Sudden severe slowdown of computer

This topic is locked
38 replies to this topic

#1 Xwsx777

  • Members
  • 28 posts

Posted 15 March 2010 - 06:46 PM

The computer is Windows XP, and it got slow all of a sudden. I do not know who or what the last person who was on did with the computer. When we tried to scan using Avast! or Dr. Web, it did not complete the scan. Avast! reported "Some files could not be scanned"; it stopped after scanning 78 of the 120 GB. Dr. Web got an error message a few minutes into the Complete Scan; it said something about a file/virus not allowing it to scan (Sorry, I should've paid more attention to it). The GMER scan was taking abnormally long, so it was decided I should probably skip it if I wanted to. There seem to be no problems besides the sluggishness. The sluggishness is mainly during start up (it used to take only 5-10 minutes; since the incident it now takes 30+ minutes); outside of start up it will get lag spikes where it slows down severely for a period of time, which occurs randomly. Here are the DDS and RootRepeal logs (the last person helping me told me that I should post them so you guys have something more). Topic referenced is here: http://www.bleepingcomputer.com/forums/t/302340/sudden-severe-slowdown-of-computer/ ~ OB

------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Owner at 10:17:17.53 on Mon 03/15/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.109 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.elportal.att.net
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
mStart Page = hxxp://www.elportal.att.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\SearchEnh1.dll
uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: Popup-Blocker Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NetZero_uoltray] c:\program files\netzero\exec.exe regrun
uRun: [spc_w] "c:\program files\nzsearch\nzspc.exe" -w
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: []
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPwuSchd2.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\antivirus\pccguide.exe"
mRun: [PCClient.exe] "c:\program files\trend micro\antivirus\PCClient.exe"
mRun: [TM Outbreak Agent] "c:\program files\trend micro\antivirus\TMOAgent.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] "c:\progra~1\alwils~1\avast5\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-us\local\search.html
IE: &Search
IE: Display All Images with Full Quality - c:\program files\netzero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\netzero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?62127a26e6f94462a0a0c4be9b299ec7
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?62127a26e6f94462a0a0c4be9b299ec7
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255308191578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255308147062
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\33sme96b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-16 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-16 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2009-11-16 40384]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-3-5 190480]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2004-3-5 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus\tmproxy.exe [2004-2-17 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-13 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-7-11 1205760]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2009-11-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2009-11-16 40384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\trend micro\antivirus\Tmntsrv.exe [2004-2-17 241737]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]

=============== Created Last 30 ================

2010-03-15 13:35:13 20 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-03-14 00:44:35 0 d-----w- c:\documents and settings\compaq_owner\DoctorWeb
2010-03-13 19:59:54 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-13 19:59:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-13 19:59:40 0 d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2010-03-13 19:58:41 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-12 19:45:59 25 ----a-w- c:\windows\popcinfot.dat
2010-03-05 00:11:22 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 23:22:05 0 d-----w- c:\program files\Conduit
2010-03-04 23:22:03 0 d-----w- c:\program files\XfireXO
2010-03-04 23:21:45 0 d-----w- c:\docume~1\compaq~1\applic~1\Xfire
2010-03-04 23:21:39 0 d-----w- c:\program files\Xfire
2010-02-21 17:03:40 0 d-----w- c:\program files\Crossword Weaver

==================== Find3M ====================

2010-03-15 02:29:52 17298 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-20 18:46:53 39 ----a-w- c:\documents and settings\compaq_owner\jagex_runescape_preferences.dat
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-16 12:57:07 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2006-05-20 20:04:56 242 ----a-w- c:\program files\MIB2ROM.TXT

============= FINISH: 10:18:08.42 ===============

Edited by Orange Blossom, 15 March 2010 - 07:08 PM.
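A small triage script for the DDS "Pseudo HJT Report" above, added here as an example; it is not part of the original post or of the DDS tool. It parses the `KIND: value` lines and flags what a helper looks for first: AV products reported as Outdated, orphaned registrations ("No File"), autorun entries with no command, Trusted Zone additions, and a single CLSID registered under more than one hook type (the XfireXO toolbar appears as URLSearchHook, BHO and TB). The excerpt embedded in the script is copied from the log in this post; the category names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Representative lines copied from the DDS log posted above (not a full log).
DDS_EXCERPT = r"""
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: 1 (0x1) - No File
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: []
mRun: [PCDrProfiler]
mRun: [avast5] "c:\progra~1\alwils~1\avast5\avastUI.exe" /nogui
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
"""

# "KIND: value" lines only; "uStart Page = hxxp://..." style lines are skipped on purpose.
ENTRY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
EMPTY_RUN_RE = re.compile(r"^\[[^\]]*\]$")   # "[name]" with no command after it
HOOK_KINDS = {"uURLSearchHooks", "BHO", "TB"}  # IE load points keyed by CLSID


@dataclass
class Finding:
    category: str   # hypothetical category names chosen for this example
    detail: str


def parse_hjt(text):
    """Return (kind, value) pairs for every 'KIND: value' line in the report."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag the entries a malware-removal helper would ask about first."""
    findings = []
    clsid_kinds = defaultdict(set)
    for kind, value in entries:
        if kind == "AV" and "(Outdated)" in value:
            findings.append(Finding("outdated_av", value))
        if value.endswith("No File"):
            # Registry points at a DLL/EXE that no longer exists: dead weight to clean.
            findings.append(Finding("orphan", f"{kind}: {value}"))
        if kind in ("uRun", "mRun") and EMPTY_RUN_RE.match(value):
            findings.append(Finding("empty_autorun", f"{kind}: {value}"))
        if kind == "Trusted Zone":
            # Sites here bypass IE's normal zone restrictions; each one needs a reason.
            findings.append(Finding("trusted_zone", value))
        if kind in HOOK_KINDS:
            m = CLSID_RE.search(value)
            if m:
                clsid_kinds[m.group(0).lower()].add(kind)
    # One CLSID registered as search hook, BHO and toolbar at once is the toolbar-bundle pattern.
    for clsid, kinds in sorted(clsid_kinds.items()):
        if len(kinds) > 1:
            findings.append(Finding("shared_clsid", f"{clsid} registered as {', '.join(sorted(kinds))}"))
    return findings


def triage_counts(text):
    """Number of findings per category for a report given as text."""
    counts = {}
    for f in triage(parse_hjt(text)):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(DDS_EXCERPT)):
        print(f"{f.category:14} {f.detail}")
```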

#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 March 2010 - 04:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Xwsx777
  • Topic Starter

  • Members
  • 28 posts

Posted 19 March 2010 - 09:08 PM

Hi m0le, and thank you for your help.

Ok... I'm sorry, I didn't know; I updated Firefox. Also, since the last post my Avast! antivirus blocked the same trojan from downloading 3 times within 1-2 minutes. I would like to know if I can update my antivirus (virus definitions) so it can block as much as it should, but whatever you recommend on that decision is fine. When I looked at the antivirus version, it was strange. Under the virus definition it showed some date with the year 1969. I will try to upload a screenshot later. I am confident that Viewpoint is in my computer (I see it running in processes), so I'd like to remove that.

Again, thanks for all the help.

#4 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 March 2010 - 09:24 PM

Once the PC is clean you will be able to update your antivirus but at the moment this is being blocked.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 Xwsx777
  • Topic Starter

  • Members
  • 28 posts

Posted 20 March 2010 - 07:28 PM

Ok, I can wait until it's clean. I will try to scan as soon as possible but I may not be able to until Monday (because parents like to use the computer & they recently moved the computer to their room, so when they're working I can scan).

#6 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 March 2010 - 08:32 PM

No problem
m0le is a proud member of UNITE

#7 Xwsx777
  • Topic Starter

  • Members
  • 28 posts

Posted 22 March 2010 - 08:45 AM

Ok, I ran the scan. Should I restart the computer? And I couldn't find Norton Internet Security on the running Processes or Programs list or task bar, so I couldn't close that.

----------------------------------------------------------------------------------------------------

ComboFix 10-03-20.06 - Compaq_Owner 03/22/2010 8:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.139 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\comfix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\sonicr.inf
C:\LOG1.tmp
C:\LOG10.tmp
C:\LOG11.tmp
C:\LOG12.tmp
C:\LOG13.tmp
C:\LOG14.tmp
C:\LOG15.tmp
C:\LOG16.tmp
C:\LOG17.tmp
C:\LOG18.tmp
C:\LOG19.tmp
C:\LOG1A.tmp
C:\LOG1B.tmp
C:\LOG1C.tmp
C:\LOG1D.tmp
C:\LOG1E.tmp
C:\LOG1F.tmp
C:\LOG2.tmp
C:\LOG20.tmp
C:\LOG21.tmp
C:\LOG22.tmp
C:\LOG23.tmp
C:\LOG24.tmp
C:\LOG25.tmp
C:\LOG26.tmp
C:\LOG27.tmp
C:\LOG28.tmp
C:\LOG29.tmp
C:\LOG2A.tmp
C:\LOG2B.tmp
C:\LOG2C.tmp
C:\LOG2D.tmp
C:\LOG2F.tmp
C:\LOG3.tmp
C:\LOG31B.tmp
C:\LOG326.tmp
C:\LOG33.tmp
C:\LOG34.tmp
C:\LOG39.tmp
C:\LOG3A.tmp
C:\LOG4.tmp
C:\LOG5.tmp
C:\LOG53.tmp
C:\LOG54.tmp
C:\LOG59.tmp
C:\LOG6.tmp
C:\LOG63.tmp
C:\LOG69.tmp
C:\LOG6A.tmp
C:\LOG7.tmp
C:\LOG8.tmp
C:\LOG84.tmp
C:\LOG9.tmp
C:\LOGA.tmp
C:\LOGB.tmp
C:\LOGC.tmp
C:\LOGD.tmp
C:\LOGE.tmp
C:\LOGF.tmp
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\system32\ps2.bat
D:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-14 00:44 . 2010-03-14 00:44 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2010-03-13 19:58 . 2010-03-13 19:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-12 19:45 . 2010-03-15 03:51 25 ----a-w- c:\windows\popcinfot.dat
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\Conduit
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Conduit
2010-03-04 23:22 . 2010-03-05 03:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\XfireXO
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\XfireXO
2010-03-04 23:21 . 2010-03-19 20:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Xfire
2010-03-04 23:21 . 2010-03-17 19:35 -------- d-----w- c:\program files\Xfire
2010-02-21 17:03 . 2010-02-21 17:03 -------- d-----w- c:\program files\Crossword Weaver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 15:20 . 2006-03-19 03:30 -------- d-----w- c:\program files\NetZero
2010-03-15 02:29 . 2006-06-03 12:26 17298 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-03-14 21:33 . 2006-03-19 14:07 109192 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 20:00 . 2010-03-13 20:00 52224 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-13 20:00 . 2010-03-13 20:00 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-13 19:59 . 2010-03-13 19:59 65024 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-03-13 19:59 . 2010-03-13 19:59 5120 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-03-13 19:59 . 2010-03-13 19:59 18944 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-03-13 18:04 . 2009-07-12 15:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 18:04 . 2010-03-13 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-13 03:53 . 2009-02-14 02:19 -------- d-----w- c:\program files\StepMania
2010-03-12 22:32 . 2009-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 11:24 . 2009-11-16 15:35 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2009-11-16 15:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2009-11-16 15:36 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2009-11-16 15:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2009-11-16 15:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2009-11-16 15:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2009-11-16 15:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2009-11-16 15:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 20:39 . 2009-06-30 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-11 18:53 . 2009-12-19 14:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-04 15:08 . 2009-09-15 14:21 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-31 18:10 . 2010-01-31 17:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Synthesia
2010-01-31 17:42 . 2010-01-31 17:41 -------- d-----w- c:\program files\Synthesia
2010-01-30 03:09 . 2009-09-15 14:21 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-27 00:23 . 2009-09-15 14:21 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-27 00:23 . 2009-09-15 14:21 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-27 00:23 . 2009-09-15 14:21 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-20 17:14 . 2010-03-04 23:22 101376 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
2010-01-20 17:14 . 2010-03-04 23:22 52224 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2010-01-07 21:07 . 2009-07-12 15:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 15:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2006-05-20 20:04 . 2006-05-20 20:04 242 ----a-w- c:\program files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-02-22 17:05 2353176 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2005-06-28 768000]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2004-11-09 286786]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-27 2937528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-1-30 22486]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159798644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
"56590:TCP"= 56590:TCP:Pando Media Booster
"56590:UDP"= 56590:UDP:Pando Media Booster
"56372:TCP"= 56372:TCP:Pando Media Booster
"56372:UDP"= 56372:UDP:Pando Media Booster
"58287:TCP"= 58287:TCP:Pando Media Booster
"58287:UDP"= 58287:UDP:Pando Media Booster
"57842:TCP"= 57842:TCP:Pando Media Booster
"57842:UDP"= 57842:UDP:Pando Media Booster

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2009 11:36 AM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2009 11:36 AM 19024]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 3:53 PM 190480]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 3:53 PM 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 6:58 PM 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/13/2009 4:03 AM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [7/11/2009 5:46 PM 1205760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 6:57 PM 241737]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/26/2009 4:03 PM 715248]
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.elportal.att.net
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://www.elportal.att.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?62127a26e6f94462a0a0c4be9b299ec7
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?62127a26e6f94462a0a0c4be9b299ec7
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-PCDrProfiler - (no file)
SafeBoot-svcWRSSSDK
AddRemove-Compaq Game Console - c:\program files\WildTangent\Apps\hpuninstall.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-Sonic 3D - c:\sega\Sonic3D\directx\setup
AddRemove-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\CDAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 08:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2954400660-1623874938-1004999022-1009\Software\SecuROM\License information*]
"datasecu"=hex:bb,93,7a,1e,43,43,bc,cd,bb,d2,25,a6,55,cd,0a,a6,b9,80,68,7d,42,
76,d0,5b,24,4a,32,5b,a9,12,de,ff,68,19,83,80,a7,0a,5d,36,42,28,19,08,7b,20,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-22 08:43:51
ComboFix-quarantined-files.txt 2010-03-22 12:43

Pre-Run: 85,610,323,968 bytes free
Post-Run: 86,764,265,472 bytes free

- - End Of File - - 463351723CE94A484F0DB3C6C0E0F81D

Posted Image
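A triage pass over ComboFix output of the kind posted above, as an added example that is not part of this thread and not code from ComboFix or BleepingComputer. It picks out the posture indicators a responder would check first in a log like this: an AV product reported with on-access scanning disabled or outdated definitions, a system file reported missing, Security Center monitoring switched off, a Windows Firewall profile with EnableFirewall set to 0, and globally open firewall ports. The sample log is constructed from a handful of lines in the post; the regular expressions, section names and severity labels are my assumptions about the ComboFix format, not a published specification.

```python
"""Triage helper for ComboFix-style logs (added example; not part of the thread
or of ComboFix). Line formats are assumed from the output posted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels are my own choice)
    item: str       # product, file, profile or port the finding refers to
    detail: str

# Constructed sample, trimmed from the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
c:\windows\system32\proquota.exe . . . is missing!!
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
"""

# Assumed line shapes: "AV: <product> *<state>* (<freshness>) {GUID}", a
# "... is missing!!" marker, "[registry key]" section headers, and "name"=value.
AV_RE = re.compile(r'^(AV|FW): (.+?) \*(.+?)\*(?: \((\w+)\))?')
MISSING_RE = re.compile(r'^(\S.*?) \. \. \. is missing!!$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry section, and collect findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = AV_RE.match(line)
        if m:
            kind, product, state, freshness = m.groups()
            if "disabled" in state.lower():
                findings.append(Finding("high", product, f"{kind} {state}"))
            if freshness and freshness.lower() == "outdated":
                findings.append(Finding("medium", product, f"{kind} definitions outdated"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("high", m.group(1), "system file reported missing"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        leaf = section.rsplit("\\", 1)[-1]          # last component of the key path
        if name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding("high", leaf, "Windows Firewall disabled for this profile"))
        elif name == "DisableMonitoring" and value.endswith("1"):
            findings.append(Finding("medium", leaf, "Security Center monitoring disabled"))
        elif section.endswith("globallyopenports\\list"):
            port, proto, owner = value.split(":", 2)
            findings.append(Finding("info", f"{port}/{proto}", f"globally open port for {owner}"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a responder can see the shape at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
    print(summarize(results))
```

Run against the constructed sample, the pass reports three high findings (on-access scanning disabled for one AV product, the missing proquota.exe, the disabled standard firewall profile), three medium ones and two informational open-port entries. The point is not the counts but the habit: before hunting for hidden processes, check whether the protections the machine is supposed to have are actually switched on.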

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:30 PM

Posted 22 March 2010 - 01:40 PM

No need to reboot the PC. If it slows to an impossible speed then reboot but otherwise leave it as it is.


Let's attempt to replace your missing system file first

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
FCopy::
C:\windows\system32\dllcache\proquota.exe | c:\windows\system32\proquota.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please now run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Now you can reboot if ComboFix hasn't already. Let me know how the PC is running now.

Posted Image
m0le is a proud member of UNITE

#9 Xwsx777

Xwsx777
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:30 PM

Posted 23 March 2010 - 08:32 AM

Well, nothing has changed with the computer. By that I mean it's still getting the lag spikes and still taking around 30 minutes to start up. I saw all the logs that were deleted in the last ComboFix still on the C:\ drive after I restarted the computer. A message also popped up and it said:

Microsoft Visual C++ Debug Library

Debug Assertion Failed!

Program: C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
File: afxtempl.h
Line: 1514

For more information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts.

(Press Retry to debug the application)

I did the CFScript and I did update MBAM. Whenever I use ComboFix, when it starts Auto Scanning I disconnect the Ethernet cable, because I didn't think it would need the internet. Although it did ask me about an update, I chose "No" because I want you to tell me what I should do. Here are the results (ComboFix is pasted, MBAM attached)...

-----------------------------------------------------------------------------------

ComboFix 10-03-20.06 - Compaq_Owner 03/22/2010 14:47:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.168 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-14 00:44 . 2010-03-14 00:44 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-03-13 20:00 . 2010-03-13 20:00 52224 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-13 20:00 . 2010-03-13 20:00 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-13 19:59 . 2010-03-13 19:59 65024 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-03-13 19:59 . 2010-03-13 19:59 5120 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-03-13 19:59 . 2010-03-13 19:59 18944 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2010-03-13 19:58 . 2010-03-13 19:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-13 18:04 . 2010-03-13 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-12 19:45 . 2010-03-15 03:51 25 ----a-w- c:\windows\popcinfot.dat
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\Conduit
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Conduit
2010-03-04 23:22 . 2010-03-05 03:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\XfireXO
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\XfireXO
2010-03-04 23:22 . 2010-01-20 17:14 101376 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
2010-03-04 23:22 . 2010-01-20 17:14 52224 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2010-03-04 23:21 . 2010-03-19 20:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Xfire
2010-03-04 23:21 . 2010-03-17 19:35 -------- d-----w- c:\program files\Xfire
2010-02-21 17:03 . 2010-02-21 17:03 -------- d-----w- c:\program files\Crossword Weaver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 15:20 . 2006-03-19 03:30 -------- d-----w- c:\program files\NetZero
2010-03-15 02:29 . 2006-06-03 12:26 17298 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-03-14 21:33 . 2006-03-19 14:07 109192 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 18:04 . 2009-07-12 15:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 03:53 . 2009-02-14 02:19 -------- d-----w- c:\program files\StepMania
2010-03-12 22:32 . 2009-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 11:24 . 2009-11-16 15:35 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2009-11-16 15:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2009-11-16 15:36 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2009-11-16 15:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2009-11-16 15:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2009-11-16 15:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2009-11-16 15:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2009-11-16 15:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 20:39 . 2009-06-30 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-11 18:53 . 2009-12-19 14:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-04 15:08 . 2009-09-15 14:21 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-31 18:10 . 2010-01-31 17:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Synthesia
2010-01-31 17:42 . 2010-01-31 17:41 -------- d-----w- c:\program files\Synthesia
2010-01-30 03:09 . 2009-09-15 14:21 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-27 00:23 . 2009-09-15 14:21 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-27 00:23 . 2009-09-15 14:21 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-27 00:23 . 2009-09-15 14:21 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-07 21:07 . 2009-07-12 15:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 15:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2006-05-20 20:04 . 2006-05-20 20:04 242 ----a-w- c:\program files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-02-22 17:05 2353176 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2005-06-28 768000]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2004-11-09 286786]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-27 2937528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-1-30 22486]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159798644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
"56590:TCP"= 56590:TCP:Pando Media Booster
"56590:UDP"= 56590:UDP:Pando Media Booster
"56372:TCP"= 56372:TCP:Pando Media Booster
"56372:UDP"= 56372:UDP:Pando Media Booster
"58287:TCP"= 58287:TCP:Pando Media Booster
"58287:UDP"= 58287:UDP:Pando Media Booster
"57842:TCP"= 57842:TCP:Pando Media Booster
"57842:UDP"= 57842:UDP:Pando Media Booster

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2009 11:36 AM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2009 11:36 AM 19024]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 3:53 PM 190480]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 3:53 PM 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 6:58 PM 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/13/2009 4:03 AM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [7/11/2009 5:46 PM 1205760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 6:57 PM 241737]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/26/2009 4:03 PM 715248]
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.elportal.att.net
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://www.elportal.att.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?62127a26e6f94462a0a0c4be9b299ec7
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?62127a26e6f94462a0a0c4be9b299ec7
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 15:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2954400660-1623874938-1004999022-1009\Software\SecuROM\License information*]
"datasecu"=hex:bb,93,7a,1e,43,43,bc,cd,bb,d2,25,a6,55,cd,0a,a6,b9,80,68,7d,42,
76,d0,5b,24,4a,32,5b,a9,12,de,ff,68,19,83,80,a7,0a,5d,36,42,28,19,08,7b,20,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4060)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-22 15:08:58
ComboFix-quarantined-files.txt 2010-03-22 19:08
ComboFix2.txt 2010-03-22 12:43

Pre-Run: 86,771,961,856 bytes free
Post-Run: 86,758,748,160 bytes free

- - End Of File - - 7B0523BF21A3756A08E127D7ADBFE948


#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 23 March 2010 - 12:13 PM

Don't disconnect the PC when running Combofix; you will need an update if it's available.

Please rerun the tool and update and allow it to run.
m0le is a proud member of UNITE

#11 Xwsx777
  • Topic Starter
  • Members
  • 28 posts

Posted 23 March 2010 - 01:35 PM

I didn't use the CFScript this time because you didn't say anything about that, but I ran another scan after updating. (FireFox auto-updated when I opened it -.-)

-------------------------------------------------------------------------------------------

ComboFix 10-03-23.01 - Compaq_Owner 03/23/2010 14:04:40.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.176 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\comfix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-14 00:44 . 2010-03-14 00:44 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2010-03-13 19:58 . 2010-03-13 19:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-12 19:45 . 2010-03-15 03:51 25 ----a-w- c:\windows\popcinfot.dat
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\Conduit
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Conduit
2010-03-04 23:22 . 2010-03-05 03:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\XfireXO
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\XfireXO
2010-03-04 23:21 . 2010-03-19 20:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Xfire
2010-03-04 23:21 . 2010-03-17 19:35 -------- d-----w- c:\program files\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 13:12 . 2006-03-19 03:30 -------- d-----w- c:\program files\NetZero
2010-03-15 02:29 . 2006-06-03 12:26 17298 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-03-14 21:33 . 2006-03-19 14:07 109192 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 20:00 . 2010-03-13 20:00 52224 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-13 20:00 . 2010-03-13 20:00 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-13 19:59 . 2010-03-13 19:59 65024 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-03-13 19:59 . 2010-03-13 19:59 5120 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-03-13 19:59 . 2010-03-13 19:59 18944 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-03-13 18:04 . 2009-07-12 15:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 18:04 . 2010-03-13 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-13 03:53 . 2009-02-14 02:19 -------- d-----w- c:\program files\StepMania
2010-03-12 22:32 . 2009-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 11:24 . 2009-11-16 15:35 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2009-11-16 15:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2009-11-16 15:36 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2009-11-16 15:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2009-11-16 15:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2009-11-16 15:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2009-11-16 15:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2009-11-16 15:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 20:39 . 2009-06-30 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-21 17:03 . 2010-02-21 17:03 -------- d-----w- c:\program files\Crossword Weaver
2010-02-11 18:53 . 2009-12-19 14:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-04 15:08 . 2009-09-15 14:21 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-31 18:10 . 2010-01-31 17:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Synthesia
2010-01-31 17:42 . 2010-01-31 17:41 -------- d-----w- c:\program files\Synthesia
2010-01-30 03:09 . 2009-09-15 14:21 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-27 00:23 . 2009-09-15 14:21 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-27 00:23 . 2009-09-15 14:21 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-27 00:23 . 2009-09-15 14:21 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-20 17:14 . 2010-03-04 23:22 101376 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
2010-01-20 17:14 . 2010-03-04 23:22 52224 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2010-01-07 21:07 . 2009-07-12 15:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 15:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2006-05-20 20:04 . 2006-05-20 20:04 242 ----a-w- c:\program files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-22_12.35.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 05:54 . 2010-01-12 05:54 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
- 2009-07-16 11:00 . 2009-07-16 11:00 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
- 2009-07-16 11:00 . 2009-07-16 11:00 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2005-06-25 05:32 . 2010-03-23 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-25 05:32 . 2009-12-01 11:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-24 22:25 . 2009-12-01 11:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-06-24 22:25 . 2010-03-23 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-24 22:25 . 2009-12-01 11:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-03-23 00:43 . 2010-03-23 00:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-12 05:54 . 2010-01-12 05:54 136568 c:\windows\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL
- 2009-07-16 11:00 . 2009-07-16 11:00 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 753152 c:\windows\system32\Macromed\Shockwave 10\gi.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 471040 c:\windows\system32\Macromed\Shockwave 10\Control.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-02-22 17:05 2353176 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2005-06-28 768000]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2004-11-09 286786]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-27 2937528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-1-30 22486]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159798644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
"56590:TCP"= 56590:TCP:Pando Media Booster
"56590:UDP"= 56590:UDP:Pando Media Booster
"56372:TCP"= 56372:TCP:Pando Media Booster
"56372:UDP"= 56372:UDP:Pando Media Booster
"58287:TCP"= 58287:TCP:Pando Media Booster
"58287:UDP"= 58287:UDP:Pando Media Booster
"57842:TCP"= 57842:TCP:Pando Media Booster
"57842:UDP"= 57842:UDP:Pando Media Booster

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2009 11:36 AM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2009 11:36 AM 19024]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 3:53 PM 190480]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 3:53 PM 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 6:58 PM 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/13/2009 4:03 AM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [7/11/2009 5:46 PM 1205760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 6:57 PM 241737]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/26/2009 4:03 PM 715248]
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.elportal.att.net
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://www.elportal.att.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?62127a26e6f94462a0a0c4be9b299ec7
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?62127a26e6f94462a0a0c4be9b299ec7
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2954400660-1623874938-1004999022-1009\Software\SecuROM\License information*]
"datasecu"=hex:bb,93,7a,1e,43,43,bc,cd,bb,d2,25,a6,55,cd,0a,a6,b9,80,68,7d,42,
76,d0,5b,24,4a,32,5b,a9,12,de,ff,68,19,83,80,a7,0a,5d,36,42,28,19,08,7b,20,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2732)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-23 14:27:38
ComboFix-quarantined-files.txt 2010-03-23 18:27
ComboFix2.txt 2010-03-22 19:08
ComboFix3.txt 2010-03-22 12:43

Pre-Run: 86,654,173,184 bytes free
Post-Run: 86,675,542,016 bytes free

- - End Of File - - A8DFB356DBF19265A307EEC3B157C6BD


#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 23 March 2010 - 02:38 PM

No, that's fine not using the script.

Can you run the script now, though?

Now please give Dr Web a go.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Thanks
m0le is a proud member of UNITE

#13 Xwsx777 (Topic Starter)

Posted 23 March 2010 - 07:45 PM

I'm running the Express scan with Dr Web, but should it really be taking this long? Even though it says 264 KB/sec, it seems to be at a little over 30% and it's been scanning for an hour. (Scares me to think how long the Complete Scan would take O_o)

#14 m0le (Malware Response Team, London, UK)

Posted 24 March 2010 - 01:55 PM

Did you run the ComboFix script?

Can you post the log when it has been done?

m0le is a proud member of UNITE

#15 Xwsx777 (Topic Starter)

Posted 24 March 2010 - 04:47 PM

I quit Dr Web early again because my parents will be home soon; after 5 hrs it was still stuck on drivers. It goes at a good speed until it gets there, then slows down to 54 KB/sec. I went ahead and tried the Complete Scan and it caused the computer to restart shortly into the scan. A Windows error came up after reboot; it was the thing where it asks if you want to send an error report. I said no, but I attached the details of it because they may be useful to you. It shows the error signature and the files associated with the error. I did run ComboFix with the CFScript, after the update of course and connected to the internet. Here are the results...

----------------------------------------------------------------------------------

ComboFix 10-03-23.01 - Compaq_Owner 03/23/2010 16:03:00.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.194 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-14 00:44 . 2010-03-14 00:44 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2010-03-13 20:00 . 2010-03-13 20:00 52224 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-13 20:00 . 2010-03-13 20:00 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-13 19:59 . 2010-03-13 19:59 65024 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-03-13 19:59 . 2010-03-13 19:59 5120 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-03-13 19:59 . 2010-03-13 19:59 18944 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-13 19:59 . 2010-03-13 19:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2010-03-13 19:58 . 2010-03-13 19:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-13 18:04 . 2010-03-13 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-12 19:45 . 2010-03-15 03:51 25 ----a-w- c:\windows\popcinfot.dat
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\Conduit
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Conduit
2010-03-04 23:22 . 2010-03-05 03:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\XfireXO
2010-03-04 23:22 . 2010-03-04 23:22 -------- d-----w- c:\program files\XfireXO
2010-03-04 23:22 . 2010-01-20 17:14 101376 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
2010-03-04 23:22 . 2010-01-20 17:14 52224 ------w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2010-03-04 23:21 . 2010-03-23 19:58 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Xfire
2010-03-04 23:21 . 2010-03-17 19:35 -------- d-----w- c:\program files\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 13:12 . 2006-03-19 03:30 -------- d-----w- c:\program files\NetZero
2010-03-15 02:29 . 2006-06-03 12:26 17298 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-03-14 21:33 . 2006-03-19 14:07 109192 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 18:04 . 2009-07-12 15:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 03:53 . 2009-02-14 02:19 -------- d-----w- c:\program files\StepMania
2010-03-12 22:32 . 2009-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 11:24 . 2009-11-16 15:35 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2009-11-16 15:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2009-11-16 15:36 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2009-11-16 15:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2009-11-16 15:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2009-11-16 15:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2009-11-16 15:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2009-11-16 15:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 20:39 . 2009-06-30 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-21 17:03 . 2010-02-21 17:03 -------- d-----w- c:\program files\Crossword Weaver
2010-02-11 18:53 . 2009-12-19 14:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-04 15:08 . 2009-09-15 14:21 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-31 18:10 . 2010-01-31 17:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Synthesia
2010-01-31 17:42 . 2010-01-31 17:41 -------- d-----w- c:\program files\Synthesia
2010-01-30 03:09 . 2009-09-15 14:21 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-27 00:23 . 2009-09-15 14:21 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-27 00:23 . 2009-09-15 14:21 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-27 00:23 . 2009-09-15 14:21 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-07 21:07 . 2009-07-12 15:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 15:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2006-05-20 20:04 . 2006-05-20 20:04 242 ----a-w- c:\program files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-22_12.35.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 05:54 . 2010-01-12 05:54 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
- 2009-07-16 11:00 . 2009-07-16 11:00 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
- 2009-07-16 11:00 . 2009-07-16 11:00 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2005-06-25 05:32 . 2010-03-23 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-25 05:32 . 2009-12-01 11:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-24 22:25 . 2009-12-01 11:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-06-24 22:25 . 2010-03-23 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-12 05:54 . 2010-01-12 05:54 136568 c:\windows\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL
+ 2010-01-12 05:54 . 2010-01-12 05:54 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 753152 c:\windows\system32\Macromed\Shockwave 10\gi.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 471040 c:\windows\system32\Macromed\Shockwave 10\Control.dll
- 2009-07-16 11:00 . 2009-07-16 11:00 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
+ 2010-01-12 05:54 . 2010-01-12 05:54 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-02-22 17:05 2353176 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2005-06-28 768000]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2004-11-09 286786]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-27 2937528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-1-30 22486]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159798644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
"56590:TCP"= 56590:TCP:Pando Media Booster
"56590:UDP"= 56590:UDP:Pando Media Booster
"56372:TCP"= 56372:TCP:Pando Media Booster
"56372:UDP"= 56372:UDP:Pando Media Booster
"58287:TCP"= 58287:TCP:Pando Media Booster
"58287:UDP"= 58287:UDP:Pando Media Booster
"57842:TCP"= 57842:TCP:Pando Media Booster
"57842:UDP"= 57842:UDP:Pando Media Booster

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2009 11:36 AM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2009 11:36 AM 19024]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 3:53 PM 190480]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 3:53 PM 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 6:58 PM 204873]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/13/2009 4:03 AM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [7/11/2009 5:46 PM 1205760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 6:57 PM 241737]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/26/2009 4:03 PM 715248]
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.elportal.att.net
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://www.elportal.att.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?62127a26e6f94462a0a0c4be9b299ec7
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?62127a26e6f94462a0a0c4be9b299ec7
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\33sme96b.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2954400660-1623874938-1004999022-1009\Software\SecuROM\License information*]
"datasecu"=hex:bb,93,7a,1e,43,43,bc,cd,bb,d2,25,a6,55,cd,0a,a6,b9,80,68,7d,42,
76,d0,5b,24,4a,32,5b,a9,12,de,ff,68,19,83,80,a7,0a,5d,36,42,28,19,08,7b,20,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3136)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-23 16:22:24
ComboFix-quarantined-files.txt 2010-03-23 20:22
ComboFix2.txt 2010-03-23 18:27
ComboFix3.txt 2010-03-22 19:08
ComboFix4.txt 2010-03-22 12:43

Pre-Run: 86,699,941,888 bytes free
Post-Run: 86,688,489,472 bytes free

- - End Of File - - 35D0610E0E61407803E5A223254E5D0B

Attached Files
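As an added example for triaging a report like the one above (this is not ComboFix's, Dr.Web's or the poster's code, and it is not part of the thread): a small Python script that pulls the registry load points, the Startup-folder shortcut, the driver/service list and the firewall exceptions out of a ComboFix log and flags the settings a responder would want to look at first. The sample input is an excerpt of the ComboFix log posted above; the set of flagged settings and the `EXPECTED_ROOTS` Program Files allowlist are this example's own heuristics, not anything ComboFix itself marks as suspicious.

```python
"""Triage a ComboFix log: list load points, drivers/services and open
firewall ports, and flag weakened security settings.

Added example for this thread, not code from ComboFix, Dr.Web or the
poster. What it flags (firewall off, Security Center monitoring off,
IE Trusted Zone entries, autoruns outside Program Files) and the
EXPECTED_ROOTS allowlist are this example's own heuristics. Python 3.8+.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-02-22 2353176]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2005-06-28 768000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-1-30 22486]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58343:TCP"= 58343:TCP:Pando Media Booster
"58343:UDP"= 58343:UDP:Pando Media Booster
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/26/2009 4:03 PM 715248]
.
Trusted Zone: 0.0.0.0
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                                  # [HKLM\...]
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):(.*)$')    # "58343:TCP"= 58343:TCP:prog
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"')                    # "Name"="image path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9a-fA-F]+)\b')    # "Name"=dword:00000001 or = 0 (0x0)
STARTUP_RE = re.compile(r"^(\S+\.lnk)\s+-\s+(.+?)(?:\s+\[[^\]]*\])?$")   # Startup shortcut -> target
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")  # R0 name;display;path
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")

# Heuristic (this example's assumption): autoruns whose image lives outside
# these roots get flagged for a closer look.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)    # (location, name, image path)
    services: list = field(default_factory=list)    # (start type, name, image path)
    open_ports: list = field(default_factory=list)  # (port, proto, program)
    warnings: list = field(default_factory=list)


def _note_autorun(t: Triage, location: str, name: str, path: str) -> None:
    t.autoruns.append((location, name, path))
    if not path.lower().startswith(EXPECTED_ROOTS):
        t.warnings.append(f"autorun outside Program Files: {name} -> {path}")


def triage_combofix(text: str) -> Triage:
    t = Triage()
    section = ""  # registry key (or Startup folder) the current line belongs to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif line.lower().endswith("\\startup\\"):          # Startup-folder header line
            section = line
        elif (m := PORT_RE.match(line)):                     # firewall GloballyOpenPorts
            t.open_ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif (m := VALUE_RE.match(line)):                    # Run keys, BHOs, toolbars, hooks
            _note_autorun(t, section, m.group(1), m.group(2))
        elif (m := DWORD_RE.match(line)):                    # policy-style numeric values
            name, value, sec = m.group(1).lower(), int(m.group(2), 16), section.lower()
            if name == "enablefirewall" and value == 0 and "firewallpolicy" in sec:
                t.warnings.append(f"Windows Firewall disabled: {section}")
            elif name == "disablemonitoring" and value == 1 and "security center" in sec:
                product = section.rsplit("\\", 1)[-1]
                t.warnings.append(f"Security Center monitoring disabled for {product}")
        elif (m := STARTUP_RE.match(line)):                  # Startup-folder shortcut
            _note_autorun(t, section, m.group(1), m.group(2))
        elif (m := SERVICE_RE.match(line)):                  # drivers and services
            t.services.append((m.group(1), m.group(2), m.group(4)))
        elif (m := TRUSTED_RE.match(line)):                  # IE Trusted Zone entries
            t.warnings.append(f"IE Trusted Zone entry (review): {m.group(1)}")
    return t


if __name__ == "__main__":
    result = triage_combofix(SAMPLE_LOG)
    for label, rows in (("AUTORUNS", result.autoruns), ("SERVICES", result.services),
                        ("OPEN PORTS", result.open_ports), ("WARNINGS", result.warnings)):
        print(f"== {label} ({len(rows)})")
        for row in rows:
            print("  ", row)
```

Run it as-is against the sample, or pass the full ComboFix.txt to `triage_combofix(open(path).read())`. Everything it flags still needs a human decision: third-party suites routinely disable Security Center monitoring for their own products, and the log above lists Norton Internet Security as the active firewall, so those two entries by themselves are not evidence of tampering; an autorun outside Program Files is a pointer to check the file, not a verdict.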

