 2010-01-14 18:16 -------- d-----w- c:\program files\Apple Software Update
2010-01-04 18:29 . 2010-01-04 18:28 -------- d-----w- c:\program files\Common Files\Intuit
2010-01-04 18:28 . 2010-01-04 18:28 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-01-04 18:28 . 2010-01-04 18:28 -------- d-----w- c:\program files\Intuit
2009-12-31 16:14 . 2004-08-04 01:07 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2009-12-21 19:14 2720585 ----a-w- c:\windows\system32\fojmcrashe.dll
2009-12-21 19:14 . 2009-12-21 19:14 1969853 ----a-w- c:\windows\system32\gapocra.dll
2009-12-21 19:14 . 2004-08-04 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2009-11-12 22:56 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 01:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 07:07 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPScheduler"="c:\program files\ScanSoft\PaperPort\PPScheduler.exe" [2005-02-28 98304]
"Google Update"="c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-13 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-11-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-13 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-02-28 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-02-28 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-13 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-29 110592]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-1-4 724992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [11/12/2009 6:41 PM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [11/12/2009 6:41 PM 5248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 Imakaut;Imakaut; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:01]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003Core.job
- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-13 01:17]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003UA.job
- c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-13 01:17]

2010-03-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-23 04:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Eric Oberg\Application Data\Mozilla\Firefox\Profiles\0jdrwpti.default\
FF - plugin: c:\documents and settings\Eric Oberg\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-04 13:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 19:05

Pre-Run: 13,396,946,944 bytes free
Post-Run: 13,806,186,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3F716F852D457994EF4A66374FAB8306


#10 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 March 2010 - 03:10 PM

Hi,

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#11 EEEO
  • Topic Starter
  • Members
  • 12 posts

Posted 13 March 2010 - 03:27 PM

Ran TDSSKiller as requested and the log contents follow:

14:26:19:415 2532 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
14:26:19:415 2532 ================================================================================
14:26:19:415 2532 SystemInfo:

14:26:19:415 2532 OS Version: 5.1.2600 ServicePack: 2.0
14:26:19:415 2532 Product type: Workstation
14:26:19:415 2532 ComputerName: EOS-51875D09518
14:26:19:415 2532 UserName: Eric Oberg
14:26:19:415 2532 Windows directory: C:\WINDOWS
14:26:19:415 2532 Processor architecture: Intel x86
14:26:19:415 2532 Number of processors: 2
14:26:19:415 2532 Page size: 0x1000
14:26:19:415 2532 Boot type: Normal boot
14:26:19:415 2532 ================================================================================
14:26:19:415 2532 UnloadDriverW: NtUnloadDriver error 2
14:26:19:415 2532 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:26:19:431 2532 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:26:19:431 2532 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:26:19:431 2532 wfopen_ex: Trying to KLMD file open
14:26:19:431 2532 wfopen_ex: File opened ok (Flags 2)
14:26:19:431 2532 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:26:19:431 2532 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:26:19:431 2532 wfopen_ex: Trying to KLMD file open
14:26:19:431 2532 wfopen_ex: File opened ok (Flags 2)
14:26:19:431 2532 Initialize success
14:26:19:431 2532
14:26:19:431 2532 Scanning Services ...
14:26:19:681 2532 GetAdvancedServicesInfo: Raw services enum returned 309 services
14:26:19:696 2532
14:26:19:696 2532 Scanning Kernel memory ...
14:26:19:696 2532 Devices to scan: 8
14:26:19:696 2532
14:26:19:696 2532 Driver Name: Disk
14:26:19:696 2532 IRP_MJ_CREATE : F7875C30
14:26:19:696 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:696 2532 IRP_MJ_CLOSE : F7875C30
14:26:19:696 2532 IRP_MJ_READ : F786FD9B
14:26:19:696 2532 IRP_MJ_WRITE : F786FD9B
14:26:19:696 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:696 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:696 2532 IRP_MJ_FLUSH_BUFFERS : F7870366
14:26:19:696 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_DEVICE_CONTROL : F787044D
14:26:19:696 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7873FC3
14:26:19:696 2532 IRP_MJ_SHUTDOWN : F7870366
14:26:19:696 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:696 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:696 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:696 2532 IRP_MJ_POWER : F7871EF3
14:26:19:696 2532 IRP_MJ_SYSTEM_CONTROL : F7876A24
14:26:19:696 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:696 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:696 2532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:26:19:696 2532
14:26:19:696 2532 Driver Name: Disk
14:26:19:696 2532 IRP_MJ_CREATE : F7875C30
14:26:19:696 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:696 2532 IRP_MJ_CLOSE : F7875C30
14:26:19:696 2532 IRP_MJ_READ : F786FD9B
14:26:19:696 2532 IRP_MJ_WRITE : F786FD9B
14:26:19:696 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:696 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:696 2532 IRP_MJ_FLUSH_BUFFERS : F7870366
14:26:19:696 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:696 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_DEVICE_CONTROL : F787044D
14:26:19:696 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7873FC3
14:26:19:696 2532 IRP_MJ_SHUTDOWN : F7870366
14:26:19:696 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:696 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:696 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:696 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:696 2532 IRP_MJ_POWER : F7871EF3
14:26:19:696 2532 IRP_MJ_SYSTEM_CONTROL : F7876A24
14:26:19:696 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:696 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:696 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:712 2532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:26:19:712 2532
14:26:19:712 2532 Driver Name: usbstor
14:26:19:712 2532 IRP_MJ_CREATE : F7C04218
14:26:19:712 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:712 2532 IRP_MJ_CLOSE : F7C04218
14:26:19:712 2532 IRP_MJ_READ : F7C0423C
14:26:19:712 2532 IRP_MJ_WRITE : F7C0423C
14:26:19:712 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:712 2532 IRP_MJ_FLUSH_BUFFERS : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_DEVICE_CONTROL : F7C04180
14:26:19:712 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7BFF9E6
14:26:19:712 2532 IRP_MJ_SHUTDOWN : 804F9709
14:26:19:712 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:712 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_POWER : F7C035F0
14:26:19:712 2532 IRP_MJ_SYSTEM_CONTROL : F7C01A6E
14:26:19:712 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:712 2532 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:26:19:712 2532
14:26:19:712 2532 Driver Name: Disk
14:26:19:712 2532 IRP_MJ_CREATE : F7875C30
14:26:19:712 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:712 2532 IRP_MJ_CLOSE : F7875C30
14:26:19:712 2532 IRP_MJ_READ : F786FD9B
14:26:19:712 2532 IRP_MJ_WRITE : F786FD9B
14:26:19:712 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:712 2532 IRP_MJ_FLUSH_BUFFERS : F7870366
14:26:19:712 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_DEVICE_CONTROL : F787044D
14:26:19:712 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7873FC3
14:26:19:712 2532 IRP_MJ_SHUTDOWN : F7870366
14:26:19:712 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:712 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_POWER : F7871EF3
14:26:19:712 2532 IRP_MJ_SYSTEM_CONTROL : F7876A24
14:26:19:712 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:712 2532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:26:19:712 2532
14:26:19:712 2532 Driver Name: Disk
14:26:19:712 2532 IRP_MJ_CREATE : F7875C30
14:26:19:712 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:712 2532 IRP_MJ_CLOSE : F7875C30
14:26:19:712 2532 IRP_MJ_READ : F786FD9B
14:26:19:712 2532 IRP_MJ_WRITE : F786FD9B
14:26:19:712 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:712 2532 IRP_MJ_FLUSH_BUFFERS : F7870366
14:26:19:712 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:712 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_DEVICE_CONTROL : F787044D
14:26:19:712 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7873FC3
14:26:19:712 2532 IRP_MJ_SHUTDOWN : F7870366
14:26:19:712 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:712 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:712 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:712 2532 IRP_MJ_POWER : F7871EF3
14:26:19:712 2532 IRP_MJ_SYSTEM_CONTROL : F7876A24
14:26:19:712 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:712 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:712 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:712 2532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:26:19:728 2532
14:26:19:728 2532 Driver Name: Disk
14:26:19:728 2532 IRP_MJ_CREATE : F7875C30
14:26:19:728 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:728 2532 IRP_MJ_CLOSE : F7875C30
14:26:19:728 2532 IRP_MJ_READ : F786FD9B
14:26:19:728 2532 IRP_MJ_WRITE : F786FD9B
14:26:19:728 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:728 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:728 2532 IRP_MJ_FLUSH_BUFFERS : F7870366
14:26:19:728 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_DEVICE_CONTROL : F787044D
14:26:19:728 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7873FC3
14:26:19:728 2532 IRP_MJ_SHUTDOWN : F7870366
14:26:19:728 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:728 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_POWER : F7871EF3
14:26:19:728 2532 IRP_MJ_SYSTEM_CONTROL : F7876A24
14:26:19:728 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:728 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:728 2532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:26:19:728 2532
14:26:19:728 2532 Driver Name: atapi
14:26:19:728 2532 IRP_MJ_CREATE : F777C572
14:26:19:728 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:728 2532 IRP_MJ_CLOSE : F777C572
14:26:19:728 2532 IRP_MJ_READ : 804F9709
14:26:19:728 2532 IRP_MJ_WRITE : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:728 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:728 2532 IRP_MJ_FLUSH_BUFFERS : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_DEVICE_CONTROL : F777C592
14:26:19:728 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77787B4
14:26:19:728 2532 IRP_MJ_SHUTDOWN : 804F9709
14:26:19:728 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:728 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_POWER : F777C5BC
14:26:19:728 2532 IRP_MJ_SYSTEM_CONTROL : F7783164
14:26:19:728 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:728 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:728 2532 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:26:19:728 2532
14:26:19:728 2532 Driver Name: atapi
14:26:19:728 2532 IRP_MJ_CREATE : F777C572
14:26:19:728 2532 IRP_MJ_CREATE_NAMED_PIPE : 804F9709
14:26:19:728 2532 IRP_MJ_CLOSE : F777C572
14:26:19:728 2532 IRP_MJ_READ : 804F9709
14:26:19:728 2532 IRP_MJ_WRITE : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_EA : 804F9709
14:26:19:728 2532 IRP_MJ_SET_EA : 804F9709
14:26:19:728 2532 IRP_MJ_FLUSH_BUFFERS : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_SET_VOLUME_INFORMATION : 804F9709
14:26:19:728 2532 IRP_MJ_DIRECTORY_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_DEVICE_CONTROL : F777C592
14:26:19:728 2532 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77787B4
14:26:19:728 2532 IRP_MJ_SHUTDOWN : 804F9709
14:26:19:728 2532 IRP_MJ_LOCK_CONTROL : 804F9709
14:26:19:728 2532 IRP_MJ_CLEANUP : 804F9709
14:26:19:728 2532 IRP_MJ_CREATE_MAILSLOT : 804F9709
14:26:19:728 2532 IRP_MJ_QUERY_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_SET_SECURITY : 804F9709
14:26:19:728 2532 IRP_MJ_POWER : F777C5BC
14:26:19:728 2532 IRP_MJ_SYSTEM_CONTROL : F7783164
14:26:19:743 2532 IRP_MJ_DEVICE_CHANGE : 804F9709
14:26:19:743 2532 IRP_MJ_QUERY_QUOTA : 804F9709
14:26:19:743 2532 IRP_MJ_SET_QUOTA : 804F9709
14:26:19:743 2532 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:26:19:743 2532
14:26:19:743 2532 Completed
14:26:19:743 2532
14:26:19:743 2532 Results:
14:26:19:743 2532 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:26:19:743 2532 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:26:19:743 2532 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:26:19:743 2532
14:26:19:743 2532 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:26:19:743 2532 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:26:19:743 2532 KLMD(ARK) unloaded successfully


#12 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 March 2010 - 05:21 PM

Hi,

Do you have your windows cd handy?
regards,
schrauber


#13 EEEO
  • Topic Starter
  • Members
  • 12 posts

Posted 13 March 2010 - 05:45 PM

Yes. I was initially going to just reformat the C drive and reinstall the system, but it's such an involved process I was hoping to avoid it.

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 March 2010 - 05:54 PM

Hi,

You must first verify that you can log on to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation CD.

How to install and use the Windows XP Recovery Console

Restart the computer and log on to the Recovery Console.
Execute the following commands at the x:\windows> prompt <--- the x represents your operating system drive letter, usually C

Ren c:\windows\system32\drivers\atapi.sys atapi.old
Copy c:\windows\system32\dllcache\atapi.sys c:\windows\system32\drivers
exit

Back in normal Windows, please post back with a fresh OTL logfile.

Edited by schrauber, 13 March 2010 - 05:55 PM.

regards,
schrauber

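Two checks that go with the atapi.sys replacement above, written as an added example for this page (not code from the thread, from TDSSKiller or from OTL): one pulls the per-file "Verdict" lines out of a TDSSKiller log like the one posted earlier, the other hashes the live driver against the protected dllcache copy to confirm whether the Ren/Copy step is needed or has worked. All paths, the sample log excerpt and the file contents are constructed stand-ins.

```python
"""Added example: verdict extraction from a TDSSKiller log plus a
drivers-vs-dllcache integrity comparison for a single driver file.

Caveat, and the reason the helper has the copy done from the Recovery Console
rather than from the running system: a kernel rootkit that hooks the disk
driver (the IRP_MJ_* dispatch entries TDSSKiller lists) can hand a clean image
of the file to user-mode readers, so a hash taken inside the infected system
may not reflect what is on disk. Compare offline, or after the replacement, to
trust the result.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional

# Constructed excerpt in the format of the TDSSKiller log posted in the thread
# (timestamp, PID, message). The numeric verdict codes are TDSSKiller's own and
# are not documented on this page, so they are surfaced for review, not interpreted.
SAMPLE_TDSSKILLER_LOG = """\
14:26:19:743 2532 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
14:26:19:743 2532
14:26:19:743 2532 Completed
14:26:19:743 2532 Results:
14:26:19:743 2532 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# timestamp, PID, then "<path> - Verdict: <n>"
VERDICT_RE = re.compile(r"^\S+\s+\d+\s+(?P<path>.+?) - Verdict: (?P<code>\d+)\s*$", re.M)


def parse_tdsskiller_verdicts(log_text: str) -> Dict[str, int]:
    """Map every file named in a 'Verdict:' line to its numeric verdict."""
    return {m.group("path"): int(m.group("code")) for m in VERDICT_RE.finditer(log_text)}


def flagged_files(log_text: str) -> Dict[str, int]:
    """Only the files whose verdict is non-zero (atapi.sys with verdict 1 in the thread)."""
    return {p: c for p, c in parse_tdsskiller_verdicts(log_text).items() if c != 0}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def driver_matches_dllcache(drivers_dir: str, dllcache_dir: str, name: str) -> dict:
    """Compare <drivers_dir>/<name> against <dllcache_dir>/<name>.

    Returns both hashes (None where a file is missing), a match flag and a
    status line the analyst can act on. Directories are parameters so the
    check can be pointed at an offline-mounted system drive.
    """
    live = os.path.join(drivers_dir, name)
    cached = os.path.join(dllcache_dir, name)
    live_hash: Optional[str] = sha256_of(live) if os.path.isfile(live) else None
    cache_hash: Optional[str] = sha256_of(cached) if os.path.isfile(cached) else None
    if cache_hash is None:
        status = "no dllcache copy present; a clean copy must come from the installation CD"
    elif live_hash is None:
        status = "driver missing from the drivers directory"
    elif live_hash == cache_hash:
        status = "identical to dllcache copy"
    else:
        status = "differs from dllcache copy; candidate for the Ren/Copy replacement"
    return {"driver": live, "driver_sha256": live_hash, "dllcache_sha256": cache_hash,
            "match": live_hash is not None and live_hash == cache_hash, "status": status}


def run_constructed_demo() -> dict:
    """Build stand-in drivers/dllcache trees in a temp dir and run the comparison
    before and after simulating the Copy step. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        drv, cache = os.path.join(tmp, "drivers"), os.path.join(tmp, "dllcache")
        os.makedirs(drv)
        os.makedirs(cache)
        clean = b"CONSTRUCTED-CLEAN-DRIVER-IMAGE"
        with open(os.path.join(cache, "atapi.sys"), "wb") as f:
            f.write(clean)
        with open(os.path.join(drv, "atapi.sys"), "wb") as f:
            f.write(clean + b"-PATCHED")          # stand-in for a tampered driver
        before = driver_matches_dllcache(drv, cache, "atapi.sys")
        # Simulate "Ren ... atapi.old" then "Copy dllcache\atapi.sys drivers".
        os.rename(os.path.join(drv, "atapi.sys"), os.path.join(drv, "atapi.old"))
        with open(os.path.join(drv, "atapi.sys"), "wb") as f:
            f.write(clean)
        after = driver_matches_dllcache(drv, cache, "atapi.sys")
    return {"flagged": flagged_files(SAMPLE_TDSSKILLER_LOG), "before": before, "after": after}


if __name__ == "__main__":
    result = run_constructed_demo()
    print("flagged by TDSSKiller:", result["flagged"])
    print("before:", result["before"]["status"])
    print("after: ", result["after"]["status"])
```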

#15 EEEO

EEEO
  • Topic Starter

  • Members
  • 12 posts

Posted 14 March 2010 - 08:37 AM

I ran the recovery console and executed the commands.

I haven't yet posted an OTL log for you, but here is the one I just ran:

OTL logfile created on: 3/14/2010 8:33:40 AM - Run 1
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Eric Oberg\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 564.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 13.38 Gb Free Space | 45.66% Space Free | Partition Type: NTFS
Drive D: | 149.05 Gb Total Space | 63.84 Gb Free Space | 42.83% Space Free | Partition Type: NTFS
Drive E: | 195.31 Gb Total Space | 2.62 Gb Free Space | 1.34% Space Free | Partition Type: NTFS
Drive F: | 157.01 Gb Total Space | 4.19 Gb Free Space | 2.67% Space Free | Partition Type: NTFS
Drive G: | 270.45 Gb Total Space | 180.83 Gb Free Space | 66.86% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EOS-51875D09518
Current User Name: Eric Oberg
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/14 08:32:21 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Oberg\Desktop\OTL.exe
PRC - [2010/02/18 17:40:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/02/05 13:36:00 | 000,527,344 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/11/12 20:07:57 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/10/14 22:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/21 19:16:02 | 000,724,992 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2006/01/02 18:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/02/28 00:18:52 | 000,098,304 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
PRC - [2005/02/28 00:01:48 | 000,036,864 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/06/14 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\BRSVC01A.EXE
PRC - [2003/08/06 14:24:20 | 012,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2003/07/14 23:45:18 | 000,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2003/05/29 17:28:32 | 000,790,528 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2001/12/13 01:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\BRSS01A.EXE


========== Modules (SafeList) ==========

MOD - [2010/03/14 08:32:21 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Oberg\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Imakaut)
SRV - [2009/11/12 20:07:57 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2004/06/14 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\BRSVC01A.EXE -- (Brother XP spl Service)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2006/05/03 11:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 04:17:38 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2006/01/18 23:44:46 | 000,053,248 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/11/26 08:29:00 | 000,224,000 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2004/10/15 13:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2002/09/20 11:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 16:35:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/21 16:34:54 | 000,000,000 | ---D | M]

[2010/02/21 16:35:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Oberg\Application Data\Mozilla\Extensions
[2010/03/02 23:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Oberg\Application Data\Mozilla\Firefox\Profiles\0jdrwpti.default\extensions
[2010/03/02 23:32:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Eric Oberg\Application Data\Mozilla\Firefox\Profiles\0jdrwpti.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/21 16:34:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/04 14:02:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003..\Run: [PPScheduler] C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe (ScanSoft, Inc.)
O4 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1060284298-2025429265-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1258075489812 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/12 18:00:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/14 08:32:21 | 000,555,008 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eric Oberg\Desktop\OTL.exe
[2010/03/14 08:11:11 | 000,000,000 | ---D | C] -- C:\$WIN_NT$.~BT
[2010/03/14 08:11:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2010/03/14 08:10:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/03/13 15:23:21 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/10 16:53:32 | 000,181,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Eric Oberg\Desktop\TDSSKiller.exe
[2010/03/04 19:51:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/03/04 18:03:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/03/04 18:03:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/03/04 14:50:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/04 13:50:36 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/04 13:49:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/04 13:49:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/04 13:49:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/04 13:49:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/04 13:49:42 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/04 13:48:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/04 13:48:03 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/03 00:56:03 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/03/03 00:45:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Oberg\Application Data\Malwarebytes
[2010/03/03 00:45:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/03 00:08:28 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/03/03 00:08:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/03/02 23:37:32 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Eric Oberg\Desktop\spybotsd162.exe
[2010/02/24 18:23:57 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eric Oberg\IECompatCache
[2010/02/24 09:35:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/02/24 09:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/02/24 09:35:06 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/02/24 09:34:39 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2010/02/24 09:34:39 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2010/02/24 09:34:39 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2010/02/24 09:34:39 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2010/02/24 09:34:38 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2010/02/24 09:34:38 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2010/02/24 09:31:50 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2010/02/23 04:00:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2010/02/21 21:02:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/02/21 21:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Oberg\Application Data\SUPERAntiSpyware.com
[2010/02/21 21:02:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/21 21:01:50 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/21 20:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/02/21 16:38:21 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/02/21 16:35:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\Mozilla
[2010/02/21 16:35:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Oberg\Application Data\Mozilla
[2010/02/21 16:34:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/11/12 18:03:55 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/12 18:03:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/12 18:03:49 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/12 18:03:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/14 08:32:21 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Oberg\Desktop\OTL.exe
[2010/03/14 08:29:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003UA.job
[2010/03/14 08:27:08 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/14 08:27:02 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/14 08:27:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/14 08:26:57 | 1073,008,640 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/14 08:11:50 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Eric Oberg\NTUSER.DAT
[2010/03/14 08:11:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Eric Oberg\ntuser.ini
[2010/03/14 08:11:25 | 000,000,338 | RHS- | M] () -- C:\boot.ini
[2010/03/14 04:19:26 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 04:19:26 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 04:19:26 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 04:01:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/13 20:28:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2025429265-1801674531-1003Core.job
[2010/03/13 15:23:50 | 000,181,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Eric Oberg\Desktop\TDSSKiller.exe
[2010/03/13 15:23:10 | 000,155,752 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\tdsskiller.zip
[2010/03/13 14:46:46 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/13 14:40:50 | 003,888,953 | R--- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\schrauber.exe
[2010/03/13 14:12:38 | 000,000,471 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/03/13 12:18:20 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/08 17:26:56 | 000,217,088 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/07 19:14:45 | 000,044,165 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\gmerlog.zip
[2010/03/04 19:51:52 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/04 17:40:58 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\olvrd5f0.exe
[2010/03/04 14:59:47 | 000,000,026 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\defogger_reenable
[2010/03/04 14:42:45 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\Defogger.exe
[2010/03/04 14:02:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/04 13:50:42 | 000,000,281 | RHS- | M] () -- C:\Boot.bak
[2010/03/02 23:38:53 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Eric Oberg\Desktop\spybotsd162.exe
[2010/03/02 21:35:23 | 000,000,333 | -H-- | M] () -- C:\Documents and Settings\Eric Oberg\My Documents\maxdesk.ini
[2010/03/02 21:33:17 | 000,649,265 | -H-- | M] () -- C:\Documents and Settings\Eric Oberg\My Documents\PPThumbs.ptn
[2010/03/02 21:32:54 | 000,437,467 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (10).pdf
[2010/03/02 10:15:14 | 000,981,935 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\Insurance Form.pdf
[2010/03/01 04:58:54 | 000,003,748 | ---- | M] () -- C:\WINDOWS\System32\gapocra.dat
[2010/02/24 17:58:13 | 000,031,392 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/24 17:57:40 | 000,170,688 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/21 21:01:50 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/21 17:07:38 | 000,114,111 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Desktop\ZimmermanPOA.pdf
[2010/02/21 17:07:20 | 000,114,085 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (9).pdf
[2010/02/21 16:44:04 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010/02/21 16:37:15 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\housecall.guid.cache
[2010/02/21 16:35:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/02/16 12:19:19 | 000,180,357 | ---- | M] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (8).pdf
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/14 08:11:25 | 000,472,007 | R--- | C] () -- C:\txtsetup.sif
[2010/03/14 08:11:25 | 000,260,272 | R--- | C] () -- C:\$LDR$
[2010/03/13 15:23:10 | 000,155,752 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\tdsskiller.zip
[2010/03/13 14:40:50 | 003,888,953 | R--- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\schrauber.exe
[2010/03/07 19:14:45 | 000,044,165 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\gmerlog.zip
[2010/03/04 19:51:52 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/04 17:40:58 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\olvrd5f0.exe
[2010/03/04 14:59:42 | 000,000,026 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\defogger_reenable
[2010/03/04 14:42:45 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\Defogger.exe
[2010/03/04 13:50:42 | 000,000,281 | RHS- | C] () -- C:\Boot.bak
[2010/03/04 13:50:38 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/04 13:49:48 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/04 13:49:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/04 13:49:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/04 13:49:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/04 13:49:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/02 21:32:53 | 000,437,467 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (10).pdf
[2010/03/02 10:15:14 | 000,981,935 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\Insurance Form.pdf
[2010/03/01 04:58:54 | 000,003,748 | ---- | C] () -- C:\WINDOWS\System32\gapocra.dat
[2010/02/23 04:00:33 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/02/21 17:07:38 | 000,114,111 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Desktop\ZimmermanPOA.pdf
[2010/02/21 17:07:20 | 000,114,085 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (9).pdf
[2010/02/21 16:44:04 | 000,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010/02/21 16:37:15 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\housecall.guid.cache
[2010/02/21 16:35:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/16 12:19:19 | 000,180,357 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\My Documents\Document (8).pdf
[2010/01/04 13:28:58 | 000,375,296 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll
[2010/01/04 13:28:57 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini
[2009/12/21 14:14:06 | 002,720,585 | ---- | C] () -- C:\WINDOWS\System32\fojmcrashe.dll
[2009/12/21 14:14:06 | 001,969,853 | ---- | C] () -- C:\WINDOWS\System32\gapocra.dll
[2009/12/20 13:24:32 | 000,000,176 | ---- | C] () -- C:\WINDOWS\bi_group.ini
[2009/11/13 16:53:07 | 000,000,056 | ---- | C] () -- C:\WINDOWS\BO9420CN.INI
[2009/11/13 16:52:44 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2009/11/13 16:52:43 | 000,000,471 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/11/13 16:52:43 | 000,000,026 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/11/13 16:17:25 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2009/11/13 16:17:24 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2009/11/13 13:03:07 | 000,000,227 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/11/13 13:03:07 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/11/13 13:02:07 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/11/12 20:18:45 | 000,217,088 | ---- | C] () -- C:\Documents and Settings\Eric Oberg\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/12 20:13:37 | 000,000,033 | ---- | C] () -- C:\WINDOWS\BiMonitor.ini
[2009/11/12 20:13:33 | 000,028,787 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/11/12 19:59:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/10 17:30:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPEG32.DLL
[2001/09/28 14:44:58 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
< End of report >




