
C:\WINDOWS\system32\drivers\atapi.sys


  • This topic is locked
13 replies to this topic

#1 aweber422


Posted 21 March 2010 - 10:22 PM

I know my computer is infected because when I try to click on a link I'm redirected to another site, and sometimes I get some weird popups.

I ran SUPERAntiSpyware and AVG and they just say I have tracking ads but nothing else, but every so often I get a warning from AVG about C:\WINDOWS\system32\drivers\atapi.sys being infected, and nothing happens.

Thanks for your help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:41:12.44 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.189 [GMT -7:00]

AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7XUKRUP6\Defogger[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V0GGL25Z\dds[2].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computers
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [<NO NAME>]
mRun: [FjEvents] c:\program files\fujitsu\utils\fjevents.exe
mRun: [FjDspMon] c:\program files\fujitsu\utils\FjDspMon.exe
mRun: [Fujitsu Menu] c:\program files\fujitsu\utils\FjMnuIco.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-2-22 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-22 52872]
R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2010-1-23 7808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-22 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-22 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-22 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-4 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-3-4 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-3-4 5888008]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [2004-8-31 11831]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-22 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-2-22 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-2-22 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-2-22 26120]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2004-8-31 191264]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [2004-7-29 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [2003-6-20 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [2004-8-31 6000]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2004-8-31 31104]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2004-8-31 5760]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S0 lwlkzr;lwlkzr; [x]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-22 30104]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-8-31 14208]

=============== Created Last 30 ================

2010-03-18 22:38:38 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-18 18:11:40 481 ----a-w- c:\documents and settings\administrator\Shortcut to Administrator.lnk
2010-03-14 02:11:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-14 02:10:57 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-14 02:10:57 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-03-14 02:10:21 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-13 09:07:56 292 ----a-w- c:\windows\vtmb.ini
2010-03-11 02:38:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-09 22:51:21 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-04 23:24:52 0 d-----w- c:\docume~1\admini~1\applic~1\AVG9
2010-03-04 19:38:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-23 06:11:29 0 d--h--w- C:\$AVG
2010-02-23 06:11:02 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-23 06:11:01 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-23 06:10:59 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-23 06:10:52 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-23 06:10:39 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-23 06:09:30 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-23 06:09:30 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-23 03:38:13 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-23 03:37:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 20:31:39 0 d-----w- c:\windows\system32\appmgmt
2010-02-22 16:54:05 0 ----a-w- c:\windows\Waverly.INI
2010-02-22 14:35:33 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-02-22 14:26:07 0 d-----w- c:\program files\Nancy Drew
2010-02-19 04:27:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 04:27:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 04:27:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-19 04:00:22 7860 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll
2010-02-19 01:42:20 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-19 01:42:20 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-17 02:03:09 0 d-----w- c:\windows\RegisteredPackages
2010-02-17 01:57:51 0 d-----w- c:\program files\Activision
2010-02-17 01:46:25 0 d-----w- c:\program files\ActivisionVampire - Bloodlines
2010-02-17 01:13:03 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro

==================== Find3M ====================

2010-03-18 21:56:21 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-22 10:39:05 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-02-15 06:15:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 23:44:34 15939 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 15:43:56.81 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 12:05:48
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrdapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA7C8F670]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA6E06320]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA7C8F7C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA7C8F860]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86E90CA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\08a308ed-f7da-4dc4-adc8-a47ba3533b46.tmp 0 bytes
File C:\WINDOWS\Temp\f1059433-61eb-4fdd-9f33-1beada2564f4.tmp 0 bytes
File C:\WINDOWS\Temp\c65d767d-a2f7-4afc-a81e-3c91b83e69a5.tmp 0 bytes
File C:\WINDOWS\Temp\0d60ef60-a440-4095-aa00-6c4e255fe36d.tmp 0 bytes
File C:\WINDOWS\Temp\e820ff80-91d0-425d-97a2-08367d64e66c.tmp 0 bytes
File C:\WINDOWS\Temp\b9304b26-fd71-4021-9e97-8e773e8e2290.tmp 0 bytes
File C:\WINDOWS\Temp\a42dd5c0-4614-4b00-b483-c2b1ceeca4f8.tmp 0 bytes
File C:\WINDOWS\Temp\90a2bd6b-92f6-4d90-82ca-04d32561c92c.tmp 0 bytes
File C:\WINDOWS\Temp\827bb642-d990-479e-b75e-08decbe75f43.tmp 0 bytes
File C:\WINDOWS\Temp\33d2eb73-595a-4975-9b79-9cedbd38794e.tmp 0 bytes
File C:\WINDOWS\Temp\4f6a663b-4aa4-402e-bd25-e33d60958f83.tmp 0 bytes
File C:\WINDOWS\Temp\c236176b-7a5c-4908-985d-a243001e3645.tmp 0 bytes
File C:\WINDOWS\Temp\43c4f6f4-2d19-42ef-a2c6-90c74f5abfb2.tmp 0 bytes
File C:\WINDOWS\Temp\014502e0-f9c6-4582-8a67-a172733ee48f.tmp 0 bytes
File C:\WINDOWS\Temp\093f5d74-cb20-45d7-91c0-4bd5a711a717.tmp 0 bytes
File C:\WINDOWS\Temp\023cadb3-829f-4be0-9652-3441f0910f21.tmp 0 bytes
File C:\WINDOWS\Temp\67cc8169-8bc7-4f21-ac45-fdbdb35f2042.tmp 0 bytes
File C:\WINDOWS\Temp\6043a938-7572-4e72-89ae-ef4b0db5a8fc.tmp 0 bytes
File C:\WINDOWS\Temp\acaae447-da1d-41eb-b016-7788ab6c1fd2.tmp 0 bytes
File C:\WINDOWS\Temp\f4bf932d-146e-40f5-a82a-c0dce1f5bb15.tmp 0 bytes
File C:\WINDOWS\Temp\f4c28a47-bd87-4a3f-a893-4ce2d1224065.tmp 0 bytes
File C:\WINDOWS\Temp\5c36268d-a59f-4fcb-b3e9-aca2f19d43ff.tmp 0 bytes
File C:\WINDOWS\Temp\99721459-fee8-4da7-ae47-df9cca3f5273.tmp 0 bytes
File C:\WINDOWS\Temp\211e4720-8a9e-477f-bec9-8049156aaec6.tmp 0 bytes
File C:\WINDOWS\Temp\c2abcace-cd1c-4aea-b00f-8f2c2e0a7d01.tmp 0 bytes
File C:\WINDOWS\Temp\9e2df724-2fca-44f8-9434-2d28b6fff882.tmp 0 bytes
File C:\WINDOWS\Temp\d807d54b-7e95-4cfe-b732-7e52d9acac35.tmp 0 bytes
File C:\WINDOWS\Temp\d55df1a3-71c6-478a-8dbc-7a8bacc0ccc0.tmp 0 bytes
File C:\WINDOWS\Temp\e9a5859d-5989-4e02-814d-bedf4d00a56b.tmp 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by aweber422, 21 March 2010 - 10:51 PM.
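A small triage script, added here as an example and not part of this thread or of the DDS tool, that applies two checks to the DDS log above: a registered driver whose image file is missing (the "[x]" entry), and a system driver that was modified within days of the scan but does not appear among newly created files, which is how atapi.sys stands out here. The section names and line layouts are those of the log above; the parsing logic and the seven-day window are this example's own assumptions.

```python
"""DDS log triage (added example, not part of the thread or of DDS itself).

Check 1: a "SERVICES / DRIVERS" entry with an empty image path and "[x]"
         (here "S0 lwlkzr;lwlkzr; [x]") is a registered driver with no file.
Check 2: a file under system32\\drivers listed in "Find3M" (modified in the
         last three months) with a modification time within a few days of the
         scan, but absent from "Created Last 30", was overwritten in place
         rather than freshly installed (atapi.sys in this thread).
"""
import re
from datetime import datetime, timedelta

# Constructed sample: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = """\
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:41:12.44 on Thu 03/18/2010

============= SERVICES / DRIVERS ===============

R0 FJGPNV;FJGPNV;c:\\windows\\system32\\drivers\\FJGPNV.SYS [2010-1-23 7808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2010-2-22 216200]
S0 lwlkzr;lwlkzr; [x]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\\windows\\system32\\drivers\\wacompen.sys [2004-8-31 14208]

=============== Created Last 30 ================

2010-02-23 06:11:02 25096 ----a-w- c:\\windows\\system32\\drivers\\AVGIDSxx.sys
2010-02-19 04:27:43 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys

==================== Find3M ====================

2010-03-18 21:56:21 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2010-02-22 10:39:05 11973 ----a-w- c:\\windows\\system32\\drivers\\secdrv.sys
2010-01-23 23:44:34 15939 ----a-w- c:\\windows\\system32\\drivers\\AegisP.sys

============= FINISH: 15:43:56.81 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^Run by .* at (\d{2}:\d{2}:\d{2})\S* on \w+ (\d{2}/\d{2}/\d{4})")
# "<R|S><n> name;display name;image path [date size]" or "... ; [x]" when missing.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]*);([^;]*);(.*?)\s*(\[.*\])?$")
# "YYYY-MM-DD HH:MM:SS size attrs path" as used by Created Last 30 and Find3M.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(.+)$")


def parse_sections(log_text):
    """Split a DDS log into {section name: [non-empty lines]} and the scan time."""
    sections, current, scan_time = {}, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            scan_time = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S")
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections, scan_time


def triage(log_text, recent_days=7):
    """Return {"missing_image": [service names], "overwritten_drivers": [paths]}."""
    sections, scan_time = parse_sections(log_text)
    if scan_time is None:
        raise ValueError("no 'Run by ... at ... on ...' header found in log")
    findings = {"missing_image": [], "overwritten_drivers": []}

    # Check 1: registered driver/service whose image path is empty or "[x]".
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and (not m.group(3) or m.group(4) == "[x]"):
            findings["missing_image"].append(m.group(1))

    # Check 2: driver modified shortly before the scan but not created recently.
    created = set()
    for line in sections.get("Created Last 30", []):
        m = FILE_RE.match(line)
        if m:
            created.add(m.group(2).lower())
    # File times in this log are UTC while the run time is local (GMT -7),
    # so a window measured in days is used rather than one measured in hours.
    cutoff = scan_time - timedelta(days=recent_days)
    for line in sections.get("Find3M", []):
        m = FILE_RE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        path = m.group(2).lower()
        if "\\system32\\drivers\\" in path and path not in created and mtime >= cutoff:
            findings["overwritten_drivers"].append(path)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

On the sample above this reports lwlkzr under missing_image and atapi.sys under overwritten_drivers; secdrv.sys, modified 24 days before the scan, falls outside the window.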



#2 Farbar


Posted 22 March 2010 - 04:55 PM

Hi aweber422,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

******
******

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between them, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means are used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 aweber422

  • Topic Starter

Posted 22 March 2010 - 07:02 PM

Thank you for helping, I'll delete the peer-to-peer program.


ComboFix 10-03-22.02 - Administrator 03/22/2010 18:07:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.757 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\fhfhfhf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\recycler\S-1-5-21-1177238915-842925246-854245398-500
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-18 21:23 . 2010-03-18 21:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-18 21:23 . 2010-03-18 21:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 20:39 . 2010-03-22 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-18 20:38 . 2010-03-22 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-18 20:03 . 2010-03-18 20:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-15 05:35 . 2010-03-15 05:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-14 02:12 . 2010-03-14 02:12 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-14 02:12 . 2010-03-18 20:43 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-14 02:11 . 2010-03-14 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-14 02:10 . 2010-03-18 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-14 02:10 . 2010-03-14 02:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-14 02:10 . 2010-03-14 02:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-12 05:52 . 2010-03-12 05:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-11 02:38 . 2010-03-11 02:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-09 22:51 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-24 10:35 . 2010-02-24 10:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-24 00:50 . 2010-03-22 23:26 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-23 09:23 . 2010-02-23 09:25 -------- d-----w- c:\program files\QuickTime
2010-02-23 06:11 . 2010-02-23 06:20 -------- d-----w- C:\$AVG
2010-02-23 03:38 . 2010-02-23 03:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 03:37 . 2010-02-23 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 14:35 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-02-22 14:26 . 2010-03-18 18:26 -------- d-----w- c:\program files\Nancy Drew

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 01:16 . 2010-02-15 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-22 02:58 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-13 10:00 . 2004-09-01 01:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 23:57 . 2010-02-15 06:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-02-24 20:04 . 2010-02-19 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-23 09:14 . 2010-02-15 06:52 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 10:39 . 2004-09-01 01:00 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-02-19 04:27 . 2010-02-19 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 02:16 . 2010-02-17 01:46 -------- d-----w- c:\program files\ActivisionVampire - Bloodlines
2010-02-17 01:57 . 2010-02-17 01:57 -------- d-----w- c:\program files\Activision
2010-02-17 01:34 . 2004-09-01 01:44 -------- d-----w- c:\program files\usb_spk
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2010-02-16 06:51 . 2004-09-01 05:33 20328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 06:14 . 2004-09-01 01:30 94291 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-16 06:05 . 2004-09-01 01:25 -------- d-----w- c:\program files\Windows Journal
2010-02-15 19:02 . 2010-02-15 19:02 0 ----a-w- c:\windows\nsreg.dat
2010-02-15 06:58 . 2010-02-15 06:56 -------- d-----w- c:\program files\iTunes
2010-02-15 06:58 . 2010-02-15 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-15 06:56 . 2010-02-15 06:56 -------- d-----w- c:\program files\iPod
2010-02-15 06:56 . 2010-02-15 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-15 06:55 . 2010-02-15 06:55 -------- d-----w- c:\program files\Bonjour
2010-02-15 06:54 . 2010-02-15 06:54 -------- d-----w- c:\program files\Apple Software Update
2010-02-15 06:52 . 2010-02-15 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-15 06:15 . 2010-02-15 06:14 -------- d-----w- c:\program files\LimeWire
2010-02-15 06:15 . 2010-02-15 06:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-15 06:15 . 2010-02-15 06:15 -------- d-----w- c:\program files\Java
2010-02-15 06:15 . 2010-02-15 06:15 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-27 03:03 . 2010-01-27 03:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-24 16:08 . 2010-01-24 16:07 -------- d-----w- c:\program files\CyberLink
2010-01-24 16:05 . 2010-01-24 16:05 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-24 16:03 . 2010-01-24 16:03 -------- d-----w- c:\program files\Common Files\L&H
2010-01-24 16:00 . 2010-01-24 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-01-24 15:59 . 2010-01-24 15:59 -------- d-----w- c:\program files\Ahead
2010-01-24 15:59 . 2010-01-24 15:59 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-24 15:54 . 2010-01-24 15:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-24 00:00 . 2010-01-24 00:00 -------- d-----w- c:\program files\AVG
2010-01-23 23:44 . 2004-09-01 01:43 -------- d-----w- c:\program files\Intel
2010-01-23 23:44 . 2010-01-23 23:44 15939 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 00:07 . 2010-02-19 04:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-02-19 04:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-09-01 01:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-14 2012912]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-12-15 118784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-07 88363]
"FjEvents"="c:\program files\Fujitsu\Utils\fjevents.exe" [2004-08-25 20480]
"FjDspMon"="c:\program files\Fujitsu\Utils\FjDspMon.exe" [2003-07-28 20480]
"Fujitsu Menu"="c:\program files\Fujitsu\Utils\FjMnuIco.exe" [2003-10-28 32768]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2004-08-04 81920]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 61440]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2004-06-14 417856]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-05-10 102469]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-15 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-06-14 14:46 180290 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [1/23/2010 4:44 PM 7808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 66632]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [8/31/2004 6:38 PM 11831]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [8/31/2004 6:38 PM 191264]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [7/29/2004 1:27 PM 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [6/20/2003 2:30 PM 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [8/31/2004 6:38 PM 6000]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [8/31/2004 6:38 PM 31104]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [8/31/2004 6:38 PM 5760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S0 lwlkzr;lwlkzr; [x]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [8/31/2004 11:22 AM 14208]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3436966418-3987874840-2200114875-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 22:32]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3436966418-3987874840-2200114875-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 22:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computers
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Apoint - c:\program files\Apoint2K\Apoint.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3436966418-3987874840-2200114875-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,78,68,1b,d9,ad,45,46,83,0a,ac,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,78,68,1b,d9,ad,45,46,83,0a,ac,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\System32\SCardSvr.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxext.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\digtizer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\RegSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\1XConfig.exe
.
**************************************************************************
.
Completion time: 2010-03-22 18:18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-23 01:18

Pre-Run: 136,555,618,304 bytes free
Post-Run: 137,042,882,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 42E44A6D087216B2642483AFB3CA0F2D


#4 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 March 2010 - 04:02 AM

What happened to AVG?

Please run DDS and post both the logs without zipping or attaching. Also avoid changing anything.

#5 aweber422
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Female
  • Location:Chicago

Posted 23 March 2010 - 03:53 PM

The AVG was a trial run and it ended that day, so I don't have it anymore, sadly.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:44:13.20 on Tue 03/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.531 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computers
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [FjEvents] c:\program files\fujitsu\utils\fjevents.exe
mRun: [FjDspMon] c:\program files\fujitsu\utils\FjDspMon.exe
mRun: [Fujitsu Menu] c:\program files\fujitsu\utils\FjMnuIco.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2010-1-23 7808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [2004-8-31 11831]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2004-8-31 191264]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [2004-7-29 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [2003-6-20 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [2004-8-31 6000]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2004-8-31 31104]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2004-8-31 5760]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S0 lwlkzr;lwlkzr; [x]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-8-31 14208]

=============== Created Last 30 ================

2010-03-23 01:01:23 0 d-sha-r- C:\cmdcons
2010-03-23 00:58:23 98816 ----a-w- c:\windows\sed.exe
2010-03-23 00:58:23 77312 ----a-w- c:\windows\MBR.exe
2010-03-23 00:58:23 261632 ----a-w- c:\windows\PEV.exe
2010-03-23 00:58:23 161792 ----a-w- c:\windows\SWREG.exe
2010-03-18 22:38:38 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-18 18:11:40 481 ----a-w- c:\documents and settings\administrator\Shortcut to Administrator.lnk
2010-03-14 02:11:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-14 02:10:57 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-14 02:10:57 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-03-14 02:10:21 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-13 09:07:56 292 ----a-w- c:\windows\vtmb.ini
2010-03-11 02:38:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-09 22:51:21 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-23 06:11:29 0 d-----w- C:\$AVG
2010-02-23 03:38:13 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-23 03:37:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 20:31:39 0 d-----w- c:\windows\system32\appmgmt
2010-02-22 16:54:05 0 ----a-w- c:\windows\Waverly.INI
2010-02-22 14:35:33 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-02-22 14:26:07 0 d-----w- c:\program files\Nancy Drew

==================== Find3M ====================

2010-03-22 02:58:44 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-22 10:39:05 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-02-15 06:15:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 23:44:34 15939 ----a-w- c:\windows\system32\drivers\AegisP.sys

============= FINISH: 15:44:28.78 ===============




#6 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 March 2010 - 04:23 PM

Where is the other DDS log?

Run DDS and attach the Attach.txt without zipping to your reply. No need for DDS.txt.




#7 aweber422
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Female
  • Location:Chicago

Posted 23 March 2010 - 05:16 PM


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/23/2010 1:42:19 PM
System Uptime: 3/23/2010 2:58:01 PM (3 hours ago)

Motherboard: FUJITSU | | FJNB18E
Processor: Intel® Pentium® M processor 1.60GHz | Onboard | 1599/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 127.248 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/23/2010 1:42:23 PM - System Checkpoint
RP2: 1/23/2010 4:00:08 PM - Installed AVG Free 9.0
RP3: 1/24/2010 8:03:19 AM - Installed Microsoft Office XP Professional with FrontPage
RP4: 1/24/2010 6:55:21 PM - Installed Windows Internet Explorer 8.
RP5: 1/25/2010 9:04:13 PM - System Checkpoint
RP6: 1/26/2010 9:23:04 AM - Avg8 Update
RP7: 1/27/2010 10:10:43 AM - System Checkpoint
RP8: 1/28/2010 11:44:39 AM - System Checkpoint
RP9: 1/29/2010 12:20:00 PM - System Checkpoint
RP10: 1/30/2010 12:23:54 PM - System Checkpoint
RP11: 1/31/2010 1:20:00 PM - System Checkpoint
RP12: 2/3/2010 6:40:18 PM - System Checkpoint
RP13: 2/4/2010 7:48:48 PM - System Checkpoint
RP14: 2/5/2010 8:15:58 PM - System Checkpoint
RP15: 2/7/2010 7:32:24 AM - System Checkpoint
RP16: 2/8/2010 8:11:46 AM - System Checkpoint
RP17: 2/9/2010 9:11:45 AM - System Checkpoint
RP18: 2/10/2010 10:11:46 AM - System Checkpoint
RP19: 2/11/2010 11:11:46 AM - System Checkpoint
RP20: 2/12/2010 12:11:46 PM - System Checkpoint
RP21: 2/14/2010 3:03:25 PM - System Checkpoint
RP22: 2/14/2010 10:56:19 PM - Installed iTunes
RP23: 2/15/2010 9:19:54 AM - Software Distribution Service 3.0
RP24: 2/15/2010 10:49:17 AM - Software Distribution Service 3.0
RP25: 2/15/2010 9:33:38 PM - Software Distribution Service 3.0
RP26: 2/15/2010 9:34:21 PM - Software Distribution Service 3.0
RP27: 2/16/2010 5:50:08 PM - Software Distribution Service 3.0
RP28: 2/16/2010 5:57:25 PM - Installed Vampire - The Masquerade Bloodlines
RP29: 2/16/2010 10:11:59 PM - Software Distribution Service 3.0
RP30: 2/18/2010 2:23:23 PM - System Checkpoint
RP31: 2/22/2010 10:09:11 PM - Installed AVG 9.0
RP32: 2/22/2010 9:48:16 PM - Restore Operation
RP33: 2/22/2010 12:31:00 PM - Removed Apple Application Support
RP34: 2/23/2010 1:34:57 AM - Removed Apple Mobile Device Support
RP35: 2/23/2010 1:43:09 AM - Avg8 Update
RP36: 2/23/2010 1:16:27 AM - Installed QuickTime
RP37: 2/24/2010 9:08:43 AM - Software Distribution Service 3.0
RP38: 2/25/2010 10:24:27 AM - Avg8 Update
RP39: 2/26/2010 10:25:30 AM - System Checkpoint
RP40: 2/27/2010 3:21:34 PM - System Checkpoint
RP41: 2/28/2010 6:18:35 PM - System Checkpoint
RP42: 3/4/2010 12:11:21 AM - System Checkpoint
RP43: 3/4/2010 11:36:43 AM - Avg8 Update
RP44: 3/4/2010 11:38:56 AM - Avg Update
RP45: 3/6/2010 2:25:40 PM - System Checkpoint
RP46: 3/8/2010 3:17:38 PM - Avg Update
RP47: 3/9/2010 8:24:40 PM - Software Distribution Service 3.0
RP48: 3/10/2010 4:03:29 PM - Software Distribution Service 3.0
RP49: 3/10/2010 6:28:04 PM - Restore Operation
RP50: 3/10/2010 6:35:18 PM - Restore Operation
RP51: 3/10/2010 6:48:37 PM - Avg Update
RP52: 3/10/2010 7:04:44 PM - Removed Vampire - The Masquerade Bloodlines
RP53: 3/12/2010 5:09:58 PM - System Checkpoint
RP54: 3/13/2010 12:41:39 AM - Installed Vampire - The Masquerade Bloodlines
RP55: 3/13/2010 2:11:28 AM - Removed Vampire - The Masquerade Bloodlines
RP56: 3/13/2010 7:10:55 PM - Installed SUPERAntiSpyware Free Edition
RP57: 3/14/2010 7:20:39 PM - System Checkpoint
RP58: 3/15/2010 10:38:54 PM - System Checkpoint
RP59: 3/17/2010 2:52:07 PM - Avg Update
RP60: 3/18/2010 11:20:17 AM - Removed Nancy Drew: Warnings at Waverly Academy
RP61: 3/18/2010 1:35:44 PM - Restore Operation
RP62: 3/20/2010 7:01:13 PM - System Checkpoint
RP63: 3/21/2010 12:56:14 AM - Installed Windows Media Player 11
RP64: 3/22/2010 2:04:19 PM - System Checkpoint
RP65: 3/22/2010 5:16:14 PM - Removed AVG 9.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 6.0
Agere Systems AC'97 Modem
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Fujitsu Button Driver Component
Fujitsu Button Utilities
Fujitsu Hotkey Utility
Fujitsu Pen Service
Google Chrome
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Extreme Graphics 2 Driver
Intel® mDriver
Intel® PROSet for Wireless
IntelliSonic DX
iTunes
Java™ 6 Update 16
LimeWire 5.4.6
Malwarebytes' Anti-Malware
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Nero 6 Ultra Edition
O2Micro MemoryCardBus Windows Driver
O2Micro SmartCardBus Windows Driver Installer
PowerDVD
QuickTime
Security Panel Application
Security Panel Application for Supervisor
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel AC97 Audio Drivers
SUPERAntiSpyware Free Edition
Tablet PC Tutorials for Microsoft Windows XP SP2
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vampire - The Masquerade Bloodlines
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/23/2010 2:56:23 PM, error: Dhcp [1002] - The IP address lease 192.168.2.121 for the Network Card with network address 001500367B46 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/20/2010 4:23:23 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001500367B46. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
3/17/2010 9:15:56 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/17/2010 9:15:56 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================


#8 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 March 2010 - 03:04 AM

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action, double-click on the last Scan listed (you will also see the corresponding Date/Time).
  • A window opens; click on Report file.
  • Copy and paste the content of the report to your reply.


#9 aweber422
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Female
  • Location:Chicago

Posted 24 March 2010 - 01:32 PM



Avira AntiVir Personal
Report file date: Wednesday, March 24, 2010 04:26

Scanning for 1893438 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : LIFEBOOK

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 3/24/2010 11:24:31
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 11:24:29
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 11:24:29
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 11:24:30
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 11:24:30
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:24:30
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 11:24:30
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 11:24:30
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 11:24:30
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 11:24:30
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 11:24:30
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 11:24:30
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 11:24:30
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 11:24:30
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 11:24:30
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 11:24:30
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 11:24:30
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 11:24:30
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 11:24:30
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 11:24:30
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 11:24:30
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 11:24:30
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 11:24:30
VBASE022.VDF : 7.10.5.183 2048 Bytes 3/23/2010 11:24:30
VBASE023.VDF : 7.10.5.184 2048 Bytes 3/23/2010 11:24:30
VBASE024.VDF : 7.10.5.185 2048 Bytes 3/23/2010 11:24:30
VBASE025.VDF : 7.10.5.186 2048 Bytes 3/23/2010 11:24:30
VBASE026.VDF : 7.10.5.187 2048 Bytes 3/23/2010 11:24:30
VBASE027.VDF : 7.10.5.188 2048 Bytes 3/23/2010 11:24:30
VBASE028.VDF : 7.10.5.189 2048 Bytes 3/23/2010 11:24:30
VBASE029.VDF : 7.10.5.190 2048 Bytes 3/23/2010 11:24:30
VBASE030.VDF : 7.10.5.191 2048 Bytes 3/23/2010 11:24:30
VBASE031.VDF : 7.10.5.192 42496 Bytes 3/24/2010 11:24:30
Engineversion : 8.2.1.196
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/24/2010 11:24:31
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/24/2010 11:24:31
AESCN.DLL : 8.1.5.0 127347 Bytes 3/24/2010 11:24:31
AESBX.DLL : 8.1.2.1 254323 Bytes 3/24/2010 11:24:31
AERDL.DLL : 8.1.4.3 541043 Bytes 3/24/2010 11:24:31
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/24/2010 11:24:31
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/24/2010 11:24:30
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/24/2010 11:24:30
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/24/2010 11:24:30
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/24/2010 11:24:30
AEEMU.DLL : 8.1.1.0 393587 Bytes 3/24/2010 11:24:30
AECORE.DLL : 8.1.12.3 188789 Bytes 3/24/2010 11:24:30
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 3/24/2010 11:24:31
AVREP.DLL : 8.0.0.7 159784 Bytes 3/24/2010 11:24:32
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2010 11:24:31
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 3/24/2010 11:24:29
RCTEXT.DLL : 9.0.73.0 86785 Bytes 3/24/2010 11:24:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+SPR,

Start of the scan: Wednesday, March 24, 2010 04:26

Starting search for hidden objects.
'40849' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned
Scan process 'igfxext.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'BtnHnd.exe' - '1' Module(s) have been scanned
Scan process 'tabtip.exe' - '1' Module(s) have been scanned
Scan process 'IndicatorUty.exe' - '1' Module(s) have been scanned
Scan process 'FjMnuIco.exe' - '1' Module(s) have been scanned
Scan process 'FjDspMon.exe' - '1' Module(s) have been scanned
Scan process 'FjEvents.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'tcserver.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'tabbtnu.exe' - '1' Module(s) have been scanned
Scan process 'wisptis.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'igfxext.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'digtizer.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'scardsvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'keyboardsurrogate.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
51 processes with 51 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4c0b762c.qua'!


End of the scan: Wednesday, March 24, 2010 13:27
Used time: 7:24:35 Hour(s)

The scan has been done completely.

6659 Scanned directories
224757 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
224755 Files not concerned
7056 Archives were scanned
1 Warnings
2 Notes
40849 Objects were scanned with rootkit scan
0 Hidden objects were found

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:27 PM

Posted 24 March 2010 - 02:40 PM

Avira found nothing but the infected and removed file in the quarantine folder of ComboFix.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
RegLock::
[HKEY_USERS\S-1-5-21-3436966418-3987874840-2200114875-500\Software\Microsoft\Internet Explorer\User Preferences]
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
Driver::
lwlkzr
folder::
c:\program files\avg
DDS::
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




#11 aweber422

aweber422
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Female
  • Location:Chicago
  • Local time:11:27 AM

Posted 24 March 2010 - 04:58 PM

ComboFix 10-03-24.01 - Administrator 03/24/2010 16:46:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\avg
c:\program files\avg\AVG9\Chjw\2a5c26865c264d3f\0f3891b3-b89c-49a8-8573-8e392e9fcc78
c:\program files\avg\AVG9\Chjw\2a5c26865c264d3f\d0e0d634-4ba3-426f-a81b-1812409377e0
c:\program files\avg\AVG9\setup.dat
c:\program files\avg\AVG9\setup.exe
c:\program files\avg\AVG9\setupus.lns
c:\program files\avg\AVG9\Toolbar\IEToolbar.dll
c:\program files\avg\AVG9\Toolbar\ToolbarBroker.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lwlkzr


((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 11:00 . 2010-03-24 11:00 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-24 10:59 . 2010-03-24 11:24 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-24 10:59 . 2010-03-24 11:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-24 10:59 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-24 10:59 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-24 10:59 . 2010-03-24 10:59 -------- d-----w- c:\program files\Avira
2010-03-24 10:59 . 2010-03-24 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-18 21:23 . 2010-03-18 21:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-18 21:23 . 2010-03-18 21:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 20:39 . 2010-03-24 23:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-18 20:38 . 2010-03-22 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-18 20:03 . 2010-03-18 20:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-15 05:35 . 2010-03-15 05:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-14 02:12 . 2010-03-14 02:12 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-14 02:12 . 2010-03-23 01:22 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-14 02:11 . 2010-03-14 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-14 02:10 . 2010-03-18 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-14 02:10 . 2010-03-14 02:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-14 02:10 . 2010-03-14 02:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-12 05:52 . 2010-03-12 05:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-11 02:38 . 2010-03-11 02:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-09 22:51 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-24 10:35 . 2010-02-24 10:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-24 00:50 . 2010-03-22 23:26 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-23 09:23 . 2010-02-23 09:25 -------- d-----w- c:\program files\QuickTime
2010-02-23 06:11 . 2010-02-23 06:20 -------- d-----w- C:\$AVG
2010-02-23 03:38 . 2010-02-23 03:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 03:37 . 2010-02-23 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 23:52 . 2010-02-15 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-22 02:58 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-18 18:26 . 2010-02-22 14:26 -------- d-----w- c:\program files\Nancy Drew
2010-03-13 10:00 . 2004-09-01 01:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 23:57 . 2010-02-15 06:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-02-24 20:04 . 2010-02-19 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-23 09:14 . 2010-02-15 06:52 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 10:39 . 2004-09-01 01:00 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-02-19 04:27 . 2010-02-19 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 02:16 . 2010-02-17 01:46 -------- d-----w- c:\program files\ActivisionVampire - Bloodlines
2010-02-17 01:57 . 2010-02-17 01:57 -------- d-----w- c:\program files\Activision
2010-02-17 01:34 . 2004-09-01 01:44 -------- d-----w- c:\program files\usb_spk
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2010-02-16 06:51 . 2004-09-01 05:33 20328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 06:14 . 2004-09-01 01:30 94291 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-16 06:05 . 2004-09-01 01:25 -------- d-----w- c:\program files\Windows Journal
2010-02-15 19:02 . 2010-02-15 19:02 0 ----a-w- c:\windows\nsreg.dat
2010-02-15 06:58 . 2010-02-15 06:56 -------- d-----w- c:\program files\iTunes
2010-02-15 06:58 . 2010-02-15 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-15 06:56 . 2010-02-15 06:56 -------- d-----w- c:\program files\iPod
2010-02-15 06:56 . 2010-02-15 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-15 06:55 . 2010-02-15 06:55 -------- d-----w- c:\program files\Bonjour
2010-02-15 06:54 . 2010-02-15 06:54 -------- d-----w- c:\program files\Apple Software Update
2010-02-15 06:52 . 2010-02-15 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-15 06:15 . 2010-02-15 06:14 -------- d-----w- c:\program files\LimeWire
2010-02-15 06:15 . 2010-02-15 06:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-15 06:15 . 2010-02-15 06:15 -------- d-----w- c:\program files\Java
2010-02-15 06:15 . 2010-02-15 06:15 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-27 03:03 . 2010-01-27 03:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-24 16:08 . 2010-01-24 16:07 -------- d-----w- c:\program files\CyberLink
2010-01-24 16:05 . 2010-01-24 16:05 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-24 16:03 . 2010-01-24 16:03 -------- d-----w- c:\program files\Common Files\L&H
2010-01-24 16:00 . 2010-01-24 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-01-24 15:59 . 2010-01-24 15:59 -------- d-----w- c:\program files\Ahead
2010-01-24 15:59 . 2010-01-24 15:59 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-24 15:54 . 2010-01-24 15:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 23:44 . 2010-01-23 23:44 15939 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 00:07 . 2010-02-19 04:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-02-19 04:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-09-01 01:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-23_01.15.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-03-24 23:52 . 2010-03-24 23:52 16384 c:\windows\Temp\Perflib_Perfdata_c18.dat
+ 2010-03-24 10:59 . 2010-03-24 11:24 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-03-24 10:57 . 2010-03-24 10:57 228352 c:\windows\Installer\2c90e93.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
- 2004-09-01 01:49 . 2010-03-18 21:34 2248192 c:\windows\Installer\152aa.msi
+ 2004-09-01 01:49 . 2010-03-23 21:21 2248192 c:\windows\Installer\152aa.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-14 2012912]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-12-15 118784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-07 88363]
"FjEvents"="c:\program files\Fujitsu\Utils\fjevents.exe" [2004-08-25 20480]
"FjDspMon"="c:\program files\Fujitsu\Utils\FjDspMon.exe" [2003-07-28 20480]
"Fujitsu Menu"="c:\program files\Fujitsu\Utils\FjMnuIco.exe" [2003-10-28 32768]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2004-08-04 81920]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 61440]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2004-06-14 417856]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-05-10 102469]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-15 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-06-14 14:46 180290 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [1/23/2010 4:44 PM 7808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/24/2010 3:59 AM 108289]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [8/31/2004 6:38 PM 11831]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [8/31/2004 6:38 PM 191264]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [7/29/2004 1:27 PM 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [6/20/2003 2:30 PM 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [8/31/2004 6:38 PM 6000]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [8/31/2004 6:38 PM 31104]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [8/31/2004 6:38 PM 5760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [8/31/2004 11:22 AM 14208]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3436966418-3987874840-2200114875-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 22:32]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3436966418-3987874840-2200114875-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 22:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computers
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 16:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(212)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\System32\SCardSvr.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxext.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\digtizer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\RegSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\1XConfig.exe
.
**************************************************************************
.
Completion time: 2010-03-24 16:55:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-24 23:55
ComboFix2.txt 2010-03-23 01:18

Pre-Run: 136,172,871,680 bytes free
Post-Run: 136,225,529,856 bytes free

- - End Of File - - 1B6C3F549EBEDFCE75B59F50251026EB

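The line in the Find3M Report above that matters for this thread is the one for c:\windows\system32\drivers\atapi.sys: a kernel driver created in 2004 but rewritten on 2010-03-22, two days before this scan (the patched copy that ComboFix moved aside is what Avira flagged as TR/Patched.Gen in the Qoobox quarantine). Below is an added example, not code from ComboFix or from anyone in this thread, that parses Find3M-style rows and lists long-lived drivers that were rewritten shortly before the scan. It assumes the Find3M column order is "modified . created size attributes path" (the section is sorted by its first column and lists recent modifications, which is how I read it), and the 14-day and 365-day thresholds are my own choices. All five sample rows are copied from the report above.

```python
import re
from datetime import datetime, timedelta

# Sample rows copied from the Find3M Report in this thread. Layout assumed to be
# "<modified> . <created> <size> <attrs> <path>"; directories show "--------" as size.
SAMPLE_LINES = [
    r"2010-03-22 02:58 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys",
    r"2010-02-22 10:39 . 2004-09-01 01:00 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys",
    r"2010-01-23 23:44 . 2010-01-23 23:44 15939 ----a-w- c:\windows\system32\drivers\AegisP.sys",
    r"2009-12-31 16:50 . 2004-09-01 01:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys",
    r"2010-03-24 23:52 . 2010-02-15 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire",
]

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"


def parse_find3m(lines):
    """Parse Find3M rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "modified": datetime.strptime(m["modified"], TS),
            "created": datetime.strptime(m["created"], TS),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"][0] == "d",
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return rows


def suspicious_drivers(rows, scan_time, window_days=14, min_age_days=365):
    """Return paths of .sys files under a 'drivers' directory that were rewritten within
    window_days before the scan although the file was created at least min_age_days
    earlier. Fresh installs (created == modified) are deliberately not flagged.
    Thresholds are assumptions chosen for this example."""
    window = timedelta(days=window_days)
    min_age = timedelta(days=min_age_days)
    hits = []
    for r in rows:
        p = r["path"].lower()
        if r["is_dir"] or not p.endswith(".sys") or "\\drivers\\" not in p:
            continue
        recently_rewritten = timedelta(0) <= scan_time - r["modified"] <= window
        long_lived = r["modified"] - r["created"] >= min_age
        if recently_rewritten and long_lived:
            hits.append(r["path"])
    return hits


def triage(lines, scan_ts):
    """Convenience entry point: raw Find3M lines plus the scan time as 'YYYY-MM-DD HH:MM'."""
    return suspicious_drivers(parse_find3m(lines), datetime.strptime(scan_ts, TS))


if __name__ == "__main__":
    # Scan time taken from the ComboFix header above: 03/24/2010 16:46
    for path in triage(SAMPLE_LINES, "2010-03-24 16:46"):
        print("check:", path)
```

Run as-is it reports only atapi.sys; secdrv.sys and srv.sys were rewritten too long before the scan, and AegisP.sys is a fresh install rather than a rewrite. Legitimate Windows updates also rewrite old drivers, so treat the output as a list of files to confirm against a known-good copy or signature check, not as a verdict.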

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:27 PM

Posted 25 March 2010 - 02:52 AM

  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  2. Tell me how the computer is running.


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:27 PM

Posted 29 March 2010 - 05:25 PM

Hi,

We are pretty much done. Are you still there?

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:27 PM

Posted 01 April 2010 - 06:10 PM


This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.



