Browser redirect / Windows Update blocked


  • This topic is locked
63 replies to this topic

#1 Taren421

Taren421

  • Members
  • 34 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 05 April 2010 - 04:56 PM

I had been infected with the AVE.exe virus, and finally got it off of my system though it kept reviving itself in my config/systemprofile/appdata/local folder. But then I started getting the browser redirects and just whole new windows opening on their own. The last redirect Avast caught this morning & identified in the Webshield log as [L] JS:Prontexi-AM [Trj]. I switched over to Avast yesterday after deciding that AVG just wasn't cutting it anymore. It seems to be working a little better at least.

I'm also not able to connect to Windows Update. When I do it through Windows, it will *sometimes* detect new updates, but mostly pops up an error 80072EFE, which comes up with 0 results on a search. That error comes up when trying to download/install when it does detect new updates. Clicking a link to Windows Update on Google refreshes the search page with "webhp?ei=-k66S_OHBqGOMuShzLQE" added after the .com/

The actual website "http://windowsupdate.microsoft.com/" shows an "IE cannot display the webpage". Just opened the update through windows again & it is showing that there have never been checks or updates, which is incorrect as I was able to get a few updates here and there over the last few days. Defender would not update no matter what, but when I downloaded the file directly from the MS Defender page, it installed fine. The same with the Malicious Software removal tool.

I have to upload my scans through my daughter's laptop; the forum kicks me out of the post screen whenever I add them.

I'd appreciate any help I can get at this point, because I'm about to pull my hair out.

Thanks!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Taren at 15:59:21.39 on Mon 04/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.2486 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Taren\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll__BHODemonDisabled
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\users\taren\appdata\roaming\micros~1\windows\startm~1\programs\startup\canoni~1.lnk - c:\windows\system32\rundll32.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\taren\appdata\roaming\mozilla\firefox\profiles\njedykil.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-4 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-4 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-4 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-4 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-2-28 18944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-1 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-05 19:53:38 0 ----a-w- c:\users\taren\defogger_reenable
2010-04-05 04:36:14 0 d-----w- c:\windows\system32\catroot2
2010-04-05 04:11:58 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 04:11:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-05 03:18:04 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-04 20:37:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-04 20:37:24 0 d-----w- c:\programdata\Alwil Software
2010-04-04 18:59:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-04 18:59:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-04 18:57:34 0 d-----w- c:\programdata\Lavasoft
2010-04-04 18:57:34 0 d-----w- c:\program files\Lavasoft
2010-04-04 05:56:38 4306 ----a-w- c:\windows\system32\drivers\nvstor32.inf
2010-04-04 05:56:38 140832 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-04 05:32:40 0 d-----w- c:\windows\nvtmpinst
2010-04-04 05:08:49 0 d-----w- c:\program files\Windows Portable Devices
2010-04-04 05:08:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-04-04 05:08:32 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-04 04:46:02 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-04 04:46:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-04 04:46:01 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-04 04:44:34 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-04-04 04:43:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-04 04:43:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-04 04:43:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-02 17:06:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-02 17:06:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-02 17:06:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-02 16:38:30 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-04-02 07:19:01 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-02 07:19:01 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-02 07:19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-02 07:19:01 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-02 07:19:01 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-02 07:19:00 0 d-----w- c:\users\taren\appdata\roaming\Simply Super Software
2010-04-02 07:19:00 0 d-----w- c:\programdata\Simply Super Software
2010-04-02 07:19:00 0 d-----w- c:\program files\Trojan Remover
2010-04-02 06:48:14 0 d-----w- c:\program files\Trend Micro
2010-04-02 05:08:38 0 d-----w- c:\windows\system32\vi-VN
2010-04-02 05:08:38 0 d-----w- c:\windows\system32\eu-ES
2010-04-02 05:08:38 0 d-----w- c:\windows\system32\ca-ES
2010-04-02 04:58:43 0 d-----w- c:\windows\system32\EventProviders
2010-04-02 02:36:21 0 d--h--w- c:\windows\PIF
2010-04-02 01:24:53 380 ----a-w- c:\windows\wininit.ini
2010-04-02 01:03:02 0 d-----w- c:\users\taren\Pavark
2010-04-02 01:01:35 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-02 00:58:27 0 d-----w- c:\users\taren\appdata\roaming\Systweak
2010-04-02 00:58:27 0 d-----w- c:\programdata\Systweak
2010-04-02 00:56:11 0 d-----w- c:\programdata\IObit
2010-04-02 00:49:04 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-02 00:49:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 21:33:57 98816 ----a-w- c:\windows\sed.exe
2010-04-01 21:33:57 77312 ----a-w- c:\windows\MBR.exe
2010-04-01 21:33:57 261632 ----a-w- c:\windows\PEV.exe
2010-04-01 21:33:57 161792 ----a-w- c:\windows\SWREG.exe
2010-04-01 21:25:16 0 d-----w- c:\program files\Microsoft
2010-04-01 21:24:36 0 d-----w- c:\programdata\Sun
2010-04-01 21:23:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 19:04:22 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-01 19:03:13 0 d-----w- c:\users\taren\appdata\roaming\SUPERAntiSpyware.com
2010-04-01 18:02:39 0 d-----w- c:\windows\system32\catroot2.bak
2010-04-01 06:45:33 2000 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2010-04-01 06:45:33 2000 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2010-03-10 08:03:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:03:10 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:03:09 30720 ----a-w- c:\windows\system32\httpapi.dll

==================== Find3M ====================

2010-04-04 12:41:12 529464 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-04 05:32:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-04 05:32:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-04 05:08:43 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-04 05:08:43 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-02 05:05:35 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-04-02 00:55:42 386060 ----a-r- c:\windows\system32\drivers\hosts
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
1997-03-10 20:31:16 448512 ----a-w- c:\program files\FL.EXE
1997-03-08 19:32:28 4089 ----a-w- c:\program files\README.TXT
2009-09-03 02:59:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-09-03 02:59:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-09-03 02:59:36 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2008-09-28 16:19:25 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 16:02:40.47 ===============


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:10 AM

Posted 06 April 2010 - 02:14 PM


Hello Taren421, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Run RKill right before you run ComboFix.


RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.







Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.











Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 06 April 2010 - 03:00 PM

RKill worked fine, but Combofix gave me a bluescreen.

Here's what was in the error box upon restart.
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: 9981C99B
BCP2: 00000000
BCP3: A23E606D
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini040610-01.dmp
C:\Users\Taren\AppData\Local\temp\WER-58937-0.sysdata.xml
C:\Users\Taren\AppData\Local\temp\WER2ECC.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409


Do you want me to re-run Combofix?

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:10 AM

Posted 06 April 2010 - 03:27 PM

Try it once more, and if you didn't do it this time, be sure to disable Windows Defender along with your Avast and any other thing like SuperAntiSpyware. Almost any of those type programs can cause interference if they are running in real time.

#5 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 06 April 2010 - 03:52 PM

Good call. I had forgotten WinDefender.
ComboFix 10-04-05.06 - Taren 04/06/2010 16:36:34.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.2448 [GMT -4:00]
Running from: c:\users\Taren\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 20:45 . 2010-04-06 20:45 -------- d-----w- c:\users\Taren\AppData\Local\temp
2010-04-06 20:45 . 2010-04-06 20:45 -------- d-----w- c:\users\Diane\AppData\Local\temp
2010-04-06 20:45 . 2010-04-06 20:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-06 20:45 . 2010-04-06 20:45 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-04-06 17:24 . 2010-04-06 17:24 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-06 14:45 . 2010-04-04 18:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-05 21:36 . 2010-04-05 21:16 5367 ----a-w- c:\users\Public\Attach.zip
2010-04-05 04:36 . 2010-04-05 04:38 -------- d-----w- c:\windows\system32\catroot2
2010-04-05 04:12 . 2010-04-05 04:12 52224 ----a-w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 04:12 . 2010-04-05 04:12 117760 ----a-w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-05 04:11 . 2010-04-05 04:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 04:11 . 2010-04-05 04:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-05 02:54 . 2010-04-05 02:54 -------- d-----w- C:\rsit
2010-04-04 20:37 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-04 20:37 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-04 20:37 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-04 20:37 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-04 20:37 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-04 20:37 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-04 20:37 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-04 20:37 . 2010-04-04 20:37 -------- d-----w- c:\programdata\Alwil Software
2010-04-04 20:37 . 2010-04-04 20:37 -------- d-----w- c:\program files\Alwil Software
2010-04-04 20:25 . 2010-04-04 20:26 -------- d-----w- c:\program files\ERUNT
2010-04-04 18:59 . 2010-04-04 18:59 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-04 18:59 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-04 18:59 . 2010-04-04 18:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-04 18:59 . 2010-04-04 18:59 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-04-04 18:57 . 2010-04-04 18:59 -------- d-----w- c:\programdata\Lavasoft
2010-04-04 18:57 . 2010-04-04 18:58 -------- d-----w- c:\program files\Lavasoft
2010-04-04 05:56 . 2010-04-04 19:00 140832 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-04 05:32 . 2010-04-04 05:59 -------- d-----w- c:\windows\nvtmpinst
2010-04-04 05:08 . 2010-04-04 05:08 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-04 04:46 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-04 04:46 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-04 04:46 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-04 04:44 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-04 04:43 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-04 04:43 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-04 04:43 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-02 17:06 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-02 17:06 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-02 17:06 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-02 16:38 . 2010-04-02 16:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-04-02 07:19 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-02 07:19 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-02 07:19 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-02 07:19 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-02 07:19 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\program files\Trojan Remover
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\users\Taren\AppData\Roaming\Simply Super Software
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\programdata\Simply Super Software
2010-04-02 06:48 . 2010-04-02 06:48 -------- d-----w- c:\program files\Trend Micro
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\ca-ES
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\vi-VN
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\eu-ES
2010-04-02 04:58 . 2010-04-02 04:58 -------- d-----w- c:\windows\system32\EventProviders
2010-04-02 02:36 . 2010-04-02 02:36 -------- d--h--w- c:\windows\PIF
2010-04-02 01:03 . 2010-04-02 01:03 -------- d-----w- c:\users\Taren\Pavark
2010-04-02 01:01 . 2010-04-04 18:58 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-02 00:58 . 2010-04-02 04:21 -------- d-----w- c:\users\Taren\AppData\Roaming\Systweak
2010-04-02 00:58 . 2010-04-02 04:21 -------- d-----w- c:\programdata\Systweak
2010-04-02 00:56 . 2010-04-02 00:56 -------- d-----w- c:\programdata\IObit
2010-04-02 00:49 . 2010-04-02 00:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-02 00:49 . 2010-04-02 00:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 21:25 . 2010-04-02 04:23 -------- d-----w- c:\program files\Microsoft
2010-04-01 21:23 . 2010-04-01 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 20:14 . 2010-04-01 20:14 680 ----a-w- c:\users\Taren\AppData\Local\d3d9caps.dat
2010-04-01 19:04 . 2010-04-01 19:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-01 19:03 . 2010-04-05 04:11 -------- d-----w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com
2010-04-01 18:02 . 2010-04-04 04:44 -------- d-----w- c:\windows\system32\catroot2.bak
2010-04-01 09:17 . 2010-04-01 09:17 209720 ----a-w- c:\users\Taren\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-01 07:51 . 2010-04-01 07:51 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-01 07:16 . 2010-04-01 07:16 -------- d-----w- c:\users\Admin\AppData\Local\Yahoo
2010-04-01 07:16 . 2010-04-01 07:16 -------- d-----w- c:\users\Admin\AppData\Roaming\Yahoo!
2010-04-01 06:52 . 2010-04-01 06:52 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2010-03-30 20:52 . 2010-03-30 20:52 -------- d-----w- c:\users\Diane\AppData\Roaming\vlc
2010-03-10 08:03 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:03 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:03 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 19:50 . 2008-11-06 21:48 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-06 17:27 . 2008-08-12 21:15 -------- d-----w- c:\program files\SpywareBlaster
2010-04-06 17:24 . 2010-04-04 18:58 966104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 17:24 . 2010-04-04 18:58 1265264 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-04 22:06 . 2008-08-12 21:21 -------- d-----w- c:\users\Taren\AppData\Roaming\uTorrent
2010-04-04 19:00 . 2008-05-06 07:32 -------- d-----w- c:\program files\Yahoo!
2010-04-04 18:59 . 2010-04-04 18:58 516480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-04-04 12:41 . 2009-10-24 06:02 529464 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-04 07:10 . 2010-02-22 04:29 2977 ----a-w- c:\programdata\Intuit\QuickBooks 2010\qbbackup.sys
2010-04-04 06:21 . 2010-03-05 18:16 -------- d-----w- c:\program files\verizon_broad
2010-04-04 06:20 . 2009-12-11 13:57 -------- d-----w- c:\programdata\Yahoo!
2010-04-04 06:00 . 2008-05-06 07:01 -------- d-----w- c:\programdata\NVIDIA
2010-04-04 05:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-04 05:08 . 2010-04-04 05:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-04-04 05:08 . 2010-04-04 05:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-04 04:31 . 2008-08-12 22:36 -------- d-----w- c:\users\Taren\AppData\Roaming\POP Peeper
2010-04-02 08:08 . 2009-03-31 21:05 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-02 05:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-02 00:55 . 2006-11-02 10:23 386060 ----a-r- c:\windows\system32\drivers\hosts
2010-04-01 21:24 . 2008-05-06 07:18 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 21:23 . 2008-05-06 07:18 -------- d-----w- c:\program files\Java
2010-04-01 07:51 . 2010-02-07 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 06:43 . 2008-10-14 23:25 -------- d-----w- c:\users\Taren\AppData\Roaming\Winamp
2010-04-01 06:43 . 2008-08-23 15:21 -------- d-----w- c:\users\Taren\AppData\Roaming\Poser 7
2010-04-01 06:43 . 2009-07-28 19:03 -------- d-----w- c:\programdata\Microsoft Help
2010-04-01 06:43 . 2009-04-28 01:42 -------- d-----w- c:\users\Diane\AppData\Roaming\POP Peeper
2010-04-01 06:43 . 2008-09-27 15:27 -------- d-----w- c:\program files\Common Files\DAZ
2010-04-01 06:43 . 2008-09-15 01:17 -------- d-----w- c:\program files\EvilLyrics
2010-03-30 04:46 . 2010-02-07 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-02-07 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 12:43 . 2008-08-12 21:21 -------- d-----w- c:\program files\uTorrent
2010-03-10 02:29 . 2008-10-31 00:32 -------- d-----w- c:\users\Taren\AppData\Roaming\FileZilla
2010-03-05 18:17 . 2010-03-05 18:17 -------- d-----w- c:\users\Taren\AppData\Roaming\Motive
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\Motive
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\programdata\Motive
2010-03-05 18:16 . 2010-03-05 18:04 -------- d-----w- c:\program files\Verizon
2010-03-05 18:12 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-03-05 18:04 . 2010-03-05 18:02 -------- d-----w- c:\users\Taren\AppData\Roaming\TechWizard
2010-03-05 17:58 . 2010-03-05 17:58 -------- d-----w- c:\users\Diane\AppData\Roaming\TechWizard
2010-02-26 13:51 . 2008-08-12 21:24 -------- d-----w- c:\program files\Winamp
2010-02-26 13:42 . 2008-08-17 03:33 -------- d-----w- c:\program files\AVG
2010-02-24 14:16 . 2009-10-02 15:55 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-01 20:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-01 20:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-01 20:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-01 20:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 04:28 . 2010-02-22 00:05 -------- d-----w- c:\programdata\SQL Anywhere 11
2010-02-22 04:21 . 2010-02-22 00:05 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-22 04:20 . 2010-02-22 04:20 -------- d-----w- c:\programdata\Nuance
2010-02-22 04:14 . 2010-02-22 00:05 -------- d-----w- c:\programdata\Intuit
2010-02-22 03:25 . 2010-02-22 03:25 975136 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-02-22 03:25 . 2010-02-22 03:25 44832 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-02-22 03:25 . 2010-02-22 03:25 499712 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-02-22 03:25 . 2010-02-22 03:25 348160 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-02-22 00:05 . 2010-02-22 00:05 -------- d-----w- c:\program files\Intuit
2010-02-22 00:05 . 2010-02-22 00:05 -------- d-----w- c:\programdata\COMMON FILES
2010-02-21 20:48 . 2010-02-21 20:48 1653661 ----a-w- c:\users\Public\ta09pa1040.exe
2010-02-21 20:44 . 2010-02-21 20:48 17412532 ----a-w- c:\users\Public\ta09stdw.exe
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\users\Taren\AppData\Roaming\Malwarebytes
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\programdata\Malwarebytes
2010-02-04 15:53 . 2010-04-04 18:58 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-23 09:26 . 2010-02-23 23:48 2048 ----a-w- c:\windows\system32\tzres.dll
1997-03-10 20:31 . 2008-10-16 23:42 448512 ----a-w- c:\program files\FL.EXE
1997-03-08 19:32 . 2008-10-16 23:42 4089 ----a-w- c:\program files\README.TXT
2008-10-01 21:08 . 2008-08-13 02:21 72 --sh--w- c:\windows\S6CD8ADEB.tmp
2008-09-28 16:19 . 2008-09-28 16:19 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-01-12 1490944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\users\Taren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Canon IJ Status Monitor Canon Inkjet i550.lnk - c:\windows\system32\rundll32.exe [2006-11-2 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-10 17:59 195072 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:9e,29,b0,27,23,d2,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3374299948-3289535038-2432813410-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3374299948-3289535038-2432813410-1001]
"EnableNotificationsRef"=dword:00000001

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-06 1265264]
R3 BCASPROT;Advanced System Protector; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:58]

2010-04-04 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-04-02 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Taren\AppData\Roaming\Mozilla\Firefox\Profiles\njedykil.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 16:45
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2584)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-04-06 16:49:31
ComboFix-quarantined-files.txt 2010-04-06 20:49
ComboFix2.txt 2010-04-05 03:19
ComboFix3.txt 2010-04-01 21:47

Pre-Run: 34,687,205,376 bytes free
Post-Run: 34,645,479,424 bytes free

- - End Of File - - 14D4284FC3201346728B6E4F5DF76252


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:10 AM

Posted 06 April 2010 - 04:21 PM

Good job of getting it to run; unluckily, it's really not showing anything and it didn't find anything to delete. I am going to go back through the log, but in the meantime I want you to try the following to see if it helps the redirection problems:



Let's try a few things to see if they work or at least eliminate them as the redirection problem.

1.) If you use a router, please reset it and create a new password



2.) Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



3.) To flush DNS cache in Microsoft Windows (98, 2000, XP, Vista, 7):

* Go to Start -> Run -> type in cmd
* from command prompt, type ipconfig /flushdns
* that will reset your DNS cache



4.) Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
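The hosts-file restore in step 4 matters because a hijacked hosts file can silently block the update and antivirus sites mentioned earlier in this thread, and ipconfig /flushdns in step 3 only helps once those entries are gone. As an added example (not from this thread or from HostsXpert), the Python script below parses a hosts file and flags watchlist domains that are sinkholed to loopback or pointed at some other address; the watchlist and the sample hosts file are constructed for illustration, and ordinary ad-blocking entries mapped to 127.0.0.1 are deliberately left alone.

```python
"""Audit a Windows hosts file for entries that block or redirect update
and security-vendor domains.  Added example; not part of the thread."""
import ipaddress
import os
from dataclasses import dataclass

# Domains that a legitimate hosts file should never map anywhere.
# Constructed watchlist for this example; extend it for your own vendors.
WATCHLIST = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
    "avast.com",
    "malwarebytes.org",
)

# Addresses that effectively sinkhole a name (Windows treats 0.0.0.0 the same way).
BLACKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Constructed sample hosts file: one harmless ad-block entry, two sinkholed
# update domains, one vendor domain redirected off-box, and one junk line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net      # typical ad-block entry, harmless
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       download.windowsupdate.com
203.0.113.25    www.avast.com        # redirected to a non-loopback host
not-an-ip       junk.example
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    hostnames: tuple


@dataclass(frozen=True)
class Finding:
    lineno: int
    hostname: str
    address: str
    kind: str  # "blocked" (sinkholed) or "redirected" (sent elsewhere)


def parse_hosts(text: str) -> list:
    """Return the address/hostname entries of a hosts file, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real audit would report it
        hostnames = tuple(h.lower().rstrip(".") for h in fields[1:])
        entries.append(HostsEntry(lineno, str(addr), hostnames))
    return entries


def _on_watchlist(hostname: str) -> bool:
    """True for a watchlist domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> list:
    """Flag watchlist domains that the hosts file sinkholes or redirects."""
    findings = []
    for entry in parse_hosts(text):
        sinkholed = ipaddress.ip_address(entry.address) in BLACKHOLE
        for host in entry.hostnames:
            if _on_watchlist(host):
                kind = "blocked" if sinkholed else "redirected"
                findings.append(Finding(entry.lineno, host, entry.address, kind))
    return findings


if __name__ == "__main__":
    # Audit the live file when present (Windows default path), else the sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text) or []:
        print(f"line {f.lineno}: {f.hostname} -> {f.address} ({f.kind})")
```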

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • Local time:07:10 AM

Posted 06 April 2010 - 04:47 PM

Router is reset, new password
ATFCleaner is run, but I couldn't clean Windows Temp, as I seem to have lost my "Run as Administrator" & "Open" options in the Rclick menu.
DNS Cache is flushed
HostsXpert is run, & locked as read only.

Should I leave Defender & Avast turned off?

#8 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • Local time:07:10 AM

Posted 06 April 2010 - 05:07 PM

No, that didn't fix it.
I have this window open & refreshing every 1/2 hour or so. IE just popped a new separate window on me, & I wasn't going to take a chance on where it was gonna open with no AV running, so I didn't get an address.

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:10 AM

Posted 06 April 2010 - 05:18 PM

Let's see if you can get this to run. It may take a while if you do.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#10 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • Local time:07:10 AM

Posted 07 April 2010 - 06:13 AM

Got these, but I'm not sure if they're anything, as they're on my external hard drive & were old installs I was keeping.

H:\Burner\Programs\3DS Max\3D_Studio_Max_9_With_Vray.rar probably a variant of Win32/Agent trojan deleted - quarantined
H:\Programs\System\8_Alchemy.Mindworks.Pagan.Daybook.3.v5.0a21.rar probably a variant of Win32/Agent trojan deleted - quarantined
H:\Programs\System\cr-bp909.zip probably a variant of Win32/Agent trojan deleted - quarantined
H:\Programs\WebTools\Messengers\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:10 AM

Posted 07 April 2010 - 11:05 AM

If the system had access to them then they definitely needed to go. Let's run ComboFix again. If it asks to update itself go ahead and let it.

#12 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts
  • Local time:07:10 AM

Posted 07 April 2010 - 01:40 PM

New ComboFix log (after update)

ComboFix 10-04-06.05 - Taren 04/07/2010 14:22:37.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.1738 [GMT -4:00]
Running from: c:\users\Taren\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 18:32 . 2010-04-07 18:32 -------- d-----w- c:\users\Taren\AppData\Local\temp
2010-04-07 18:32 . 2010-04-07 18:32 -------- d-----w- c:\users\Diane\AppData\Local\temp
2010-04-07 18:32 . 2010-04-07 18:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 18:32 . 2010-04-07 18:32 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-04-07 00:55 . 2010-04-07 00:55 -------- d-----w- c:\program files\ESET
2010-04-06 17:24 . 2010-04-06 17:24 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-06 14:45 . 2010-04-04 18:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-05 21:36 . 2010-04-05 21:16 5367 ----a-w- c:\users\Public\Attach.zip
2010-04-05 04:36 . 2010-04-05 04:38 -------- d-----w- c:\windows\system32\catroot2
2010-04-05 04:12 . 2010-04-05 04:12 52224 ----a-w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 04:12 . 2010-04-05 04:12 117760 ----a-w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-05 04:11 . 2010-04-05 04:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 04:11 . 2010-04-05 04:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-05 02:54 . 2010-04-05 02:54 -------- d-----w- C:\rsit
2010-04-04 20:37 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-04 20:37 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-04 20:37 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-04 20:37 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-04 20:37 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-04 20:37 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-04 20:37 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-04 20:37 . 2010-04-04 20:37 -------- d-----w- c:\programdata\Alwil Software
2010-04-04 20:37 . 2010-04-04 20:37 -------- d-----w- c:\program files\Alwil Software
2010-04-04 20:25 . 2010-04-04 20:26 -------- d-----w- c:\program files\ERUNT
2010-04-04 18:59 . 2010-04-04 18:59 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-04 18:59 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-04 18:59 . 2010-04-04 18:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-04 18:59 . 2010-04-04 18:59 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-04-04 18:57 . 2010-04-04 18:59 -------- d-----w- c:\programdata\Lavasoft
2010-04-04 18:57 . 2010-04-04 18:58 -------- d-----w- c:\program files\Lavasoft
2010-04-04 05:56 . 2010-04-04 19:00 140832 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-04 05:32 . 2010-04-04 05:59 -------- d-----w- c:\windows\nvtmpinst
2010-04-04 05:08 . 2010-04-04 05:08 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-04 04:46 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-04 04:46 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-04 04:46 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-04 04:44 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-04 04:43 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-04 04:43 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-04 04:43 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-02 17:06 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-02 17:06 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-02 17:06 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-02 16:38 . 2010-04-02 16:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-04-02 07:19 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-02 07:19 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-02 07:19 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-02 07:19 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-02 07:19 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\program files\Trojan Remover
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\users\Taren\AppData\Roaming\Simply Super Software
2010-04-02 07:19 . 2010-04-02 07:19 -------- d-----w- c:\programdata\Simply Super Software
2010-04-02 06:48 . 2010-04-02 06:48 -------- d-----w- c:\program files\Trend Micro
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\ca-ES
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\vi-VN
2010-04-02 05:08 . 2010-04-02 05:08 -------- d-----w- c:\windows\system32\eu-ES
2010-04-02 04:58 . 2010-04-02 04:58 -------- d-----w- c:\windows\system32\EventProviders
2010-04-02 02:36 . 2010-04-02 02:36 -------- d--h--w- c:\windows\PIF
2010-04-02 01:03 . 2010-04-02 01:03 -------- d-----w- c:\users\Taren\Pavark
2010-04-02 01:01 . 2010-04-04 18:58 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-02 00:58 . 2010-04-02 04:21 -------- d-----w- c:\users\Taren\AppData\Roaming\Systweak
2010-04-02 00:58 . 2010-04-02 04:21 -------- d-----w- c:\programdata\Systweak
2010-04-02 00:56 . 2010-04-02 00:56 -------- d-----w- c:\programdata\IObit
2010-04-02 00:49 . 2010-04-02 00:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-02 00:49 . 2010-04-02 00:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 21:25 . 2010-04-02 04:23 -------- d-----w- c:\program files\Microsoft
2010-04-01 21:23 . 2010-04-01 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 20:14 . 2010-04-01 20:14 680 ----a-w- c:\users\Taren\AppData\Local\d3d9caps.dat
2010-04-01 19:04 . 2010-04-01 19:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-01 19:03 . 2010-04-05 04:11 -------- d-----w- c:\users\Taren\AppData\Roaming\SUPERAntiSpyware.com
2010-04-01 18:02 . 2010-04-04 04:44 -------- d-----w- c:\windows\system32\catroot2.bak
2010-04-01 09:17 . 2010-04-01 09:17 209720 ----a-w- c:\users\Taren\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-01 07:51 . 2010-04-01 07:51 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-01 07:16 . 2010-04-01 07:16 -------- d-----w- c:\users\Admin\AppData\Local\Yahoo
2010-04-01 07:16 . 2010-04-01 07:16 -------- d-----w- c:\users\Admin\AppData\Roaming\Yahoo!
2010-04-01 06:52 . 2010-04-01 06:52 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2010-03-30 20:52 . 2010-03-30 20:52 -------- d-----w- c:\users\Diane\AppData\Roaming\vlc
2010-03-10 08:03 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:03 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:03 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 19:50 . 2008-11-06 21:48 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-06 17:27 . 2008-08-12 21:15 -------- d-----w- c:\program files\SpywareBlaster
2010-04-06 17:24 . 2010-04-04 18:58 966104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 17:24 . 2010-04-04 18:58 1265264 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-04 22:06 . 2008-08-12 21:21 -------- d-----w- c:\users\Taren\AppData\Roaming\uTorrent
2010-04-04 19:00 . 2008-05-06 07:32 -------- d-----w- c:\program files\Yahoo!
2010-04-04 18:59 . 2010-04-04 18:58 516480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-04-04 12:41 . 2009-10-24 06:02 529464 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-04 07:10 . 2010-02-22 04:29 2977 ----a-w- c:\programdata\Intuit\QuickBooks 2010\qbbackup.sys
2010-04-04 06:21 . 2010-03-05 18:16 -------- d-----w- c:\program files\verizon_broad
2010-04-04 06:20 . 2009-12-11 13:57 -------- d-----w- c:\programdata\Yahoo!
2010-04-04 06:00 . 2008-05-06 07:01 -------- d-----w- c:\programdata\NVIDIA
2010-04-04 05:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-04 05:08 . 2010-04-04 05:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-04-04 05:08 . 2010-04-04 05:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-04 04:31 . 2008-08-12 22:36 -------- d-----w- c:\users\Taren\AppData\Roaming\POP Peeper
2010-04-02 08:08 . 2009-03-31 21:05 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-02 05:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-02 05:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-02 00:55 . 2006-11-02 10:23 386060 ----a-r- c:\windows\system32\drivers\hosts
2010-04-01 21:24 . 2008-05-06 07:18 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 21:23 . 2008-05-06 07:18 -------- d-----w- c:\program files\Java
2010-04-01 07:51 . 2010-02-07 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 06:43 . 2008-10-14 23:25 -------- d-----w- c:\users\Taren\AppData\Roaming\Winamp
2010-04-01 06:43 . 2008-08-23 15:21 -------- d-----w- c:\users\Taren\AppData\Roaming\Poser 7
2010-04-01 06:43 . 2009-07-28 19:03 -------- d-----w- c:\programdata\Microsoft Help
2010-04-01 06:43 . 2009-04-28 01:42 -------- d-----w- c:\users\Diane\AppData\Roaming\POP Peeper
2010-04-01 06:43 . 2008-09-27 15:27 -------- d-----w- c:\program files\Common Files\DAZ
2010-04-01 06:43 . 2008-09-15 01:17 -------- d-----w- c:\program files\EvilLyrics
2010-03-30 04:46 . 2010-02-07 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-02-07 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 12:43 . 2008-08-12 21:21 -------- d-----w- c:\program files\uTorrent
2010-03-10 02:29 . 2008-10-31 00:32 -------- d-----w- c:\users\Taren\AppData\Roaming\FileZilla
2010-03-05 18:17 . 2010-03-05 18:17 -------- d-----w- c:\users\Taren\AppData\Roaming\Motive
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\program files\Common Files\Motive
2010-03-05 18:16 . 2010-03-05 18:16 -------- d-----w- c:\programdata\Motive
2010-03-05 18:16 . 2010-03-05 18:04 -------- d-----w- c:\program files\Verizon
2010-03-05 18:12 . 2010-03-05 18:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-03-05 18:04 . 2010-03-05 18:02 -------- d-----w- c:\users\Taren\AppData\Roaming\TechWizard
2010-03-05 17:58 . 2010-03-05 17:58 -------- d-----w- c:\users\Diane\AppData\Roaming\TechWizard
2010-02-26 13:51 . 2008-08-12 21:24 -------- d-----w- c:\program files\Winamp
2010-02-26 13:42 . 2008-08-17 03:33 -------- d-----w- c:\program files\AVG
2010-02-24 14:16 . 2009-10-02 15:55 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-01 20:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-01 20:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-01 20:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-01 20:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 04:28 . 2010-02-22 00:05 -------- d-----w- c:\programdata\SQL Anywhere 11
2010-02-22 04:21 . 2010-02-22 00:05 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-22 04:20 . 2010-02-22 04:20 -------- d-----w- c:\programdata\Nuance
2010-02-22 04:14 . 2010-02-22 00:05 -------- d-----w- c:\programdata\Intuit
2010-02-22 03:25 . 2010-02-22 03:25 975136 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-02-22 03:25 . 2010-02-22 03:25 44832 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-02-22 03:25 . 2010-02-22 03:25 499712 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-02-22 03:25 . 2010-02-22 03:25 348160 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-02-22 00:05 . 2010-02-22 00:05 -------- d-----w- c:\program files\Intuit
2010-02-22 00:05 . 2010-02-22 00:05 -------- d-----w- c:\programdata\COMMON FILES
2010-02-21 20:48 . 2010-02-21 20:48 1653661 ----a-w- c:\users\Public\ta09pa1040.exe
2010-02-21 20:44 . 2010-02-21 20:48 17412532 ----a-w- c:\users\Public\ta09stdw.exe
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\users\Taren\AppData\Roaming\Malwarebytes
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\programdata\Malwarebytes
2010-02-04 15:53 . 2010-04-04 18:58 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-23 09:26 . 2010-02-23 23:48 2048 ----a-w- c:\windows\system32\tzres.dll
1997-03-10 20:31 . 2008-10-16 23:42 448512 ----a-w- c:\program files\FL.EXE
1997-03-08 19:32 . 2008-10-16 23:42 4089 ----a-w- c:\program files\README.TXT
2008-10-01 21:08 . 2008-08-13 02:21 72 --sh--w- c:\windows\S6CD8ADEB.tmp
2008-09-28 16:19 . 2008-09-28 16:19 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-01-12 1490944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\users\Taren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Canon IJ Status Monitor Canon Inkjet i550.lnk - c:\windows\system32\rundll32.exe [2006-11-2 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-10 17:59 195072 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9e,29,b0,27,23,d2,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3374299948-3289535038-2432813410-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3374299948-3289535038-2432813410-1001]
"EnableNotificationsRef"=dword:00000001

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-06 1265264]
R3 BCASPROT;Advanced System Protector; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:58]

2010-04-04 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-04-02 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Taren\AppData\Roaming\Mozilla\Firefox\Profiles\njedykil.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 14:32
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Taren\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3768)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-04-07 14:36:23
ComboFix-quarantined-files.txt 2010-04-07 18:36
ComboFix2.txt 2010-04-06 20:49
ComboFix3.txt 2010-04-05 03:19
ComboFix4.txt 2010-04-01 21:47

Pre-Run: 33,217,957,888 bytes free
Post-Run: 33,172,705,280 bytes free

- - End Of File - - 706B39D611462084356EBFBF56C86951


#13 Taren421

Taren421
  • Topic Starter

  • Members
  • 34 posts

Posted 07 April 2010 - 02:14 PM

Had a thought... do all of these programs we've been running only scan the C: drive?
I have some programs installed on my E: drive, so I went and looked; #2 of the four that ESET detected is actually installed in E:\Program Files.
This is a copy of the Installd.txt:

;Installed file list -- do not edit
;Mon Feb 16 21:03:08 2009
INIFILE:C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\pagan3.ini
INSTALLPATH:e:\Program Files\Pagan Daybook 3\
INSTALLD.TXT
APPLICATION:Pagan Daybook 3
e:\Program Files\Pagan Daybook 3\InstallLog.txt (not in folder)
e:\Program Files\Pagan Daybook 3\INSTALLD.TXT
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\pagan3.ini
e:\Program Files\Pagan Daybook 3\pagan3.exe
e:\Program Files\Pagan Daybook 3\pagan3.year
e:\Program Files\Pagan Daybook 3\saver.exe (not in folder)
e:\Program Files\Pagan Daybook 3\referenc.htm
e:\Program Files\Pagan Daybook 3\manual.htm
e:\Program Files\Pagan Daybook 3\regist.htm
e:\Program Files\Pagan Daybook 3\drivers.htm
e:\Program Files\Pagan Daybook 3\INTRO.HTM
e:\Program Files\Pagan Daybook 3\legaldog.htm
e:\Program Files\Pagan Daybook 3\sharewar.htm
e:\Program Files\Pagan Daybook 3\indcdrom.htm
e:\Program Files\Pagan Daybook 3\othrsoft.htm
e:\Program Files\Pagan Daybook 3\license.htm
e:\Program Files\Pagan Daybook 3\html0000.gif
e:\Program Files\Pagan Daybook 3\HTML0001.GIF
e:\Program Files\Pagan Daybook 3\html0002.gif
e:\Program Files\Pagan Daybook 3\HTML0031.GIF
e:\Program Files\Pagan Daybook 3\HTML0032.GIF
e:\Program Files\Pagan Daybook 3\HTML0033.GIF
e:\Program Files\Pagan Daybook 3\html0013.gif
e:\Program Files\Pagan Daybook 3\html0014.gif
e:\Program Files\Pagan Daybook 3\html0012.gif
e:\Program Files\Pagan Daybook 3\html0034.gif
e:\Program Files\Pagan Daybook 3\html0035.gif
e:\Program Files\Pagan Daybook 3\html0036.gif
e:\Program Files\Pagan Daybook 3\html0037.gif
e:\Program Files\Pagan Daybook 3\html0038.gif
e:\Program Files\Pagan Daybook 3\html0075.gif
e:\Program Files\Pagan Daybook 3\html0070.jpg
e:\Program Files\Pagan Daybook 3\html0071.jpg
e:\Program Files\Pagan Daybook 3\html0072.jpg
e:\Program Files\Pagan Daybook 3\html0073.jpg
e:\Program Files\Pagan Daybook 3\html0074.jpg
e:\Program Files\Pagan Daybook 3\html0076.jpg
e:\Program Files\Pagan Daybook 3\html0077.jpg
e:\Program Files\Pagan Daybook 3\HTML0057.png
e:\Program Files\Pagan Daybook 3\HTML0058.png
e:\Program Files\Pagan Daybook 3\HTML0059.png
e:\Program Files\Pagan Daybook 3\html0078.png
e:\Program Files\Pagan Daybook 3\HTML0060.png
e:\Program Files\Pagan Daybook 3\html0079.png
e:\Program Files\Pagan Daybook 3\HTML0061.png
e:\Program Files\Pagan Daybook 3\html0085.png
e:\Program Files\Pagan Daybook 3\html9001.png
e:\Program Files\Pagan Daybook 3\html9002.png
e:\Program Files\Pagan Daybook 3\html9003.png
e:\Program Files\Pagan Daybook 3\html9000.png
e:\Program Files\Pagan Daybook 3\GCSGIF32.DLL (not in folder)
e:\Program Files\Pagan Daybook 3\gcsbmp32.dll (not in folder)
e:\Program Files\Pagan Daybook 3\gcsjpg32.dll
e:\Program Files\Pagan Daybook 3\gcspcx32.dll (not in folder)
e:\Program Files\Pagan Daybook 3\gcspng32.dll (not in folder)
e:\Program Files\Pagan Daybook 3\gcstga32.dll (not in folder)
e:\Program Files\Pagan Daybook 3\GDIPLUS.dll
e:\Program Files\Pagan Daybook 3\EPNTWRPR.dll
e:\Program Files\Pagan Daybook 3\whatsnew.doc
e:\Program Files\Pagan Daybook 3\pagan.mtx (in c:user...roaming... folder)
e:\Program Files\Pagan Daybook 3\pagan.fft (in c:user...roaming... folder)
e:\Program Files\Pagan Daybook 3\pagan3.ccl (in c:user...roaming... folder)
e:\Program Files\Pagan Daybook 3\ORTHO256.CCL (in c:user...roaming... folder)
e:\Program Files\Pagan Daybook 3\Steel Pentagram.gif
e:\Program Files\Pagan Daybook 3\Red Pentagram.gif
e:\Program Files\Pagan Daybook 3\Pyramid of Isis.gif
e:\Program Files\Pagan Daybook 3\Happy Donut.gif
e:\Program Files\Pagan Daybook 3\Marble Cube.gif
e:\Program Files\Pagan Daybook 3\No Animation.gif
e:\Program Files\Pagan Daybook 3\Unicorn.GIF
e:\Program Files\Pagan Daybook 3\Deep Blue.theme
e:\Program Files\Pagan Daybook 3\Shallow Pool.theme
e:\Program Files\Pagan Daybook 3\Green Dome.theme
e:\Program Files\Pagan Daybook 3\Purple Planet from Space.theme
e:\Program Files\Pagan Daybook 3\Daybreak.theme
e:\Program Files\Pagan Daybook 3\Twigs.theme
e:\Program Files\Pagan Daybook 3\Clouds at Midnight.theme
e:\Program Files\Pagan Daybook 3\Ankh if you Love Isis.theme
e:\Program Files\Pagan Daybook 3\Marble.theme
e:\Program Files\Pagan Daybook 3\Purple Pagan.theme
e:\Program Files\Pagan Daybook 3\Orange Forest.theme
e:\Program Files\Pagan Daybook 3\Cosmic Void.theme
e:\Program Files\Pagan Daybook 3\Twilight of the Frogs.theme
e:\Program Files\Pagan Daybook 3\Magenta Surprise.theme
e:\Program Files\Pagan Daybook 3\Outworlds.theme
e:\Program Files\Pagan Daybook 3\Venus from Orbit.theme
e:\Program Files\Pagan Daybook 3\Plastic Furniture.theme
e:\Program Files\Pagan Daybook 3\Garden Path.theme
e:\Program Files\Pagan Daybook 3\Emerald Stone.theme
e:\Program Files\Pagan Daybook 3\Samhain.theme
e:\Program Files\Pagan Daybook 3\Dark Side of the Moon.theme
e:\Program Files\Pagan Daybook 3\Granite.theme
e:\Program Files\Pagan Daybook 3\current.theme
e:\Program Files\Pagan Daybook 3\default.theme
e:\Program Files\Pagan Daybook 3\Travertine.theme
e:\Program Files\Pagan Daybook 3\Mutant Lemons.theme
e:\Program Files\Pagan Daybook 3\Coastline of Atlantis.theme
e:\Program Files\Pagan Daybook 3\Ebb Tide.theme
e:\Program Files\Pagan Daybook 3\Pumpkin in Freefall.theme
e:\Program Files\Pagan Daybook 3\Untitled.theme
e:\Program Files\Pagan Daybook 3\Drowsy Maggie.mid
e:\Program Files\Pagan Daybook 3\Dances by Praetorius.mid
e:\Program Files\Pagan Daybook 3\Lachrimae by John Dowland.mid
e:\Program Files\Pagan Daybook 3\Megans Aire by S W Rimmer.mid
e:\Program Files\Pagan Daybook 3\The Frog Galliard by John Dowland.mid
e:\Program Files\Pagan Daybook 3\Oh Venus Bant by Agricola.mid
e:\Program Files\Pagan Daybook 3\The Kesh.mid
e:\Program Files\Pagan Daybook 3\Ricketts' Hornpipe.mid
e:\Program Files\Pagan Daybook 3\Drewies Accordes.mid
e:\Program Files\Pagan Daybook 3\The Morpeth Rant.mid
e:\Program Files\Pagan Daybook 3\The Old Gray Goose.mid
e:\Program Files\Pagan Daybook 3\Concerto For Two Trumpets.mid
e:\Program Files\Pagan Daybook 3\Night on Bald Mountain.mid
e:\Program Files\Pagan Daybook 3\default.dat (not in folder)
e:\Program Files\Pagan Daybook 3\order.doc
e:\Program Files\Pagan Daybook 3\alchuddl.exe
e:\Program Files\Pagan Daybook 3\clickme.exe
e:\Program Files\Pagan Daybook 3\gwpweb.exe
e:\Program Files\Pagan Daybook 3\alchunin.exe
e:\Program Files\Pagan Daybook 3\license.txt
e:\Program Files\Pagan Daybook 3\document.icn
e:\Program Files\Pagan Daybook 3\instad.exe
MKDIR:e:\Program Files\Pagan Daybook 3\html
MKDIR:C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\Themes
MKDIR:C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\Animations
MKDIR:C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\Personal
MKDIR:C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\Music

C:\Windows\Pagan Daybook 3.scr
e:\Program Files\Pagan Daybook 3\html\drivers.htm
e:\Program Files\Pagan Daybook 3\html\indcdrom.htm
e:\Program Files\Pagan Daybook 3\html\INTRO.HTM
e:\Program Files\Pagan Daybook 3\html\legaldog.htm
e:\Program Files\Pagan Daybook 3\html\license.htm
e:\Program Files\Pagan Daybook 3\html\manual.htm
e:\Program Files\Pagan Daybook 3\html\othrsoft.htm
e:\Program Files\Pagan Daybook 3\html\referenc.htm
e:\Program Files\Pagan Daybook 3\html\regist.htm
e:\Program Files\Pagan Daybook 3\html\sharewar.htm
e:\Program Files\Pagan Daybook 3\html\html0000.gif
e:\Program Files\Pagan Daybook 3\html\HTML0001.GIF
e:\Program Files\Pagan Daybook 3\html\html0002.gif
e:\Program Files\Pagan Daybook 3\html\html0012.gif
e:\Program Files\Pagan Daybook 3\html\html0013.gif
e:\Program Files\Pagan Daybook 3\html\html0014.gif
e:\Program Files\Pagan Daybook 3\html\HTML0031.GIF
e:\Program Files\Pagan Daybook 3\html\HTML0032.GIF
e:\Program Files\Pagan Daybook 3\html\HTML0033.GIF
e:\Program Files\Pagan Daybook 3\html\html0034.gif
e:\Program Files\Pagan Daybook 3\html\html0035.gif
e:\Program Files\Pagan Daybook 3\html\html0036.gif
e:\Program Files\Pagan Daybook 3\html\html0037.gif
e:\Program Files\Pagan Daybook 3\html\html0038.gif
e:\Program Files\Pagan Daybook 3\html\html0039.gif
e:\Program Files\Pagan Daybook 3\html\Html0059.gif
e:\Program Files\Pagan Daybook 3\html\html0075.gif
e:\Program Files\Pagan Daybook 3\html\html0070.jpg
e:\Program Files\Pagan Daybook 3\html\html0071.jpg
e:\Program Files\Pagan Daybook 3\html\html0072.jpg
e:\Program Files\Pagan Daybook 3\html\html0073.jpg
e:\Program Files\Pagan Daybook 3\html\html0074.jpg
e:\Program Files\Pagan Daybook 3\html\html0076.jpg
e:\Program Files\Pagan Daybook 3\html\html0077.jpg
e:\Program Files\Pagan Daybook 3\html\html0033.png
e:\Program Files\Pagan Daybook 3\html\HTML0057.png
e:\Program Files\Pagan Daybook 3\html\HTML0058.png
e:\Program Files\Pagan Daybook 3\html\HTML0059.png
e:\Program Files\Pagan Daybook 3\html\HTML0060.png
e:\Program Files\Pagan Daybook 3\html\HTML0061.png
e:\Program Files\Pagan Daybook 3\html\html0078.png
e:\Program Files\Pagan Daybook 3\html\html0079.png
e:\Program Files\Pagan Daybook 3\html\html0084.png
e:\Program Files\Pagan Daybook 3\html\html0085.png
e:\Program Files\Pagan Daybook 3\html\html9000.png
e:\Program Files\Pagan Daybook 3\html\html9001.png
e:\Program Files\Pagan Daybook 3\html\html9002.png
e:\Program Files\Pagan Daybook 3\html\html9003.png
C:\Windows\ALCHUNIN.EXE
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Concerto For Two Trumpets.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Dances by Praetorius.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Drewies Accordes.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Drowsy Maggie.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Lachrimae by John Dowland.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Megans Aire by S W Rimmer.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Night on Bald Mountain.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Oh Venus Bant by Agricola.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\Ricketts' Hornpipe.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\The Frog Galliard by John Dowland.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\The Kesh.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\The Morpeth Rant.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\music\The Old Gray Goose.mid
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Ankh if you Love Isis.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Clouds at Midnight.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Coastline of Atlantis.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Cosmic Void.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\current.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Dark Side of the Moon.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Daybreak.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Deep Blue.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\default.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Ebb Tide.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Emerald Stone.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Garden Path.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Granite.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Green Dome.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Magenta Surprise.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Marble.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Mutant Lemons.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Orange Forest.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Outworlds.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Plastic Furniture.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Pumpkin in Freefall.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Purple Pagan.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Purple Planet from Space.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Samhain.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Shallow Pool.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Travertine.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Twigs.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Twilight of the Frogs.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Untitled.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\Venus from Orbit.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Happy Donut.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Marble Cube.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\No Animation.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Pyramid of Isis.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Red Pentagram.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Steel Pentagram.gif
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\animations\Unicorn.GIF
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\themes\default.theme
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\ORTHO256.CCL
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\pagan3.ccl
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\pagan.mtx
C:\Users\Taren\AppData\Roaming\Alchemy Mindworks\Pagan Daybook 3\pagan.fft
GROUPNAME:Pagan Daybook 3
LINKPATH:C:\Users\Taren\AppData\Roaming\Microsoft\Windows\Start Menu\Pagan Daybook 3.lnk
LINKDESCRIPTION:Pagan Daybook 3
LINKITEMPATH:e:\Program Files\Pagan Daybook 3\

The underlined files are the ones I'm worried about, especially if all these malware/virus programs are missing them?
What should we do?

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 April 2010 - 02:29 PM

No, they should scan all of the drives.

Please upload this file for me so I can take a look at it. I don't really think it is bad but it won't hurt to check it out since I can't find anything out about it.
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=307398&view=findpost&p=1704535
  • Click Browse and select the c:\windows\S6CD8ADEB.tmp
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

The other thing I need you to do is to re-enable your Avast and then run DDS once again for me. Post both logs it produces into the reply window and don't make either an attachment. I posted the instructions again in case it is no longer on your system:

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop and post both in the reply window.

  • Edited by thewall, 07 April 2010 - 02:30 PM.


    #15 Taren421

    Taren421
    • Topic Starter

    • Members
    • 34 posts

    Posted 07 April 2010 - 02:56 PM

    It won't let me open it; it says it is in use.

    DDS -

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Taren at 15:50:41.56 on Wed 04/07/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_19
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.1563 [GMT -4:00]

    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Kodak\printer\center\KodakSvc.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Taren\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.google.com/
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
    uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\users\taren\appdata\roaming\micros~1\windows\startm~1\programs\startup\canoni~1.lnk - c:\windows\system32\rundll32.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\taren\appdata\roaming\mozilla\firefox\profiles\njedykil.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-4 64288]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-4 162640]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-4 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-4 51792]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
    R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-2-28 18944]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-1 1153368]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 40384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

    =============== Created Last 30 ================

    2010-04-07 18:35:11 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-07 00:55:26 0 d-----w- c:\program files\ESET
    2010-04-06 14:45:02 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-04-05 19:53:38 0 ----a-w- c:\users\taren\defogger_reenable
    2010-04-05 04:36:14 0 d-----w- c:\windows\system32\catroot2
    2010-04-05 04:11:58 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-05 04:11:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-04-04 20:37:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-04-04 20:37:24 0 d-----w- c:\programdata\Alwil Software
    2010-04-04 18:59:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-04-04 18:59:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-04 18:57:34 0 d-----w- c:\programdata\Lavasoft
    2010-04-04 18:57:34 0 d-----w- c:\program files\Lavasoft
    2010-04-04 05:56:38 4306 ----a-w- c:\windows\system32\drivers\nvstor32.inf
    2010-04-04 05:56:38 140832 ----a-w- c:\windows\system32\drivers\nvstor32.sys
    2010-04-04 05:32:40 0 d-----w- c:\windows\nvtmpinst
    2010-04-04 05:08:49 0 d-----w- c:\program files\Windows Portable Devices
    2010-04-04 05:08:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-04-04 05:08:32 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-04-04 04:46:02 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2010-04-04 04:46:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2010-04-04 04:46:01 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2010-04-04 04:44:34 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2010-04-04 04:43:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-04-04 04:43:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-04-04 04:43:01 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-04-02 17:06:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-04-02 17:06:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-04-02 17:06:38 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-04-02 16:38:30 0 d-sh--w- c:\windows\system32\%APPDATA%
    2010-04-02 07:19:01 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-04-02 07:19:01 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-04-02 07:19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-04-02 07:19:01 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-04-02 07:19:01 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-04-02 07:19:00 0 d-----w- c:\users\taren\appdata\roaming\Simply Super Software
    2010-04-02 07:19:00 0 d-----w- c:\programdata\Simply Super Software
    2010-04-02 07:19:00 0 d-----w- c:\program files\Trojan Remover
    2010-04-02 06:48:14 0 d-----w- c:\program files\Trend Micro
    2010-04-02 05:08:38 0 d-----w- c:\windows\system32\vi-VN
    2010-04-02 05:08:38 0 d-----w- c:\windows\system32\eu-ES
    2010-04-02 05:08:38 0 d-----w- c:\windows\system32\ca-ES
    2010-04-02 04:58:43 0 d-----w- c:\windows\system32\EventProviders
    2010-04-02 02:36:21 0 d--h--w- c:\windows\PIF
    2010-04-02 01:24:53 380 ----a-w- c:\windows\wininit.ini
    2010-04-02 01:03:02 0 d-----w- c:\users\taren\Pavark
    2010-04-02 01:01:35 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-04-02 00:58:27 0 d-----w- c:\users\taren\appdata\roaming\Systweak
    2010-04-02 00:58:27 0 d-----w- c:\programdata\Systweak
    2010-04-02 00:56:11 0 d-----w- c:\programdata\IObit
    2010-04-02 00:49:04 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-04-02 00:49:04 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-01 21:33:57 98816 ----a-w- c:\windows\sed.exe
    2010-04-01 21:33:57 77312 ----a-w- c:\windows\MBR.exe
    2010-04-01 21:33:57 261632 ----a-w- c:\windows\PEV.exe
    2010-04-01 21:33:57 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-01 21:25:16 0 d-----w- c:\program files\Microsoft
    2010-04-01 21:24:36 0 d-----w- c:\programdata\Sun
    2010-04-01 21:23:48 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-01 19:04:22 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-01 19:03:13 0 d-----w- c:\users\taren\appdata\roaming\SUPERAntiSpyware.com
    2010-04-01 18:02:39 0 d-----w- c:\windows\system32\catroot2.bak
    2010-04-01 06:45:33 2000 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2010-04-01 06:45:33 2000 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2010-03-10 08:03:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-10 08:03:10 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-10 08:03:09 30720 ----a-w- c:\windows\system32\httpapi.dll

    ==================== Find3M ====================

    2010-04-04 12:41:12 529464 ----a-w- c:\windows\system32\drivers\ndis.sys
    2010-04-04 05:32:23 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-04 05:32:23 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-04 05:08:43 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-04-04 05:08:43 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-04-02 05:05:35 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-04-02 00:55:42 386060 ----a-r- c:\windows\system32\drivers\hosts
    2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    1997-03-10 20:31:16 448512 ----a-w- c:\program files\FL.EXE
    1997-03-08 19:32:28 4089 ----a-w- c:\program files\README.TXT
    2009-09-03 02:59:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
    2009-09-03 02:59:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
    2009-09-03 02:59:36 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2008-09-28 16:19:25 22 --sha-w- c:\windows\sminst\HPCD.sys

    ============= FINISH: 15:51:14.89 ===============
