thanks in advance
ken
DDS (Ver_10-03-17.01) - NTFSx86
Run by ken at 21:06:33.46 on Tue 03/30/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1592 [GMT -6:00]
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineDownloadManagerIcon.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineMessageService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineNetworkService.exe
C:\Documents and Settings\ken\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.comcast.net?cid=103109
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - bullroarer\TurbineDownloadManagerIcon.exe"
mRun: [PROMon.exe] PROMon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [EPSON Stylus CX3200] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = opera.exe
dPolicies-disallowrun: 2 = firefox.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120676994187
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143777018421
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} - hxxp://playgames.comcast.net/online2/asianata/asianata.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://playgames.comcast.net/online2/gold_fever/goldfever.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.jpmorganchase.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
============= SERVICES / DRIVERS ===============
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineMessageService.exe [2009-12-9 271856]
R3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineNetworkService.exe [2009-12-9 218608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1ca10b0796a5742;Google Update Service (gupdate1ca10b0796a5742);c:\program files\google\update\GoogleUpdate.exe [2009-7-29 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
============== File Associations ===============
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
=============== Created Last 30 ================
2010-03-31 03:03:06 0 ----a-w- c:\documents and settings\ken\defogger_reenable
2010-03-31 02:22:47 2502 ----a-w- c:\windows\system32\tmp.reg
2010-03-31 00:15:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:14:50 0 d-----w- c:\docume~1\ken\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-30 23:47:09 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-30 23:42:18 0 d-----w- c:\windows\ERUNT
2010-03-30 23:38:49 0 d-----w- C:\SDFix
2010-03-29 17:24:00 0 d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2010-03-29 17:23:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:23:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 17:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-29 17:23:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 01:21:05 0 d-----w- c:\program files\ESET
2010-03-21 23:50:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-21 22:17:16 0 d-----w- c:\program files\Lavasoft
2010-03-14 21:55:15 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-03-14 21:55:15 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-03-14 21:53:28 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-03-14 21:53:28 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-03-14 21:53:02 0 d-----w- c:\program files\iolo
2010-03-11 20:48:59 0 d-sh--w- c:\windows\system32\winsys
2010-03-10 01:25:25 0 d-----w- c:\docume~1\ken\applic~1\.BitTornado
2010-03-10 01:21:18 0 d-----w- c:\program files\BitTornado
==================== Find3M ====================
2010-03-23 21:09:44 39938 -c--a-w- c:\windows\DIIUnin.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-10-07 13:07:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat
============= FINISH: 21:07:29.78 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-31 20:12:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ken\LOCALS~1\Temp\ugnyipog.sys
---- System - GMER 1.0.15 ----
SSDT 890EBA20 ZwAssignProcessToJobObject
SSDT 890EC5A0 ZwDebugActiveProcess
SSDT 890EBFD0 ZwDuplicateObject
SSDT 890EB160 ZwOpenProcess
SSDT 890EB460 ZwOpenThread
SSDT 890EBE60 ZwProtectVirtualMemory
SSDT 890EBD00 ZwSetContextThread
SSDT 890EBB80 ZwSetInformationThread
SSDT 890E8A50 ZwSetSecurityObject
SSDT 890EB8C0 ZwSuspendProcess
SSDT 890EB760 ZwSuspendThread
SSDT 890EB2F0 ZwTerminateProcess
SSDT 890EB5F0 ZwTerminateThread
SSDT 890EC3F0 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Edited by puckhead, 01 April 2010 - 04:59 PM.