
Something opening browser windows


  • This topic is locked
18 replies to this topic

#1 airmont

  • Members
  • 29 posts

Posted 21 March 2010 - 09:11 AM

Hi and thanks for the help. Something is opening browser windows (90+ overnight) that are being blocked by my K-9 because of Malware/Suspicious. I ran both Avast! and SUPERAntiSpyware, which found nothing. GMER gave a rootkit warning and found a hidden IE process. My logs are below.

OTL logfile created on: 3/20/2010 10:17:31 PM - Run 2
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\sysop\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 683.00 Mb Available Physical Memory | 67.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 2.97 Gb Free Space | 15.93% Space Free | Partition Type: NTFS
Drive D: | 18.64 Gb Total Space | 8.77 Gb Free Space | 47.05% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TEACHER
Current User Name: sysop
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/09 07:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/08 15:05:21 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysop\Desktop\OTL.exe
PRC - [2010/02/18 16:40:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) -- D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/01/13 19:39:08 | 001,078,560 | ---- | M] () -- C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
PRC - [2008/04/13 20:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/08 15:05:21 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysop\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/01/13 19:39:08 | 001,078,560 | ---- | M] () [Auto | Running] -- C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe -- (bckwfs)
SRV - [2007/05/03 11:32:12 | 001,099,280 | ---- | M] (SMART Technologies Inc.) [Disabled | Stopped] -- C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe -- (SMART Board Service)
SRV - [2007/04/19 06:42:30 | 000,759,312 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe -- (SMART Web Server)
SRV - [2006/02/20 15:23:08 | 000,495,616 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxcrcoms.exe -- (lxcr_device)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/mail
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.30.0.2:8002

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://mail.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..network.proxy.ftp: "10.30.0.2"
FF - prefs.js..network.proxy.ftp_port: 8002
FF - prefs.js..network.proxy.gopher: "10.30.0.2"
FF - prefs.js..network.proxy.gopher_port: 8002
FF - prefs.js..network.proxy.http: "10.30.0.2"
FF - prefs.js..network.proxy.http_port: 8002
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "10.30.0.2"
FF - prefs.js..network.proxy.socks_port: 8002
FF - prefs.js..network.proxy.ssl: "10.30.0.2"
FF - prefs.js..network.proxy.ssl_port: 8002

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/16 10:02:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/16 10:03:00 | 000,000,000 | ---D | M]

[2009/07/07 07:49:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Mozilla\Extensions
[2010/03/18 13:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Mozilla\Firefox\Profiles\kmfqayn4.default\extensions
[2009/07/02 23:16:02 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\sysop\Application Data\Mozilla\Firefox\Profiles\kmfqayn4.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/03/18 13:05:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/16 19:59:54 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll (SMART Technologies Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [LXCRCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.DLL ()
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {571CB303-4267-4D92-B45C-9B79ACC18632} http://potplayer.daum.net/PotPlayer/v2/PotWeb.cab (PotWeb Control)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\sysop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\sysop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/29 14:45:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/21 08:13:51 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/02/21 08:13:52 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{7d9491a0-5992-11dd-8abc-00065b62ac59}\Shell - "" = AutoRun
O33 - MountPoints2\{7d9491a0-5992-11dd-8abc-00065b62ac59}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7d9491a0-5992-11dd-8abc-00065b62ac59}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/06/29 14:44:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "mnmsrvc"
MsConfig - Services: "ImapiService"
MsConfig - Services: "aspnet_state"
MsConfig - Services: "WZCSVC"
MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "TapiSrv"
MsConfig - Services: "srservice"
MsConfig - Services: "SMART Web Server"
MsConfig - Services: "SMART Board Service"
MsConfig - Services: "MDM"
MsConfig - Services: "NMSAccessU"
MsConfig - Services: "wuauserv"
MsConfig - Services: "WmdmPmSN"
MsConfig - Services: "FastUserSwitchingCompatibility"
MsConfig - Services: "ACDaemon"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk - D:\DOCUME~1\KODAKE~1\KODAKE~1\bin\EASYSH~1.EXE - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe File not found
MsConfig - State: "system.ini" - 2
MsConfig - State: "win.ini" - 2
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5c9ff2bf-938d-47fe-85d9-9dbab4f65018} - KB897715
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {79844cfb-ac65-4e10-a06a-c974234f40d0} - KB883939
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\WINDOWS\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\WINDOWS\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.dvsd - C:\WINDOWS\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.ffds - - File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mp43 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173366603513856)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/16 10:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysop\Application Data\SUPERAntiSpyware.com
[2010/03/16 10:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/03/14 19:33:40 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/03/08 15:05:13 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sysop\Desktop\OTL.exe
[2009/07/22 03:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/03/15 08:07:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/15 08:07:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/15 08:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/07/14 01:37:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/04/16 14:54:37 | 000,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrinpa.dll
[2007/04/16 14:54:36 | 000,393,216 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcriesc.dll
[2007/04/16 14:48:00 | 000,995,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrusb1.dll
[2007/04/16 14:47:59 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrserv.dll
[2007/04/16 14:47:58 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrprox.dll
[2007/04/16 14:47:58 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrpplc.dll
[2007/04/16 14:47:57 | 000,536,576 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrlmpm.dll
[2007/04/16 14:47:50 | 000,610,304 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrcomc.dll
[2007/04/16 14:47:50 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcrcomm.dll
[2006/12/26 15:05:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ApplicationHistory
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/20 22:26:01 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003UA.job
[2010/03/20 21:03:50 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/03/20 21:02:55 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/20 21:00:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/20 21:00:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 21:00:06 | 1072,775,168 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/20 01:26:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003Core.job
[2010/03/18 21:15:55 | 007,602,176 | -H-- | M] () -- C:\Documents and Settings\sysop\NTUSER.DAT
[2010/03/18 12:54:13 | 000,000,017 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2010/03/18 12:42:15 | 000,000,352 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2010/03/18 12:42:15 | 000,000,338 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.dll
[2010/03/17 22:14:46 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/17 22:14:46 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/17 22:14:46 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/17 21:45:43 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\sysop\ntuser.ini
[2010/03/17 21:45:31 | 002,108,930 | -H-- | M] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\IconCache.db
[2010/03/16 10:55:56 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/16 10:41:30 | 007,757,856 | ---- | M] () -- C:\Documents and Settings\sysop\Desktop\SUPERAntiSpyware.exe
[2010/03/15 21:10:15 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\sysop\Desktop\Microsoft Word.lnk
[2010/03/12 12:50:38 | 003,952,640 | ---- | M] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\filesync.metadata
[2010/03/12 12:50:34 | 000,002,253 | ---- | M] () -- C:\Documents and Settings\sysop\Desktop\SyncToy 2.0.lnk
[2010/03/11 23:05:04 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/09 07:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/09 07:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/09 07:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/09 07:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/09 07:08:41 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/09 07:08:38 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/09 07:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/09 07:08:15 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/03/08 19:22:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\sysop\Desktop\gmer.exe
[2010/03/08 15:06:43 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\sysop\Desktop\Defogger.exe
[2010/03/08 15:05:21 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysop\Desktop\OTL.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/16 10:55:56 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/16 10:41:30 | 007,757,856 | ---- | C] () -- C:\Documents and Settings\sysop\Desktop\SUPERAntiSpyware.exe
[2010/03/08 15:06:43 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\sysop\Desktop\Defogger.exe
[2010/02/16 20:38:14 | 000,000,338 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2010/02/07 08:57:10 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/02/01 20:45:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\Schedule8.dat
[2009/10/01 21:23:57 | 003,952,640 | ---- | C] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\filesync.metadata
[2009/03/12 16:14:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\prvlcl.dat
[2009/01/13 19:39:06 | 000,072,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\bckd.sys
[2008/11/01 21:25:02 | 000,002,048 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/01/12 20:09:12 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/01/12 20:09:11 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/10/20 22:19:26 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\uccspecc.sys
[2007/08/22 18:01:33 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2007/08/22 18:01:33 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2007/06/17 16:15:32 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\sysop\Application Data\internaldb41.dat
[2007/06/17 16:15:32 | 000,003,608 | ---- | C] () -- C:\Documents and Settings\sysop\Application Data\internaldb41.dat-journal
[2007/04/16 14:54:43 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcrvs.dll
[2007/04/16 14:54:33 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\lxcrcoin.dll
[2007/04/16 14:53:16 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxcrdrs.dll
[2007/04/16 14:53:16 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxcrcaps.dll
[2007/04/16 14:53:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxcrcnv4.dll
[2007/04/16 14:48:01 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\LXCRinst.dll
[2006/12/26 15:04:32 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2006/12/20 00:03:40 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.sysop.ini
[2006/11/03 11:09:46 | 000,000,011 | ---- | C] () -- C:\WINDOWS\OSA.INI
[2006/09/12 18:25:54 | 000,000,794 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2006/06/15 18:05:29 | 000,169,472 | ---- | C] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/03 12:49:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2005/11/30 14:51:57 | 000,000,287 | ---- | C] () -- C:\WINDOWS\XT30.INI
[2005/11/17 12:16:13 | 000,028,747 | ---- | C] () -- C:\WINDOWS\System32\KMemoryMMX.dll
[2005/11/17 12:16:13 | 000,024,653 | ---- | C] () -- C:\WINDOWS\System32\KMemoryPIII.dll
[2005/11/17 12:16:13 | 000,024,632 | ---- | C] () -- C:\WINDOWS\System32\KMemory.dll
[2005/11/17 12:16:13 | 000,020,546 | ---- | C] () -- C:\WINDOWS\System32\KMemoryC.dll
[2005/11/17 12:15:03 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2005/11/17 12:14:59 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll
[2005/11/17 12:14:58 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2005/11/17 12:14:57 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2005/11/17 12:14:56 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2005/07/12 12:51:43 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/07/12 12:51:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/06/30 12:43:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/30 12:22:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\sysop\Local Settings\Application Data\fusioncache.dat
[2004/09/01 07:42:44 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
[2004/09/01 07:42:44 | 000,257,536 | ---- | C] () -- C:\WINDOWS\BiImg.dll
[2004/09/01 07:42:44 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPeg32.dll
[2004/09/01 07:42:44 | 000,110,592 | ---- | C] () -- C:\WINDOWS\JPeg32.dll
[2004/09/01 07:42:44 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\BiEResNT.dll
[2004/09/01 07:42:44 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Bic_Res.dll
[2004/09/01 07:42:44 | 000,000,002 | ---- | C] () -- C:\WINDOWS\bi_group.ini
[2000/01/28 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== LOP Check ==========

[2010/02/15 19:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/06/04 10:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
[2010/02/07 08:56:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2008/03/03 09:08:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2007/08/30 17:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SMART Technologies Inc
[2007/12/11 11:27:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sync App Settings
[2007/05/28 09:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/07/12 12:57:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\The Learning Company
[2008/04/15 12:14:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\You Software
[2008/04/28 18:20:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Attensa
[2009/06/14 13:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Canneverbe_Limited
[2010/02/01 20:52:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Dropbox
[2010/02/15 08:16:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\FileZilla
[2008/06/04 10:17:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\GlobalSCAPE
[2009/06/03 19:50:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\gtk-2.0
[2009/03/31 20:44:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\iView
[2009/03/12 13:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\LimeWire
[2007/12/13 16:02:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Netscape
[2010/02/21 08:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Notepad++
[2007/05/17 15:41:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Pixela
[2007/08/22 14:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\RadialPoint
[2009/07/30 15:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Skinux
[2007/08/30 17:12:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\SMART Technologies Inc
[2007/06/27 14:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Snapfish
[2009/09/13 15:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\StreamTorrent
[2007/07/05 13:21:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Uniblue
[2009/01/26 20:21:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysop\Application Data\Unity
[2010/03/20 21:02:55 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005/06/29 16:10:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/18 13:49:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2005/06/29 16:10:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/18 13:49:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\erdnt\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2003/07/16 12:40:05 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/06/29 16:10:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/18 13:49:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2005/06/29 16:10:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/18 13:49:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\erdnt\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\erdnt\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\erdnt\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\erdnt\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-21 08:15:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\sysop\LOCALS~1\Temp\fwrdipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEF5FDC56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEF5FDB12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEF5FE0C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEF5FDFF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEF5FD6E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEF5FDBEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEF5FD628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEF5FD68C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEF5FDD0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEF5FE194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEF5FDCCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEF5FDE4C]
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF6C1320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEF60A4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEF60A322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEF60A45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 15C 804E27C8 4 Bytes CALL 8B3D87A3
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EF607972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP EF60A326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EF60A502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F84D 5 Bytes JMP EF6064BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3AF1 7 Bytes JMP EF60A460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip bckd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp bckd.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp bckd.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp bckd.sys

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1128

---- EOF - GMER 1.0.15 ----
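The "< MD5 for: ... >" blocks in the OTL custom scan above hash every copy of a few core drivers and DLLs that the tool can find: the copy actually in use under system32 (or system32\drivers), the service pack's pristine copies in ServicePackFiles\i386, an ERUNT backup in erdnt\cache, and the pre-SP3 copies in $NtServicePackUninstall$. The value of the scan is a consistency check: a driver patched in place by a kernel-mode rootkit can keep its name, size and version banner, so the cheap tell is that the in-use copy hashes differently from every pristine reference copy. The Python below is an added example, not OTL's own code or anything posted in the thread; it parses blocks in that format and reports the comparison. The AGP440.SYS and ATAPI.SYS lines are copied from the log above, the NDIS.SYS block and its hashes are constructed to show a mismatch, and the SYSTEMROOT path is an assumption.

```python
"""Cross-check the '< MD5 for: ... >' blocks of an OTL custom scan.

The in-use copy of a file is compared against the baseline copies that the
service pack installer (ServicePackFiles\\i386) or an ERUNT backup
(erdnt\\cache) keep. Added example, not OTL's own logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SYSTEMROOT = r"C:\WINDOWS"  # assumption: the %SystemRoot% shown in the log
LIVE_DIRS = {SYSTEMROOT.lower() + r"\system32", SYSTEMROOT.lower() + r"\system32\drivers"}
# Baseline copies. $NtServicePackUninstall$ and ReinstallBackups hold older
# versions, so they legitimately differ and are deliberately not used.
REFERENCE_MARKERS = ("\\servicepackfiles\\i386\\", "\\erdnt\\cache\\")

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# One hashed entry, e.g.
#   [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A... -- C:\WINDOWS\system32\drivers\atapi.sys
# Lines for .cab members carry no MD5= field and therefore do not match.
ENTRY_RE = re.compile(
    r"^\[[^\]]*\| (?P<size>[\d,]+) \|[^\]]*\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+?)\s*$"
)


@dataclass
class Copy:
    path: str
    md5: str
    size: int
    company: str
    role: str  # "live", "reference" or "other"


def classify(path: str) -> str:
    """Decide whether a path is the in-use copy, a baseline copy, or neither."""
    p = path.lower()
    if any(marker in p for marker in REFERENCE_MARKERS):
        return "reference"
    return "live" if p.rsplit("\\", 1)[0] in LIVE_DIRS else "other"


def parse_md5_sections(log_text: str) -> dict:
    """Return {file name (lower-case): [Copy, ...]} for each '< MD5 for: X >' block."""
    sections, current = defaultdict(list), None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("<"):  # every '< ... >' line starts a new custom scan
            header = HEADER_RE.match(line)
            current = header.group("name").lower() if header else None
            continue
        entry = ENTRY_RE.match(line) if current else None
        if not entry:
            continue
        sections[current].append(Copy(
            path=entry.group("path"),
            md5=entry.group("md5").upper(),
            size=int(entry.group("size").replace(",", "")),
            company=entry.group("company"),
            role=classify(entry.group("path")),
        ))
    return dict(sections)


def check_live_copies(log_text: str) -> dict:
    """Map each in-use copy's path to 'ok', 'MISMATCH' or 'no-reference'."""
    verdicts = {}
    for copies in parse_md5_sections(log_text).values():
        baseline = {c.md5 for c in copies if c.role == "reference"}
        for c in copies:
            if c.role != "live":
                continue
            if not baseline:
                verdict = "no-reference"
            elif c.md5 in baseline:
                verdict = "ok"
            else:
                verdict = "MISMATCH"
            if c.company != "Microsoft Corporation":  # OTL prints the PE company string
                verdict += " (unexpected company string)"
            verdicts[c.path] = verdict
    return verdicts


# Sample log: AGP440.SYS and ATAPI.SYS copied from the OTL log above; the
# NDIS.SYS block and both of its hashes are constructed to show a mismatch.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2005/06/29 16:10:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\erdnt\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
< MD5 for: ATAPI.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
< MD5 for: NDIS.SYS >
[2008/04/13 14:40:30 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2008/04/13 14:40:30 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=22222222222222222222222222222222 -- C:\WINDOWS\system32\drivers\ndis.sys
"""

if __name__ == "__main__":
    for path, verdict in sorted(check_live_copies(SAMPLE_LOG).items()):
        print(f"{verdict:14} {path}")
```

Feed the text of a saved OTL log to check_live_copies() to run it over a real scan. A MISMATCH is a lead, not a verdict: a hotfix installed after the service pack also replaces the in-use copy without touching ServicePackFiles\i386 (the log above shows wininet.dll and srv.sys updated in December 2009 that way), so confirm a hit by checking the file's digital signature or submitting it to a multi-engine scanner, as the helper does with iexplore.exe in the next post.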

#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 21 March 2010 - 10:17 AM

Hello, airmont.
Hi, before we get into this, let's look at a couple of files that seem suspicious.





Step 1

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\Internet Explorer\iexplore.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 2

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as airmontCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on airmontCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 airmont (Topic Starter, Members, 29 posts)

Posted 21 March 2010 - 03:04 PM

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

--------------------------------------------------------------------------------

Filename: iexplore.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 18 Mar 2010 11:53:04 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 638816 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: b60dddd2d63ce41cb8c487fcfbb6419e
SHA1: eadce51c88c8261852c1903399dde742fba2061b


Scanners
20 results dated 2010-03-16 to 2010-03-18 (scanner names not preserved on the page): all "Found nothing"


----------------------



ComboFix 10-03-20.06 - sysop 03/21/2010 14:38:27.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.653 [GMT -4:00]
Running from: c:\documents and settings\sysop\Desktop\airmontCF.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eSellerateEngine.dll
c:\windows\system32\lsprst7.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-16 14:58 . 2010-03-16 14:58 52224 ----a-w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-16 14:58 . 2010-03-21 01:46 117760 ----a-w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-16 14:55 . 2010-03-16 14:55 -------- d-----w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com
2010-03-16 14:52 . 2010-03-16 14:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-14 23:33 . 2010-03-14 23:33 -------- d-----w- C:\VundoFix Backups
2010-03-11 05:32 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-21 22:16 . 2010-02-21 22:16 -------- d-----w- c:\program files\AGD Interactive
2010-02-21 12:47 . 2010-02-21 12:47 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 12:47 . 2010-02-21 12:47 503808 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\msvcp71.dll
2010-02-21 12:47 . 2010-02-21 12:47 499712 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\jmc.dll
2010-02-21 12:47 . 2010-02-21 12:47 348160 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\msvcr71.dll
2010-02-21 12:47 . 2010-02-21 12:47 61440 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14d29ac9-n\decora-sse.dll
2010-02-21 12:47 . 2010-02-21 12:47 12800 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14d29ac9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 18:29 . 2009-08-24 20:20 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-03-18 16:42 . 2007-08-22 21:55 -------- d-----w- c:\program files\SPSSEval
2010-03-09 11:24 . 2010-02-15 23:59 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2010-02-16 00:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2010-02-16 00:00 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2010-02-16 00:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2010-02-16 00:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2010-02-16 00:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2010-02-16 00:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2010-02-16 00:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-22 14:20 . 2005-06-30 14:45 197104 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 12:45 . 2009-03-22 11:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 12:42 . 2007-07-12 01:45 -------- d-----w- c:\program files\Java
2010-02-21 12:23 . 2007-02-20 02:02 -------- d-----w- c:\documents and settings\sysop\Application Data\Notepad++
2010-02-21 12:23 . 2009-07-15 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-21 12:23 . 2008-01-16 19:44 -------- d-----w- c:\program files\Norton Security Scan
2010-02-21 12:21 . 2010-01-03 23:40 -------- d-----w- c:\program files\The Extractor
2010-02-21 12:10 . 2010-02-12 19:54 -------- d-----w- c:\program files\7-Zip
2010-02-18 02:45 . 2005-07-11 13:27 -------- d-----w- c:\program files\Symantec
2010-02-16 23:54 . 2007-04-16 18:49 -------- d-----w- c:\program files\Lexmark 2400 Series
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\program files\Alwil Software
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-15 12:16 . 2008-06-06 21:26 -------- d-----w- c:\documents and settings\sysop\Application Data\FileZilla
2010-02-11 18:53 . 2010-02-15 23:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-07 19:00 . 2008-11-09 02:36 -------- d-----w- c:\program files\DOSBox-0.72
2010-02-07 12:57 . 2010-02-07 12:57 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-07 12:56 . 2010-02-07 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\sysop\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-02 16:42 . 2007-04-16 18:56 -------- d-----w- c:\program files\lx_cats
2010-02-02 00:52 . 2009-08-13 11:55 -------- d-----w- c:\documents and settings\sysop\Application Data\Dropbox
2010-02-02 00:48 . 2010-02-02 00:45 0 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\Schedule8.dat
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\NewShortcut4_F92D24B7EFD44DB4B12061027658C974.exe
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\NewShortcut1_F92D24B7EFD44DB4B12061027658C974.exe
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\ARPPRODUCTICON.exe
2010-01-22 00:57 . 2010-01-22 00:56 -------- d-----w- c:\program files\Mplus
2010-01-22 00:47 . 2009-03-25 23:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 02:30 . 2009-09-25 18:03 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 01:28 . 2007-05-18 03:01 295 ----a-w- c:\windows\EReg072.dat
2010-01-07 21:07 . 2009-08-19 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-19 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 23:40 . 2010-01-03 23:40 737280 ----a-w- c:\windows\iun6002.exe
2009-12-31 16:50 . 2003-07-16 16:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-04-27 14:54 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 133104]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-7-11 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-05 21:05 133104 ----atw- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"TapiSrv"=3 (0x3)
"srservice"=2 (0x2)
"SMART Web Server"=2 (0x2)
"SMART Board Service"=2 (0x2)
"MDM"=2 (0x2)
"NMSAccessU"=2 (0x2)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/15/2010 8:00 PM 162640]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/15/2010 8:00 PM 19024]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [4/19/2007 6:42 AM 759312]
.
Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003Core.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003UA.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/mail
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 10.30.0.2:8002
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {571CB303-4267-4D92-B45C-9B79ACC18632} - hxxp://potplayer.daum.net/PotPlayer/v2/PotWeb.cab
FF - ProfilePath - c:\documents and settings\sysop\Application Data\Mozilla\Firefox\Profiles\kmfqayn4.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\sysop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 14:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-03-21 15:00:50
ComboFix-quarantined-files.txt 2010-03-21 19:00

Pre-Run: 3,906,932,736 bytes free
Post-Run: 3,910,598,656 bytes free

- - End Of File - - D1B315AEE9E9F5ECFCD37279698FDAE2


#4 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 22 March 2010 - 09:58 PM

Hello, airmont.
OK, do you have a proxy server set up? Does this IP address and port mean anything to you? 10.30.0.2:8002

If they do, let me know and don't continue. If they don't, please continue with the instructions:


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
DDS::
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.30.0.2:8002
Firefox::
FF - prefs.js..network.proxy.ftp: "10.30.0.2"
FF - prefs.js..network.proxy.ftp_port: 8002
FF - prefs.js..network.proxy.gopher: "10.30.0.2"
FF - prefs.js..network.proxy.gopher_port: 8002
FF - prefs.js..network.proxy.http: "10.30.0.2"
FF - prefs.js..network.proxy.http_port: 8002
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "10.30.0.2"
FF - prefs.js..network.proxy.socks_port: 8002
FF - prefs.js..network.proxy.ssl: "10.30.0.2"
FF - prefs.js..network.proxy.ssl_port: 8002


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 airmont
  • Topic Starter
  • Members
  • 29 posts

Posted 23 March 2010 - 06:37 PM

I didn't set up a proxy server, but I use Blue Coat K-9 web protection filtering software, which may use a proxy. Is this a problem?

#6 airmont
  • Topic Starter
  • Members
  • 29 posts

Posted 23 March 2010 - 09:05 PM

Never mind. I decided to run it in any case and deal with any consequences later. My log is attached.

ComboFix 10-03-23.03 - sysop 03/23/2010 21:42:54.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.650 [GMT -4:00]
Running from: c:\documents and settings\sysop\Desktop\airmontCF.exe
Command switches used :: c:\documents and settings\sysop\Desktop\CFscript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-16 14:58 . 2010-03-16 14:58 52224 ----a-w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-16 14:58 . 2010-03-21 01:46 117760 ----a-w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-16 14:55 . 2010-03-16 14:55 -------- d-----w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com
2010-03-16 14:52 . 2010-03-16 14:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-11 05:32 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 18:29 . 2009-08-24 20:20 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-03-18 16:42 . 2007-08-22 21:55 -------- d-----w- c:\program files\SPSSEval
2010-03-09 11:24 . 2010-02-15 23:59 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2010-02-16 00:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2010-02-16 00:00 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2010-02-16 00:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2010-02-16 00:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2010-02-16 00:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2010-02-16 00:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2010-02-16 00:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-22 14:20 . 2005-06-30 14:45 197104 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 22:16 . 2010-02-21 22:16 -------- d-----w- c:\program files\AGD Interactive
2010-02-21 12:47 . 2010-02-21 12:47 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 12:47 . 2010-02-21 12:47 503808 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\msvcp71.dll
2010-02-21 12:47 . 2010-02-21 12:47 499712 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\jmc.dll
2010-02-21 12:47 . 2010-02-21 12:47 348160 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2c3323ee-n\msvcr71.dll
2010-02-21 12:47 . 2010-02-21 12:47 61440 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14d29ac9-n\decora-sse.dll
2010-02-21 12:47 . 2010-02-21 12:47 12800 ----a-w- c:\documents and settings\sysop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14d29ac9-n\decora-d3d.dll
2010-02-21 12:45 . 2009-03-22 11:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 12:42 . 2007-07-12 01:45 -------- d-----w- c:\program files\Java
2010-02-21 12:23 . 2007-02-20 02:02 -------- d-----w- c:\documents and settings\sysop\Application Data\Notepad++
2010-02-21 12:23 . 2009-07-15 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-21 12:23 . 2008-01-16 19:44 -------- d-----w- c:\program files\Norton Security Scan
2010-02-21 12:21 . 2010-01-03 23:40 -------- d-----w- c:\program files\The Extractor
2010-02-21 12:10 . 2010-02-12 19:54 -------- d-----w- c:\program files\7-Zip
2010-02-18 02:45 . 2005-07-11 13:27 -------- d-----w- c:\program files\Symantec
2010-02-16 23:54 . 2007-04-16 18:49 -------- d-----w- c:\program files\Lexmark 2400 Series
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\program files\Alwil Software
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-15 12:16 . 2008-06-06 21:26 -------- d-----w- c:\documents and settings\sysop\Application Data\FileZilla
2010-02-11 18:53 . 2010-02-15 23:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-07 19:00 . 2008-11-09 02:36 -------- d-----w- c:\program files\DOSBox-0.72
2010-02-07 12:57 . 2010-02-07 12:57 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-07 12:56 . 2010-02-07 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\sysop\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-02 16:42 . 2007-04-16 18:56 -------- d-----w- c:\program files\lx_cats
2010-02-02 00:52 . 2009-08-13 11:55 -------- d-----w- c:\documents and settings\sysop\Application Data\Dropbox
2010-02-02 00:48 . 2010-02-02 00:45 0 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\Schedule8.dat
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\NewShortcut4_F92D24B7EFD44DB4B12061027658C974.exe
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\NewShortcut1_F92D24B7EFD44DB4B12061027658C974.exe
2010-01-22 00:57 . 2010-01-22 00:57 40960 ----a-r- c:\documents and settings\sysop\Application Data\Microsoft\Installer\{C8398A8B-8E8D-456B-88FE-8BA82A7A0247}\ARPPRODUCTICON.exe
2010-01-20 02:30 . 2009-09-25 18:03 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 01:28 . 2007-05-18 03:01 295 ----a-w- c:\windows\EReg072.dat
2010-01-07 21:07 . 2009-08-19 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-19 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 23:40 . 2010-01-03 23:40 737280 ----a-w- c:\windows\iun6002.exe
2009-12-31 16:50 . 2003-07-16 16:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 133104]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-7-11 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-05 21:05 133104 ----atw- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"TapiSrv"=3 (0x3)
"srservice"=2 (0x2)
"SMART Web Server"=2 (0x2)
"SMART Board Service"=2 (0x2)
"MDM"=2 (0x2)
"NMSAccessU"=2 (0x2)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/15/2010 8:00 PM 162640]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/15/2010 8:00 PM 19024]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [4/19/2007 6:42 AM 759312]
.
Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003Core.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003UA.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/mail
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {571CB303-4267-4D92-B45C-9B79ACC18632} - hxxp://potplayer.daum.net/PotPlayer/v2/PotWeb.cab
FF - ProfilePath - c:\documents and settings\sysop\Application Data\Mozilla\Firefox\Profiles\kmfqayn4.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\sysop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-23 22:01:16
ComboFix-quarantined-files.txt 2010-03-24 02:00
ComboFix2.txt 2010-03-21 19:00

Pre-Run: 3,815,436,288 bytes free
Post-Run: 3,778,793,472 bytes free

- - End Of File - - C2108B73A3059840705462EAEFFFAB43


#7 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 23 March 2010 - 09:58 PM

OK, still have the popups or not?




#8 airmont
  • Topic Starter
  • Members
  • 29 posts

Posted 24 March 2010 - 06:11 AM

No popups overnight, although it is very sporadic and happens only once in a while.

#9 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 24 March 2010 - 06:42 PM

Hello, airmont.
OK, let's let it run for a bit more and see if anything pops up. One of the entries we deleted told your computer to launch IE every time the Internet Connection Wizard completed. That's not quite standard. Let's see if that helps. In the interim, let's run MBAM.



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\EReg072.dat
DirLook::
C:\Program Files\TinyProxy\
C:\Program Files\ProtectService\
Driver::
ACDaemon


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 3

Please go to Start --> Run and copy and paste the first line of text in the box and press OK. Once done, do the same with the second line.


Reg Export HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility C:\export.txt
Reg Export HKLM\SYSTEM\CurrentControlSet\Services\wuauserv C:\export2.txt



Please attach C:\export.txt and C:\export2.txt to your reply.


etavares


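Added example (not part of the thread, and not ComboFix's or etavares's tooling): a Python triage script for the two artefacts the scripts above act on. It reports a browser proxy wherever post #4's CFScript removes one, in the IE Internet Settings key and in Firefox's network.proxy.* prefs, and it keeps reporting the IE server while ProxyEnable is 0, the state the DDS lines in post #4 show, because a cleanup that only flips the switch leaves the injected server behind. It also decodes the Start value of service keys from the text that post #9's two Reg Export lines write, which is how to read export2.txt (2 = auto, 3 = manual, 4 = disabled). The prefs.js and reg-export inputs are constructed samples: the key paths are the real Windows locations, the values are made up. One point the step does not spell out: reg.exe writes no file at all when the named key does not exist, which is why the FastUserSwitchingCompatiblity spelling in the command airmont ran (quoted in post #10) produced no export.txt. Treating a non-loopback proxy host as suspicious is a heuristic of this example, not something the thread establishes.

```python
"""Added triage helpers for this thread: flag the 10.30.0.2:8002 proxy of post #4 in a Firefox
prefs.js and an exported IE Internet Settings key, and decode service Start values from post #9's
Reg Export output. All inputs below are constructed samples, not the original poster's files."""
import re

# Constructed prefs.js built from the network.proxy.* lines quoted in post #4.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "http://mail.yahoo.com/");
user_pref("network.proxy.http", "10.30.0.2");
user_pref("network.proxy.http_port", 8002);
user_pref("network.proxy.ssl", "10.30.0.2");
user_pref("network.proxy.ssl_port", 8002);
user_pref("network.proxy.share_proxy_settings", true);
"""

# Constructed text in the format `reg export` writes: real key paths, made-up values
# (Start 4 is what msconfig sets when it disables a service, as in the ComboFix log).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="10.30.0.2:8002"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckwfs]
"Start"=dword:00000002
"""

IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_START = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_prefs_js(text):
    """Map pref name -> str/int/bool for each user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            name, raw = m.groups()  # quoted string, true/false, or integer
            prefs[name] = raw[1:-1] if raw[0] == '"' else (raw == "true" if raw in ("true", "false") else int(raw))
    return prefs


def parse_reg(text):
    """Parse reg-export text into {key_path: {value_name: value}}; strings and dword: are decoded,
    hex(...) blobs stay raw. reg.exe writes UTF-16 with a BOM: open(path, encoding="utf-16")."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, raw = m.group(1) or "", m.group(2)  # "" is the key's (Default) value
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def audit_proxies(prefs, reg):
    """(source, host, port, note) for every configured proxy. IE's is reported even with
    ProxyEnable=0: clearing only the switch leaves the injected server in place."""
    found = []
    shared = "shared" if prefs.get("network.proxy.share_proxy_settings") else ""
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host:
            found.append((f"firefox:{scheme}", host, prefs.get(f"network.proxy.{scheme}_port", 0), shared))
    ie = reg.get(IE_KEY, {})
    status = "enabled" if ie.get("ProxyEnable") else "set but ProxyEnable=0"
    for entry in filter(None, ie.get("ProxyServer", "").split(";")):  # "host:port" or "http=host:port;..."
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        found.append((f"ie:{scheme or 'all'}", host, int(port or 0), status))
    return found


def service_start(reg, name):
    """Decoded Start of a service key, or None when the key is not in the export, which is
    also what a misspelled name on the reg export line yields: no key, no file written."""
    values = reg.get(f"{SERVICES_KEY}\\{name}", {})
    return SERVICE_START.get(values["Start"], "unknown") if "Start" in values else None


if __name__ == "__main__":
    prefs, reg = parse_prefs_js(SAMPLE_PREFS_JS), parse_reg(SAMPLE_REG)
    for src, host, port, note in audit_proxies(prefs, reg):  # heuristic: loopback suggests a local filter
        print(f"{src:12} {host}:{port} {note}", "" if host in ("127.0.0.1", "localhost") else "<- not local")
    print({s: service_start(reg, s) for s in ("wuauserv", "bckwfs", "FastUserSwitchingCompatiblity")})
```

Against the real machine, feed parse_reg the contents of C:\export2.txt read with encoding="utf-16" and parse_prefs_js the prefs.js from the profile path in the OTL log. The values ComboFix lists under shared tools\msconfig\services are the Start values those services had before msconfig disabled them, so exporting that key the same way gives the pre-disable state to compare against.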


#10 airmont
  • Topic Starter
  • Members
  • 29 posts

Posted 24 March 2010 - 09:35 PM

Hi Etavares,

Thanks for the help. I got a few popups today that were not blocked but showed ads through "carlsmedia"? In any case, my logs are below with the exception of "Reg Export HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatiblity C:\export.txt" which did not generate any output file.


Malwarebytes' Anti-Malware 1.44
Database version: 3910
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/24/2010 9:44:17 PM
mbam-log-2010-03-24 (21-44-17).txt

Scan type: Quick Scan
Objects scanned: 118565
Time elapsed: 20 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 10-03-24.02 - sysop 03/24/2010 21:53:20.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.638 [GMT -4:00]
Running from: c:\documents and settings\sysop\Desktop\anti virus\airmontCF.exe
Command switches used :: c:\documents and settings\sysop\Desktop\anti virus\CFscript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\EReg072.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EReg072.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACDAEMON
-------\Service_ACDaemon


((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-16 14:55 . 2010-03-16 14:55 -------- d-----w- c:\documents and settings\sysop\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 02:11 . 2009-08-24 20:20 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-03-25 00:54 . 2009-08-19 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 16:42 . 2007-08-22 21:55 -------- d-----w- c:\program files\SPSSEval
2010-03-16 14:52 . 2010-03-16 14:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-09 11:24 . 2010-02-15 23:59 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2010-02-16 00:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2010-02-16 00:00 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2010-02-16 00:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2010-02-16 00:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2010-02-16 00:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2010-02-16 00:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2010-02-16 00:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-22 14:20 . 2005-06-30 14:45 197104 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 22:16 . 2010-02-21 22:16 -------- d-----w- c:\program files\AGD Interactive
2010-02-21 12:47 . 2010-02-21 12:47 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 12:45 . 2009-03-22 11:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 12:42 . 2007-07-12 01:45 -------- d-----w- c:\program files\Java
2010-02-21 12:23 . 2007-02-20 02:02 -------- d-----w- c:\documents and settings\sysop\Application Data\Notepad++
2010-02-21 12:23 . 2009-07-15 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-21 12:23 . 2008-01-16 19:44 -------- d-----w- c:\program files\Norton Security Scan
2010-02-21 12:21 . 2010-01-03 23:40 -------- d-----w- c:\program files\The Extractor
2010-02-21 12:10 . 2010-02-12 19:54 -------- d-----w- c:\program files\7-Zip
2010-02-18 02:45 . 2005-07-11 13:27 -------- d-----w- c:\program files\Symantec
2010-02-16 23:54 . 2007-04-16 18:49 -------- d-----w- c:\program files\Lexmark 2400 Series
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\program files\Alwil Software
2010-02-15 23:59 . 2010-02-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-15 12:16 . 2008-06-06 21:26 -------- d-----w- c:\documents and settings\sysop\Application Data\FileZilla
2010-02-11 18:53 . 2010-02-15 23:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-07 19:00 . 2008-11-09 02:36 -------- d-----w- c:\program files\DOSBox-0.72
2010-02-07 12:57 . 2010-02-07 12:57 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-07 12:56 . 2010-02-07 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-02 16:42 . 2007-04-16 18:56 -------- d-----w- c:\program files\lx_cats
2010-02-02 00:52 . 2009-08-13 11:55 -------- d-----w- c:\documents and settings\sysop\Application Data\Dropbox
2010-02-02 00:48 . 2010-02-02 00:45 0 ----a-w- c:\documents and settings\sysop\Local Settings\Application Data\Schedule8.dat
2010-01-07 20:07 . 2009-08-19 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 20:07 . 2009-08-19 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 23:40 . 2010-01-03 23:40 737280 ----a-w- c:\windows\iun6002.exe
2009-12-31 16:50 . 2003-07-16 16:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\ProtectService\ ----


---- Directory of c:\program files\TinyProxy\ ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 133104]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-7-11 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-05 21:05 133104 ----atw- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"TapiSrv"=3 (0x3)
"srservice"=2 (0x2)
"SMART Web Server"=2 (0x2)
"SMART Board Service"=2 (0x2)
"MDM"=2 (0x2)
"NMSAccessU"=2 (0x2)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\sysop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/15/2010 8:00 PM 162640]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/15/2010 8:00 PM 19024]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [4/19/2007 6:42 AM 759312]
.
Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003Core.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-152049171-1801674531-1003UA.job
- c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-05 21:05]

2010-03-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/mail
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {571CB303-4267-4D92-B45C-9B79ACC18632} - hxxp://potplayer.daum.net/PotPlayer/v2/PotWeb.cab
FF - ProfilePath - c:\documents and settings\sysop\Application Data\Mozilla\Firefox\Profiles\kmfqayn4.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\sysop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\sysop\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 22:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-152049171-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-24 22:29:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 02:29
ComboFix2.txt 2010-03-21 19:00

Pre-Run: 3,716,304,896 bytes free
Post-Run: 3,659,173,888 bytes free

- - End Of File - - 246ED990DEDC8B9F36ACEFDED4A87BBC


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Automatic Updates"
"ObjectName"="LocalSystem"
"Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



#11 etavares (Bleepin' Remover, Malware Response Team)

Posted 25 March 2010 - 06:45 AM

OK, two things.

1. I had a typo in the line that didn't produce a log. Please follow step 2 above, but with this text:
Reg Export HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility C:\export.txt

2. Please find and delete this file:
c:\windows\iun6002.exe

If you get more popups after that, let me know. I have another trick up my sleeve to identify what's causing them.

Edited by etavares, 25 March 2010 - 07:13 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#12 airmont (Topic Starter)

Posted 25 March 2010 - 05:46 PM

My reg export is below, and I deleted c:\windows\iun6002.exe, which was a hidden system file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Fast User Switching Compatibility"
"DependOnService"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,\
63,00,65,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Provides management for applications that require assistance in a multiple user environment."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="BadApplicationServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Enum]
"0"="Root\\LEGACY_FASTUSERSWITCHINGCOMPATIBILITY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



#13 airmont (Topic Starter)

Posted 26 March 2010 - 12:02 PM

Hi Etavares,

No popups since I deleted the file, but I will be away from home for the next week and a half and won't be able to follow up with this until I come back. I'll PM you when I'm back home. Thanks for all your help.

#14 etavares (Bleepin' Remover, Malware Response Team)

Posted 28 March 2010 - 01:26 PM

OK, I'll leave this open for a bit.


 


#15 airmont (Topic Starter)

Posted 07 April 2010 - 12:27 PM

Thanks for your patience. I've been running my computer all day and so far no popups. Everything looks good.



