
IE8 Redirect Virus Win32/Alureon A.


  • This topic is locked
14 replies to this topic

#1 muzzal

  • Members
  • 13 posts

Posted 09 April 2010 - 05:12 AM

Hi there.
I'm running XP Pro SP3. When I do a Google search and click on a link it redirects me to another site. I have to click the back arrow and then click the link again to get in. I have tried a few different scans... Avira shows nothing as does Malwarebytes. Windows Security Essentials detects the virus but when I attempt to remove it I get an error saying the action was incomplete (code 0x80501001)

Hoping someone can please assist me in fixing this problem..

Thanks,
Muzzal


Below is the dds log



DDS (Ver_10-03-17.01) - NTFSx86
Run by M at 19:58:26.28 on Fri 04/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1450 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Calibrize\CalibrizeResume.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\M\Local Settings\Temporary Internet Files\Content.IE5\BC5BTLC6\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [CGFLoader] c:\program files\calibrize\CalibrizeLoader.exe
uRun: [CalibrizeResume] c:\program files\calibrize\CalibrizeResume.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-23 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKsl6f916805;MpKsl6f916805;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d350847b-4733-462b-8184-ae133e9a6dc7}\MpKsl6f916805.sys [2010-4-9 28880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-23 56816]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-2 54752]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-4-9 34760]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S3 IS360service;IS360service;c:\program files\iobit\iobit security 360\IS360srv.exe [2009-6-25 224528]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-16 25832]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-04-09 09:15:39 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-04-09 09:15:39 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-04-09 09:15:31 2 --shatr- c:\windows\winstart.bat
2010-04-09 09:15:17 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-09 09:15:06 0 d-----w- c:\program files\UnHackMe
2010-04-09 09:08:13 96512 ----a-w- c:\windows\system32\drivers\ulptwsbn.sys
2010-04-09 08:45:11 96512 ----a-w- c:\windows\system32\drivers\ktzkmzpp.sys
2010-04-08 10:37:20 96512 ----a-w- c:\windows\system32\drivers\xgekpatw.sys
2010-04-08 10:20:57 96512 ----a-w- c:\windows\system32\drivers\lompwhdo.sys
2010-04-08 09:49:20 96512 ----a-w- c:\windows\system32\drivers\qsltezbh.sys
2010-04-08 08:02:47 96512 ----a-w- c:\windows\system32\drivers\eflbqmno.sys
2010-04-08 07:47:06 96512 ----a-w- c:\windows\system32\drivers\eykbbegu.sys
2010-04-08 07:32:08 96512 ----a-w- c:\windows\system32\drivers\bqmmsfmt.sys
2010-04-07 11:57:16 96512 ----a-w- c:\windows\system32\drivers\ipdjmuwd.sys
2010-04-07 11:48:47 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 10:28:39 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-05 06:57:06 0 d-----w- c:\program files\IrfanView
2010-04-05 06:41:46 561152 ----a-w- c:\windows\system32\AltST.dll
2010-04-05 06:41:46 491520 ----a-w- c:\windows\system32\imagx4.dll
2010-04-05 06:41:46 38912 ----a-w- c:\windows\system32\picn20.dll
2010-04-05 06:41:46 250736 ----a-w- c:\windows\system32\ImagXpr4.dll
2010-04-05 06:41:45 834128 ----a-w- c:\windows\system32\Actbar2.ocx
2010-04-05 06:41:45 421888 ----a-w- c:\windows\system32\imagr4.dll
2010-04-05 06:41:45 372736 ----a-w- c:\windows\system32\ShellExtension.dll
2010-04-04 08:14:45 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-29 06:30:06 4544 ----a-w- c:\windows\MSOClip.232
2010-03-29 06:30:06 10304 ----a-w- c:\windows\MSOPrefs.232
2010-03-11 06:46:44 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-07 08:49:58 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbx.DAT
2010-04-05 06:28:23 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-04-02 10:47:54 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-03-29 13:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 13:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-22 21:08:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

============= FINISH: 19:59:00.26 ===============



#2 muzzal

  • Topic Starter
  • Members
  • 13 posts

Posted 10 April 2010 - 05:38 PM

Attached File: Attach.txt (18.26KB)

Hi there.
I have a rootkit infection that I'm unable to remove using "standard" means. I'm running XP Pro SP3. When I do a Google search and click on a link it redirects me to another site. I have tried a few different scans... Avira shows nothing as does Malwarebytes. Windows Security Essentials detects the virus but when I attempt to remove it I get an error saying the action was incomplete (code 0x80501001).

I have included the DDS log and Attach.txt file. Could not run GMER due to continual system crash during scan process.

Hoping someone can please assist me in fixing this problem..

Thanks,
Muzzal





Edited by Orange Blossom, 11 April 2010 - 02:50 PM.
Merged topics. ~ OB


#3 myrti

  • Malware Study Hall Admin
  • 33,766 posts

Posted 12 April 2010 - 10:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 muzzal

  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2010 - 03:54 AM

Hi. Thanks for helping me out....

I have attached the OTL.Txt log data but the Extras.Txt did not happen (hope this is OK). I did run an OTL scan yesterday (got from Geeks to go) and I did get 2 outputs using the following scan codes:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


Would this work for your analysis? Also note, I managed to get the GMER scan to work and have attached the logfile.

Rgds,
Muzzal


OTL.Txt Log

OTL logfile created on: 4/13/2010 6:40:44 PM - Run 4
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\M\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 197.35 Gb Free Space | 66.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: M-5267A0B43FE64
Current User Name: M
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/12 19:35:55 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\M\Desktop\OTL.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/07/21 12:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 14:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2008/12/16 16:44:28 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/09/16 11:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/04/14 10:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/26 15:40:38 | 000,413,696 | ---- | M] (Eberhard Werle) -- C:\Program Files\Calibrize\CalibrizeResume.exe
PRC - [2007/04/20 03:33:01 | 000,271,936 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2006/09/25 09:12:20 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/06/06 19:40:48 | 000,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
PRC - [2004/10/15 19:40:56 | 002,577,632 | ---- | M] (Sygate Technologies, Inc.) -- C:\Program Files\Sygate\SPF\Smc.exe
PRC - [2004/06/03 18:51:27 | 000,172,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2004/06/03 18:50:07 | 000,204,800 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe
PRC - [2002/03/18 21:30:52 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe


========== Modules (SafeList) ==========

MOD - [2010/04/12 19:35:55 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\M\Desktop\OTL.exe
MOD - [2007/04/20 03:33:11 | 000,063,032 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll
MOD - [2004/10/15 18:32:10 | 000,083,096 | ---- | M] (Sygate Technologies, Inc.) -- C:\WINDOWS\system32\SSSensor.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/16 06:07:16 | 000,025,832 | ---- | M] (BioWare) [Disabled | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/08/05 21:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/21 12:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/06/16 13:10:02 | 000,224,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\IObit\IObit Security 360\IS360srv.exe -- (IS360service)
SRV - [2009/05/13 14:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/09 15:20:27 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/16 11:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2004/10/15 19:40:56 | 002,577,632 | ---- | M] (Sygate Technologies, Inc.) [Auto | Running] -- C:\Program Files\Sygate\SPF\Smc.exe -- (SmcService)


========== Driver Services (SafeList) ==========

DRV - [2010/04/11 06:41:37 | 000,034,760 | ---- | M] (Greatis Software) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\Partizan.sys -- (Partizan)
DRV - [2010/03/02 18:37:08 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/02 18:37:08 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/02 18:37:08 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/23 07:08:31 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/08/05 21:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/05/11 08:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/03/30 08:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 10:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/14 06:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 02:36:05 | 000,144,384 | ---- | M] (Windows Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/25 20:38:15 | 000,014,656 | ---- | M] (Windows Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2007/11/30 17:34:08 | 000,040,960 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rts5161ccid.sys -- (USBCCID)
DRV - [2006/12/17 12:50:29 | 001,918,464 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/11/24 14:47:50 | 000,040,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2006/11/15 16:34:00 | 004,225,920 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/08/14 15:09:48 | 000,083,200 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2005/06/06 19:43:04 | 000,925,192 | R--- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2004/10/15 18:32:44 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2004/10/15 18:32:42 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2004/10/15 18:32:40 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2004/10/15 18:32:38 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2004/10/15 18:18:46 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2004/10/15 18:17:02 | 000,060,496 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2004/08/25 06:42:00 | 000,319,104 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/ig
IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\..\URLSearchHook: E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1547161642-602609370-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2008/06/24 21:34:43 | 000,250,435 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 8730 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-1547161642-602609370-839522115-1003..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe (Eberhard Werle)
O4 - HKU\S-1-5-21-1547161642-602609370-839522115-1003..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe (Colorjinn)
O4 - HKU\S-1-5-21-1547161642-602609370-839522115-1003..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe (Greatis Software)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-602609370-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-602609370-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\M\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\M\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/12 00:45:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (Partizan) - C:\WINDOWS\System32\Partizan.exe (Greatis Software)
O34 - HKLM BootExecute: (ootExecute settings...) - File not found
O34 - HKLM BootExecute: (ount) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/05/12 08:43:45 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: AVG Anti-Spyware Driver - Driver
SafeBootMin: AVG Anti-Spyware Guard - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AVG Anti-Spyware Driver - Driver
SafeBootNet: AVG Anti-Spyware Guard - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MsMpSvc - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - Microsoft NetShow Player
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.2
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2906801A-5AEE-A8CA-46E6-FE203E61C496} - Microsoft Windows Media Player
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.2
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {55ADC5F7-A848-4AE4-B8C2-E94FFCCB0DF7} -
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {854F3FDF-6AFF-1542-5A92-1D0AC135D6FD} - Browser Customizations
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/12 19:35:46 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\M\Desktop\OTL.exe
[2010/04/12 18:29:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/12 18:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/12 18:14:23 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\M\My Documents\TFC.exe
[2010/04/11 09:19:55 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hldgtnhr.sys
[2010/04/11 06:41:37 | 000,034,760 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2010/04/11 06:41:37 | 000,032,480 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2010/04/09 22:46:28 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mktwgqry.sys
[2010/04/09 20:44:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/09 19:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\M\My Documents\RegRun2
[2010/04/09 19:15:17 | 000,012,752 | ---- | C] (Greatis Software, LLC.) -- C:\WINDOWS\System32\drivers\UnHackMeDrv.sys
[2010/04/09 19:15:06 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/04/09 19:08:13 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ulptwsbn.sys
[2010/04/09 18:45:11 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ktzkmzpp.sys
[2010/04/08 20:37:20 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\xgekpatw.sys
[2010/04/08 20:20:57 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\lompwhdo.sys
[2010/04/08 19:49:20 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\qsltezbh.sys
[2010/04/08 18:02:47 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\eflbqmno.sys
[2010/04/08 17:47:06 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\eykbbegu.sys
[2010/04/08 17:32:08 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bqmmsfmt.sys
[2010/04/07 21:57:16 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ipdjmuwd.sys
[2010/04/07 21:48:47 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/04/07 20:28:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/04/07 19:27:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\M\Recent
[2010/04/05 16:57:06 | 000,000,000 | ---D | C] -- C:\Program Files\IrfanView
[2010/04/05 16:41:46 | 000,561,152 | ---- | C] (SoftTech InterCorp) -- C:\WINDOWS\System32\AltST.dll
[2010/04/05 16:41:46 | 000,491,520 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\imagx4.dll
[2010/04/05 16:41:46 | 000,250,736 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\ImagXpr4.dll
[2010/04/05 16:41:46 | 000,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll
[2010/04/05 16:41:45 | 000,834,128 | ---- | C] (Data Dynamics) -- C:\WINDOWS\System32\Actbar2.ocx
[2010/04/05 16:41:45 | 000,421,888 | ---- | C] (Pegasus Software,LLC) -- C:\WINDOWS\System32\imagr4.dll
[2010/04/05 16:41:45 | 000,372,736 | ---- | C] (SoftTech InterCorp Corporation, http://www.stintercorp.com/) -- C:\WINDOWS\System32\ShellExtension.dll
[2010/02/23 13:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/23 13:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/23 06:38:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/23 06:38:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/23 06:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/10/30 18:56:20 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\M\Application Data\pcouffin.sys
[2007/12/02 07:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2007/09/22 19:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

========== Files - Modified Within 30 Days ==========

[2010/04/13 14:16:27 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/13 14:12:23 | 000,013,692 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 14:11:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 14:11:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/12 22:01:33 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\M\ntuser.dat
[2010/04/12 22:01:33 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\M\ntuser.ini
[2010/04/12 22:01:17 | 006,996,010 | -H-- | M] () -- C:\Documents and Settings\M\Local Settings\Application Data\IconCache.db
[2010/04/12 19:35:55 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\M\Desktop\OTL.exe
[2010/04/12 18:28:15 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\M\Desktop\NTREGOPT.lnk
[2010/04/12 18:28:15 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\M\Desktop\ERUNT.lnk
[2010/04/12 18:14:25 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\M\My Documents\TFC.exe
[2010/04/11 10:00:00 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/04/11 09:19:55 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hldgtnhr.sys
[2010/04/11 06:41:37 | 000,034,760 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2010/04/11 06:41:37 | 000,032,480 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2010/04/09 22:46:28 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mktwgqry.sys
[2010/04/09 19:15:31 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/09 19:15:31 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/04/09 19:15:31 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/04/09 19:15:20 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\M\Desktop\UnHackMe.lnk
[2010/04/09 19:08:13 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ulptwsbn.sys
[2010/04/09 18:45:11 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ktzkmzpp.sys
[2010/04/08 20:37:20 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\xgekpatw.sys
[2010/04/08 20:20:57 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\lompwhdo.sys
[2010/04/08 19:49:20 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\qsltezbh.sys
[2010/04/08 18:02:47 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\eflbqmno.sys
[2010/04/08 17:47:06 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\eykbbegu.sys
[2010/04/08 17:32:08 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bqmmsfmt.sys
[2010/04/07 21:57:16 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ipdjmuwd.sys
[2010/04/07 20:28:40 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/07 19:06:34 | 000,000,820 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/07 18:49:58 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
[2010/04/05 16:57:07 | 000,000,685 | ---- | M] () -- C:\Documents and Settings\M\Desktop\IrfanView.lnk
[2010/04/05 16:28:23 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/04/05 16:26:02 | 000,521,444 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/05 16:26:02 | 000,441,346 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/05 16:26:02 | 000,071,554 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/04 18:20:33 | 000,000,390 | ---- | M] () -- C:\Documents and Settings\M\My Documents\cc_20100404_182029.reg
[2010/04/03 18:00:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/03 13:26:18 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\M\Desktop\Microsoft Word.lnk
[2010/04/02 20:47:54 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/03/29 23:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 23:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 19:26:22 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Presentation1.ppt
[2010/03/29 19:26:12 | 000,010,304 | ---- | M] () -- C:\WINDOWS\MSOPrefs.232
[2010/03/29 19:26:12 | 000,004,544 | ---- | M] () -- C:\WINDOWS\MSOClip.232
[2010/03/28 14:24:49 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\M\My Documents\lynne mullins recipes.doc
[2010/03/26 19:01:27 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Order details mem card.doc
[2010/03/25 19:02:17 | 000,006,658 | ---- | M] () -- C:\Documents and Settings\M\My Documents\cc_20100325_200212.reg
[2010/03/25 18:53:09 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\M\Desktop\CCleaner.lnk
[2010/03/18 18:24:18 | 000,000,468 | ---- | M] () -- C:\Documents and Settings\M\My Documents\spider.sav
[2010/03/17 20:08:49 | 000,339,456 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Centrelink.doc
[2010/03/17 20:07:13 | 000,069,149 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Centrelink 3.pdf
[2010/03/17 20:04:14 | 000,157,353 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Centrelink 2.pdf
[2010/03/17 20:03:39 | 000,317,922 | ---- | M] () -- C:\Documents and Settings\M\My Documents\Centrelink 1.pdf

========== Files Created - No Company Name ==========

[2010/04/12 18:28:15 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\M\Desktop\NTREGOPT.lnk
[2010/04/12 18:28:15 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\M\Desktop\ERUNT.lnk
[2010/04/09 19:15:31 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/04/09 19:15:20 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\M\Desktop\UnHackMe.lnk
[2010/04/07 20:34:16 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/07 20:28:40 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/05 16:57:07 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\M\Desktop\IrfanView.lnk
[2010/04/04 18:20:31 | 000,000,390 | ---- | C] () -- C:\Documents and Settings\M\My Documents\cc_20100404_182029.reg
[2010/04/03 15:08:37 | 007,077,888 | ---- | C] () -- C:\Documents and Settings\M\ntuser.dat
[2010/03/29 19:26:22 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Presentation1.ppt
[2010/03/29 16:30:06 | 000,010,304 | ---- | C] () -- C:\WINDOWS\MSOPrefs.232
[2010/03/29 16:30:06 | 000,004,544 | ---- | C] () -- C:\WINDOWS\MSOClip.232
[2010/03/28 14:24:49 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\M\My Documents\lynne mullins recipes.doc
[2010/03/25 19:02:14 | 000,006,658 | ---- | C] () -- C:\Documents and Settings\M\My Documents\cc_20100325_200212.reg
[2010/03/18 18:24:18 | 000,000,468 | ---- | C] () -- C:\Documents and Settings\M\My Documents\spider.sav
[2010/03/17 20:08:49 | 000,339,456 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Centrelink.doc
[2010/03/17 20:07:13 | 000,069,149 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Centrelink 3.pdf
[2010/03/17 20:04:14 | 000,157,353 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Centrelink 2.pdf
[2010/03/17 20:03:39 | 000,317,922 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Centrelink 1.pdf
[2010/03/17 18:17:54 | 000,052,736 | ---- | C] () -- C:\Documents and Settings\M\My Documents\Order details mem card.doc
[2010/03/04 19:38:28 | 000,000,442 | RHS- | C] () -- C:\Documents and Settings\M\ntuser.pol
[2010/02/23 17:34:26 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\M\ntuser.tmp.LOG
[2010/01/23 13:58:40 | 005,386,240 | ---- | C] () -- C:\WINDOWS\System32\RTS5121icon.dll
[2009/09/08 19:40:58 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/09/08 19:40:58 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2009/09/08 19:40:58 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/09/08 19:40:58 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/07/28 20:15:05 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Vocals
[2009/07/28 20:15:05 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\M\Application Data\User Loops
[2009/07/28 20:06:00 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
[2009/07/27 19:52:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/07/27 18:53:18 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Pop Kit
[2009/07/27 18:53:18 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\M\Application Data\Plug-Ins
[2009/07/27 18:53:18 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Quartz Composer
[2009/07/27 18:53:17 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/07/27 18:52:12 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Podcasting
[2009/07/27 18:52:12 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\M\Application Data\Plants
[2009/07/27 18:52:12 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/07/27 18:52:12 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\PrintingModule
[2009/07/10 16:53:40 | 000,000,039 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/10 16:53:38 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/05/29 21:10:05 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ra3.ini
[2009/04/03 14:10:04 | 007,262,208 | ---- | C] () -- C:\WINDOWS\System32\tliadjust32.dll
[2009/03/29 05:58:49 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\M\Application Data\vso_ts_preview.xml
[2009/03/28 14:54:19 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/28 14:54:19 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/04 17:28:29 | 000,000,031 | ---- | C] () -- C:\Documents and Settings\M\jagex_runescape_preferences.dat
[2008/10/30 18:58:14 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\M\Application Data\Printer.ini
[2008/10/30 18:56:20 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\M\Application Data\inst.exe
[2008/10/30 18:56:20 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\M\Application Data\pcouffin.cat
[2008/10/30 18:56:20 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\M\Application Data\pcouffin.inf
[2008/10/13 12:11:46 | 000,002,255 | ---- | C] () -- C:\Documents and Settings\M\.recently-used.xbel
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/08/24 08:19:08 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\M\Local Settings\Application Data\fusioncache.dat
[2008/08/23 19:13:13 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\M\Application Data\PnkBstrK.sys
[2008/07/06 18:49:47 | 000,090,668 | ---- | C] () -- C:\WINDOWS\System32\vobis32.dll
[2007/11/26 20:56:28 | 000,151,415 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2007/08/29 14:29:46 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\M\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/15 07:02:09 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\M\Application Data\FixVTS.ini
[2007/08/14 18:13:01 | 000,000,031 | ---- | C] () -- C:\WINDOWS\ultimatecd.ini
[2007/07/10 19:42:49 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/07/10 19:42:49 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/07/10 19:42:49 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2007/05/21 12:14:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/05/15 15:03:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/12 02:24:56 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/05/12 02:24:55 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/05/12 02:24:55 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/05/12 02:24:55 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/05/12 02:24:55 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/05/12 02:24:55 | 000,053,248 | R--- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/05/12 02:24:55 | 000,049,152 | R--- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/05/12 02:24:54 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/05/12 02:24:54 | 000,049,152 | R--- | C] () -- C:\WINDOWS\sm56chs.dll
[2007/05/12 00:50:12 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\M\ntuser.ini
[2007/05/12 00:50:11 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\M\ntuser.dat.LOG
[2007/05/12 00:50:10 | 007,077,888 | ---- | C] () -- C:\Documents and Settings\M\ntuser.bak
[2004/10/15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[1999/01/23 04:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2006/02/28 22:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/18 22:37:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/18 22:37:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 22:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/18 22:37:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/18 22:37:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 22:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 22:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 22:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 22:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >


GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 19:30:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\M\LOCALS~1\Temp\agrirpog.sys
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB9ECCB30]
SSDT BAEF9626 ZwCreateKey
SSDT BAEF961C ZwCreateThread
SSDT BAEF962B ZwDeleteKey
SSDT BAEF9635 ZwDeleteValueKey
SSDT BAEF963A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB9ECC470]
SSDT BAEF9608 ZwOpenProcess
SSDT BAEF960D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB9ECCC50]
SSDT BAEF9644 ZwReplaceKey
SSDT BAEF963F ZwRestoreKey
SSDT BAEF9630 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB9ECC990]
SSDT BAEF9617 ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB9ECCD60]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA721780]
.text tcpip.sys!IPTransmit + 10FC A91BDD3A 6 Bytes CALL BA5E0E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 A91BF690 6 Bytes CALL BA5E0E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 A91D5454 6 Bytes CALL BA5E0E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B9EDF3FD 7 Bytes CALL BA5E0FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1000] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3512] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by myrti, 19 April 2010 - 07:38 AM.
disabled links
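The "< MD5 for: ... >" blocks in the OTL log above already contain the comparison a helper reads by eye: the installed driver under system32 against the clean copy in ServicePackFiles, with atapi.sys standing out because OTL could not hash it at all. As an added example (not part of this thread, of OTL, or of any tool named here), the checker below parses those blocks and flags a system32 copy that is unreadable or whose MD5 differs from the reference; it assumes only the line layout shown in the log, and the EXAMPLE.DLL block with its AAAA/BBBB hashes is constructed.

```python
"""Checks the '< MD5 for: NAME >' blocks of an OTL custom scan (added example, not
part of this thread or of OTL): installed copy under system32 vs. ServicePackFiles."""
import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# [date | size | attrs | flag] (company) MD5=hash | Unable to obtain MD5 | .cab file -- path
ENTRY_RE = re.compile(
    r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\((?P<company>[^)]*)\)\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5|(?P<cab>\.cab file))"
    r"\s*--\s*(?P<path>.+?)$"
)

@dataclass
class Entry:
    path: str
    md5: Optional[str]   # None when OTL reported "Unable to obtain MD5"
    is_cab: bool         # copy inside a driver-cache .cab: no hash available

@dataclass
class Finding:
    name: str
    verdict: str         # ok | mismatch | unreadable | no_reference | not_installed
    installed_path: Optional[str]
    installed_md5: Optional[str]
    reference_md5: Optional[str]

def parse_md5_sections(log: str) -> dict:
    """Group the entry lines under each '< MD5 for: NAME >' header."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current = None                     # a blank line ends the block
            continue
        if line.startswith("<"):               # any scan header; only MD5 ones matter
            header = HEADER_RE.match(line)
            current = header.group("name").upper() if header else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            md5 = entry.group("md5")
            sections[current].append(Entry(entry.group("path").strip(),
                                           md5.upper() if md5 else None,
                                           entry.group("cab") is not None))
    return sections

def is_installed_copy(path: str) -> bool:
    p = path.lower()   # skip the pre-update copies Windows keeps under ReinstallBackups
    return "\\system32\\" in p and "reinstallbackups" not in p

def is_reference_copy(path: str) -> bool:
    return "\\servicepackfiles\\i386\\" in path.lower()

def audit_otl_md5(log: str) -> list:
    """One Finding per block: does the installed hash equal the service-pack hash?"""
    findings = []
    for name, entries in parse_md5_sections(log).items():
        refs = [e for e in entries if is_reference_copy(e.path) and e.md5]
        ref_md5 = refs[0].md5 if refs else None
        installed = [e for e in entries if is_installed_copy(e.path) and not e.is_cab]
        if not installed:
            findings.append(Finding(name, "not_installed", None, None, ref_md5))
            continue
        inst = installed[0]
        if inst.md5 is None:
            verdict = "unreadable"   # OTL could not read it: locked or hidden, treat as suspect
        elif ref_md5 is None:
            verdict = "no_reference"
        elif inst.md5 == ref_md5:
            verdict = "ok"
        else:
            verdict = "mismatch"
        findings.append(Finding(name, verdict, inst.path, inst.md5, ref_md5))
    return findings

def suspicious_files(findings: list) -> list:
    return [f.name for f in findings if f.verdict in ("mismatch", "unreadable")]

# Constructed sample: the ATAPI and EVENTLOG lines are copied from the OTL log in this
# thread; the EXAMPLE.DLL block and its AAAA/BBBB hashes are made up for illustration.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2008/09/18 22:37:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2006/02/28 22:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXAMPLE.DLL >
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\example.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\example.dll
"""
```

Run `suspicious_files(audit_otl_md5(open("OTL.Txt").read()))` on a full OTL log to get just the names worth a second look; an "unreadable" verdict is what the atapi.sys case above produces.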


#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:40 AM

Posted 14 April 2010 - 08:38 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\System32\drivers\ulptwsbn.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#6 muzzal

muzzal
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 15 April 2010 - 03:38 AM

Hi

Combofix log below followed by Jotti report:

ComboFix 10-04-14.01 - M 04/15/2010 18:15:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1471 [GMT 10:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\M\Application Data\inst.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SeARchsettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 08:09 . 2010-04-15 08:09 96512 ----a-w- c:\windows\system32\drivers\gedsxcqu.sys
2010-04-15 07:53 . 2010-04-15 07:53 96512 ----a-w- c:\windows\system32\drivers\svgkitxn.sys
2010-04-12 08:28 . 2010-04-12 08:28 -------- d-----w- c:\program files\ERUNT
2010-04-10 23:19 . 2010-04-10 23:19 96512 ----a-w- c:\windows\system32\drivers\hldgtnhr.sys
2010-04-10 20:41 . 2010-04-10 20:41 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-04-10 20:41 . 2010-04-10 20:41 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-04-09 12:46 . 2010-04-09 12:46 96512 ----a-w- c:\windows\system32\drivers\mktwgqry.sys
2010-04-09 10:44 . 2010-04-09 10:44 -------- d-----w- c:\program files\ESET
2010-04-09 09:15 . 2010-04-09 09:15 2 --shatr- c:\windows\winstart.bat
2010-04-09 09:15 . 2008-12-22 05:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-09 09:15 . 2010-04-09 09:15 -------- d-----w- c:\program files\UnHackMe
2010-04-09 09:08 . 2010-04-09 09:08 96512 ----a-w- c:\windows\system32\drivers\ulptwsbn.sys
2010-04-09 08:45 . 2010-04-09 08:45 96512 ----a-w- c:\windows\system32\drivers\ktzkmzpp.sys
2010-04-08 10:37 . 2010-04-08 10:37 96512 ----a-w- c:\windows\system32\drivers\xgekpatw.sys
2010-04-08 10:20 . 2010-04-08 10:20 96512 ----a-w- c:\windows\system32\drivers\lompwhdo.sys
2010-04-08 09:49 . 2010-04-08 09:49 96512 ----a-w- c:\windows\system32\drivers\qsltezbh.sys
2010-04-08 08:02 . 2010-04-08 08:02 96512 ----a-w- c:\windows\system32\drivers\eflbqmno.sys
2010-04-08 07:47 . 2010-04-08 07:47 96512 ----a-w- c:\windows\system32\drivers\eykbbegu.sys
2010-04-08 07:32 . 2010-04-08 07:32 96512 ----a-w- c:\windows\system32\drivers\bqmmsfmt.sys
2010-04-07 11:57 . 2010-04-07 11:57 96512 ----a-w- c:\windows\system32\drivers\ipdjmuwd.sys
2010-04-07 11:48 . 2010-02-24 00:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 10:28 . 2010-04-07 10:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-05 06:57 . 2010-04-05 06:57 -------- d-----w- c:\program files\IrfanView
2010-04-05 06:41 . 2007-07-24 05:53 561152 ----a-w- c:\windows\system32\AltST.dll
2010-04-05 06:41 . 2001-06-25 21:15 38912 ----a-w- c:\windows\system32\picn20.dll
2010-04-05 06:41 . 2000-07-31 08:16 250736 ----a-w- c:\windows\system32\ImagXpr4.dll
2010-04-05 06:41 . 2000-07-31 04:47 491520 ----a-w- c:\windows\system32\imagx4.dll
2010-04-05 06:41 . 2002-09-21 06:08 372736 ----a-w- c:\windows\system32\ShellExtension.dll
2010-04-05 06:41 . 2000-06-29 06:38 421888 ----a-w- c:\windows\system32\imagr4.dll
2010-04-04 08:14 . 2010-04-04 08:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 02:51 . 2010-04-03 02:51 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 08:22 . 2007-05-11 16:06 25696 ----a-w- c:\documents and settings\M\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 09:28 . 2009-11-25 10:02 -------- d-----w- c:\program files\MSECACHE
2010-04-11 01:51 . 2010-02-24 10:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 08:39 . 2007-05-20 23:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-07 08:49 . 2009-07-28 10:06 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2010-04-05 06:28 . 2009-07-27 08:53 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-04-03 02:51 . 2010-02-20 06:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 10:47 . 2009-07-27 08:52 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-03-29 13:46 . 2010-02-20 06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 13:45 . 2010-02-20 06:15 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 04:00 . 2010-02-24 10:15 117760 ----a-w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 21:49 . 2009-11-20 21:08 -------- d-----w- c:\program files\Dragon Age
2010-03-25 08:53 . 2009-08-01 10:43 -------- d-----w- c:\program files\CCleaner
2010-03-08 07:58 . 2009-11-17 07:51 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 10:15 . 2010-02-24 10:15 52224 ----a-w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 10:08 . 2010-02-24 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-24 10:08 . 2010-02-24 10:08 -------- d-----w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com
2010-02-24 10:07 . 2007-05-19 13:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 07:32 . 2010-02-20 07:51 -------- d-----w- c:\documents and settings\M\Application Data\Digital Support
2010-02-23 07:31 . 2009-09-08 10:04 -------- d-----w- c:\program files\Anti Trojan Elite
2010-02-23 07:29 . 2007-05-21 00:07 -------- d-----w- c:\documents and settings\M\Application Data\Azureus
2010-02-23 04:20 . 2010-02-23 04:13 -------- d-----w- c:\documents and settings\M\Application Data\DVD Flick
2010-02-23 04:06 . 2010-02-23 04:05 -------- d-----w- c:\program files\DVD Flick
2010-02-22 22:48 . 2007-08-14 20:53 -------- d-----w- c:\documents and settings\M\Application Data\ImgBurn
2010-02-22 22:20 . 2008-06-24 11:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-22 22:20 . 2008-06-24 11:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-22 21:08 . 2010-02-22 20:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 20:49 . 2010-02-22 20:49 -------- d-----w- c:\program files\Avira
2010-02-22 20:49 . 2010-02-22 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-20 06:15 . 2010-02-20 06:15 -------- d-----w- c:\documents and settings\M\Application Data\Malwarebytes
2010-02-20 06:15 . 2010-02-20 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 23:22 . 2007-10-02 05:48 21808 ----a-w- c:\documents and settings\Jessica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-03-17 2387968]
"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-24 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 544768]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 03:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Gigabyte\\ET5\\update.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59480:TCP"= 59480:TCP:Freindly Sites
"59480:UDP"= 59480:UDP:File Sharing
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 6:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 6:56 AM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/23/2010 6:49 AM 108289]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [4/11/2010 6:41 AM 34760]
S1 MpKsl16f06560;MpKsl16f06560;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3C749A5-D6E3-42C9-8E5C-7E0A89C21C80}\MpKsl16f06560.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3C749A5-D6E3-42C9-8E5C-7E0A89C21C80}\MpKsl16f06560.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [6/25/2009 5:47 PM 224528]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 6:56 AM 12872]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/16/2009 6:07 AM 25832]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-03-17 02:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:57]

2010-04-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-602609370-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ee,59,26,ee,f8,84,ff,f3,d6,cc,29,fb,13,cd,de,b5,8a,c0,ee,28,76,b9,53,
89,02,87,9e,eb,d8,9a,1d,29,82,52,1c,16,9a,97,80,09,b9,37,05,d6,74,b4,46,89,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1547161642-602609370-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,f6,c9,75,bf,4c,1e,bf,69,a6,5d,76,b0,d2,cb,ee,79,6c,a8,6b,2a,
b5,7f,01,6a,e1,b3,78,90,a2,b6,c3,5a,7a,36,02,16,af,f3,60,b8,24,c7,ae,2a,b9,\
"rkeysecu"=hex:64,3a,41,44,ea,1d,82,08,47,45,8b,a9,71,e4,97,05
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\sm56hlpr.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2010-04-15 18:27:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-15 08:27

Pre-Run: 211,472,207,872 bytes free
Post-Run: 214,210,879,488 bytes free

- - End Of File - - B1619635A0D40C367EC82F3C657B599E


Jotti

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

Filename: atapi.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 14 Apr 2010 20:39:36 (CET)

Additional info
File size: 96512 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1: a719156e8ad67456556a02c34e762944234e7a44
Packer (Kaspersky): PE_Patch

#7 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 15 April 2010 - 01:30 PM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\drivers\gedsxcqu.sys
c:\windows\system32\drivers\svgkitxn.sys
c:\windows\system32\drivers\hldgtnhr.sys
c:\windows\system32\drivers\mktwgqry.sys
c:\windows\winstart.bat
c:\windows\system32\drivers\ulptwsbn.sys
c:\windows\system32\drivers\ktzkmzpp.sys
c:\windows\system32\drivers\xgekpatw.sys
c:\windows\system32\drivers\lompwhdo.sys
c:\windows\system32\drivers\qsltezbh.sys
c:\windows\system32\drivers\eflbqmno.sys
c:\windows\system32\drivers\eykbbegu.sys
c:\windows\system32\drivers\bqmmsfmt.sys
c:\windows\system32\drivers\ipdjmuwd.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is your PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
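The ComboFix output posted above (service lines such as the Partizan.sys driver and the ATE_PROCMON entry whose image file ComboFix marks with "[?]") and the CFScript procedure in the post just above both lend themselves to a small triage helper. The Python script below is an added example, not ComboFix's code and not anything posted in this thread. It parses the two line shapes ComboFix prints (the dated file-listing lines and the R/S service lines), flags drivers in system32\drivers whose names are eight random-looking lowercase letters (the pattern of the thirteen files in the CFScript above), flags a winstart.bat in c:\windows, reports services whose image path ends in "[?]" without queuing them for deletion, and renders a File:: section in the layout the CFScript above uses. The sample log lines are constructed for this example (the sizes and timestamps on the two random-named drivers are invented, since that part of the log is not on this page); the allowlist of avgntflt.sys (Avira) and Partizan.sys (UnHackMe) is an assumption about those two products, and it exists precisely because the name heuristic would otherwise flag both.

```python
"""Triage helper for ComboFix-style log lines (added example; not ComboFix code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sample input, constructed for this example in the shape ComboFix prints.
# The two random-named driver lines and winstart.bat carry invented sizes and
# timestamps; the remaining lines are modelled on entries visible in the thread.
SAMPLE_LOG = r"""
2010-04-09 09:15 . 2010-04-15 10:50 -------- d-----w- c:\program files\UnHackMe
2010-04-08 21:07 . 2010-04-08 21:07 40960 ----a-w- c:\windows\system32\drivers\gedsxcqu.sys
2010-04-08 21:07 . 2010-04-08 21:07 40960 ----a-w- c:\windows\system32\drivers\svgkitxn.sys
2010-04-08 21:05 . 2010-04-08 21:05 1240 ----a-w- c:\windows\winstart.bat
2010-03-29 13:46 . 2010-02-20 06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 21:08 . 2010-02-22 20:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [4/11/2010 6:41 AM 34760]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 6:56 AM 12872]
"""

# Eight-letter driver names that belong to tools present in the thread's log.
# Assumption: avgntflt.sys is Avira's filter driver and Partizan.sys is UnHackMe's
# boot-time driver; without this allowlist the name heuristic flags both.
KNOWN_GOOD_STEMS = {"avgntflt", "partizan"}

DRIVERS_DIR = r"c:\windows\system32\drivers"
WINDOWS_DIR = r"c:\windows"

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+\S+\s+\S+\s+(?P<path>.+?)\s*$"
)
# "<R|S><n> <name>;<display name>;<image path> [<date size>|?]"
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
RANDOM_SYS = re.compile(r"^[a-z]{8}\.sys$")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    remove: bool  # True: candidate for the CFScript File:: list; False: report only


def _check_path(path: str) -> Finding | None:
    """Apply the file-name rules to one path taken from the log."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if parent == DRIVERS_DIR and RANDOM_SYS.match(name) and p.stem.lower() not in KNOWN_GOOD_STEMS:
        return Finding(path, "eight-letter random-looking driver name in system32\\drivers", True)
    if parent == WINDOWS_DIR and name == "winstart.bat":
        return Finding(path, "winstart.bat is a Windows 9x autostart file; not expected on XP", True)
    return None


def _service_image(rest: str) -> tuple[str, bool]:
    """Return (image path, verified) from the tail of an R/S service line."""
    verified = not rest.rstrip().endswith("[?]")
    image = rest.split(" --> ")[-1]            # prefer the resolved path when one is shown
    image = re.sub(r"\s+\[.*\]$", "", image)    # drop the trailing "[date size]" or "[?]"
    if image.startswith("\\??\\"):
        image = image[4:]                       # strip the NT object-namespace prefix
    return image, verified


def triage(log_text: str) -> list[Finding]:
    """Scan log lines and collect findings in the order they occur."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_LINE.match(line)):
            f = _check_path(m.group("path"))
            if f:
                findings.append(f)
            continue
        if (m := SERVICE_LINE.match(line)):
            image, verified = _service_image(m.group("rest"))
            f = _check_path(image)
            if f:
                findings.append(f)
            elif not verified:
                findings.append(Finding(image, f"service {m.group('name')}: image file not verified by ComboFix", False))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Render the File:: section in the layout the thread's CFScript uses."""
    return "\n".join(["File::"] + [f.path for f in findings if f.remove]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(("REMOVE " if f.remove else "REVIEW ") + f.path + "  <- " + f.reason)
    print()
    print(build_cfscript(found))
```

The heuristic is deliberately narrow: SASDIFSV.SYS is also eight letters, but it lives under Program Files rather than system32\drivers, so it is not flagged, and the ATEPMon.sys entry is only reported because an unverifiable image path is a reason to look, not a reason to delete. Anything the script queues should still be checked by hand before it goes into a CFScript, because, as the "Other Deletions" section of the next log shows, ComboFix removes whatever the File:: list names.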


#8 muzzal
  • Topic Starter
  • Members
  • 13 posts

Posted 16 April 2010 - 03:37 AM

Hi Myrti,
My PC seems to be running much better.

Hope this is the end of the infection! Got to say I appreciate your help and have to commend those that run this site.


ComboFix.txt follows.....

ComboFix 10-04-14.01 - M 04/16/2010 18:21:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1508 [GMT 10:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\M\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\windows\system32\drivers\bqmmsfmt.sys"
"c:\windows\system32\drivers\eflbqmno.sys"
"c:\windows\system32\drivers\eykbbegu.sys"
"c:\windows\system32\drivers\gedsxcqu.sys"
"c:\windows\system32\drivers\hldgtnhr.sys"
"c:\windows\system32\drivers\ipdjmuwd.sys"
"c:\windows\system32\drivers\ktzkmzpp.sys"
"c:\windows\system32\drivers\lompwhdo.sys"
"c:\windows\system32\drivers\mktwgqry.sys"
"c:\windows\system32\drivers\qsltezbh.sys"
"c:\windows\system32\drivers\svgkitxn.sys"
"c:\windows\system32\drivers\ulptwsbn.sys"
"c:\windows\system32\drivers\xgekpatw.sys"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\bqmmsfmt.sys
c:\windows\system32\drivers\eflbqmno.sys
c:\windows\system32\drivers\eykbbegu.sys
c:\windows\system32\drivers\gedsxcqu.sys
c:\windows\system32\drivers\hldgtnhr.sys
c:\windows\system32\drivers\ipdjmuwd.sys
c:\windows\system32\drivers\ktzkmzpp.sys
c:\windows\system32\drivers\lompwhdo.sys
c:\windows\system32\drivers\mktwgqry.sys
c:\windows\system32\drivers\qsltezbh.sys
c:\windows\system32\drivers\svgkitxn.sys
c:\windows\system32\drivers\ulptwsbn.sys
c:\windows\system32\drivers\xgekpatw.sys
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 09:00 . 2010-04-15 09:00 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-15 09:00 . 2010-04-15 09:00 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-04-12 08:28 . 2010-04-12 08:28 -------- d-----w- c:\program files\ERUNT
2010-04-09 10:44 . 2010-04-09 10:44 -------- d-----w- c:\program files\ESET
2010-04-09 09:15 . 2010-04-15 10:50 -------- d-----w- c:\program files\UnHackMe
2010-04-07 11:48 . 2010-02-24 00:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 10:28 . 2010-04-07 10:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-05 06:57 . 2010-04-05 06:57 -------- d-----w- c:\program files\IrfanView
2010-04-05 06:41 . 2007-07-24 05:53 561152 ----a-w- c:\windows\system32\AltST.dll
2010-04-05 06:41 . 2001-06-25 21:15 38912 ----a-w- c:\windows\system32\picn20.dll
2010-04-05 06:41 . 2000-07-31 08:16 250736 ----a-w- c:\windows\system32\ImagXpr4.dll
2010-04-05 06:41 . 2000-07-31 04:47 491520 ----a-w- c:\windows\system32\imagx4.dll
2010-04-05 06:41 . 2002-09-21 06:08 372736 ----a-w- c:\windows\system32\ShellExtension.dll
2010-04-05 06:41 . 2000-06-29 06:38 421888 ----a-w- c:\windows\system32\imagr4.dll
2010-04-04 08:14 . 2010-04-04 08:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 02:51 . 2010-04-03 02:51 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6415\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6415\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6415\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6415\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 08:22 . 2007-05-11 16:06 25696 ----a-w- c:\documents and settings\M\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 09:28 . 2009-11-25 10:02 -------- d-----w- c:\program files\MSECACHE
2010-04-11 01:51 . 2010-02-24 10:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 08:39 . 2007-05-20 23:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-07 08:49 . 2009-07-28 10:06 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2010-04-05 06:28 . 2009-07-27 08:53 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-04-03 02:51 . 2010-02-20 06:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 10:47 . 2009-07-27 08:52 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-03-29 13:46 . 2010-02-20 06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 13:45 . 2010-02-20 06:15 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 04:00 . 2010-02-24 10:15 117760 ----a-w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 21:49 . 2009-11-20 21:08 -------- d-----w- c:\program files\Dragon Age
2010-03-25 08:53 . 2009-08-01 10:43 -------- d-----w- c:\program files\CCleaner
2010-03-08 07:58 . 2009-11-17 07:51 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-25 06:24 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 10:15 . 2010-02-24 10:15 52224 ----a-w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 10:08 . 2010-02-24 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-24 10:08 . 2010-02-24 10:08 -------- d-----w- c:\documents and settings\M\Application Data\SUPERAntiSpyware.com
2010-02-24 10:07 . 2007-05-19 13:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 07:32 . 2010-02-20 07:51 -------- d-----w- c:\documents and settings\M\Application Data\Digital Support
2010-02-23 07:31 . 2009-09-08 10:04 -------- d-----w- c:\program files\Anti Trojan Elite
2010-02-23 07:29 . 2007-05-21 00:07 -------- d-----w- c:\documents and settings\M\Application Data\Azureus
2010-02-23 04:20 . 2010-02-23 04:13 -------- d-----w- c:\documents and settings\M\Application Data\DVD Flick
2010-02-23 04:06 . 2010-02-23 04:05 -------- d-----w- c:\program files\DVD Flick
2010-02-22 22:48 . 2007-08-14 20:53 -------- d-----w- c:\documents and settings\M\Application Data\ImgBurn
2010-02-22 22:20 . 2008-06-24 11:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-22 22:20 . 2008-06-24 11:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-22 21:08 . 2010-02-22 20:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 20:49 . 2010-02-22 20:49 -------- d-----w- c:\program files\Avira
2010-02-22 20:49 . 2010-02-22 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-20 06:15 . 2010-02-20 06:15 -------- d-----w- c:\documents and settings\M\Application Data\Malwarebytes
2010-02-20 06:15 . 2010-02-20 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 23:22 . 2007-10-02 05:48 21808 ----a-w- c:\documents and settings\Jessica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-03-17 2387968]
"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-24 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 544768]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 03:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Gigabyte\\ET5\\update.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59480:TCP"= 59480:TCP:Freindly Sites
"59480:UDP"= 59480:UDP:File Sharing
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 6:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 6:56 AM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/23/2010 6:49 AM 108289]
S1 MpKsl16f06560;MpKsl16f06560;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3C749A5-D6E3-42C9-8E5C-7E0A89C21C80}\MpKsl16f06560.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3C749A5-D6E3-42C9-8E5C-7E0A89C21C80}\MpKsl16f06560.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [6/25/2009 5:47 PM 224528]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 6:56 AM 12872]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/16/2009 6:07 AM 25832]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-03-17 02:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:57]

2010-04-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 18:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-602609370-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ee,59,26,ee,f8,84,ff,f3,d6,cc,29,fb,13,cd,de,b5,8a,c0,ee,28,76,b9,53,
89,02,87,9e,eb,d8,9a,1d,29,82,52,1c,16,9a,97,80,09,b9,37,05,d6,74,b4,46,89,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1547161642-602609370-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,f6,c9,75,bf,4c,1e,bf,69,a6,5d,76,b0,d2,cb,ee,79,6c,a8,6b,2a,
b5,7f,01,6a,e1,b3,78,90,a2,b6,c3,5a,7a,36,02,16,af,f3,60,b8,24,c7,ae,2a,b9,\
"rkeysecu"=hex:64,3a,41,44,ea,1d,82,08,47,45,8b,a9,71,e4,97,05
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-16 18:27:34
ComboFix-quarantined-files.txt 2010-04-16 08:27
ComboFix2.txt 2010-04-15 08:27

Pre-Run: 214,159,519,744 bytes free
Post-Run: 214,133,481,472 bytes free

- - End Of File - - FA5D12F0E4CF4C7C8B4E6899A35BF085




#9 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 18 April 2010 - 04:32 AM

Hi,

this is looking pretty good! I would like you to run an online scan to check for leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#10 muzzal
  • Topic Starter
  • Members
  • 13 posts

Posted 19 April 2010 - 06:12 AM

Hi,
Could not run text file because there was no option to list threats found.
Probably because the finished scan showed there were no threats lol
All I saw was a green tick box with something like "No threats detected" written next to it.

Is there anything I missed or another scan I can run?


Rgds,
Muzzal

#11 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 19 April 2010 - 07:16 AM

Hi,

this is good news!
</gr_replreplace>
<gr_replace lines="2099" cat="clarify" orig="• Repeat as many">
  • Repeat as many times as necessary to remove each Java version.

Please update your java next:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


As a side note, I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Ms Essentials or Antivir.

How is your PC doing now?

regards myrti

Edited by myrti, 19 April 2010 - 07:35 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
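The post above tells the reader to remove every older Java version from Add/Remove Programs before installing JRE 6 Update 20. As an added example (not part of myrti's post or the thread), the script below reads the same Add/Remove Programs entries from the registry on Windows and lists any Java install older than 6u20, so leftovers are easy to spot; off Windows it runs against a constructed sample list. The registry paths are the standard Uninstall keys; the sample display names are made up for the example.

```python
# Added example, not from the thread: list Add/Remove Programs entries for
# Java that are older than the version the post tells the reader to install
# (JRE 6 Update 20), so leftover versions can be spotted after the uninstall
# step. The registry paths are standard; the sample entries are constructed.
import re
import sys

TARGET = (6, 20)  # JRE 6 Update 20, the version named in the post

# "Java(TM) 6 Update 17", "J2SE Runtime Environment 5.0 Update 22" -> (6, 17), (5, 22)
_RE_MODERN = re.compile(r"\b(\d+)(?:\.0)?\s+Update\s+(\d+)\b", re.I)
# "Java 2 Runtime Environment, SE v1.4.2_03" -> (4, 3)
_RE_LEGACY = re.compile(r"\bv?1\.(\d+)(?:\.\d+)?_(\d+)\b", re.I)


def parse_java_version(display_name):
    """Return (major, update) for a Java/J2SE entry, or None for anything else."""
    if not re.search(r"\b(?:Java|J2SE)\b", display_name, re.I):
        return None
    for pattern in (_RE_MODERN, _RE_LEGACY):
        m = pattern.search(display_name)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def stale_java_entries(display_names, target=TARGET):
    """Return [(display_name, (major, update)), ...] for Java installs older than target."""
    stale = []
    for name in display_names:
        version = parse_java_version(name)
        if version is not None and version < target:
            stale.append((name, version))
    return stale


def installed_display_names():
    """DisplayName of every Add/Remove Programs entry (Windows only; stdlib winreg)."""
    import winreg
    names = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # Wow6432Node does not exist on 32-bit XP
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as sk:
                        names.append(str(winreg.QueryValueEx(sk, "DisplayName")[0]))
                except OSError:
                    pass  # entry without a DisplayName
    return names


# Constructed sample of Add/Remove Programs names; not taken from the poster's logs.
SAMPLE_ENTRIES = [
    "Java(TM) 6 Update 17",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java(TM) 6 Update 20",
    "Avira AntiVir Personal - Free Antivirus",
]

if __name__ == "__main__":
    names = installed_display_names() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, (major, update) in stale_java_entries(names):
        print("older than 6u20: %s (%du%d)" % (name, major, update))
```

Run it after the reboot that follows the uninstalls; anything it prints is a version the Java 6u20 installer will not remove for you, exactly the case the last note in the post warns about.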


#12 muzzal


Posted 20 April 2010 - 03:38 AM

Hi Myrti,

Java now updated.

Only installed a 2nd AV prog because of initial infection problems.
Which prog would you recommend I keep?



Muzzal

#13 myrti


Posted 20 April 2010 - 02:18 PM

Hi,

I'm a fan of Avira, but MSSE has its merits as well. I would say that you should choose the one with which you are more at ease.

As a final step, please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
  2. Uninstall ComboFix.exe and all backups of the files it deleted:
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  3. If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide resident protection and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Have a nice day
myrti

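The MVPs hosts file recommended in the post above works by mapping known ad and malware hostnames to 0.0.0.0 so the browser never reaches them; the same file, when altered by malware, can instead send a legitimate name to an attacker's address. As an added example (not part of myrti's post or the thread), the script below parses a Windows hosts file and separates those two kinds of entry, flagging any redirect of a watchlisted domain. The watchlist and the sample hosts text are constructed for the example; the hosts path is the standard Windows location.

```python
# Added example, not from the thread: parse a Windows hosts file and separate
# the sinkhole entries an MVPs-style list adds (names mapped to 0.0.0.0 or
# loopback) from entries that redirect a name to a real address, which is
# the shape a hijacked hosts file takes. The sample hosts text is constructed.
import ipaddress
import os

SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          r"System32\drivers\etc\hosts")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address; skip the line
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def classify_hosts(text, watchlist=()):
    """Return (sinkholed, redirected, suspicious).

    sinkholed:  {name: ip} for names sent to a sinkhole address (localhost is
                expected here on every Windows system).
    redirected: {name: ip} for names mapped to a routable address.
    suspicious: [(line_no, name, ip)] for redirected names under a
                watchlisted domain, e.g. a search engine or an update server.
    """
    sinkholed, redirected, suspicious = {}, {}, []
    for ip, name, line_no in parse_hosts(text):
        if ip in SINKHOLE:
            sinkholed[name] = ip
            continue
        redirected[name] = ip
        if any(name == w or name.endswith("." + w) for w in watchlist):
            suspicious.append((line_no, name, ip))
    return sinkholed, redirected, suspicious


# Constructed sample; not the poster's hosts file.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
0.0.0.0   ads.example.net   tracker.example.org     # MVPs-style sinkhole entries
192.0.2.10      www.google.com                      # search engine sent to a real IP
10.0.0.5        intranet.corp.example               # local override, not on the watchlist
"""
# Constructed watchlist of domains a redirect virus would typically hijack.
WATCHLIST = ("google.com", "bing.com", "microsoft.com", "windowsupdate.com", "avira.com")

if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    sinkholed, redirected, suspicious = classify_hosts(text, WATCHLIST)
    print("%d sinkholed, %d redirected" % (len(sinkholed), len(redirected)))
    for line_no, name, ip in suspicious:
        print("line %d: %s -> %s (watchlisted domain redirected)" % (line_no, name, ip))
```

A clean MVPs install shows thousands of sinkholed names and no redirects; any line in the suspicious list is worth a second look. Note that a hosts file only covers hijacks done through that file, so a redirect that survives with a clean hosts file points elsewhere (DNS settings, a browser add-on or a rootkit).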


#14 muzzal


Posted 21 April 2010 - 03:39 AM

Hi Myrti,

I have followed your final instructions and taken your kind advice.
My system is now clean and error free (I intend to keep it that way)

Many thanks to you and others that manage this excellent site.....


Kind Regards,

Muzzal

#15 myrti


Posted 21 April 2010 - 06:27 AM

Heya,

I'm glad we could help!

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti
